803e6d299ab9239cd3a68219edd285433eb625b28bdb056bc54b507ff92c71d1

Analysis

max time kernel
129s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2024 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

creal.py
Size

42KB
MD5

29198d66a396295aecd774053e5ded02
SHA1

0da5fdb00aefa2ef2bed6ffe614a88caf6483b75
SHA256

803e6d299ab9239cd3a68219edd285433eb625b28bdb056bc54b507ff92c71d1
SHA512

47dbfa3f5e112694ae91cd182470bd209cadd835f9fe8d0b07edf72fe5ff018ac8dadae27bfeea7fae7e4dfb7507afdb3a2adbad542916d5f2cfe0bf66333091
SSDEEP

768:IRDAWRqnXeihOCSlqLCxzAj6VppDPi7WA:IRkWRqnhhFSQLhmVpoWA

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4984	python-3.12.2-amd64.exe
3104	python-3.12.2-amd64.exe

Loads dropped DLL 1 IoCs

pid	Process
3104	python-3.12.2-amd64.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{b6178a40-1665-4565-b73e-48dd6e039a65} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{b6178a40-1665-4565-b73e-48dd6e039a65}\\python-3.12.2-amd64.exe\" /burn.runonce"	python-3.12.2-amd64.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
119	3088	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI3CB1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e59319a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI52CC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7113.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e593195.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e5931a8.msi	msiexec.exe
File created	C:\Windows\Installer\e59319e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI456E.tmp	msiexec.exe
File created	C:\Windows\Installer\e593195.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e593199.msi	msiexec.exe
File created	C:\Windows\Installer\e59319f.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{F131E2DD-B8C5-42F3-85B7-3D4BAC9582CD}	msiexec.exe
File created	C:\Windows\Installer\e5931a4.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{4534F2ED-1616-434D-98A6-0DA358DCD466}	msiexec.exe
File created	C:\Windows\Installer\SourceHash{94087C99-E4F5-4637-A789-3B6059DF787B}	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E172CAF3-ABC7-4B62-BA8C-3A2472DE44F6}	msiexec.exe
File created	C:\Windows\Installer\e5931a9.msi	msiexec.exe
File created	C:\Windows\Installer\e59319a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5931a9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5931a4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI400E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e59319f.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{097D2A37-E94B-4FAD-8C89-D63443BD4D4A}	msiexec.exe
File created	C:\Windows\Installer\e5931a3.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{4534F2ED-1616-434D-98A6-0DA358DCD466}\DisplayName = "Python 3.12.2 Core Interpreter (64-bit)"	python-3.12.2-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{E172CAF3-ABC7-4B62-BA8C-3A2472DE44F6}\Dependents\{b6178a40-1665-4565-b73e-48dd6e039a65}	python-3.12.2-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{F131E2DD-B8C5-42F3-85B7-3D4BAC9582CD}\DisplayName = "Python 3.12.2 Development Libraries (64-bit)"	python-3.12.2-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{E172CAF3-ABC7-4B62-BA8C-3A2472DE44F6}\DisplayName = "Python 3.12.2 Standard Library (64-bit)"	python-3.12.2-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{94087C99-E4F5-4637-A789-3B6059DF787B}	python-3.12.2-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents	python-3.12.2-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{097D2A37-E94B-4FAD-8C89-D63443BD4D4A}\ = "{097D2A37-E94B-4FAD-8C89-D63443BD4D4A}"	python-3.12.2-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{4534F2ED-1616-434D-98A6-0DA358DCD466}\Dependents\{b6178a40-1665-4565-b73e-48dd6e039a65}	python-3.12.2-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{F131E2DD-B8C5-42F3-85B7-3D4BAC9582CD}	python-3.12.2-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{F131E2DD-B8C5-42F3-85B7-3D4BAC9582CD}\Dependents	python-3.12.2-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{94087C99-E4F5-4637-A789-3B6059DF787B}\DisplayName = "Python 3.12.2 Test Suite (64-bit)"	python-3.12.2-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents\{b6178a40-1665-4565-b73e-48dd6e039a65}	python-3.12.2-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{4534F2ED-1616-434D-98A6-0DA358DCD466}	python-3.12.2-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{097D2A37-E94B-4FAD-8C89-D63443BD4D4A}	python-3.12.2-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{097D2A37-E94B-4FAD-8C89-D63443BD4D4A}\Dependents	python-3.12.2-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{94087C99-E4F5-4637-A789-3B6059DF787B}\ = "{94087C99-E4F5-4637-A789-3B6059DF787B}"	python-3.12.2-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\CPython-3.12\ = "{b6178a40-1665-4565-b73e-48dd6e039a65}"	python-3.12.2-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\CPython-3.12\DisplayName = "Python 3.12.2 (64-bit)"	python-3.12.2-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{097D2A37-E94B-4FAD-8C89-D63443BD4D4A}\Version = "3.12.2150.0"	python-3.12.2-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{F131E2DD-B8C5-42F3-85B7-3D4BAC9582CD}\Version = "3.12.2150.0"	python-3.12.2-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{E172CAF3-ABC7-4B62-BA8C-3A2472DE44F6}\Version = "3.12.2150.0"	python-3.12.2-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\CPython-3.12	python-3.12.2-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies	python-3.12.2-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\CPython-3.12\Version = "3.12.2150.0"	python-3.12.2-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{4534F2ED-1616-434D-98A6-0DA358DCD466}\Version = "3.12.2150.0"	python-3.12.2-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{4534F2ED-1616-434D-98A6-0DA358DCD466}\Dependents	python-3.12.2-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{E172CAF3-ABC7-4B62-BA8C-3A2472DE44F6}	python-3.12.2-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer	python-3.12.2-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{F131E2DD-B8C5-42F3-85B7-3D4BAC9582CD}\ = "{F131E2DD-B8C5-42F3-85B7-3D4BAC9582CD}"	