79e1377ac17e6aece067d4cf6a202d8baf43a9906cea353de7188c43b20500c8

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Builder.bat
Size

1KB
MD5

69f3538d09da509b93329b22fd59a956
SHA1

d74ccc96102895e111712beedabcdc725fb23360
SHA256

79e1377ac17e6aece067d4cf6a202d8baf43a9906cea353de7188c43b20500c8
SHA512

a5e2fdeb2d185acda43e6a0d964966fc5246d2fe598d094e0b59bd757c42170d3e4125cf7da736080a95141b453d12a53af295eb53bd64e431285e8213da9b07

Score

8^/10

defense_evasion discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	python-3.12.4-amd64.exe

Executes dropped EXE 3 IoCs

pid	Process
2724	python-3.12.4-amd64.exe
4904	python-3.12.4-amd64.exe
1372	python-3.12.4-amd64.exe

Loads dropped DLL 1 IoCs

pid	Process
4904	python-3.12.4-amd64.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{fb355cb0-c07e-4095-85a7-81c5a2838da6} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{fb355cb0-c07e-4095-85a7-81c5a2838da6}\\python-3.12.4-amd64.exe\" /burn.runonce"	python-3.12.4-amd64.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
169	2000	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI5A6B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7857.tmp	msiexec.exe
File created	C:\Windows\Installer\e595847.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{7BFF8368-33A0-4DB3-9442-F5C881FE1B4D}	msiexec.exe
File opened for modification	C:\Windows\Installer\e595842.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5E26.tmp	msiexec.exe
File created	C:\Windows\Installer\e595846.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\e59583d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5BD3.tmp	msiexec.exe
File created	C:\Windows\Installer\e59584c.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{AC669800-A797-444D-A450-A5109BBC74DE}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6710.tmp	msiexec.exe
File created	C:\Windows\Installer\e59584b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e59584c.msi	msiexec.exe
File created	C:\Windows\Installer\e59583d.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{754A267E-52AE-4A9F-AFF4-F67EDC4B3610}	msiexec.exe
File created	C:\Windows\Installer\e595841.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e595838.msi	msiexec.exe
File created	C:\Windows\Installer\e59583c.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{4F815F87-CE9F-45CF-AEDE-EDF03728F8E6}	msiexec.exe
File created	C:\Windows\Installer\e595842.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e595847.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{62DD7DAF-6279-46FA-A06B-C4A541244045}	msiexec.exe
File created	C:\Windows\Installer\e595838.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\python-3.12.4-amd64.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.12.4-amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.12.4-amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.12.4-amd64.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133673838610112546"	chrome.exe

