18d50f05499e3311fa811582868c234924fef1e271586bdaac4403856f125ab5

Analysis

max time kernel
113s
max time network
120s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
03/02/2024, 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gang nuker.py
Size

11.1MB
MD5

1c80ffbc9ec6f4b94e97c0061d4c5311
SHA1

199d4102b3203c5e2866bd636e7c7f5e1f22c6a4
SHA256

b71d0426e720edd06a7fde5bf5614cc47ee4051ed26e074c2c82adf360af21a4
SHA512

5c4eac83f48c4b435b1fdbbd9ec638443dc0d0ad0a1907731730f57ac0e2cf6129898f0f620e163fdedf5e0ab894eef10e02a17c152eca3ad350ef4646d9455b
SSDEEP

12288:V2+8gwhNesLEuVNFXS1y8XAyr3NHwDbnPu3euBvMA3ntJMl/M6p2lMG3:FjwhN1EkNN69dHUbPLudT3B6W

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
4292	python-3.12.1-amd64.exe
4960	python-3.12.1-amd64.exe
1512	python-3.12.1-amd64.exe

Loads dropped DLL 1 IoCs

pid	Process
4960	python-3.12.1-amd64.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\{86e52725-ef45-452f-ac4c-b8958718bfea} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{86e52725-ef45-452f-ac4c-b8958718bfea}\\python-3.12.1-amd64.exe\" /burn.runonce"	python-3.12.1-amd64.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
118	3720	msiexec.exe
120	3720	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e585fb3.msi	msiexec.exe
File created	C:\Windows\Installer\e585fb8.msi	msiexec.exe
File created	C:\Windows\Installer\e585fb4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6F07.tmp	msiexec.exe
File created	C:\Windows\Installer\e585fc7.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e585fbd.msi	msiexec.exe
File created	C:\Windows\Installer\e585fc2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID3D2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e585faf.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8C53CBDD-4DAF-426F-9478-6C7C2920CDDA}	msiexec.exe
File opened for modification	C:\Windows\Installer\e585fb9.msi	msiexec.exe
File created	C:\Windows\Installer\e585fbe.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e585fbe.msi	msiexec.exe
File created	C:\Windows\Installer\e585faf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{AC82C1A3-9597-40F2-893D-F02F778FBA4D}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI64B0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e585fb4.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{44BC9F9C-15C2-46C1-B88D-3135A9DA555F}	msiexec.exe
File opened for modification	C:\Windows\Installer\e585fc3.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6A41.tmp	msiexec.exe
File created	C:\Windows\Installer\e585fb9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7ED9.tmp	msiexec.exe
File created	C:\Windows\Installer\e585fc3.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E309AE00-4FB1-4817-9172-7E198668375D}	msiexec.exe
File opened for modification	C:\Windows\Installer\e585fc8.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{47957EE3-0E23-4075-B825-F202E913670F}	msiexec.exe
File created	C:\Windows\Installer\e585fc8.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{AC82C1A3-9597-40F2-893D-F02F778FBA4D}	python-3.12.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{44BC9F9C-15C2-46C1-B88D-3135A9DA555F}\ = "{44BC9F9C-15C2-46C1-B88D-3135A9DA555F}"	python-3.12.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{44BC9F9C-15C2-46C1-B88D-3135A9DA555F}\Dependents\{86e52725-ef45-452f-ac4c-b8958718bfea}	python-3.12.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{44BC9F9C-15C2-46C1-B88D-3135A9DA555F}\Dependents	python-3.12.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents\{86e52725-ef45-452f-ac4c-b8958718bfea}	python-3.12.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{AC82C1A3-9597-40F2-893D-F02F778FBA4D}\Dependents\{86e52725-ef45-452f-ac4c-b8958718bfea}	python-3.12.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{44BC9F9C-15C2-46C1-B88D-3135A9DA555F}\Version = "3.12.1150.0"	python-3.12.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{8C53CBDD-4DAF-426F-9478-6C7C2920CDDA}	python-3.12.