python-3.12.2-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{E172CAF3-ABC7-4B62-BA8C-3A2472DE44F6}\Dependents	python-3.12.2-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{94087C99-E4F5-4637-A789-3B6059DF787B}\Version = "3.12.2150.0"	python-3.12.2-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{4534F2ED-1616-434D-98A6-0DA358DCD466}\ = "{4534F2ED-1616-434D-98A6-0DA358DCD466}"	python-3.12.2-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{097D2A37-E94B-4FAD-8C89-D63443BD4D4A}\Dependents\{b6178a40-1665-4565-b73e-48dd6e039a65}	python-3.12.2-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{E172CAF3-ABC7-4B62-BA8C-3A2472DE44F6}\ = "{E172CAF3-ABC7-4B62-BA8C-3A2472DE44F6}"	python-3.12.2-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{097D2A37-E94B-4FAD-8C89-D63443BD4D4A}\DisplayName = "Python 3.12.2 Executables (64-bit)"	python-3.12.2-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Installer\Dependencies\{F131E2DD-B8C5-42F3-85B7-3D4BAC9582CD}\Dependents\{b6178a40-1665-4565-b73e-48dd6e039a65}	python-3.12.2-amd64.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\python-3.12.2-amd64.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3088	msiexec.exe
3088	msiexec.exe
3088	msiexec.exe
3088	msiexec.exe
3088	msiexec.exe
3088	msiexec.exe
3088	msiexec.exe
3088	msiexec.exe
3088	msiexec.exe
3088	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4072	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	firefox.exe
Token: SeDebugPrivilege	2108	firefox.exe
Token: SeShutdownPrivilege	3104	python-3.12.2-amd64.exe
Token: SeIncreaseQuotaPrivilege	3104	python-3.12.2-amd64.exe
Token: SeSecurityPrivilege	3088	msiexec.exe
Token: SeCreateTokenPrivilege	3104	python-3.12.2-amd64.exe
Token: SeAssignPrimaryTokenPrivilege	3104	python-3.12.2-amd64.exe
Token: SeLockMemoryPrivilege	3104	python-3.12.2-amd64.exe
Token: SeIncreaseQuotaPrivilege	3104	python-3.12.2-amd64.exe
Token: SeMachineAccountPrivilege	3104	python-3.12.2-amd64.exe
Token: SeTcbPrivilege	3104	python-3.12.2-amd64.exe
Token: SeSecurityPrivilege	3104	python-3.12.2-amd64.exe
Token: SeTakeOwnershipPrivilege	3104	python-3.12.2-amd64.exe
Token: SeLoadDriverPrivilege	3104	python-3.12.2-amd64.exe
Token: SeSystemProfilePrivilege	3104	python-3.12.2-amd64.exe
Token: SeSystemtimePrivilege	3104	python-3.12.2-amd64.exe
Token: SeProfSingleProcessPrivilege	3104	python-3.12.2-amd64.exe
Token: SeIncBasePriorityPrivilege	3104	python-3.12.2-amd64.exe
Token: SeCreatePagefilePrivilege	3104	python-3.12.2-amd64.exe
Token: SeCreatePermanentPrivilege	3104	python-3.12.2-amd64.exe
Token: SeBackupPrivilege	3104	python-3.12.2-amd64.exe
Token: SeRestorePrivilege	3104	python-3.12.2-amd64.exe
Token: SeShutdownPrivilege	3104	python-3.12.2-amd64.exe
Token: SeDebugPrivilege	3104	python-3.12.2-amd64.exe
Token: SeAuditPrivilege	3104	python-3.12.2-amd64.exe
Token: SeSystemEnvironmentPrivilege	3104	python-3.12.2-amd64.exe
Token: SeChangeNotifyPrivilege	3104	python-3.12.2-amd64.exe
Token: SeRemoteShutdownPrivilege	3104	python-3.12.2-amd64.exe
Token: SeUndockPrivilege	3104	python-3.12.2-amd64.exe
Token: SeSyncAgentPrivilege	3104	python-3.12.2-amd64.exe
Token: SeEnableDelegationPrivilege	3104	python-3.12.2-amd64.exe
Token: SeManageVolumePrivilege	3104	python-3.12.2-amd64.exe
Token: SeImpersonatePrivilege	3104	python-3.12.2-amd64.exe
Token: SeCreateGlobalPrivilege	3104	python-3.12.2-amd64.exe
Token: SeRestorePrivilege	3088	msiexec.exe
Token: SeTakeOwnershipPrivilege	3088	msiexec.exe
Token: SeRestorePrivilege	3088	msiexec.exe
Token: SeTakeOwnershipPrivilege	3088	msiexec.exe
Token: SeRestorePrivilege	3088	msiexec.exe
Token: SeTakeOwnershipPrivilege	3088	msiexec.exe
Token: SeRestorePrivilege	3088	msiexec.exe
Token: SeTakeOwnershipPrivilege	3088	msiexec.exe
Token: SeRestorePrivilege	3088	msiexec.exe
Token: SeTakeOwnershipPrivilege	3088	msiexec.exe
Token: SeRestorePrivilege	3088	msiexec.exe
Token: SeTakeOwnershipPrivilege	3088	msiexec.exe
Token: SeRestorePrivilege	3088	msiexec.exe
Token: SeTakeOwnershipPrivilege	3088	msiexec.exe
Token: SeRestorePrivilege	3088	msiexec.exe
Token: SeTakeOwnershipPrivilege	3088	msiexec.exe
Token: SeRestorePrivilege	3088	msiexec.exe
Token: SeTakeOwnershipPrivilege	3088	msiexec.exe
Token: SeRestorePrivilege	3088	msiexec.exe
Token: SeTakeOwnershipPrivilege	3088	msiexec.exe
Token: SeRestorePrivilege	3088	msiexec.exe
Token: SeTakeOwnershipPrivilege	3088	msiexec.exe
Token: SeRestorePrivilege	3088	msiexec.exe
Token: SeTakeOwnershipPrivilege	3088	msiexec.exe
Token: SeRestorePrivilege	3088	msiexec.exe
Token: SeTakeOwnershipPrivilege	3088	msiexec.exe
Token: SeRestorePrivilege	3088	msiexec.exe
Token: SeTakeOwnershipPrivilege	3088	msiexec.exe
Token: SeRestorePrivilege	3088	msiexec.exe
Token: SeTakeOwnershipPrivilege	3088	msiexec.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2108	firefox.exe
2108	firefox.exe
2108	firefox.exe
2108	firefox.exe
2108	firefox.exe
2108	firefox.exe
3104	python-3.12.2-amd64.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2108	firefox.exe
2108	firefox.exe
2108	firefox.exe
2108	firefox.exe
2108	firefox.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
2108	firefox.exe
2108	firefox.exe
2108	firefox.exe
2108	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2108	2044	firefox.exe	91
PID 2044 wrote to memory of 2108	2044	firefox.exe	91
PID 2044 wrote to memory of 2108	2044	firefox.exe	91
PID 2044 wrote to memory of 2108	2044	firefox.exe	91
PID 2044 wrote to memory of 2108	2044	firefox.exe	91
PID 2044 wrote to memory of 2108	2044	firefox.exe	91
PID 2044 wrote to memory of 2108	2044	firefox.exe	91
PID 2044 wrote to memory of 2108	2044	firefox.exe	91
PID 2044 wrote to memory of 2108	2044	firefox.exe	91
PID 2044 wrote to memory of 2108	2044	firefox.exe	91
PID 2044 wrote to memory of 2108	2044	firefox.exe	91
PID 2108 wrote to memory of 488	2108	firefox.exe	92
PID 2108 wrote to memory of 488	2108	firefox.exe	92
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 1716	2108	firefox.exe	93
PID 2108 wrote to memory of 4056	2108	firefox.exe	94
PID 2108 wrote to memory of 4056	2108	firefox.exe	94
PID 2108 wrote to memory of 4056	2108	firefox.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\creal.py
1⤵
- Modifies registry class
PID:1244

