nanocore | 15455df49778d6e1154d788f37171e2e73abc52db4c0b78cde050ad054a23bf7

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

37.9MB
MD5

2879823979f8b16f80483eb80f38dcaa
SHA1

83846ac4df07519a2fab9952d43ee9be2fdb5794
SHA256

15455df49778d6e1154d788f37171e2e73abc52db4c0b78cde050ad054a23bf7
SHA512

3470ac73d739c805d52ed452bc463f92977d8b606fd4f83e0aab9546e01d55bac27e9faffb20d3f617b6f48476296588e354453d74a32459225c22d716a205b2
SSDEEP

786432:YRrD3/04fhQJc9LUwSwLzL60o48fyEodlWPy1WGTO7icRS7:YRrT04yJzwR60v8fyEoqPyjt

Score

10^/10

nanocore discovery evasion execution keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3636	powershell.exe
3340	powershell.exe
4880	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	app.exe

Executes dropped EXE 4 IoCs

pid	Process
4484	app.exe
3296	App2.exe
1536	python-installer.exe
4596	python-installer.exe

Loads dropped DLL 2 IoCs

pid	Process
4484	app.exe
4596	python-installer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Service = "C:\\Program Files (x86)\\DHCP Service\\dhcpsvc.exe"	App2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\app = "C:\\ProgramData\\Update.vbs"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\\python-3.12.6-amd64.exe\" /burn.runonce"	python-installer.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
32	60	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	App2.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
4428	cmd.exe
3500	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\Pe6fVRYjqu.txt	app.exe
File opened for modification	C:\Windows\System32\Pe6fVRYjqu.txt	app.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2436	tasklist.exe
2100	tasklist.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DHCP Service\dhcpsvc.exe	App2.exe
File opened for modification	C:\Program Files (x86)\DHCP Service\dhcpsvc.exe	App2.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSICD33.tmp	msiexec.exe
File created	C:\Windows\Installer\e57ca59.msi	msiexec.exe
File created	C:\Windows\Installer\e57ca55.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57ca55.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{901B913C-FA63-48D2-9842-7D7676739378}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Installer	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Installer\Dependencies	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Installer\Dependencies\CPython-3.12\DisplayName = "Python 3.12.6 (64-bit)"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Version = "3.12.6150.0"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Installer\Dependencies\CPython-3.12	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Installer\Dependencies\CPython-3.12\ = "{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Installer\Dependencies\CPython-3.12\Version = "3.12.6150.0"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\ = "{901B913C-FA63-48D2-9842-7D7676739378}"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\DisplayName = "Python 3.12.6 Core Interpreter (64-bit)"	python-installer.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3296	App2.exe
3296	App2.exe
3296	App2.exe