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{E309AE00-4FB1-4817-9172-7E198668375D}\ = "{E309AE00-4FB1-4817-9172-7E198668375D}"	python-3.12.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\CPython-3.12\ = "{86e52725-ef45-452f-ac4c-b8958718bfea}"	python-3.12.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{AC82C1A3-9597-40F2-893D-F02F778FBA4D}\Version = "3.12.1150.0"	python-3.12.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{AC82C1A3-9597-40F2-893D-F02F778FBA4D}\DisplayName = "Python 3.12.1 Core Interpreter (64-bit)"	python-3.12.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{47957EE3-0E23-4075-B825-F202E913670F}\Dependents\{86e52725-ef45-452f-ac4c-b8958718bfea}	python-3.12.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{E309AE00-4FB1-4817-9172-7E198668375D}\Version = "3.12.1150.0"	python-3.12.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies	python-3.12.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\CPython-3.12\Version = "3.12.1150.0"	python-3.12.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents	python-3.12.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{AC82C1A3-9597-40F2-893D-F02F778FBA4D}\Dependents	python-3.12.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{8C53CBDD-4DAF-426F-9478-6C7C2920CDDA}\Version = "3.12.1150.0"	python-3.12.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{8C53CBDD-4DAF-426F-9478-6C7C2920CDDA}\Dependents	python-3.12.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{47957EE3-0E23-4075-B825-F202E913670F}	python-3.12.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{62667662-A580-409C-8044-55B06F774AE2}\ = "{62667662-A580-409C-8044-55B06F774AE2}"	python-3.12.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\CPython-3.12\DisplayName = "Python 3.12.1 (64-bit)"	python-3.12.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{AC82C1A3-9597-40F2-893D-F02F778FBA4D}\ = "{AC82C1A3-9597-40F2-893D-F02F778FBA4D}"	python-3.12.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{8C53CBDD-4DAF-426F-9478-6C7C2920CDDA}\Dependents\{86e52725-ef45-452f-ac4c-b8958718bfea}	python-3.12.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{E309AE00-4FB1-4817-9172-7E198668375D}\Dependents\{86e52725-ef45-452f-ac4c-b8958718bfea}	python-3.12.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{62667662-A580-409C-8044-55B06F774AE2}	python-3.12.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{62667662-A580-409C-8044-55B06F774AE2}\DisplayName = "Python 3.12.1 Documentation (64-bit)"	python-3.12.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{47957EE3-0E23-4075-B825-F202E913670F}\Dependents	python-3.12.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{E309AE00-4FB1-4817-9172-7E198668375D}\Dependents	python-3.12.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{62667662-A580-409C-8044-55B06F774AE2}\Version = "3.12.1150.0"	python-3.12.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{44BC9F9C-15C2-46C1-B88D-3135A9DA555F}	python-3.12.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{8C53CBDD-4DAF-426F-9478-6C7C2920CDDA}\ = "{8C53CBDD-4DAF-426F-9478-6C7C2920CDDA}"	python-3.12.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{8C53CBDD-4DAF-426F-9478-6C7C2920CDDA}\DisplayName = "Python 3.12.1 Development Libraries (64-bit)"	python-3.12.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{47957EE3-0E23-4075-B825-F202E913670F}\ = "{47957EE3-0E23-4075-B825-F202E913670F}"	python-3.12.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{E309AE00-4FB1-4817-9172-7E198668375D}\DisplayName = "Python 3.12.1 Test Suite (64-bit)"	python-3.12.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\CPython-3.12	python-3.12.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer	python-3.12.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{44BC9F9C-15C2-46C1-B88D-3135A9DA555F}\DisplayName = "Python 3.12.1 Executables (64-bit)"	python-3.12.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{47957EE3-0E23-4075-B825-F202E913670F}\Version = "3.12.1150.0"	python-3.12.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{47957EE3-0E23-4075-B825-F202E913670F}\DisplayName = "Python 3.12.1 Standard Library (64-bit)"	python-3.12.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Installer\Dependencies\{E309AE00-4FB1-4817-9172-7E198668375D}	python-3.12.1-amd64.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\python-3.12.1-amd64.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4588	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4640	firefox.exe