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4072

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4344

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2108.0.189143535\452036158" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {29c97a85-291a-47d2-8552-53b5700fc493} 2108 "\\.\pipe\gecko-crash-server-pipe.2108" 1964 13ea77d7b58 gpu
    3⤵
    PID:488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2108.1.1423713582\1507908689" -parentBuildID 20221007134813 -prefsHandle 2348 -prefMapHandle 2344 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {097caef3-4744-4347-a742-ec3f5a5d4682} 2108 "\\.\pipe\gecko-crash-server-pipe.2108" 2364 13ea770cc58 socket
    3⤵
    PID:1716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2108.2.829643024\55633025" -childID 1 -isForBrowser -prefsHandle 3100 -prefMapHandle 2996 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {362d565c-cc7d-4dc5-9748-33f87d9a3bed} 2108 "\\.\pipe\gecko-crash-server-pipe.2108" 1668 13eab99db58 tab
    3⤵
    PID:4056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2108.3.1212722165\1104955930" -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 3500 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b7ed52f-9d1f-4ff1-b37e-666967edc728} 2108 "\\.\pipe\gecko-crash-server-pipe.2108" 3580 13e9af61358 tab
    3⤵
    PID:2504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2108.4.1112462934\1014819255" -childID 3 -isForBrowser -prefsHandle 3984 -prefMapHandle 3976 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54f28531-9929-4c1e-9a95-f412a6acd0a3} 2108 "\\.\pipe\gecko-crash-server-pipe.2108" 4008 13eac783458 tab
    3⤵
    PID:4336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2108.6.953810050\1588814617" -childID 5 -isForBrowser -prefsHandle 5332 -prefMapHandle 5336 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84c8f3f8-02cd-4163-91e3-85e4ba35e86f} 2108 "\\.\pipe\gecko-crash-server-pipe.2108" 5232 13eaeb17758 tab
    3⤵
    PID:3256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2108.5.1329819764\1364167283" -childID 4 -isForBrowser -prefsHandle 5192 -prefMapHandle 5200 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a012a53b-453c-4f0d-9d65-ed631fd102bf} 2108 "\\.\pipe\gecko-crash-server-pipe.2108" 5212 13eaa0eff58 tab
    3⤵
    PID:4148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2108.7.2123934032\973024235" -childID 6 -isForBrowser -prefsHandle 5524 -prefMapHandle 5528 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7ffa92b-6aa6-4f42-90b6-f014bc2298f2} 2108 "\\.\pipe\gecko-crash-server-pipe.2108" 5516 13eaeb17158 tab
    3⤵
    PID:4124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2108.8.2144967228\541718194" -childID 7 -isForBrowser -prefsHandle 5960 -prefMapHandle 5956 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {847d9064-4dbe-47ae-b422-5d310e0070cc} 2108 "\\.\pipe\gecko-crash-server-pipe.2108" 5972 13eaf5e5458 tab
    3⤵
    PID:3168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2108.9.128991316\656393204" -childID 8 -isForBrowser -prefsHandle 5260 -prefMapHandle 5276 -prefsLen 26646 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a921c66c-f549-4c0f-9b01-eb227f7e88a3} 2108 "\\.\pipe\gecko-crash-server-pipe.2108" 5272 13eaf9eb558 tab
    3⤵
    PID:1612
- - C:\Users\Admin\Downloads\python-3.12.2-amd64.exe
    "C:\Users\Admin\Downloads\python-3.12.2-amd64.exe"
    3⤵
    - Executes dropped EXE
    PID:4984
  - - C:\Windows\Temp\{926753CD-6D21-44A8-AA5A-08DF95430B24}\.cr\python-3.12.2-amd64.exe
      "C:\Windows\Temp\{926753CD-6D21-44A8-AA5A-08DF95430B24}\.cr\python-3.12.2-amd64.exe" -burn.clean.room="C:\Users\Admin\Downloads\python-3.12.2-amd64.exe" -burn.filehandle.attached=568 -burn.filehandle.self=540
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:3104

