1a2288ddc2f77315e92ce27b3e4173f07583c0abad6d140ea6f5975842bc6b73

Analysis

max time kernel
150s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

crack.exe
Size

154.6MB
MD5

8b84e516f463274edac1626940ce148a
SHA1

5eded4555f84d27b44ea281ba797c57c880285f2
SHA256

469742a21ac48ae0ab0d99fad8ae250735f67f4999bb6b6d43b28293fc657205
SHA512

ed3f224b90cfab3a269188bbcdf7b92ad287c4ca751c252572bd00ce6605e0cfc25aa863e70e5daecebe2618ef2413010c4fc3cfae003a52f8a43f20727fb810
SSDEEP

1572864:gCquurbtqKajQe7vqrTU4PrCsdCXrBngPE1cG7VOWe2IkBmUgq3Fd6iU3x6VCdbm:6DAgZi

Score

9^/10

credential_access discovery spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	crack.exe

Loads dropped DLL 2 IoCs

pid	Process
5048	crack.exe
5048	crack.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
11	raw.githubusercontent.com
15	raw.githubusercontent.com

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
3656	cmd.exe
4600	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2732	tasklist.exe
3204	tasklist.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2096	powershell.exe
2096	powershell.exe
3800	powershell.exe
3800	powershell.exe
3800	powershell.exe
2732	crack.exe
2732	crack.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2752	WMIC.exe
Token: SeSecurityPrivilege	2752	WMIC.exe
Token: SeTakeOwnershipPrivilege	2752	WMIC.exe
Token: SeLoadDriverPrivilege	2752	WMIC.exe
Token: SeSystemProfilePrivilege	2752	WMIC.exe
Token: SeSystemtimePrivilege	2752	WMIC.exe
Token: SeProfSingleProcessPrivilege	2752	WMIC.exe
Token: SeIncBasePriorityPrivilege	2752	WMIC.exe
Token: SeCreatePagefilePrivilege	2752	WMIC.exe
Token: SeBackupPrivilege	2752	WMIC.exe
Token: SeRestorePrivilege	2752	WMIC.exe
Token: SeShutdownPrivilege	2752	WMIC.exe
Token: SeDebugPrivilege	2752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2752	WMIC.exe
Token: SeRemoteShutdownPrivilege	2752	WMIC.exe
Token: SeUndockPrivilege	2752	WMIC.exe
Token: SeManageVolumePrivilege	2752	WMIC.exe
Token: 33	2752	WMIC.exe
Token: 34	2752	WMIC.exe
Token: 35	2752	WMIC.exe
Token: 36	2752	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2752	WMIC.exe
Token: SeSecurityPrivilege	2752	WMIC.exe
Token: SeTakeOwnershipPrivilege	2752	WMIC.exe
Token: SeLoadDriverPrivilege	2752	WMIC.exe
Token: SeSystemProfilePrivilege	2752	WMIC.exe
Token: SeSystemtimePrivilege	2752	WMIC.exe
Token: SeProfSingleProcessPrivilege	2752	WMIC.exe
Token: SeIncBasePriorityPrivilege	2752	WMIC.exe
Token: SeCreatePagefilePrivilege	2752	WMIC.exe
Token: SeBackupPrivilege	2752	WMIC.exe
Token: SeRestorePrivilege	2752	WMIC.exe
Token: SeShutdownPrivilege	2752	WMIC.exe
Token: SeDebugPrivilege	2752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2752	WMIC.exe
Token: SeRemoteShutdownPrivilege	2752	WMIC.exe
Token: SeUndockPrivilege	2752	WMIC.exe
Token: SeManageVolumePrivilege	2752	WMIC.exe
Token: 33	2752	WMIC.exe
Token: 34	2752	WMIC.exe
Token: 35	2752	WMIC.exe
Token: 36	2752	WMIC.exe
Token: SeShutdownPrivilege	5048	crack.exe
Token: SeCreatePagefilePrivilege	5048	crack.exe
Token: SeShutdownPrivilege	5048	crack.exe
Token: SeCreatePagefilePrivilege	5048	crack.exe
Token: SeDebugPrivilege	2732	tasklist.exe
Token: SeDebugPrivilege	3204	tasklist.exe
Token: SeShutdownPrivilege	5048	crack.exe
Token: SeCreatePagefilePrivilege	5048	crack.exe
Token: SeShutdownPrivilege	5048	crack.exe
Token: SeCreatePagefilePrivilege	5048	crack.exe
Token: SeShutdownPrivilege	5048	crack.exe
Token: SeCreatePagefilePrivilege	5048	crack.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	3800	powershell.exe
Token: SeShutdownPrivilege	5048	crack.exe
Token: SeCreatePagefilePrivilege	5048	crack.exe
Token: SeShutdownPrivilege	5048	crack.exe
Token: SeCreatePagefilePrivilege	5048	crack.exe
Token: SeShutdownPrivilege	5048	crack.exe
Token: SeCreatePagefilePrivilege	5048	crack.exe
Token: SeShutdownPrivilege	5048	crack.exe
Token: SeCreatePagefilePrivilege	5048	crack.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 2736	5048	crack.exe	85
PID 5048 wrote to memory of 2736	5048	crack.exe	85
PID 2736 wrote to memory of 2752	2736	cmd.exe	87
PID 2736 wrote to memory of 2752	2736	cmd.exe	87
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 5052	5048	crack.exe	89
PID 5048 wrote to memory of 4288	5048	crack.exe	90
PID 5048 wrote to memory of 4288	5048	crack.exe	90
PID 5048 wrote to memory of 628	5048	crack.exe	91
PID 5048 wrote to memory of 628	5048	crack.exe	91
PID 5048 wrote to memory of 732	5048	crack.exe	93
PID 5048 wrote to memory of 732	5048	crack.exe	93
PID 628 wrote to memory of 2732	628	cmd.exe	95
PID 628 wrote to memory of 2732	628	cmd.exe	95
PID 732 wrote to memory of 3204	732	cmd.exe	96
PID 732 wrote to memory of 3204	732	cmd.exe	96
PID 5048 wrote to memory of 3656	5048	crack.exe	99
PID 5048 wrote to memory of 3656	5048	crack.exe	99
PID 3656 wrote to memory of 2096	3656	cmd.exe	101
PID 3656 wrote to memory of 2096	3656	cmd.exe	101
PID 5048 wrote to memory of 4600	5048	crack.exe	103
PID 5048 wrote to memory of 4600	5048	crack.exe	103
PID 4600 wrote to memory of 3800	4600	cmd.exe	105
PID 4600 wrote to memory of 3800	4600	cmd.exe	105
PID 5048 wrote to memory of 2732	5048	crack.exe	119
PID 5048 wrote to memory of 2732	5048	crack.exe	119