Token: SeDebugPrivilege	4640	firefox.exe
Token: SeBackupPrivilege	2832	vssvc.exe
Token: SeRestorePrivilege	2832	vssvc.exe
Token: SeAuditPrivilege	2832	vssvc.exe
Token: SeShutdownPrivilege	4960	python-3.12.1-amd64.exe
Token: SeIncreaseQuotaPrivilege	4960	python-3.12.1-amd64.exe
Token: SeSecurityPrivilege	3720	msiexec.exe
Token: SeCreateTokenPrivilege	4960	python-3.12.1-amd64.exe
Token: SeAssignPrimaryTokenPrivilege	4960	python-3.12.1-amd64.exe
Token: SeLockMemoryPrivilege	4960	python-3.12.1-amd64.exe
Token: SeIncreaseQuotaPrivilege	4960	python-3.12.1-amd64.exe
Token: SeMachineAccountPrivilege	4960	python-3.12.1-amd64.exe
Token: SeTcbPrivilege	4960	python-3.12.1-amd64.exe
Token: SeSecurityPrivilege	4960	python-3.12.1-amd64.exe
Token: SeTakeOwnershipPrivilege	4960	python-3.12.1-amd64.exe
Token: SeLoadDriverPrivilege	4960	python-3.12.1-amd64.exe
Token: SeSystemProfilePrivilege	4960	python-3.12.1-amd64.exe
Token: SeSystemtimePrivilege	4960	python-3.12.1-amd64.exe
Token: SeProfSingleProcessPrivilege	4960	python-3.12.1-amd64.exe
Token: SeIncBasePriorityPrivilege	4960	python-3.12.1-amd64.exe
Token: SeCreatePagefilePrivilege	4960	python-3.12.1-amd64.exe
Token: SeCreatePermanentPrivilege	4960	python-3.12.1-amd64.exe
Token: SeBackupPrivilege	4960	python-3.12.1-amd64.exe
Token: SeRestorePrivilege	4960	python-3.12.1-amd64.exe
Token: SeShutdownPrivilege	4960	python-3.12.1-amd64.exe
Token: SeDebugPrivilege	4960	python-3.12.1-amd64.exe
Token: SeAuditPrivilege	4960	python-3.12.1-amd64.exe
Token: SeSystemEnvironmentPrivilege	4960	python-3.12.1-amd64.exe
Token: SeChangeNotifyPrivilege	4960	python-3.12.1-amd64.exe
Token: SeRemoteShutdownPrivilege	4960	python-3.12.1-amd64.exe
Token: SeUndockPrivilege	4960	python-3.12.1-amd64.exe
Token: SeSyncAgentPrivilege	4960	python-3.12.1-amd64.exe
Token: SeEnableDelegationPrivilege	4960	python-3.12.1-amd64.exe
Token: SeManageVolumePrivilege	4960	python-3.12.1-amd64.exe
Token: SeImpersonatePrivilege	4960	python-3.12.1-amd64.exe
Token: SeCreateGlobalPrivilege	4960	python-3.12.1-amd64.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
864	NOTEPAD.EXE
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4960	python-3.12.1-amd64.exe
4960	python-3.12.1-amd64.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
4588	OpenWith.exe
4588	OpenWith.exe
4588	OpenWith.exe
4588	OpenWith.exe
4588	OpenWith.exe
4588	OpenWith.exe
4588	OpenWith.exe
4588	OpenWith.exe
4588	OpenWith.exe
4588	OpenWith.exe
4588	OpenWith.exe
4588	OpenWith.exe
4588	OpenWith.exe
4588	OpenWith.exe
4588	OpenWith.exe
4588	OpenWith.exe
4588	OpenWith.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe
4640	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 864	4588	OpenWith.exe	73
PID 4588 wrote to memory of 864	4588	OpenWith.exe	73
PID 512 wrote to memory of 4640	512	firefox.exe	76
PID 512 wrote to memory of 4640	512	firefox.exe	76
PID 512 wrote to memory of 4640	512	firefox.exe	76
PID 512 wrote to memory of 4640	512	firefox.exe	76
PID 512 wrote to memory of 4640	512	firefox.exe	76
PID 512 wrote to memory of 4640	512	firefox.exe	76
PID 512 wrote to memory of 4640	512	firefox.exe	76
PID 512 wrote to memory of 4640	512	firefox.exe	76
PID 512 wrote to memory of 4640	512	firefox.exe	76
PID 512 wrote to memory of 4640	512	firefox.exe	76
PID 512 wrote to memory of 4640	512	firefox.exe	76
PID 4640 wrote to memory of 1944	4640	firefox.exe	77
PID 4640 wrote to memory of 1944	4640	firefox.exe	77
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2788	4640	firefox.exe	78
PID 4640 wrote to memory of 2168	4640	firefox.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\gang nuker.py"
1⤵
- Modifies registry class
PID:168