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e593198.rbs

Filesize
8KB

MD5
d2b3684ae414c39edbc33d3350614489

SHA1
8fb1bab9d48b1beba858b4680a189ccaecfe62b2

SHA256
97ae5d6a31068a681bbd2e83f4b19da58cf1cae63c2dc8fd2bfcfacf2b3fa5cc

SHA512
d15fcafa17d27b10f962784f15599795d654aa110051e2d401707a155a8118691541da7d56abe410e263a28b43c1d5a1aa10a3c5af5856cb880f012cdfa58ed8

Download Submit
C:\Config.Msi\e59319d.rbs

Filesize
12KB

MD5
88b037c66654eec3a65f154cd4634ba1

SHA1
9a6705214f5b8ab217a9c894ca6a26b9fe4f56f4

SHA256
730da30250d755bd476488bff131b5a58195ee851ef4328bd6eab46b768e9aa1

SHA512
1bff8e4ce4e882f088507ceef73ba84295d371dfe912aecf69caa54714b2b7ff96a9c0bb4f5e098f311c898c10919e130082932290d64bac9c70daff2f833d7b

Download Submit
C:\Config.Msi\e5931a2.rbs

Filesize
50KB

MD5
fe14c017621028d4f61fcaa6164613f9

SHA1
c38f458264e19b26e999c68b79dcfad997f3ef2e

SHA256
14822224435de1106ea8152ae8aa801cb491a42afa804500feb47cb36673a443

SHA512
518966e40091b85405e21360b3fb03504e558e473c2926580932c3c5279182bfb0ad9ea775bfc00578141c092ac477b16f1325073189a5b73c707f5736454359

Download Submit
C:\Config.Msi\e5931a7.rbs

Filesize
138KB

MD5
094748c90ad85926889391778aca1635

SHA1
07ea03ac7fff1715ba20dacfc7200204d844576a

SHA256
8f11be4c1b175ec6c5b87c749aa160de66740f92167d7c5a2c02d4837001393e

SHA512
480d6737c8fcc0defe5c1443f0f324bdf90bc144ae4a949ea005a91c22c474da7aad01c693dd6a3d12661af024fa03c4b025f6a086a51fee63278c3bb15ad683

Download Submit
C:\Config.Msi\e5931ac.rbs

Filesize
345KB

MD5
0be46b1261b5d760373fc6fb230b6efb

SHA1
4fccb88d3a217bca40de5f7d48c94e7cc81b157d

SHA256
86b03586d220e15970e720b97d677ce9fbd29f61cf6cdbc8d25c89a1221fb44d

SHA512
d50f9efa893b3bdd8394517ee092747fe8ebdbf900a27cbb8100c7911193d860d4954baa5028216297df975e09b2f9946c30daab85dbfa907b09526f5010df97

Download Submit
C:\Config.Msi\e5931b1.rbs

Filesize
130KB

MD5
0fd70c3c3243fba0aed987f5eb371f28

SHA1
2204c467a115bb23b51596ab0cafecdac3e763b5

SHA256
fc819cc6d2b940ec88aa61107e23f298995a19e53c0f5928b1ac51370aa7aa99

SHA512
7ac9b30484c2acece1c68a768bf3b1d8a53dfce2bcb2c2e2a380b1a681d6b533b3f0b83ee183f0011fd125e0bcc92343b178d3857cd0cbcdd87f953db3d5b5d6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\e2sf79v1.default-release\cache2\doomed\30173

Filesize
9KB

MD5
d2f9f5d2e1994cadc0400f2f602d5b97

SHA1
b5cc73f5d268f838d86c5ec9687905466561aeb7

SHA256
550a42263e002e89ae2bac67c4fb29b0c7bdcaafd5221a16fd9ec0110fa7c9e1

SHA512
f68aa81163d8818ef1b885d3ba86ad0f9eea9bdd23c86fb5d036a967eba84d505ee4f2a68302d6e57c16a7b48513c0c94b56678522ee48ed620a3c65c680eea0

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\doc_JustForMe

Filesize
2.6MB

MD5
828e8db82b2fc4f223848ea04ae15f3a

SHA1
a5334abf9811e94fbe7bd9f4105b28d8072dddb9

SHA256
6b3e900bbd3a0bcd6c20e1635ffda03faca759cc3ff2734cff7170f5237cee78

SHA512
c3533ac05278079dc76a4763ebdbc4b457b7687dadddffbb49b76968c6b95278e8218384026f8b93c30f7ef4213eb0a8ec74fd1e97d69487cbe635fa11761ca9

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\lib_JustForMe

Filesize
52KB

MD5
108d02477bbe40ad51fe4940c3c51c05

SHA1
04afa74d7ad6c5105fbb23bd16d3866619e01e8e

SHA256
5cc257ab5aa833d64057822904e2d905b66ceb9def40bce6bb92f863ea498748

SHA512
da27751b51dab3519712441a0b9af958201438735298a954a967aef1b9ef170c2de3c22ac2ff368ef7e2c9afbca35cc423071ea8e3664278d66061fe8b94ad4c