Modifies registry class 37 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{7BFF8368-33A0-4DB3-9442-F5C881FE1B4D}	python-3.12.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{7BFF8368-33A0-4DB3-9442-F5C881FE1B4D}\ = "{7BFF8368-33A0-4DB3-9442-F5C881FE1B4D}"	python-3.12.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{4F815F87-CE9F-45CF-AEDE-EDF03728F8E6}	python-3.12.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{754A267E-52AE-4A9F-AFF4-F67EDC4B3610}\Dependents\{fb355cb0-c07e-4095-85a7-81c5a2838da6}	python-3.12.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{7BFF8368-33A0-4DB3-9442-F5C881FE1B4D}\Version = "3.12.4150.0"	python-3.12.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{7BFF8368-33A0-4DB3-9442-F5C881FE1B4D}\Dependents\{fb355cb0-c07e-4095-85a7-81c5a2838da6}	python-3.12.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{AC669800-A797-444D-A450-A5109BBC74DE}\DisplayName = "Python 3.12.4 Test Suite (64-bit)"	python-3.12.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents\{fb355cb0-c07e-4095-85a7-81c5a2838da6}	python-3.12.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{4F815F87-CE9F-45CF-AEDE-EDF03728F8E6}\Version = "3.12.4150.0"	python-3.12.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{4F815F87-CE9F-45CF-AEDE-EDF03728F8E6}\DisplayName = "Python 3.12.4 Core Interpreter (64-bit)"	python-3.12.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{4F815F87-CE9F-45CF-AEDE-EDF03728F8E6}\Dependents\{fb355cb0-c07e-4095-85a7-81c5a2838da6}	python-3.12.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{754A267E-52AE-4A9F-AFF4-F67EDC4B3610}\Dependents	python-3.12.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{62DD7DAF-6279-46FA-A06B-C4A541244045}\Version = "3.12.4150.0"	python-3.12.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{62DD7DAF-6279-46FA-A06B-C4A541244045}\Dependents\{fb355cb0-c07e-4095-85a7-81c5a2838da6}	python-3.12.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{AC669800-A797-444D-A450-A5109BBC74DE}\ = "{AC669800-A797-444D-A450-A5109BBC74DE}"	python-3.12.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents	python-3.12.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{754A267E-52AE-4A9F-AFF4-F67EDC4B3610}\ = "{754A267E-52AE-4A9F-AFF4-F67EDC4B3610}"	python-3.12.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{7BFF8368-33A0-4DB3-9442-F5C881FE1B4D}\DisplayName = "Python 3.12.4 Development Libraries (64-bit)"	python-3.12.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer	python-3.12.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\CPython-3.12\DisplayName = "Python 3.12.4 (64-bit)"	python-3.12.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{754A267E-52AE-4A9F-AFF4-F67EDC4B3610}	python-3.12.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{754A267E-52AE-4A9F-AFF4-F67EDC4B3610}\DisplayName = "Python 3.12.4 Executables (64-bit)"	python-3.12.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{62DD7DAF-6279-46FA-A06B-C4A541244045}\Dependents	python-3.12.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{AC669800-A797-444D-A450-A5109BBC74DE}	python-3.12.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\CPython-3.12	python-3.12.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\CPython-3.12\ = "{fb355cb0-c07e-4095-85a7-81c5a2838da6}"	python-3.12.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{754A267E-52AE-4A9F-AFF4-F67EDC4B3610}\Version = "3.12.4150.0"	python-3.12.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{7BFF8368-33A0-4DB3-9442-F5C881FE1B4D}\Dependents	python-3.12.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{62DD7DAF-6279-46FA-A06B-C4A541244045}\DisplayName = "Python 3.12.4 Standard Library (64-bit)"	python-3.12.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies	python-3.12.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{4F815F87-CE9F-45CF-AEDE-EDF03728F8E6}\Dependents	python-3.12.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{62DD7DAF-6279-46FA-A06B-C4A541244045}\ = "{62DD7DAF-6279-46FA-A06B-C4A541244045}"	python-3.12.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\CPython-3.12\Version = "3.12.4150.0"	python-3.12.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{4F815F87-CE9F-45CF-AEDE-EDF03728F8E6}\ = "{4F815F87-CE9F-45CF-AEDE-EDF03728F8E6}"	python-3.12.4-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{62DD7DAF-6279-46FA-A06B-C4A541244045}	python-3.12.4-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Installer\Dependencies\{AC669800-A797-444D-A450-A5109BBC74DE}\Version = "3.12.4150.0"	python-3.12.4-amd64.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\python-3.12.4-amd64.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe
2000	msiexec.exe
2000	msiexec.exe
2000	msiexec.exe
2000	msiexec.exe
2000	msiexec.exe
2000	msiexec.exe
2000	msiexec.exe
2000	msiexec.exe
2000	msiexec.exe
2000	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe
Token: SeShutdownPrivilege	4948	chrome.exe
Token: SeCreatePagefilePrivilege	4948	chrome.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4904	python-3.12.4-amd64.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe
4036	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 1048	4948	chrome.exe	90
PID 4948 wrote to memory of 1048	4948	chrome.exe	90
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 1136	4948	chrome.exe	91
PID 4948 wrote to memory of 4480	4948	chrome.exe	92
PID 4948 wrote to memory of 4480	4948	chrome.exe	92
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93
PID 4948 wrote to memory of 4260	4948	chrome.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Builder.bat"
1⤵
PID:628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc4576cc40,0x7ffc4576cc4c,0x7ffc4576cc58
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1996,i,2620395837441053786,13464409980469177545,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1988 /prefetch:2
  2⤵
  PID:1136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1808,i,2620395837441053786,13464409980469177545,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2024 /prefetch:3
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2308,i,2620395837441053786,13464409980469177545,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1936 /prefetch:8
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,2620395837441053786,13464409980469177545,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,2620395837441053786,13464409980469177545,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3692,i,2620395837441053786,13464409980469177545,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4928,i,2620395837441053786,13464409980469177545,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4940 /prefetch:8
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4592,i,2620395837441053786,13464409980469177545,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4544 /prefetch:8
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:4712
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff6b06f4698,0x7ff6b06f46a4,0x7ff6b06f46b0
    3⤵
    - Drops file in Program Files directory
    PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3840,i,2620395837441053786,13464409980469177545,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=836,i,2620395837441053786,13464409980469177545,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4440 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3700,i,2620395837441053786,13464409980469177545,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:1400

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3156

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2544
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {34056390-0def-42c7-a8b7-9b486037b308} 4036 "\\.\pipe\gecko-crash-server-pipe.4036" gpu
    3⤵
    PID:2200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e34af6f2-c874-4424-827c-ff8711fedb19} 4036 "\\.\pipe\gecko-crash-server-pipe.4036" socket
    3⤵
    PID:2376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3008 -childID 1 -isForBrowser -prefsHandle 3020 -prefMapHandle 3016 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36786b62-8b8f-4365-a007-42bbd08987dd} 4036 "\\.\pipe\gecko-crash-server-pipe.4036" tab
    3⤵
    PID:3672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3700 -childID 2 -isForBrowser -prefsHandle 3684 -prefMapHandle 3028 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f23e276-76f4-4644-a2cc-a3883d72c224} 4036 "\\.\pipe\gecko-crash-server-pipe.4036" tab
    3⤵
    PID:3092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4744 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4720 -prefMapHandle 4724 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {892bd7fb-9196-46ba-9227-725a5acd3190} 4036 "\\.\pipe\gecko-crash-server-pipe.4036" utility
    3⤵
    - Checks processor information in registry
    PID:5008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5212 -childID 3 -isForBrowser -prefsHandle 5180 -prefMapHandle 5284 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e76742e-8240-4e97-ad83-7eb3d6ecb211} 4036 "\\.\pipe\gecko-crash-server-pipe.4036" tab
    3⤵
    PID:2736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5448 -childID 4 -isForBrowser -prefsHandle 5452 -prefMapHandle 5456 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a73532e4-88e9-4d36-ab44-8c71449ab510} 4036 "\\.\pipe\gecko-crash-server-pipe.4036" tab
    3⤵
    PID:3320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5632 -childID 5 -isForBrowser -prefsHandle 5640 -prefMapHandle 5644 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4598c956-23c1-4a57-ad3a-d287b1d34e1e} 4036 "\\.\pipe\gecko-crash-server-pipe.4036" tab
    3⤵
    PID:5096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6276 -childID 6 -isForBrowser -prefsHandle 6240 -prefMapHandle 6284 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ced6f9a-1ef7-4a9a-b546-2cdc83ef3e9c} 4036 "\\.\pipe\gecko-crash-server-pipe.4036" tab
    3⤵
    PID:1660
- - C:\Users\Admin\Downloads\python-3.12.4-amd64.exe
    "C:\Users\Admin\Downloads\python-3.12.4-amd64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2724
  - - C:\Windows\Temp\{AC2B9BE7-4ED6-42ED-BCFD-43BB529B7446}\.cr\python-3.12.4-amd64.exe
      "C:\Windows\Temp\{AC2B9BE7-4ED6-42ED-BCFD-43BB529B7446}\.cr\python-3.12.4-amd64.exe" -burn.clean.room="C:\Users\Admin\Downloads\python-3.12.4-amd64.exe" -burn.filehandle.attached=728 -burn.filehandle.self=732
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:4904
    - - C:\Windows\Temp\{253B9BF3-7901-4B19-A451-C8F4A8DCE76E}\.be\python-3.12.4-amd64.exe
        