3636	powershell.exe
3636	powershell.exe
1328	powershell.exe
1328	powershell.exe
1736	powershell.exe
1736	powershell.exe
3340	powershell.exe
3340	powershell.exe
3340	powershell.exe
4880	powershell.exe
4880	powershell.exe
3296	App2.exe
3296	App2.exe
3296	App2.exe
60	msiexec.exe
60	msiexec.exe
3296	App2.exe
3296	App2.exe
3296	App2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3296	App2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3296	App2.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeIncreaseQuotaPrivilege	3264	WMIC.exe
Token: SeSecurityPrivilege	3264	WMIC.exe
Token: SeTakeOwnershipPrivilege	3264	WMIC.exe
Token: SeLoadDriverPrivilege	3264	WMIC.exe
Token: SeSystemProfilePrivilege	3264	WMIC.exe
Token: SeSystemtimePrivilege	3264	WMIC.exe
Token: SeProfSingleProcessPrivilege	3264	WMIC.exe
Token: SeIncBasePriorityPrivilege	3264	WMIC.exe
Token: SeCreatePagefilePrivilege	3264	WMIC.exe
Token: SeBackupPrivilege	3264	WMIC.exe
Token: SeRestorePrivilege	3264	WMIC.exe
Token: SeShutdownPrivilege	3264	WMIC.exe
Token: SeDebugPrivilege	3264	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3264	WMIC.exe
Token: SeRemoteShutdownPrivilege	3264	WMIC.exe
Token: SeUndockPrivilege	3264	WMIC.exe
Token: SeManageVolumePrivilege	3264	WMIC.exe
Token: 33	3264	WMIC.exe
Token: 34	3264	WMIC.exe
Token: 35	3264	WMIC.exe
Token: 36	3264	WMIC.exe
Token: SeDebugPrivilege	2436	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3264	WMIC.exe
Token: SeSecurityPrivilege	3264	WMIC.exe
Token: SeTakeOwnershipPrivilege	3264	WMIC.exe
Token: SeLoadDriverPrivilege	3264	WMIC.exe
Token: SeSystemProfilePrivilege	3264	WMIC.exe
Token: SeSystemtimePrivilege	3264	WMIC.exe
Token: SeProfSingleProcessPrivilege	3264	WMIC.exe
Token: SeIncBasePriorityPrivilege	3264	WMIC.exe
Token: SeCreatePagefilePrivilege	3264	WMIC.exe
Token: SeBackupPrivilege	3264	WMIC.exe
Token: SeRestorePrivilege	3264	WMIC.exe
Token: SeShutdownPrivilege	3264	WMIC.exe
Token: SeDebugPrivilege	3264	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3264	WMIC.exe
Token: SeRemoteShutdownPrivilege	3264	WMIC.exe
Token: SeUndockPrivilege	3264	WMIC.exe
Token: SeManageVolumePrivilege	3264	WMIC.exe
Token: 33	3264	WMIC.exe
Token: 34	3264	WMIC.exe
Token: 35	3264	WMIC.exe
Token: 36	3264	WMIC.exe
Token: SeDebugPrivilege	2100	tasklist.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeIncreaseQuotaPrivilege	3256	WMIC.exe
Token: SeSecurityPrivilege	3256	WMIC.exe
Token: SeTakeOwnershipPrivilege	3256	WMIC.exe
Token: SeLoadDriverPrivilege	3256	WMIC.exe
Token: SeSystemProfilePrivilege	3256	WMIC.exe
Token: SeSystemtimePrivilege	3256	WMIC.exe
Token: SeProfSingleProcessPrivilege	3256	WMIC.exe
Token: SeIncBasePriorityPrivilege	3256	WMIC.exe
Token: SeCreatePagefilePrivilege	3256	WMIC.exe
Token: SeBackupPrivilege	3256	WMIC.exe
Token: SeRestorePrivilege	3256	WMIC.exe
Token: SeShutdownPrivilege	3256	WMIC.exe
Token: SeDebugPrivilege	3256	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3256	WMIC.exe
Token: SeRemoteShutdownPrivilege	3256	WMIC.exe
Token: SeUndockPrivilege	3256	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 4484	4700	Launcher.exe	86