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\tcltk_JustForMe

Filesize
2.4MB

MD5
2f517c8a7f2e72929b1c212f89ccc237

SHA1
5ab8c180a93e79022a32614471200f5136e1d732

SHA256
c8421edb877749daf1b611e8f189d01cea5a76e368a82a4de604de803be5f4f7

SHA512
57c6463eadef4a8ce8daba23b9a65936033431584d967117cd20a6275de1e3278d7a9fff814ace36b9d9cb796abb05274d9652db6fca362309693e89db35e085

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{097D2A37-E94B-4FAD-8C89-D63443BD4D4A}v3.12.2150.0\exe.msi

Filesize
712KB

MD5
9245623543644d494cc7ebe9ba4bdf49

SHA1
416d483ececc8a6e5ba092d1ae75e7880fa4be36

SHA256
91f05b779c2bbeb7a371c2ca24f600d8c21664ad8d2bc464e5565bb90e9405d2

SHA512
4946990d92c6dce2da3c9eaf16cfb7e61a8070af11b8ffd67d75e541b6007e4ea459d3b0e27da9d08e39b407fec9ca9da3ea5cad789cad9722f0408d62d02366

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{4534F2ED-1616-434D-98A6-0DA358DCD466}v3.12.2150.0\core.msi

Filesize
760KB

MD5
100379622996f7da743ae9c0fc2ddf59

SHA1
237d12426723a617770bc89474f3171dad14ee8e

SHA256
9feb4a9c8f2c60b49f8520848cdb956285b92159a6a60859cd998d4ec1965807

SHA512
dbebcf37371bc44b4e190a5029fc8c5e9d514e1606b253bd93b6c941974609ebf7d1ddee1e11b77dc1eb151406be2724e4b78382542fd32184795a314e9562ef

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{94087C99-E4F5-4637-A789-3B6059DF787B}v3.12.2150.0\test.msi

Filesize
5.3MB

MD5
7cc11322ca54161b318a49a85caac8bf

SHA1
333e12785f407e5d930c98fa9578bf8c8b6b5d5f

SHA256
fc1036043979b114687df71c1d80abb91734e8fa1e39e7b60056801f0c39db4a

SHA512
84e189bd7f4379ebd6261cdcd7cfeca6b4a2229bb116f9f47ab649cbc01a325aecc4a514855280488515590c794545eb1fb783e064d4d3921efe452d7dea31f6

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{B50C92E9-2780-433A-AA61-E9F06D0AFF8A}v3.12.2150.0\tcltk.msi

Filesize
3.4MB

MD5
cedd6738fae24edddfff69b10e4f46dd

SHA1
97538a7df13e0354a5eaccee7057192d10466a9f

SHA256
f0d5c603ff7d87412f5a1e45e8ab7bd95d6f40bb90fd107125964421d7f06233

SHA512
0c75c2d1263eeb6ed638d49b1cf3c3004353fff8452ed7288a8853133dc2ad32fe913cc7020b864aaf362b5b29be55e4ec0b38ef978a811c6462552c8cf32e1b

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{BD32BDE9-835D-4013-8F9A-45FF11456F02}v3.12.2150.0\doc.msi

Filesize
5.4MB

MD5
5fc6e030f31d0aae7b95068bf17a72fc

SHA1
1daa17c033f29c122c76409dd5636716351bf7a2

SHA256
02cc5a3a1d6c54390d68ee97f6c08c2a061a457780e48919c29462ef95a92b09

SHA512
0fc29106e0263815ee7418a32d8f52c258d0a1378fc6b5e59b68ccef2fa34e2164f4dc9f4b1ba0232497f95155d9e71b6571dea4e8e446af1faf11d194bb94ec

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{E172CAF3-ABC7-4B62-BA8C-3A2472DE44F6}v3.12.2150.0\lib.msi

Filesize
495KB

MD5
2781e41bf0f3cb34d11521114a34fb8b

SHA1
9f53daadb788e4ad6345db653e0c360515b10444

SHA256
fa2f28dcf7be0b762618522afe229dadb22e17db6fa919cefd954052975c986a

SHA512
20938c98226c8bbb9fcac32cc85653515d45d9b1114e2a15e9bbd56184075dd32df648781653a3e9ad99ea8d2152eb27beb24ef77913ef1ec6bf1b58027c7353

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{F131E2DD-B8C5-42F3-85B7-3D4BAC9582CD}v3.12.2150.0\dev.msi

Filesize
384KB

MD5
f7a21ea8323d54f6348c08e185d4a429

SHA1
4a969a5aa49728821e5b0064ab20e36f8d1825c5

SHA256
633283cfcc5e870c6ce19404267a5e0509625b6b106d0c68e7133557d5c1bcb6

SHA512
161b3d0392cc0626f222a9d525f9af8cae3184c6c71d9c6e90749f1c6a71df0bf4a130234a50648c63e56099b72a0647c647b57b7ff05db3161cd5fac2c5bdd7

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python312\Lib\test\test_importlib\extension\__init__.py

Filesize
147B

MD5
c3239b95575b0ad63408b8e633f9334d

SHA1
7dbb42dfa3ca934fb86b8e0e2268b6b793cbccdc

SHA256
6546a8ef1019da695edeca7c68103a1a8e746d88b89faf7d5297a60753fd1225

SHA512
5685131ad55f43ab73afccbef69652d03bb64e6135beb476bc987f316afe0198157507203b9846728bc7ea25bc88f040e7d2cb557c9480bac72f519d6ba90b25