        "C:\Windows\Temp\{253B9BF3-7901-4B19-A451-C8F4A8DCE76E}\.be\python-3.12.4-amd64.exe" -q -burn.elevated BurnPipe.{9D2A468C-CE4C-43BE-AA57-4FD82E1A877C} {94A93F7F-E243-4455-A089-4244EE284784} 4904
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1372

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4384

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e59583b.rbs

Filesize
8KB

MD5
231a41920e7146e65f01094f64cf8954

SHA1
6d63fd519cf3b461cea827f802714efdbc539164

SHA256
8bfb79cd0941c81fbdc0fcabd86752f131cc1c03ef491922158459313a45a854

SHA512
cdc8178ef7ca53aaa8cb02c1ca1a1223a8c9bdf93d4df9a53e5e8bdd0d6ee7be782382fa65758debeeb9391868740a1b4831731a3e2e69b580b135bf8a2adfd0

Download Submit
C:\Config.Msi\e595840.rbs

Filesize
12KB

MD5
1de17cd16aa7ead54ae62f48a10d62f2

SHA1
f33ed983c92f781ddcbd12b767b0c2495a971e8d

SHA256
169898164f25b27ba6120fbeabbc23e5e24f963f9b9a1f99c2d478a142a2f67d

SHA512
ed8f5abc7de87805784e1b2e95e4dba55d15fe53231ca4e3c99d8599671024636432232d75faecd92fcd8a946a32ef92a67bf75d54e6ee10764048dafa3c91d5

Download Submit
C:\Config.Msi\e595845.rbs

Filesize
50KB

MD5
902256b0eb69a1290dc32dd6ea4bcfe1

SHA1
8a3f7b8fd6be803a726f77867d80f6a1d8ed6328

SHA256
5b75458afb80c1fca4bab185e33ed4837ff3e42a1aa1e49e888cfb0dd344d597

SHA512
5730ddb9681316af2120c6d82f90c259f21f978e1cfe488ef718707135b1f1a62c1cfbc1a030f993edb7cdd7e3dbcc8966aafe792b14b7f866afaaa723555427

Download Submit
C:\Config.Msi\e59584a.rbs

Filesize
138KB

MD5
5f6ad04f817eee46f6edcff713f6bf39

SHA1
7184c2dfed3bd45ebaf54727f768f651aad237ae

SHA256
d76dca4754567ccc4c56620924d55d8b80cc84c222a828284e8064120776bd7b

SHA512
d3152dbbf156d6487bae0c933bed8f179080f98dbb85432d1fc1e7317b8800bdb24bd41ca8f6b3b73e76d517f2f8245b4e34eb477bbd273a1edaa047f6aca7bd

Download Submit
C:\Config.Msi\e59584f.rbs

Filesize
348KB

MD5
0d22e3121fe0314531997f9520b6977a

SHA1
e716713aaf6c0c695eed4232166d5574f254959b

SHA256
d466c92fc592c5ab73984ea081483a2d43b620ba78b01ad072f377592fc9ebee

SHA512
08d99b07d02a8b1778908fb12e9db449477a189980789adc11a835ec812382569d5244b721a2f60cf936496f7108472a6f25d66fabebaa328749fffb48be6525

Download Submit
C:\Config.Msi\e595854.rbs

Filesize
130KB

MD5
283f324f787fbd6d5d8faaad3ca3c5b1

SHA1
7b6ceaf72116be40e1f3c0758c448e63155c1135

SHA256
5ed4cf8244377e3dc3906a0d6df61fce394e6cb2821a09682525c349a12df136

SHA512
1a90276b821005d0cd666c661050f62514d9864ff51de148af06a905d3e372226d6cec58dbc7a5da206e9441d313fff2d3f83ce68c93954b7228d4af84a418a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\0035e810-0eb7-4f2b-a386-dfe09f1a1aa6.tmp