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\gang nuker.py
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:864

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:512
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.0.2027635325\2135859905" -parentBuildID 20221007134813 -prefsHandle 1648 -prefMapHandle 1664 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f79fff4-daa6-4586-b60f-b67fbd57defe} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 1764 169fe1edf58 gpu
    3⤵
    PID:1944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.1.1854237120\1926775756" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2e84a8b-cbdf-4f73-a7e3-79fc69e8152d} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 2120 169ebe72258 socket
    3⤵
    - Checks processor information in registry
    PID:2788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.2.1813899411\1391756020" -childID 1 -isForBrowser -prefsHandle 2776 -prefMapHandle 2608 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {875d1fa7-0228-417b-975d-45192448b9a8} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 2948 1698289e558 tab
    3⤵
    PID:2168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.3.69636436\1404179515" -childID 2 -isForBrowser -prefsHandle 3468 -prefMapHandle 3464 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {444b012a-3f44-4faa-a081-2b8a5431c1ba} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 3476 1698363a758 tab
    3⤵
    PID:3224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.4.1523176497\429447767" -childID 3 -isForBrowser -prefsHandle 4024 -prefMapHandle 4216 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60e79357-ec1d-4c2a-85ef-74bcd1d2314f} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 4228 169846d6658 tab
    3⤵
    PID:4960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.5.1338934710\739257454" -childID 4 -isForBrowser -prefsHandle 4852 -prefMapHandle 4844 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {da4e0866-9f44-4b76-b993-0fd21036a953} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 4840 169846d6358 tab
    3⤵
    PID:4496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.7.454742338\2133452543" -childID 6 -isForBrowser -prefsHandle 5160 -prefMapHandle 5164 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {17ee3760-8f08-414f-a093-529b8e217370} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 5152 16984d13958 tab
    3⤵
    PID:2664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.6.1108262593\2012019920" -childID 5 -isForBrowser -prefsHandle 4988 -prefMapHandle 4992 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e9abc85-2a02-4d6a-ae94-74088b6c950a} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 4980 16984d12d58 tab
    3⤵
    PID:3464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.8.1062235316\1833918664" -childID 7 -isForBrowser -prefsHandle 5596 -prefMapHandle 5592 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cadfcb0b-3a89-44ff-8605-f062ea681d28} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 5336 16986021558 tab
    3⤵
    PID:3832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4640.9.1362855767\647821766" -childID 8 -isForBrowser -prefsHandle 4344 -prefMapHandle 4340 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c238b18-5dce-40f4-bbe6-4854b24afb2d} 4640 "\\.\pipe\gecko-crash-server-pipe.4640" 4836 16986512258 tab
    3⤵
    PID:5112
- - C:\Users\Admin\Downloads\python-3.12.1-amd64.exe
    "C:\Users\Admin\Downloads\python-3.12.1-amd64.exe"
    3⤵
    - Executes dropped EXE
    PID:4292
  - - C:\Windows\Temp\{B7B19BD8-DE84-4C67-9E90-5A6ECE977C99}\.cr\python-3.12.1-amd64.exe
      "C:\Windows\Temp\{B7B19BD8-DE84-4C67-9E90-5A6ECE977C99}\.cr\python-3.12.1-amd64.exe" -burn.clean.room="C:\Users\Admin\Downloads\python-3.12.1-amd64.exe" -burn.filehandle.attached=532 -burn.filehandle.self=528
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:4960
    - - C:\Windows\Temp\{1557389B-E404-4FA8-836C-09EB05BA62FD}\.be\python-3.12.1-amd64.exe
        
        "C:\Windows\Temp\{1557389B-E404-4FA8-836C-09EB05BA62FD}\.be\python-3.12.1-amd64.exe" -q -burn.elevated BurnPipe.{89B1997D-F08E-4C45-9320-50D4D1830F7B} {4B5F7632-C2B0-4325-9F77-1A966C69D5CB} 4960
        5⤵
        Executes dropped EXE
        
        PID:1512

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e585fb2.rbs

Filesize
8KB

MD5
959ea749558467fb3c80de80e618f9f4

SHA1
9676a6e03a0f4b87761f26efb16045a43e24615b

SHA256
8b780dd7c5bec1ccf0b6f7143da5cb518a7f02b1148495caa542b399826d1b62

SHA512
c1162d9bc0ed239d4e5ee82ddadad9c2e2318b04a85fded90014739e161e07dab79fbe36e11895ac16af65d37a26c0205b3c7f3572e99e9f562f9041d62084dc

Download Submit
C:\Config.Msi\e585fb7.rbs

Filesize
12KB

MD5
805127812c7cf6d4fb0b110fb9f933d0

SHA1
214d3e4ec05e878dbb360001a35b508ae9cf7547

SHA256
f2d349b914f64003550ce7065307da250473d274cc0bc8daa55974e0132f59f7

SHA512
fff4b0bdce18db237e8d4458a9ca7305e7002de896bab9ec2974787d7032a00d8b19c5b8f8ec583190b910695d9fa9dd2f2e3f6577fc38e906a4d81b0c915d65