C:\Users\Admin\AppData\Local\Temp\crack.exe
"C:\Users\Admin\AppData\Local\Temp\crack.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC csproduct get UUID"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC csproduct get UUID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- C:\Users\Admin\AppData\Local\Temp\crack.exe
  "C:\Users\Admin\AppData\Local\Temp\crack.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\crack" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1872,i,15802869171775443497,9162738404966000609,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:5052
- C:\Users\Admin\AppData\Local\Temp\crack.exe
  "C:\Users\Admin\AppData\Local\Temp\crack.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\crack" --mojo-platform-channel-handle=2100 --field-trial-handle=1872,i,15802869171775443497,9162738404966000609,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:4288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,63,148,94,215,45,68,211,72,154,201,163,107,233,226,232,177,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,143,115,20,54,168,32,97,244,143,97,151,19,223,167,94,142,66,73,244,230,96,5,28,15,20,90,128,144,95,76,6,125,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,148,103,240,241,227,169,217,71,9,67,167,211,200,24,135,245,245,95,48,41,160,5,233,196,158,246,201,239,202,98,76,100,48,0,0,0,89,242,20,207,13,106,252,33,186,45,233,248,70,147,68,8,113,234,241,130,57,87,26,113,5,182,239,174,179,249,36,146,163,253,186,168,230,8,135,144,59,214,176,74,74,118,150,41,64,0,0,0,30,10,198,142,173,238,114,204,14,209,198,2,217,106,107,78,79,45,57,201,214,186,231,24,88,36,198,47,161,208,122,254,223,240,86,96,116,50,48,232,111,132,248,94,173,24,72,48,48,229,146,231,120,98,200,29,108,59,84,241,108,236,134,71), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,63,148,94,215,45,68,211,72,154,201,163,107,233,226,232,177,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,143,115,20,54,168,32,97,244,143,97,151,19,223,167,94,142,66,73,244,230,96,5,28,15,20,90,128,144,95,76,6,125,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,148,103,240,241,227,169,217,71,9,67,167,211,200,24,135,245,245,95,48,41,160,5,233,196,158,246,201,239,202,98,76,100,48,0,0,0,89,242,20,207,13,106,252,33,186,45,233,248,70,147,68,8,113,234,241,130,57,87,26,113,5,182,239,174,179,249,36,146,163,253,186,168,230,8,135,144,59,214,176,74,74,118,150,41,64,0,0,0,30,10,198,142,173,238,114,204,14,209,198,2,217,106,107,78,79,45,57,201,214,186,231,24,88,36,198,47,161,208,122,254,223,240,86,96,116,50,48,232,111,132,248,94,173,24,72,48,48,229,146,231,120,98,200,29,108,59,84,241,108,236,134,71), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,63,148,94,215,45,68,211,72,154,201,163,107,233,226,232,177,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,21,216,147,164,40,111,6,51,101,6,76,4,183,182,149,224,165,96,1,41,112,199,29,85,222,173,67,42,45,119,189,236,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,61,86,48,108,112,207,26,228,192,84,211,42,22,181,228,46,248,89,125,115,247,207,63,151,199,6,104,208,162,8,134,41,48,0,0,0,99,134,28,42,100,118,189,166,9,27,60,214,174,32,138,10,144,123,149,51,41,151,10,249,31,55,192,57,250,28,165,210,76,123,98,207,186,250,209,107,54,148,77,203,106,0,106,146,64,0,0,0,244,176,98,129,224,53,136,231,161,102,120,147,43,99,157,107,27,44,34,54,41,35,158,182,86,208,148,105,231,251,2,252,206,40,119,17,98,2,57,147,69,51,17,106,59,125,60,227,214,179,221,102,48,104,179,201,166,22,153,201,63,92,17,174), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,63,148,94,215,45,68,211,72,154,201,163,107,233,226,232,177,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,21,216,147,164,40,111,6,51,101,6,76,4,183,182,149,224,165,96,1,41,112,199,29,85,222,173,67,42,45,119,189,236,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,61,86,48,108,112,207,26,228,192,84,211,42,22,181,228,46,248,89,125,115,247,207,63,151,199,6,104,208,162,8,134,41,48,0,0,0,99,134,28,42,100,118,189,166,9,27,60,214,174,32,138,10,144,123,149,51,41,151,10,249,31,55,192,57,250,28,165,210,76,123,98,207,186,250,209,107,54,148,77,203,106,0,106,146,64,0,0,0,244,176,98,129,224,53,136,231,161,102,120,147,43,99,157,107,27,44,34,54,41,35,158,182,86,208,148,105,231,251,2,252,206,40,119,17,98,2,57,147,69,51,17,106,59,125,60,227,214,179,221,102,48,104,179,201,166,22,153,201,63,92,17,174), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3800
- C:\Users\Admin\AppData\Local\Temp\crack.exe
  "C:\Users\Admin\AppData\Local\Temp\crack.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\crack" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1256 --field-trial-handle=1872,i,15802869171775443497,9162738404966000609,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f48896adf9a23882050cdff97f610a7f