Filesize
195KB

MD5
9a05dd57c8a2648a7ab42d828dc136aa

SHA1
cf889d6b9ee1fe3425c9fae90fc4dfd62d8a2a7d

SHA256
42924eed0ef3e6d708f1753c2cc54325ef87b67efe3bff47c54f1eb90e6d37e1

SHA512
3b86463d69fc5d883f04ef1ad1588101592b157433642f0138aecb6d071d000363681dbbf9b87ddef8d3f74272d8d0afb2541a3a1c4903af7ba82817e26f6724

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
490884eb05c48bd6ed9f2f92916a2353

SHA1
830cef4defe7ce82cefe313e7f82d92d2e3f8e88

SHA256
3ce67a531a440557bc168615eabe58e959cfbc29c9d46cd32ba862676a3a0baa

SHA512
cb93e4cb74f9932823829075420016a8dbf3f471e6c5b9a16aafeb53ea089527ee215e56e686cd515b3353a55440fcd39014a0fcff2c4cf351d6e64731ecb621

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
a9c32c9fdd06d8840f4f602e5a43eca7

SHA1
1c4b65a3e92eaac7d156e1fb5da3491d14a37458

SHA256
25ab9b57bef888e4493d792714fd7c826ceb546bef4b1e691872017ef39aca5f

SHA512
b23529b4b843f0c8e6467d285dcccf240904b82875c008fd5861d60e4340f0b42001da16eca20f2f3e33ce2e69089ac133d49669fc856963fec62a09bf740d90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
75e7befdd1d8c1fd54a346438a0b7e93

SHA1
3e0e890d01b417e9c44d34935b0a339a9e8c83be

SHA256
594f9fcdea664e9bb8fc18f1dcd3debbaa89e1f38395da749542a274864da81b

SHA512
4777f1992812f6c04a72380644897f9c17e7b0fc2fc58920a1fa95f7c1bc382e5b129f1969a78297f20da52e7e0307de146a6396d7284f18c562b1dc43502a93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7a8be997022e98393e7a98ec67b017fa

SHA1
362285fb61a4efb1b6a8cc1897092e4025572b1e

SHA256
cfa46819bd22d452387c5240661f62381dc92d9b244749168c5d62f41e9a144d

SHA512
f4a01894150bd191e18a34406256a335e1c68fe79d12b2e95cc3d81f48d1c19356727d815ce6122b01df250af595bfad85db85519d9f3731cf1c412ee8fa05b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b2de516bfad2db5d861871734287cd7f

SHA1
002f90550804ddbbf4f9d21c8c66351d8c9add5c

SHA256
b4cb473e74d214543e022857b99a6b60a0aa716089f56d14cc8b1159b6b56d91

SHA512
f22efa552afdb58d3c6e082e3cba2b830ae9ef6085d4a53dd2cc48fb452490a2bd772461e10b0beea26fc24f89b787bde5dce7bca781462812afbca035487483

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
dbc83797f54d2f53b143f592ef18f1d1

SHA1
bdf37c7f414837f6ca69f84f075567b2f78f6062

SHA256
44f2b99f47e535a21b8ecc1de1b0af623ad9668178a61444afd302eff33e5665

SHA512
3513eeadc3b7ebc5d6d5b0cb3e08ecd6c16679af64c7b0b41add6ccf4f5591fd1d8f3a9d5cad2134531b8b091e8f48c67be909c1aeb2cc6b7ee7b67691a2dff4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
90deb0256ecaa08786538c659692a1fd

SHA1
4eec9e73cd0055dd6abd477efbdcc637e3a602a7

SHA256
3f2e9351400bbdabd9bbf305c5297732c34ba176b668d1150b771edc2140554f

SHA512
aad7992411afd7c954815c366f39963f2b8af05e510bcb6099b486b657704474ed043183c24c920c3249b2e30a20f0275888a1e53b4def6aee5474792781163c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9cb0fcdd11c232ce1845f834f667d473

SHA1
8c19f4fe92487d010dd4075b89e9932a313f8fb3

SHA256
ed1281a9ed59c98bc9a0fb258af511260abd27012b93758aac5d5c2e261ecbb5

SHA512
ac8444fb5fec853940b701cc286b4456c30dbea37ed0c8881fb764ed0c25a2df2052cff4d48c8e954b784d68d59acafc15839324dd4568b8d47abdf04dee253d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3211357a1db30d46aa94fd75b151f244

SHA1
bd754993e76b2e67224b014090b71b992f034fc4

SHA256
1a415ce9342e41085d4ebaaa8b0f55e2314bbaff3d2d6d84588b5c31c214ff76

SHA512
8e6ea46804425d11f2314edf162011a7d1710f746d4d6186de2dd84634134c782b7516716671175e8741f74e5f4d673717d2ca1676f2afc1abdd1d6e09764d9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
921b72f6222ada84123df68b663c4fb8

SHA1
18ea229a139222c572363931a89fb8d3e28ad9d2

SHA256
a7c0913283fdfac7dc4216dd7c50f1ebbf9e8f8c0d84ffeb88e4ea9c2f5eaa83

SHA512
19a37f051e450376c4cb6ef224e5044af474506ab414621f9797c42e03f26a4de483bd70c1b853e957193fa0482fe7323a4437452ed17ee0b720e1070296946d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f1ddff264eefd9dc5b29e5c1635845bc