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python312\Lib\test\test_importlib\frozen\__main__.py

Filesize
62B

MD5
47878c074f37661118db4f3525b2b6cb

SHA1
9671e2ef6e3d9fa96e7450bcee03300f8d395533

SHA256
b4dc0b48d375647bcfab52d235abf7968daf57b6bbdf325766f31ce7752d7216

SHA512
13c626ada191848c31321c74eb7f0f1fde5445a82d34282d69e2b086ba6b539d8632c82bba61ff52185f75fec2514dad66139309835e53f5b09a3c5a2ebecff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.2 (64-bit)_20240221194511_000_core_JustForMe.log

Filesize
1KB

MD5
c705b61586186d591a247dcad0bdd923

SHA1
541c8469978dd4bcc48ead12c4b85a46181e176d

SHA256
e10a14f424e4f19b33badfdb8d042caeea9be4f66c0eed04c0da08e9926250b0

SHA512
93645f608181e99ef9a0bca62e89e843366ad50aa85b0758a8d411288c1098e6a2b9e6b9ae362e29567c72523e4522b7b351499c9e92015698fcb80f4d451085

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.2 (64-bit)_20240221194511_001_exe_JustForMe.log

Filesize
3KB

MD5
032eb23df0b490e56998530e2b0fa85b

SHA1
4a0e52ea508268789169becdcd2f80615c7b7c8c

SHA256
44ab0b234aa9f5036c4045f8e6e02701be1709efcbb915fa1a9628c71c54cb07

SHA512
8aadbda21fa8740b11a8e25597b52ebd86530d89bb6de4d2d667187e0a2fff420cb9ed61106934a15ed5a7ce66e725bbad6032345832fab9c5dfdf8c8778980f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.2 (64-bit)_20240221194511_002_dev_JustForMe.log

Filesize
1KB

MD5
5b2da2adb6d9a9152b66d99d2d938c6d

SHA1
28f41d41a76cfc6e299f9892d2abc77649d006ae

SHA256
2b8bc315e3245071df2856ee25da199d2224968460d3d5470e5fd2236d6a9bcf

SHA512
48b3e6e21d0a09250ce2059e24c01f1d38a1c9a921950073730f67da0b5ea309a842b6cb1ee8695b3bbedf2fe1f1cbed31aa4e6991eab236449141dc8ed96faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.2 (64-bit)_20240221194511_003_lib_JustForMe.log

Filesize
3KB

MD5
04b778b42facf71eb010d54272976dc6

SHA1
f49f7eee05a02a87190d7a123cc9c5e83e8e425a

SHA256
e5144d18e05b6df2831a12491714c42674d3e0917877d39c7a0ce1db955be4bf

SHA512
c132927aca595b7c4bebe4c4ff17de679cf47c8690e2363df95b4414b67a1342381a7c15f72ff85c7587e1ad5500ba4c1dbdd82a89783af5a69ab15e823311ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.2 (64-bit)_20240221194511_004_test_JustForMe.log

Filesize
1KB

MD5
32152865ba1c67c1a83b3f1d43e93f5d

SHA1
59349dc13aaf8c29fbf26ff71b0e979eb53339ea

SHA256
869514927090a17160e5a450986e2db3c3a9d50fe88ed1d59c684199cca583c3

SHA512
0dd5cd3e543cb607ef16018dd1854c424fc437713949aefc8e44b3a5cc3b67e04cc35b12d4af5a2199ed3838c4da01b669a64f8cbf6350a948e3f4cf03aea643

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.2 (64-bit)_20240221194511_005_doc_JustForMe.log

Filesize
1KB

MD5
f66a244c3de5fc24225c98ded113345a

SHA1
6a9034f7f6b979dd87b19d5738964710f16aab80

SHA256
044f37dbf5ae5d14f1dbf717613da7e7fc5f4162ecd028f89432df236781e389

SHA512
0078106cb3d2ff3525c032bb91b8647f747f3a72fa4e63b42ddc9ec94602b78aeb3cda1e3721e532a157a6a1f6ccfc2603baa4088f416cb54d417bd1d3615ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.2 (64-bit)_20240221194511_006_tcltk_JustForMe.log

Filesize
3KB

MD5
3682733c75d1d899c4263272c7a158c9

SHA1
8ee9375ab703aa8ec08954a0000c2d7325021237

SHA256
3c6407f91721517b7beb5c02034ea5970fa13761441347edcb3156cc3d48b9a6

SHA512
449de6238553ae4556f783eb46f51d48556d5589016d17c9ffaa813c643ad3e9f437b553259d3c86986e26dbf247bbddaf6b0646ffa7ab6f37f3eca1c0b1ff2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
384KB

MD5
ec627d3eee6237a39b7ff7eba984e892

SHA1
84cf008b9d56e1e4d3aa957b300941c7a608debe

SHA256
8438c83086180d75b23093d56f62579c51fee3da0e636af2b534c029d4e675f1

SHA512
f6c742a2494eda95809c5900d35c028f4845a62de27fb7a93c3ffd353d76189f17be42d4323565d92c69223d982e49852cda13a8268296822abee33b9e972541

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
5.9MB

MD5
05fc4ab1467d12a4c063bfae26672308

SHA1
404de5858aacbc37ae83972ee61fb708659ea57e

SHA256
832de0e0f47592aff6a16e64b20a6aca8eca3a068a84f270122225a52053f00e

SHA512
52ffc9d03533a1e390e806dc4e42a8438d542b61509a014c4978dce99ffb46707b9bcb5849959c4a2bf817cb537b84ab3b7444926d49853c96657e936b897f67

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
351bf4dc80b1a0fcd7de30a4073be03c