PID 4700 wrote to memory of 4484	4700	Launcher.exe	86
PID 4700 wrote to memory of 3296	4700	Launcher.exe	88
PID 4700 wrote to memory of 3296	4700	Launcher.exe	88
PID 4700 wrote to memory of 3296	4700	Launcher.exe	88
PID 4484 wrote to memory of 1700	4484	app.exe	89
PID 4484 wrote to memory of 1700	4484	app.exe	89
PID 1700 wrote to memory of 3636	1700	cmd.exe	90
PID 1700 wrote to memory of 3636	1700	cmd.exe	90
PID 3636 wrote to memory of 3544	3636	powershell.exe	94
PID 3636 wrote to memory of 3544	3636	powershell.exe	94
PID 3544 wrote to memory of 2776	3544	csc.exe	96
PID 3544 wrote to memory of 2776	3544	csc.exe	96
PID 4484 wrote to memory of 1492	4484	app.exe	97
PID 4484 wrote to memory of 1492	4484	app.exe	97
PID 4484 wrote to memory of 1820	4484	app.exe	98
PID 4484 wrote to memory of 1820	4484	app.exe	98
PID 1492 wrote to memory of 3264	1492	cmd.exe	99
PID 1492 wrote to memory of 3264	1492	cmd.exe	99
PID 1820 wrote to memory of 2436	1820	cmd.exe	100
PID 1820 wrote to memory of 2436	1820	cmd.exe	100
PID 4484 wrote to memory of 4472	4484	app.exe	101
PID 4484 wrote to memory of 4472	4484	app.exe	101
PID 4484 wrote to memory of 4428	4484	app.exe	102
PID 4484 wrote to memory of 4428	4484	app.exe	102
PID 4472 wrote to memory of 2100	4472	cmd.exe	103
PID 4472 wrote to memory of 2100	4472	cmd.exe	103
PID 4428 wrote to memory of 1328	4428	cmd.exe	104
PID 4428 wrote to memory of 1328	4428	cmd.exe	104
PID 4484 wrote to memory of 3500	4484	app.exe	105
PID 4484 wrote to memory of 3500	4484	app.exe	105
PID 3500 wrote to memory of 1736	3500	cmd.exe	106
PID 3500 wrote to memory of 1736	3500	cmd.exe	106
PID 4484 wrote to memory of 4496	4484	app.exe	107
PID 4484 wrote to memory of 4496	4484	app.exe	107
PID 4496 wrote to memory of 3208	4496	cmd.exe	108
PID 4496 wrote to memory of 3208	4496	cmd.exe	108
PID 4484 wrote to memory of 2408	4484	app.exe	109
PID 4484 wrote to memory of 2408	4484	app.exe	109
PID 4484 wrote to memory of 4700	4484	app.exe	110
PID 4484 wrote to memory of 4700	4484	app.exe	110
PID 4484 wrote to memory of 3240	4484	app.exe	111
PID 4484 wrote to memory of 3240	4484	app.exe	111
PID 2408 wrote to memory of 3256	2408	cmd.exe	112
PID 2408 wrote to memory of 3256	2408	cmd.exe	112
PID 4700 wrote to memory of 532	4700	cmd.exe	113
PID 4700 wrote to memory of 532	4700	cmd.exe	113
PID 3240 wrote to memory of 3340	3240	cmd.exe	114
PID 3240 wrote to memory of 3340	3240	cmd.exe	114
PID 4484 wrote to memory of 3508	4484	app.exe	115
PID 4484 wrote to memory of 3508	4484	app.exe	115
PID 3508 wrote to memory of 4880	3508	cmd.exe	116
PID 3508 wrote to memory of 4880	3508	cmd.exe	116
PID 4484 wrote to memory of 680	4484	app.exe	117
PID 4484 wrote to memory of 680	4484	app.exe	117
PID 4484 wrote to memory of 1880	4484	app.exe	118
PID 4484 wrote to memory of 1880	4484	app.exe	118
PID 4484 wrote to memory of 2936	4484	app.exe	119
PID 4484 wrote to memory of 2936	4484	app.exe	119
PID 680 wrote to memory of 4352	680	cmd.exe	120
PID 680 wrote to memory of 4352	680	cmd.exe	120
PID 1880 wrote to memory of 3248	1880	cmd.exe	121
PID 1880 wrote to memory of 3248	1880	cmd.exe	121
PID 4484 wrote to memory of 1800	4484	app.exe	122