SHA1
5697c952c4cfdcac6de690ceeaf1344eac6fa003

SHA256
047f895abc12a762aa66518fbca7f2c024c08ba2060f4ac5d782065a72cd2bab

SHA512
8a4a247547c3976fb4fbb4cd279fcc6bb6f2d500bd90ad64c18820aaec4d6eae244236c2e72d0d450132f428f883f990f576ef398aae19e525570b1ae462587b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9c868fb36a22e67d460d50502e441501

SHA1
a886d7db592aff89508420a6f343a36b63f5a2c4

SHA256
ef071aa7d6abfe30810070fa00bff31bf88f3bd0dde4a8f5e9d6327bc3d560cd

SHA512
1edcc6facfeadef9f9121d1a627373d862b8248340e0f63fb958305d243a79f85e844929a6dcc9851d43a3113324ab056542819c92fa3d997b8f3e324bcbd885

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
5e057669bd5c28ac195a15383ea9fcfd

SHA1
3e4ca70f8f87e778324e7ce5762cc24c6bd4115c

SHA256
7ff730011124fefc0aeeac83c79ae93e14978534230c18f8466b9d4e1afae517

SHA512
07b4d1154370a42116ff4dfd7623be83294894f81b818f893ea5ba90a0f0905b86bce9b64b0b0e9b26bcc8a98d25ed7c145993d6c8348066d84628b8a43c6205

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
eaac38f2d6c142379aa416645996333a

SHA1
82146a02ea7319019db03963d40b663b25495719

SHA256
1524d6e08f4c8500d04fcba7ac209f91cefa45b152b03495e2983cd67d84fa67

SHA512
444beb8d5f6d29edb8a14a87e3a5dc52e30209da2c2c63ebc0cf1d27556c8f2d486ebf48866440fe889e4abb3371f822a878f9b4d16a5ac106586430c002be21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
77d58a0b428d4863ea2eb515adf7b1d1

SHA1
9288f0367dd8d382f34b5c589b9de369fd9fd9bb

SHA256
cfae814088f1dc26b6eaf26340ae35617f320eaf60d05a99f3b8b2f70760b08d

SHA512
88616a252f6e529d59d399af22405b6f069ee029ffdfcaa5bbc236c206e1d6fdcfa6953118b803a99cfdc9d0805debe7890f2dba3e8ab23f192f976152a18b63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
b6411ad08573e87b5aaa9c135c332835

SHA1
19b189b82f9d088d7c29a4359e7fcc359abde757

SHA256
eb2c70af8dfb477feeac8ae7b553020afea803828d2f6957466ab17ee969faa3

SHA512
440130ac2d8c47901fda1891c99fd2d04a8342110fa1970e8333a7e061751d0167e92d6176290d0f3596ddaf39a8a97b0bf8acbe26f58c1ec36b3157a89a5c36

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
bb2a275efce330141e5c8d99cf229bff

SHA1
d9e2f8f3255c8d882152be2660cae53158ab4bc2

SHA256
03a7d3fc3fad000c31c0f7024c78a845737f9274274edc6aefdf8cd378ea39fd

SHA512
84b71e32940bf31170071223ad7349ecd5e48fcb89ac6f77b08fd3f4c17e9dd1ed88b46bb6f1a0f8065d793994b3cfe56135b7aad213efb84615629bee5a32cf

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\doc_JustForMe

Filesize
5.5MB

MD5
d81b5f1043ece3954de5a7c9d7f930f8

SHA1
9d57a77752e2b54bb6947d92f33c97e37e251008

SHA256
190e5bdd4c77c164106728ba1818e5dee4da832ef40884c39deb73fcf3c63a32

SHA512
33134875864013c87b7a80338560b1e845c85064a947df0dffe09c5814fe02ad2009885ce0017f7cd0a1b1725b8b6860e8fbd2b2a30b4659b58652114c5478fc

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\lib_JustForMe

Filesize
7.3MB

MD5
43f337178c43edf715fbdf2e959e15d0

SHA1
b353117b01441b63fa40fb65ca07f30d501ef2b6

SHA256
4ff22c3f02870389ff042b3014847e8ed2dd49306bb61437967066fd524446d8

SHA512
994def9f953d8e33073c04ffb6d5b0e5eac38c7430616823d8cbccdd76f38aad2bd56784526d6bf6385cc385947591b207f095840535e5a477186e0732b9e755

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\tcltk_JustForMe

Filesize
3.4MB

MD5
e6d634b254c818bc36e0359538cb7ace

SHA1
02ec6b1121223b455b4672f850ca752ec7371c5a

SHA256
6a6200c6a8441d667d25c52750b0b7a3e48367c3b6343ed1e0d3edd5e43f8539

SHA512
1350dbfbdb2038ae22213cf643904f01150f3b89f226f20fdb72055e03766386464920086ce447c250f13a3a494aeb340626553b5acabedc1c63740c88d53859

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{4F815F87-CE9F-45CF-AEDE-EDF03728F8E6}v3.12.4150.0\core.msi

Filesize
1.9MB

MD5
922be790a111acce21e21dddb2b346a0

SHA1
44abc66e873d291d2123fcd54a98471267369ab9

SHA256
9e6da1e5d4cfcef4b6c463c2606473cd2a7b1cb3fb428857b39639c73e73ae4a

SHA512
36f9403beb2566e048aab3091052d52ac058c2152998ddb28de35b3ac0fd760c8027fbec0ad060d1f872fb79e1782ff35e4debc77e6268b4bffb6b9b8eedadea