Download Submit
C:\Config.Msi\e585fbc.rbs

Filesize
50KB

MD5
efb214154f4b8736851849f36b0a3afe

SHA1
aeb7952220b4c7102b7edd4754e00b11576111fa

SHA256
fadfb2bcbab7a1dbe1fe82b87529b97aec5ca17b283b6acecf9e51732e0d93d9

SHA512
25f9107dd4bbfe320f76f9381b47cf6b745821c54ba493debf54da17552d8263a1ba832d4f7ea2e86b3723667f43563a884659351a4cf9e31a25f3db62371a0c

Download Submit
C:\Config.Msi\e585fc1.rbs

Filesize
138KB

MD5
74a71e12f4a25204f915ad5332ff9bec

SHA1
689b17da7b06aa4dd6e20f218ee3e8eff1603172

SHA256
89caabc4df66d9e9f3f2852cc09489177596f28c782f22a6e2263e3a5dfdd1fa

SHA512
ccd55101362e90708afb8ff2e12136406142f0ef80acf00e58330ed70cc652e5ef4476dd17136ab7e5b7d8b6f05607598e428b471de7e2d2c9050fca517b0fe7

Download Submit
C:\Config.Msi\e585fc6.rbs

Filesize
344KB

MD5
d476801468202c7aefbe8d30c77eb70a

SHA1
4f4ccc6e193027dac4851a10ef88691f4bff9c90

SHA256
cffc9db520c4138bb658f1ed958299d2bacbcd1bb219608c5604c4319b8c08fe

SHA512
39921690e93e297b348ce258582bf7b8eacb54fd17a00dadc79ee514a680e3139127ade52e1f81deea0808a1517a93b4f03a73f9239550da37aef279f430b2f1

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\doc_JustForMe

Filesize
5.4MB

MD5
889c3ca7c1c9a219885107dada45d964

SHA1
94a1aea8364c83c760c2326fa132e022dae26b52

SHA256
5a5ed8845c657e9da8295212f1d5707963fda0d24cfbc00dd98759d6cbdb94a0

SHA512
493b5c8c0249f84d3138d3aed392a4b19240414b52507d3a6ca9e934f648d304b59b104646551d029aa81174f32f2f6207c4709f8f31f9b4041ead4a6603eff7

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\lib_JustForMe

Filesize
7.3MB

MD5
edbce3c99323313366b3e8cae2ed1d19

SHA1
80aeadfc615b28bd9a203907412732a105920856

SHA256
da44635c27a805e8880becf8c37a3adc409acdaa29f7a6885120065bcef74c62

SHA512
8cecfd485d86efe6afb121e9db9bf852e26505f59a4896b54cba543e342de306ec4d1f2668b781be7635593442b3d9d657cc440b724ec72470e579430469a3f5

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\tcltk_JustForMe

Filesize
3.4MB

MD5
bd4312bc8b66a9c14327500cbe037f3e

SHA1
9b1b58906a2513f04a822b4f1e0e4c89aee27a5d

SHA256
3644168e49612b0ed467aa1416616290f0c910282fab6b82543afc824f725eac

SHA512
3471de112ed44aee1d39fdc4780990dfdbe08c60802c38aa8c5d9b71097813f6923e42f683e942fc37a40aac54460b8b540b9499731af46662fad41adb5cca88

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{44BC9F9C-15C2-46C1-B88D-3135A9DA555F}v3.12.1150.0\exe.msi

Filesize
708KB

MD5
b9eb5c9415e84a234670557b9613a71b

SHA1
bdfe86c5aef22dec6cfa53f7e509c72976ecdb74

SHA256
0ce054fd3b18729f80a14766863b7e5de41baccb100207129f7911cad7ef6cbc

SHA512
affd39a5ce33584a27406fe55af168439da951755599c9ae7e578d96fd51fa6b30ca29cd671d4eb62eb8171fbaf2ce0d151bfe3c303596eae4565d719d3201e4

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{8C53CBDD-4DAF-426F-9478-6C7C2920CDDA}v3.12.1150.0\dev.msi

Filesize
384KB

MD5
c4ef8e7aa4296dd06e47baefb8e786b2

SHA1
264fee3a5939b54794ec026835b4d28ebb239566

SHA256
b84cc0b7e358618c83d2c462e9777937468821ef1a510fe308d347b441a99dd6

SHA512
53f960efa09a6da92c4708bad66fba09fc30c9d42f9fc86ec10bbc64cece0a2b053af71af95d8fbc82af89e8f52e4bbab19d5de945bf4836ce6c1cc3b0a05232