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4700
- C:\ProgramData\app.exe
  "C:\ProgramData\app.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\VroGe5dLzq.ps1""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\VroGe5dLzq.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3636
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1blc0baq\1blc0baq.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3544
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F9B.tmp" "c:\Users\Admin\AppData\Local\Temp\1blc0baq\CSC8228A99EBF4F4C489A584C6DF9A37A6B.TMP"
        6⤵
        
        PID:2776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,66,231,219,169,103,49,218,64,139,104,254,14,213,176,162,70,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,17,141,105,189,67,247,135,201,50,215,222,151,58,60,188,117,112,189,73,14,224,136,252,255,91,72,126,12,20,230,186,214,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,166,35,110,243,4,32,177,93,172,126,42,88,249,114,204,15,178,221,185,61,208,253,193,65,11,222,226,209,21,39,199,30,48,0,0,0,135,241,178,70,215,91,74,56,225,68,152,157,101,187,249,233,166,74,11,96,74,125,173,165,125,149,102,16,212,152,13,166,219,146,57,228,213,205,69,193,186,196,237,80,165,1,39,217,64,0,0,0,17,135,211,41,8,145,116,13,8,203,74,186,215,58,69,136,73,33,141,170,41,51,37,144,153,69,144,47,102,17,162,132,165,71,209,175,119,168,69,223,135,151,111,247,16,20,164,104,152,238,121,27,153,107,111,232,204,217,86,23,9,100,18,87), $null, 'CurrentUser')"
    3⤵
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,66,231,219,169,103,49,218,64,139,104,254,14,213,176,162,70,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,17,141,105,189,67,247,135,201,50,215,222,151,58,60,188,117,112,189,73,14,224,136,252,255,91,72,126,12,20,230,186,214,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,166,35,110,243,4,32,177,93,172,126,42,88,249,114,204,15,178,221,185,61,208,253,193,65,11,222,226,209,21,39,199,30,48,0,0,0,135,241,178,70,215,91,74,56,225,68,152,157,101,187,249,233,166,74,11,96,74,125,173,165,125,149,102,16,212,152,13,166,219,146,57,228,213,205,69,193,186,196,237,80,165,1,39,217,64,0,0,0,17,135,211,41,8,145,116,13,8,203,74,186,215,58,69,136,73,33,141,170,41,51,37,144,153,69,144,47,102,17,162,132,165,71,209,175,119,168,69,223,135,151,111,247,16,20,164,104,152,238,121,27,153,107,111,232,204,217,86,23,9,100,18,87), $null, 'CurrentUser')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,66,231,219,169,103,49,218,64,139,104,254,14,213,176,162,70,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,121,97,89,186,171,248,236,84,232,172,167,162,81,214,253,154,246,60,149,90,245,172,109,251,50,225,168,201,76,62,1,2,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,206,227,42,89,126,123,6,131,243,140,227,112,37,110,98,91,81,99,209,142,48,15,129,141,201,10,197,237,123,215,103,153,48,0,0,0,223,224,111,223,202,12,192,81,76,13,179,71,177,47,131,240,41,63,38,163,157,51,26,92,46,241,227,192,93,58,1,218,181,4,159,2,2,219,107,225,240,244,63,182,203,211,107,31,64,0,0,0,104,38,225,6,153,57,144,131,219,157,18,235,185,120,44,74,93,8,172,122,200,69,40,60,183,250,254,130,7,41,154,37,182,191,37,24,37,216,115,142,34,35,213,123,219,214,21,206,57,107,249,238,91,118,21,164,186,161,208,103,20,125,139,116), $null, 'CurrentUser')"
    3⤵
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    - Suspicious use of WriteProcessMemory
    PID:3500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,66,231,219,169,103,49,218,64,139,104,254,14,213,176,162,70,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,121,97,89,186,171,248,236,84,232,172,167,162,81,214,253,154,246,60,149,90,245,172,109,251,50,225,168,201,76,62,1,2,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,206,227,42,89,126,123,6,131,243,140,227,112,37,110,98,91,81,99,209,142,48,15,129,141,201,10,197,237,123,215,103,153,48,0,0,0,223,224,111,223,202,12,192,81,76,13,179,71,177,47,131,240,41,63,38,163,157,51,26,92,46,241,227,192,93,58,1,218,181,4,159,2,2,219,107,225,240,244,63,182,203,211,107,31,64,0,0,0,104,38,225,6,153,57,144,131,219,157,18,235,185,120,44,74,93,8,172,122,200,69,40,60,183,250,254,130,7,41,154,37,182,191,37,24,37,216,115,142,34,35,213,123,219,214,21,206,57,107,249,238,91,118,21,164,186,161,208,103,20,125,139,116), $null, 'CurrentUser')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      PID:3208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v app /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4700
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v app /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
      4⤵
      Adds Run key to start application
      PID:532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.ZfKLWaNDKC""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3240
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.ZfKLWaNDKC"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:680
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic baseboard get serialnumber
      4⤵
      PID:4352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic baseboard get serialnumber
      4⤵
      PID:3248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
    3⤵
    PID:2936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
    3⤵
    PID:1800
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_computersystemproduct get uuid
      4⤵
      PID:4308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
    3⤵
    PID:5116
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic PATH Win32_VideoController GET Description,PNPDeviceID
      4⤵
      PID:4332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
    3⤵
    PID:1780
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic memorychip get serialnumber
      4⤵
      PID:2280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
    3⤵
    PID:1472
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
    3⤵
    PID:4068
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get processorid
      4⤵
      PID:4680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
    3⤵
    PID:344
  - - C:\Windows\system32\getmac.exe
      getmac /NH
      4⤵
      PID:4772
- - C:\Users\Admin\AppData\Local\Temp\python-installer.exe
    C:\Users\Admin\AppData\Local\Temp\python-installer.exe /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1536
  - - C:\Windows\Temp\{AFFB677F-CB6D-44AE-90E4-7B78D1BA846F}\.cr\python-installer.exe
      "C:\Windows\Temp\{AFFB677F-CB6D-44AE-90E4-7B78D1BA846F}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-installer.exe" -burn.filehandle.attached=528 -burn.filehandle.self=536 /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:4596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "pip install pyperclip"
    3⤵
    PID:4772
- C:\ProgramData\App2.exe
  "C:\ProgramData\App2.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:3296