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{754A267E-52AE-4A9F-AFF4-F67EDC4B3610}v3.12.4150.0\exe.msi

Filesize
720KB

MD5
74caed2618cab1c21fdd9746d688cb2a

SHA1
fa64f4fb6b82431171b0e725d9fab082f75c13e4

SHA256
a2a3db80d4c8d1ee9c52a3620df099ffb5e56eadbba010ac71d94588773e92f4

SHA512
d806199e2a5d852695c321ed56a79da6e583e8a877c41a9ef29ca9a76513fa388cc2058e539bc91b701e4de6191871c97fba8689ced14d6013180a3b5dae7b6a

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{7BFF8368-33A0-4DB3-9442-F5C881FE1B4D}v3.12.4150.0\dev.msi

Filesize
384KB

MD5
229230103408fb024f3b0202aa03b89d

SHA1
ac1c74602d0266c354b8aa9d5f80212f169a4e77

SHA256
99d874c055615ac8c7012ccaf4b6e12a6b469ddee1d3422d20fccb2041877fd7

SHA512
0c11122e94c363b97362eb331d1ef166e37ff55beee90c3bfb9f41cd70c9967ce0099d6d1d5020f5439dd13a71545abb94ccab4148dbd499ecafb191367d416b

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{AC669800-A797-444D-A450-A5109BBC74DE}v3.12.4150.0\test.msi

Filesize
5.3MB

MD5
12e9ecedd11898d5ab631466857dcbe2

SHA1
502c9f232f403f94721f1d0a0f87d2f9baaf5f29

SHA256
cb87751ac6ddd7cd61e84ccfb0f5b88fa5dd58e79fefe5b2d64ed0967d6a76a8

SHA512
6bf6e681fb55f7578cd1b28284fc06c9c5edc6c0093dc0214949bcdf3624e2598a93bafd200faf020cc3b5840acd60f46290f022036d852195571c6d040e61ca

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python312\Lib\test\test_importlib\extension\__init__.py

Filesize
147B

MD5
c3239b95575b0ad63408b8e633f9334d

SHA1
7dbb42dfa3ca934fb86b8e0e2268b6b793cbccdc

SHA256
6546a8ef1019da695edeca7c68103a1a8e746d88b89faf7d5297a60753fd1225

SHA512
5685131ad55f43ab73afccbef69652d03bb64e6135beb476bc987f316afe0198157507203b9846728bc7ea25bc88f040e7d2cb557c9480bac72f519d6ba90b25

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python312\Lib\test\test_importlib\frozen\__main__.py

Filesize
62B

MD5
47878c074f37661118db4f3525b2b6cb

SHA1
9671e2ef6e3d9fa96e7450bcee03300f8d395533

SHA256
b4dc0b48d375647bcfab52d235abf7968daf57b6bbdf325766f31ce7752d7216

SHA512
13c626ada191848c31321c74eb7f0f1fde5445a82d34282d69e2b086ba6b539d8632c82bba61ff52185f75fec2514dad66139309835e53f5b09a3c5a2ebecff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.4 (64-bit)_20240806021245_000_core_JustForMe.log

Filesize
1KB

MD5
4e009bf737f491ca2bafa76824902005

SHA1
b7c0ae207bf80f991bc03045fad54762f3867b42

SHA256
aff764fba1abc6a9be90618a45c2989d4c3acb87ddbb69362574bc4365f2fb3f

SHA512
4df5c46cf23ec4048a0ea491038b359adff399a4d56fc7cff64eb07d0d962bc2288fc53d1cf3bf0ffab4328b4fd5148e8acd4248207392444e6aa00bc7debe92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.4 (64-bit)_20240806021245_001_exe_JustForMe.log

Filesize
1KB

MD5
22265560afee7b8fbcfe89d1ff572d75

SHA1
e371a10f09aa07d5a4d7f99bdf68fc9d1f9c1eb9

SHA256
df99f7ce13b0c922b4ea401da46478b590d79825314da1f20d0788ec4ff73136

SHA512
b6d993864f6971259b0f2a9e4268b00d4dc07a439e1da949613cb9457207888bb132962f4893512ecaddf3cc127203de14b1ea11dc568e3b21b806b0533e147e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.4 (64-bit)_20240806021245_002_dev_JustForMe.log

Filesize
1KB

MD5
3e6c934e9f89874bda2ea48af45f4f23

SHA1
b27b9a1e7ce6dfee2ebdb28c7dc46ad5d3958d89

SHA256
0b94b3de12a64ec9bdde9b109e625dcf9d37d3b78234871bf862fc1bbcf6674f

SHA512
08b179183d55141639300b31770539a97c3bfddb62c236413a89a56104448303893a16570ad7b6b107f055d4f5862e292848e0c7fa1470a30bf133503406b75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.4 (64-bit)_20240806021245_003_lib_JustForMe.log