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{AC82C1A3-9597-40F2-893D-F02F778FBA4D}v3.12.1150.0\core.msi

Filesize
2.0MB

MD5
63c5d6e5e0008838966824eeffde79e3

SHA1
423de7e669755943243e32b920f87a900c086a8e

SHA256
26e5200cd208f1461a3b7f542d47a2ff898c70576da5e25f73082e8b8a434994

SHA512
5ebbdf45e5ecdbf470e3daddb612c58ef16dddd584c31b748ce236663eccc26243fc48b514c22ed122e178b43ed28123b6fdd2e517e0e1505f8140f01ebe6dd5

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{E309AE00-4FB1-4817-9172-7E198668375D}v3.12.1150.0\test.msi

Filesize
5.3MB

MD5
9549ced5dd8186cd0b7b86745a4c9aaa

SHA1
3034b9ef4040db6c769e08b1014ef301cf045d3a

SHA256
60b49745541d2b6f34c79feb116c6d4c12e9f3b12ab5ecb3e69b0186ab9e8f7e

SHA512
dfc686109bfb4a11607eb863833445dc968b6916e2eb84eb71edf51b335a594042d6d9382065bb059bf869ade532b53fe5e3599865a71ea29cac8c7d13ea2b4c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python312\Lib\test\test_importlib\frozen\__init__.py

Filesize
147B

MD5
c3239b95575b0ad63408b8e633f9334d

SHA1
7dbb42dfa3ca934fb86b8e0e2268b6b793cbccdc

SHA256
6546a8ef1019da695edeca7c68103a1a8e746d88b89faf7d5297a60753fd1225

SHA512
5685131ad55f43ab73afccbef69652d03bb64e6135beb476bc987f316afe0198157507203b9846728bc7ea25bc88f040e7d2cb557c9480bac72f519d6ba90b25

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python312\Lib\test\test_importlib\frozen\__main__.py

Filesize
62B

MD5
47878c074f37661118db4f3525b2b6cb

SHA1
9671e2ef6e3d9fa96e7450bcee03300f8d395533

SHA256
b4dc0b48d375647bcfab52d235abf7968daf57b6bbdf325766f31ce7752d7216

SHA512
13c626ada191848c31321c74eb7f0f1fde5445a82d34282d69e2b086ba6b539d8632c82bba61ff52185f75fec2514dad66139309835e53f5b09a3c5a2ebecff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.1 (64-bit)_20240203005529_000_core_JustForMe.log

Filesize
3KB

MD5
6edc44b9ddb1fed4cc8a8c2482b12e50

SHA1
f1f6b0c75bd91b88e3d3090dbfd1c145fad66dde

SHA256
645d340634de3546a38b9d65e7e19273a2eb52dc17750368ba04adcfc140e618

SHA512
4deb2bc2bd49c1c9b2d8620e2251260ceaaf3ef8416bf19376a3beaa877098b1b304572e41b7442176cf4fec9b95ce0b24a3f26eb0a54fbae138011f08f31957

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.1 (64-bit)_20240203005529_001_exe_JustForMe.log

Filesize
1KB

MD5
f37566d1bef44e7383b91f4797a4811b

SHA1
403da82b9c2b0dae0adc7b34c6c58a186d18cc97

SHA256
3c1c0fca67cc54c877d603c2f4181f00f9f51bf158ec587866894542897d9e1d

SHA512
3b539732bbd0824a074c95c9fb5084685f86417d155b1c205c14f296d936bfecd8db38c5659e9f90c2c27439384fc5e294e0a862389d7451fbe906252f4aff36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.1 (64-bit)_20240203005529_002_dev_JustForMe.log

Filesize
1KB

MD5
cee150b190b8de669f4cad2d5ae43a0a

SHA1
23e1ce1860e69021c6cae2d7556a13f01887ac04

SHA256
59913953255f1a6696fc301e68f63ac610f6793f0dd9d384420b9fd83a45ecdd

SHA512
00bca9f5c406201e791042722b8c3d2a5cff78280edd67285c5c21b8c17fbf2834ab29a5e032b8cba7ff44beacf458ca237efd61861ca138047e45b926b0df0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.1 (64-bit)_20240203005529_003_lib_JustForMe.log

Filesize
1KB

MD5
50860cd21721b0daae6f5224cf56359a

SHA1
6bd01df6946ddc5685ec48b9de61f329477d5f77

SHA256
95433395b6039d08bb346ac7adf869b96fd50556e2db272082b9f690e52876af

SHA512
43d625f19597ec656e45b22f0572d35df445b4bed28a041b097d6d89d24b07bd36b200486bbb6c3d2d7e6c70eb52bb117d95936805cb27ab93e4412c0f069e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.1 (64-bit)_20240203005529_004_test_JustForMe.log