SHA1
ba037a3e742d42d3f83e7f87aa5eee26392c1d8a

SHA256
b01e4398a2dd26e2d930ea67762939cbbdd4d115d05d4947837eebaab9749623

SHA512
55cf64de2cbe6cd9624bc615c89238cb7743650431ef09cd191d009c9c608128e8b07d54e644707b304dc419b22fd81cfab351be9a4e3a09613136471849b80c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\datareporting\glean\pending_pings\749aa9f3-eb9c-4c0a-b44e-9206b4535623

Filesize
734B

MD5
620d6cecfbb95f3bc67cd602c7f3e3aa

SHA1
dc5c852a9e11c8174a5a320937781bbbbd4406c9

SHA256
f5bd1f87070b24e22b3e379e109369a616a018aa411034d65cd41f515c264d9a

SHA512
8544ca5a751f09d546baf30be32d4c20fbe9412ed5dfb90da9c863db20c65bbd51a7caedd3437f5d3c8d157e937ef12a56ecb872db5936d7366befbfa6587fe7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
42KB

MD5
5c424f84afae21c936aa3de707f1c541

SHA1
31ea8f6ec87c3ed8f8a3f1ab385b6b87c456dd96

SHA256
10d06b60d5c381228bf066805840964d8ebd7cb2e2eeb745a29c1e392bac2695

SHA512
e0e2a39c8ff77bfbf5c56fc6718beb719cf8d87c5b53bec8dda7dfd3019dc353008ef14ea163476fd15b31b14466a3f003fdefa4b1b57ae9a4f25cc164b97527

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
5.8MB

MD5
32f7f83b7e063a619d99b30ac3339331

SHA1
79a9ae2eb98980eed01c95deea5d944cb4ab3adc

SHA256
5243b8772b9178405e1d94db75b50fb3205abd5eeab70a06243cbef273cab8d3

SHA512
dfa14586518842a43d441a89b16c5e43d13a36209ba737bc8795a82dfb83ce0d77de73eab2335267480a4ec89bf65e339a7117dac29228bbc61deaed9a15bd4d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\prefs-1.js

Filesize
6KB

MD5
a9240ddb9cd3f5afade2a552eeb9b5b6

SHA1
c5dd177ec0b3aa8170ce016a902c4d32f89bb770

SHA256
36afb371a5202186cfc12afe1771b0309de4d18c043781747d464afc5d19716a

SHA512
62fa109f89dcf9c01c17514635959d36d78e77c134caf0e03f0944b9b308d1f45e2acdc01e8c07cf33a39f8c413d4dbab6a186985558be4a3269e829ac4202b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\prefs-1.js

Filesize
6KB

MD5
aa1fa0d86fbf6f5b0e100b57eccb4586

SHA1
d506e7c4a71a9e4bccd777fdecf19ac52f40a3d8

SHA256
b394b8f51dae98de2c44e70fb29b9fd6eb43f397a5315bb55c6c0dcf41c0f811

SHA512
04c0c6e2383ba60622264c86e061567c8fa27b742a9d13b01fa79a9a1c0354be1906d1bde000ca32a8f6f4da3ef04de4695163338be1dad211fbe883b66855e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\prefs-1.js

Filesize
7KB

MD5
6176a529c44724c8f4010a6b9543bc5b

SHA1
f9b3591858982f91a388b4d05c39f48564d36607

SHA256
22fefffb526d04231427bc70451ef0cf5486e8e79e15218e75f817b8470d717a

SHA512
47cbd6486a72690319ef7c9c5ded9d48dcf8b774419dfa9cf485966dd0f336b5b9267826358359700a5377d67bd1bda0b2335f2b2f319f8b850d4c55a7158f86

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\prefs.js

Filesize
6KB

MD5
72adb1e08ef33378fd9a83396fdf0854

SHA1
15e34f39c0fdab8c1d092819bac8f780c8131b8f

SHA256
20d93e8cc0af767df72357c34e3148994e9c2e20b5f1744e398a8d70ce9bac5f

SHA512
5ad2b8ab798be3c2d81d518ff317061cade03b1a17403ef9f333d2bbd5d3e73bab784a6fceea45ff9143070b616208facd87e172589a1a366c314466064a2616

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
12KB

MD5
b8cdc32e5c8af6223dd5c23f45f9d620

SHA1
f9e41c446ca16511111cf07bfd25bab3a322c052

SHA256
92ff00c834a6a538c12df4ae12dc4d58387ff84de9500af6aaa73831cac6e4a2

SHA512
7ee3d5a15bbab22513642ce5ae46369df2d9b0413c906e13bdc81398d304f258bc20faf448c79e662c3640e3aa0108a603b6ac07cbab4de7e30eaede6c3c88a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
07e455e7f41882d87a5bed247c458891

SHA1
abd78ca848e0a349d57e850aed676a3774e33025

SHA256
42d6255d1c57270c06f7319d657fad9e8d93ed845f0a64dae6f3f9055fc6c5c8

SHA512
668847eae4b3881359f35a60197daaeb337850f3e18e37180dff0b7309a4abf7e8d757aa955f1d9fcb5698c8af39c4ea54e8fce9a5fe3a1dd093ee859a228e41

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
12KB

MD5
ae3c9626d9107d138aa5f0db7687dbd6

SHA1
b43986cfd09254c3bf1c23046b1d482a36a494c0

SHA256
19c75b7fb1f16ac1617806fdb61f8df0d2be4b5f0b76a28944274cc168cc29f0

SHA512
a92663c9c80c1b6c8b5cbbac489108ba51a044ba98dfb86b039b5c68c31db9da0feeda341213531ed5c223d1b307ec6436fe844ba53ec45d053fb17a6e06d989