Filesize
1KB

MD5
e25f137742710759befe3c72b8d7ecbd

SHA1
d16a2fd3d50838f648fb8e3107cf0303db084d04

SHA256
dcbb678dbe7464738169bd89e648f2b0bf244f81fddd1eb88b82edfd04d503fa

SHA512
7a049ff24db359af8f0e7f149316c9f0f1e4585947703ca5b4de1181574f4d58db78135be0926659af7eb5f86b4db7195fdb4ac774cb4fce39fc658bf4e92bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.4 (64-bit)_20240806021245_004_test_JustForMe.log

Filesize
3KB

MD5
097a4ec6949527a66ddbb64b2ac0ec8a

SHA1
8a3b2f09de1a94dd3831797f4185ec17154d5bd0

SHA256
60809e467d86f7ff93cdf7678419bfff5b7a96649ac3878b497a541f15efc2a9

SHA512
4de0ed63df68690aeb523a564551725f59f67efd5b6bace8b35251624da0e8b4e09ff5e5f1fca253d70038419e114047f7630ef8e73b7357a750c9032fddb676

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.4 (64-bit)_20240806021245_005_doc_JustForMe.log

Filesize
3KB

MD5
0c25bf1303b18c88cfd07a5b352821ae

SHA1
5497922b9ed1dda47dd3c18535fe52219e5377da

SHA256
3320aba534b8628fc28218dccbdef942ac04a439528f9009352a970f18548912

SHA512
88c289f61c64ca7672434ea720596ca04cbf6ecea7ad0bd4c31f7fb7adaeafe5242af272304653240067d6b1e6d6fd07e15191cb3d6d73f4eb069920f77e4019

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.4 (64-bit)_20240806021245_006_tcltk_JustForMe.log

Filesize
3KB

MD5
ab134c884b6b055cece3604f50a363b7

SHA1
fee744d556dfd4246197898fa8b35208ebcfe773

SHA256
2d87fc672168a2303587e6cf46d61d1aa25cadfc11d11a707b73aa963c788f89

SHA512
9a50ab75b15bc873cc3522cbe7cbb583dbd25cb3ac533ac08ea0bd2a19a0f1d004b24066a688e38335976033c8cf9e1bf7fd69918cc16ef159ef00e43714cd3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\AlternateServices.bin

Filesize
15KB

MD5
45519615738c732c095e78fed0cd69fe

SHA1
6771eb6d799ad1333501ecd8e2b5d8dd3fbe8a24

SHA256
ae64755c710e85bcc82a3ef76c31b264e4bc288d4f448684f4ea80c221fca428

SHA512
d12396b771510ef2e3ef806e7b1b2dc7bc94de4d6d45a1386eff14d3c3600827ee617ff505bf1b17c5606e7817798050023c7c11e52bd10122dcc037c388f31d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\AlternateServices.bin

Filesize
10KB

MD5
595e2f908f4bb872f39e64fa6543b90b

SHA1
a51abb2a0a5de2ab73393edea6e5b191dce9db94

SHA256
ddd3aedfd964cff650bb1c5f402b3a1b11b0bc003dcc1fb9c4aac0f8993f72d3

SHA512
fdf32280a5800e2cfadfed5b6994d08afd62aab3b0b9f26c465c10daa40b1c7b182430a3fb2cdb899dd5537e911b52e2d79dd94b7901c8ad505d78e262aec320

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
e77b4d68789ec24ff047a03d63f282d7

SHA1
bf84a1a0890c1743f9b1d1bc090a28a9478e9f1b

SHA256
462211aa09ed307e908327f2cc9a77d020b98050e60f7ba611711c57e4b46ec8

SHA512
10bc08372625a1b9e5a79bb09ad679d8214bf82b0efabaec83056d89456be51b1cdc46b80bd480bf253f0a33b232944af4aaec3c3694ad1614b7885aeeb8a486

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
ea9401e82218a009e8c0a65154230846

SHA1
cdd8ee15bdebaa312cd8abcded8372eaa999bd6c

SHA256
4a84062279ed30a3cd8301254e025c9c640fdd4e50c79a02cebef13368c66461

SHA512
0679709a49f4f12f4ef04c9d18c7ca6e56f248530780aedc683ff99e89bdf803d0bd0c40f7d907830d8e3349a40dee88362695f505391683df1aa1d86d3dff8a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\2e68efeb-71b0-4d80-a482-1266c3a87143

Filesize
982B

MD5
903afc7bcc341a9bca411c3c0632ff1f

SHA1
0c0ff13227168e896520da6c2951d7b8fcfb4d1e

SHA256
8e78834db60e2f20f438a75d4919a71cc4e7dac029568706fbae1bbd120b0afa

SHA512
faff1c8522f7ebe5232b9bde7c2ad8b715d6b2cb362382bef2be082bcecececdf697d75962c271d341c41ef2d6c64a1fd30ad42cd0f28213ae7489ef24041945

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\616d3f29-bcad-404d-97f8-f4d04a9cf3ff

Filesize
659B

MD5
187524891528b61b965724cb05ecfd63

SHA1
6f8665733c992166853b8a0cc0929010595868a1

SHA256
80ab01e17001f6ae29783d6e212bd1e348752f7358839a489a0f7ea2315ef47b

SHA512
33e6e39c6ddea23874a8a2873c57e3eb3e7c1e6002ec46d74dd211a6a2a381cd0c71fcbcec07c009efb872a563ffeb1cdb2a9893710c0db103ca73d443ab35e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs.js