Filesize
1KB

MD5
3133795167d0816ca8bea052190882b3

SHA1
0c1e3b175ed449542cb170a4f344e70e3646e319

SHA256
8fa083dcc13ee453f8651896c39208ebcdb66bf08077735dfa8c3c419daf7283

SHA512
4c2b3933cef60a826744e3e9ab178bad27288a079cbca9e1128b506c16143bd7ff1753f57ae0411571d6d6a65de2684749ee4b48032ec142380a8c5b0441baab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.1 (64-bit)_20240203005529_005_doc_JustForMe.log

Filesize
1KB

MD5
079f8d0269ea239d2a47537b2d27d278

SHA1
c3e3a87010c83f2d07b8308b67702df84bdf9c63

SHA256
ccc087fa1734c337e2ceedd3aeb1cecd1964762f1563ce90ba5e4222d1b094f7

SHA512
b2887b7b35c1dfd4d249db7feb94b5d8a5a7f40108bd931104097d17d926a19c0fa36a959c8de20fccfd02f973b44c3b15396f89bb2156cc156109a878e94f76

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\45vkl36a.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
549a1ed635df2661ac6470fbb5d6ed26

SHA1
2398b5a70370dfafe2ce5afcce3d9c4a8d973d69

SHA256
6c293c3cc167e583821ae557c5ebffc675b6d03b1a94b66c5dedb25bb4951101

SHA512
af0e8a41e086c27c0da6623b3ceb4d4b7fbea00939d02ad16c27ab42936ef84b4c3da001289f2275b51855e117c18f524470ceced457a7d1c19d030527db1410

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\45vkl36a.default-release\datareporting\glean\pending_pings\d10335b5-3cbf-451d-8975-5560ef587b31

Filesize
734B

MD5
89139773f03827c71d427c43492e2230

SHA1
2f82363f1498d26dd982c6a3ac2f0889ffc2453a

SHA256
e3a6b7c19a5070d3f65accc9085c9b38810a19c5a85f5b3fdb3959328a5f8bc3

SHA512
b77380dc66040943eebe280328736f8d895011f85f4f26f0715c115a6067591661bc662777feb32cdaccd6922244cf73054361475d9f03fb9b94100037841ede

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\45vkl36a.default-release\prefs-1.js

Filesize
6KB

MD5
8aeb6aae5a7352338d6102365e4426e9

SHA1
194bd764b8bc2ca9bbd3e6ab8831a84366d1dd0e

SHA256
137db19864f807aaf6ef72d038657fe85ff441dad42e5404539c87747fdf45ba

SHA512
d83b2e08dd33413acb33a523d75ac82b596f3c5141f4e318943cf9e3e1e44c053bb065b235c059a00fb074996f7e67f195c35d40d6a91621fb7cee84f4df2135

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\45vkl36a.default-release\prefs-1.js

Filesize
6KB

MD5
50a92bf30a1f85c0ecfd4da0d4e788ef

SHA1
149e292ef25f99f4621ebaaf798a2782bce87a13

SHA256
cf121c966a14788ec1efe0e03678a8eb819a85dbcf98cefc03cad20b41458f68

SHA512
b9407ded8d234a9f25dcfa28cfa1a183cc26792764e508fd6d482ad22d0d5cbeb8ca877a76e6944ed3e95811c3546127a78f7738eb01f1718024062309fae097

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\45vkl36a.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\45vkl36a.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
5a23e1b06c0bbe727daebede4d90f678

SHA1
97d37707a715ec668dd0caa251fb2b4699d64b84

SHA256
16e32af085727c0f46202b2b0c19f48a35daff31889172871c10d1389f89dbc5

SHA512
7fa864455bdf084e2d26d002e32b8bbe20166b6f54e06719d184bd1712af1c559e75881b6a5bb66fc467f885622b138ece30fc486135ffb6ca35cb778d08e0ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\45vkl36a.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
759525bda2b40e2c886e5f3549d90acc

SHA1
b0cc38e8f3f4b936f4b9601e7ab11e4e3f5c69c0

SHA256
b4c4a8fcdefa1247948d180bb20e2eac00bf86e0fdc5713d025941ec271bd052

SHA512
1801a2b394325e7030b07d02776132d7109e197fd1c134f36ed97b742b483248b5ea4a942092db1c54c5bcb961f50caa614c7b186e0664da060253b90c06639a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\45vkl36a.default-release\sessionstore.jsonlz4