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e2sf79v1.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
3caa498192d841a0a977676abf781f5e

SHA1
9a222ec47767419431381aa8d51aeddea8a8400f

SHA256
92f3c7ec43ba20504c514845ef7197085226143f335e91f49a1c5366db28c8f1

SHA512
4a7d2afd673359834f16a9950b59383e0513dafbfffe3adf943720c243d28bc365ee38f7ac7ed83bd202108fc5dcc9e91f0ea4bccad8eca8177f8e26099566eb

Download Submit
C:\Users\Admin\Downloads\python-3.12.2-amd64.exe

Filesize
4.4MB

MD5
a9902c1358bfd3a6e854ba5e96d6897e

SHA1
2531d634efb02feb078ad62630039cc96f1af453

SHA256
fa13e84d54d165bd72a4afacee2d9973660649e1155b7debebede85882e125e8

SHA512
9449da2f96cc5e27debc3fee699a1e9f48a65805649b02d0d275a6a314080b59d7994e3c9dd1b3eb29deca0500301315647e2f2de4c25ab272b79fc1e667c899

Download Submit
C:\Users\Admin\Downloads\python-3.12.2-amd64.exe

Filesize
2.9MB

MD5
b064271c24637aef71e820efad067c1c

SHA1
713d98a20d3017ee2151d6893d7ef2093da2e90a

SHA256
512619a5b6b03483dea4cba27f701da9bc798c30e40e482df7d3dec85e2cde42

SHA512
c52a2ba170b9c1a8414dd0aa905cfe3f985e7fb46955394d841ab8980b50a093411bf2693cdb2d3f6c36f27a8f479af8ab632d98cc12497296b09cf2edd4a1d5

Download Submit
C:\Users\Admin\Downloads\python-3.lX4vrFwT.12.2-amd64.exe.part

Filesize
1.0MB

MD5
7c91d46caa5621da1c3c17540de560ce

SHA1
4280658f77e405e1138aa72ea7b91a4958c2c7c0

SHA256
04221031026718816380639966a1be1a38d2f8941d5371d4ee955bce18231a88

SHA512
8195ef77c6422b6f4ac97336c2f26a098244021aea2086ef8e034badbcdde41e09d354fda9b6a86b4d21ddd2c19fd683104aa4dc3dd9823b2caf9a1484107a69

Download Submit
C:\Windows\Temp\{6E6BF13E-67F1-42D7-9409-A171C35CE87B}\.ba\PythonBA.dll

Filesize
675KB

MD5
8294dc8850dd596d0ce8455167496832

SHA1
5c75c685c95bee8c1a39187da8af46b6c7892757

SHA256
565f03893da383e5bec8c6eaa7c8fbb3e6db0b9bddd5a1399b0dec66fa44d64d

SHA512
21015ca201b64e3316f3d1ee32e4c562d0142111c1ed576f03aa078619fe656c56848b5998313af23aabb97293c5452be0e27d5c44878be5d90ac2d2d2f05851

Download Submit
C:\Windows\Temp\{6E6BF13E-67F1-42D7-9409-A171C35CE87B}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
C:\Windows\Temp\{6E6BF13E-67F1-42D7-9409-A171C35CE87B}\.be\python-3.12.2-amd64.exe

Filesize
858KB

MD5
ab21a1bea9e3eaab64a2c062ab613221

SHA1
310b1f7921af8edf125eacba71944b6e5356acdf

SHA256
1474dbd6a33da8f2f0b50007ba48f0c1ddb3e0e6f8c969722eed1e683a9af68a

SHA512
b39b5a24bb7b2d3ead8aed284452c94280398a9e4855f17a8e3593fe718e9b3573e88b15f1dd4659030827e754b17e7f918ba24803e4d522ad9601167fb70df4

Download Submit
C:\Windows\Temp\{6E6BF13E-67F1-42D7-9409-A171C35CE87B}\pip_JustForMe

Filesize
268KB

MD5
083842cfa5cb8331820b45599cb883ef

SHA1
2858179692c35368251f72894a8612db25fecc74

SHA256
cfe1f73cd965e2cf1bcb94143fd87b7a6cb0d315977cab1da3002f5029948b98

SHA512
e3325c99fc05280dc05d2d458ee942aa406b13b95993d2415817ab3c55752cb66a8d1613514382b092eb55c08c2319b57dd261120db525253398b7a456091229

Download Submit
C:\Windows\Temp\{926753CD-6D21-44A8-AA5A-08DF95430B24}\.cr\python-3.12.2-amd64.exe

Filesize
646KB

MD5
1774dd2357744683a5e6e0a1aa74e87c

SHA1
110ec222146c53e765ab006b4407e3531a3ad6ab

SHA256
2916d391d09086b9f1110785fd686ec5ac243f0d4f03ee8e87eec2374c509b5f

SHA512
39dcd25c2d87aed7dcb05897820a152efe72362cef5ccb479dc9b59d694a2d0d7bca5a350851b663a89b878a5268889988c88be152c2b8bb2e24e421327ff808

Download Submit
C:\Windows\Temp\{926753CD-6D21-44A8-AA5A-08DF95430B24}\.cr\python-3.12.2-amd64.exe

Filesize
668KB

MD5
2534171be9e07275a2e1be4491c29d9a

SHA1
ee8ddbf7dcafe209aa99faba712fb7cc618e4e9b

SHA256
3749e9b05b6b6fa46cfba32f7589614b20d3c5c7a1d412e4582266f43e957053

SHA512
fd7e5d0ff33e386b93702a016e244e311be977e1e229e2a786a18aab6711dd7e2b2105e22bd2f78a06909a1008a0af301b342f37ede44b662cbab88a9c81fbbf

Download Submit