SHA1
4c5a610df62834d43f470cae7e851946530e3086

SHA256
3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78

SHA512
16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
498ec1e23f5b415ac2f1260e2df1f2dd

SHA1
09b361775c19385abf2c492a548c4f171b667bfb

SHA256
c4f0af0ba6c245de8bb2c5e61bda7023deb0e252797c94cd8a5702291d29d60d

SHA512
3f91d169bf61ae67b7b8f252b2bb3710dce0c96adc7da3376df4c56960733d0b2644fb46a23e75d84f8eb0d445a5ee25c2abaff5e5558ced515aaaa41b16febe

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f1c67d3-15ab-45fd-851a-c9399b73bf05.tmp.node

Filesize
1.6MB

MD5
e072ecfeb22be9afabbc6e0548819df7

SHA1
1a8e67f9b539cdfd43051886126b8dbbc71511ff

SHA256
d48dae81f0becf590317a12ca431d934c7c3e5bed13c155f30375c354ae961fa

SHA512
857e7efee0fed20bafa93ce1fb6a92827bf231332542a9d4b871c3e89baff36f801eea479dc654621eeced3f47bf7b5beb82a6850b05a3154e2bd91b62ed3c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\79eacf4a-dbb9-45de-8e9c-a46f9bd899dc.tmp.node

Filesize
137KB

MD5
04bfbfec8db966420fe4c7b85ebb506a

SHA1
939bb742a354a92e1dcd3661a62d69e48030a335

SHA256
da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd

SHA512
4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

Download Submit
C:\Users\Admin\AppData\Local\Temp\WallyW\WallyWHaha.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3yxlksbp.02b.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2096-15-0x0000012750060000-0x0000012750082000-memory.dmp

Filesize
136KB

Download
memory/2096-25-0x0000012768550000-0x00000127685A0000-memory.dmp

Filesize
320KB

Download
memory/2732-82-0x00000196FDCA0000-0x00000196FDCA1000-memory.dmp

Filesize
4KB

Download
memory/2732-80-0x00000196FDCA0000-0x00000196FDCA1000-memory.dmp

Filesize
4KB

Download
memory/2732-81-0x00000196FDCA0000-0x00000196FDCA1000-memory.dmp

Filesize
4KB

Download
memory/2732-86-0x00000196FDCA0000-0x00000196FDCA1000-memory.dmp

Filesize
4KB

Download
memory/2732-88-0x00000196FDCA0000-0x00000196FDCA1000-memory.dmp

Filesize
4KB

Download
memory/2732-92-0x00000196FDCA0000-0x00000196FDCA1000-memory.dmp

Filesize
4KB

Download
memory/2732-91-0x00000196FDCA0000-0x00000196FDCA1000-memory.dmp

Filesize
4KB

Download
memory/2732-90-0x00000196FDCA0000-0x00000196FDCA1000-memory.dmp

Filesize
4KB

Download
memory/2732-89-0x00000196FDCA0000-0x00000196FDCA1000-memory.dmp

Filesize
4KB

Download
memory/2732-87-0x00000196FDCA0000-0x00000196FDCA1000-memory.dmp

Filesize
4KB

Download