Filesize
11KB

MD5
27df64e90628054502e0e83343903f8f

SHA1
489595460ff4bac4fe0ce1499124741542c6fd9e

SHA256
b0ab4b3bfa05a057eb7e20c7a234531a96bdfbc00fee3f72280a61005d6c331f

SHA512
aecdc12277e24dc97f4989a3bdbe75729342e4bee7089920bcb38100b8fea2b0d5bc1951eba2a9c4c2d08e736b8c81d6fe60938aa547be7163ce54bcab442d80

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs.js

Filesize
11KB

MD5
324757882f17c9c1019726c7313411a4

SHA1
ce37dd7027152ef4317750678da3aa48b42febfc

SHA256
da373603659549de2a5653134c8860ff0bb66a58779954c65669f2baebefc95d

SHA512
6782c9a6f8e1e910398b7b9f7e4d680af3630d42c761f783fa6e89403941a76769765baa507928f3b5393374911b7f40f938d8072672ec799684da968a0542bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs.js

Filesize
12KB

MD5
7dd7560af59e61022169eea7e0f57e36

SHA1
d90ded1d5f5bfd76a11e75db0d05a1925eab7ea6

SHA256
39178bf586732319fa6c97ad52f0594fbd4796d9538f53748405d5ce34fe0c6d

SHA512
2519dcc97b1201e7e8345332a0fdc2dcb18304801e8ab578c3816f809274b2350b65692ad5b84f2c874fba2fd5056118794f57b7df6fe1b2185ddd542b072ea9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
331e4fde2095ae44eaf8b7ccf423d21d

SHA1
cfccb58de3d0dc535e48380b123ee2e9f23bacb5

SHA256
1b59746371de006d073493b8fc2c60ea4b2e105ee26b0d5ad9c7ddbe1c1d3d61

SHA512
8cc938cbee31ac4584ace77cedc3b047f41e027076d8ec27b9b9da7b8035104559b7270fde32640df7dd0b4f37f6f2cb77740da74521c4db7d46d7883329f954

Download Submit
C:\Users\Admin\Downloads\python-3.12.4-amd64.exe

Filesize
25.5MB

MD5
f3df1be26cc7cbd8252ab5632b62d740

SHA1
3b1f54802b4cb8c02d1eb78fc79f95f91e8e49e4

SHA256
da5809df5cb05200b3a528a186f39b7d6186376ce051b0a393f1ddf67c995258

SHA512
2f9a11ffae6d9f1ed76bf816f28812fcba71f87080b0c92e52bfccb46243118c5803a7e25dd78003ca7d66501bfcdce8ff7c691c63c0038b0d409ca3842dcc89

Download Submit
C:\Windows\Temp\{253B9BF3-7901-4B19-A451-C8F4A8DCE76E}\.ba\PythonBA.dll

Filesize
675KB

MD5
e58bf4439057b22e6db8735be19d61ad

SHA1
415e148ecf78754a72de761d88825366aaf7afa1

SHA256
e3d3f38fd9a32720db3a65180857497d9064cffe0a54911c96b6138a17199058

SHA512
8d3523a12ee82123a17e73e507d42ae3248bd5c0aa697d5a379e61b965781bd83c0c97de41104b494b1f3b42127ab4b48ac9a071d5194a75c2af107016fc8c9c

Download Submit
C:\Windows\Temp\{253B9BF3-7901-4B19-A451-C8F4A8DCE76E}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
C:\Windows\Temp\{253B9BF3-7901-4B19-A451-C8F4A8DCE76E}\launcher_AllUsers

Filesize
540KB

MD5
9321731c44fb531cdceaefe14fd13489

SHA1
ddfd199d4cbef87439dab4add0ef4980fa272b77

SHA256
434f0b25b56b853c26bc04e365aa2eec3563a2d1e83a39b471c18a8cc2ddf5e3

SHA512
188712f7f6be4f2f6e381cebcec90e789a3207751bdf1e448ddbde4c77c0bf92a5c4f3556ed9d0dffe99964377aab54004e0176d8cfb7cf30afb526245a7ea61

Download Submit
C:\Windows\Temp\{253B9BF3-7901-4B19-A451-C8F4A8DCE76E}\pip_JustForMe

Filesize
268KB

MD5
79d86625b64b0fcfc62e65612f1d8f48

SHA1
8980df9ee6574cc2e9e2290d015a42023b8279ea

SHA256
0c79f5d2c62a344f0b7ea382d30912addff3fec3a6c8f905dbdc7de6e305d557

SHA512
2bcd9d3f8ac3139c946ca182b5697ab88926378e613140ec17d1e2c641fe6708acd3246376047a069282260aeae70fb22f0bee077e0799940ff9cc0fd31ba9ae

Download Submit
C:\Windows\Temp\{AC2B9BE7-4ED6-42ED-BCFD-43BB529B7446}\.cr\python-3.12.4-amd64.exe

Filesize
858KB

MD5
504fdaeaa19b2055ffc58d23f830e104

SHA1
7071c8189d1ecd09173111f9787888723040433f

SHA256
8f211f3b8af3a2e6fd4aff1ac27a1ad9cd9737524e016b2e3bfc689dfdad95fb

SHA512
01aa983cbddfe38e69f381e8f8e66988273ef453b095012f9c0eeae01d39e32deb0e6fb369363cbb5e387485be33a53ac3ec16d3de1f42bb2cde0cfa05ceb366

Download Submit