Filesize
11KB

MD5
9efef534bd30e16f1d2d6e5424475233

SHA1
843baa7c98c9a1115d1d67d9a6c838942ed29c2c

SHA256
0484adac404584e5fa096f3b9f7c1fc27b9de82c6b86582a4fcfb0be25242367

SHA512
c6c2ad7e777b75ecdf6f4c2257bcea959d16887d124dbd898d237d3cf1ff5a3c6c21431ccd8486d402b53626b791c8cbca2fe8ad3a898064846c2f86e69401b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\45vkl36a.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
16fd0b758b4a0a47ff93df8ddde3ac75

SHA1
eb1ece5efe6519992ceb826ac2b74ab33234cb1e

SHA256
df190394b93b692df76a77124cc1cd8fdea37465a20006f9e79531ca3a349ff2

SHA512
f9c777765df4f29d054bec4acbb1c7060f1d5a46522e2cddea2a1116317d0cb997f6d6a64f39a78e1a25d7f4d4f1262c6df5231f6ca41e4617937992d7f3b8f4

Download Submit
C:\Users\Admin\Downloads\python-3.12.1-amd64.exe

Filesize
25.4MB

MD5
3e3b6550e58772d324f7519bfa8066dc

SHA1
0ab0169635dbf038775aeb286d59df394afa81b1

SHA256
2437d83db04fb272af8de65eead1a2fc416b9fac3f6af9ce51a627e32b4fe8f8

SHA512
f7c70d8df4bb1dd8887cbf369812dbd6f9f5f16fbddfa813cae71129a8ab57038376f7753ac1a05711e8ef2958bf4799338301579faae6c1d061063cda208c24

Download Submit
C:\Windows\Temp\{1557389B-E404-4FA8-836C-09EB05BA62FD}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
C:\Windows\Temp\{1557389B-E404-4FA8-836C-09EB05BA62FD}\launcher_AllUsers

Filesize
540KB

MD5
6ecf7757be53123e63dc80ff9a46be2e

SHA1
270d3d5cd04b4a1dc69c328ce0a683f3117a6383

SHA256
07d206c3fd638887bec1319e6464c6337ce253dfc14d03b7ab173132003ff8ec

SHA512
3cb06967b6d3fd827cd656c7008bd2deb9737f62b9066930cf55752fd8fa416fea587b85c1d7ae602bcd56fb14e9d190c1617ceed071fee66c58d5f4d0ebafe3

Download Submit
C:\Windows\Temp\{1557389B-E404-4FA8-836C-09EB05BA62FD}\pip_JustForMe

Filesize
268KB

MD5
d7cf20812bb818524f6d3615144d9f55

SHA1
45f160b3daa06833142b2d1d0c3dad3a784d7aa2

SHA256
e0d537a92a6dd87f6a8edc31b7fc423e5063ebbb6f6ae11657b0258b74e1d598

SHA512
ee2bfa97318163b17ab41b5c64823168bd9d0b0f8a8ac796f067cd9ffb87043215ffd05d86b001b4a5b052d68539aff487fc1e89491cd0cbf47c27f404756bd6

Download Submit
C:\Windows\Temp\{B7B19BD8-DE84-4C67-9E90-5A6ECE977C99}\.cr\python-3.12.1-amd64.exe

Filesize
858KB

MD5
a550379c156f0740ee642d8d1051bc6b

SHA1
a752892c15e7272e54bf85888033d39bc0a42678

SHA256
76d8f0d64bd4006fc84e6be1a87515f30f23f5733d43d3439b42ece10c19b61e

SHA512
1090a5c58a09a4fc08267eceed70ac0ccbed5a83d4a177f486e3d5fbea3a5c3b01342eb087a17ec68947ffbb053de94639cae5969a51f7a4c089d2208c72920d

Download Submit
\Windows\Temp\{1557389B-E404-4FA8-836C-09EB05BA62FD}\.ba\PythonBA.dll

Filesize
675KB

MD5
df09402727865d10374dc381e16d3b1a

SHA1
1d05751be64fb7541172d608f2fb2e3eec3145e8

SHA256
6f8d9a394d58bb41ae7e40732fd06d33d53aaa12905c2db78cee29c319d9f748

SHA512
87fcc2c443a1fc5c477ef14001aaae791d1c532c80450bd9477e62e9b8ef572195a84b712c98ced576204f17c74f7e479e4f52ae837ead2e8178b1989faa235a

Download Submit