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57ca58.rbs

Filesize
8KB

MD5
00bfc6ad8d2ef81ae0eb737eebd65d30

SHA1
8a0c17a31d8e0a3be242f5ba41395520983222f1

SHA256
1c67539e754c4934a6cc05fbe08455c3b5de3c14898fd719be655dd9247680e2

SHA512
47dffaf43172ddbd66121fd646d0a5d652b526b1682d681172aea5bb850a3777ab1fec59a9e1938b5159f8b267e3cf2a8e30ce87e84d03feb894176e3e6e634f

Download Submit
C:\ProgramData\App2.exe

Filesize
202KB

MD5
73f5733f76ac052b15335c1cd985f73f

SHA1
8c4be16301b9da6caa774f800104adf5731b55a4

SHA256
9cf5e2e0f424e7d3b206b17c262a538b29776c34b3fe11fa38222ce8cf7eaff3

SHA512
7acda28d83caf6f27535c0e5e465b6219ba178ad673b0e4af517894c537dd50b7f16d3e83b3ddb7c8c268835eb9fd962902b38e51083a35d0c778aa1600349f5

Download Submit
C:\ProgramData\Steam\Launcher\W8dDKxPDz9tz\EN-Utkbeblo\debug.log

Filesize
1KB

MD5
04e94bee9e2993e3769ce74696ffbc06

SHA1
a213521072512cf0c10ca337d0babc64ca4924a8

SHA256
2dafe84ffc50ee5d75a9de606b2caa8091e3d3daf4ddb02df6e83152e0e4350b

SHA512
377630c3229f263389f54174eeeef41243145fab7fc724f1312c6109d9fa96d6a9e586d4fe90d8df8b64437561a068f19c26c3d1eea759b73445d799e31334a7

Download Submit
C:\ProgramData\app.exe

Filesize
37.7MB

MD5
2b4e3d8483a38b3edb8c5fb6c4ae2377

SHA1
97b61d68ecb640b9c80417b6c5ee3940c1d4807f

SHA256
0bb4106d06534f26e4b1b74627129c7b614339cc9b0eb948200ae739f38321cb

SHA512
737deffa13732a97baa95809b3aa226580c21ad7ceb17ed245244ff7cda0db0e1f0a01a5a9966ea9867b3ef4c6c234b3be76bc90f5bb78c454dc458ced158ba0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
16dde93bc505b360e966bc7b7bec4c9b

SHA1
c00fe22729f1e3e9783e988e0b9a0b2b36736c84

SHA256
e600d6d688ba7d9ff9d21d14e59fa57e3dc732b41f89fa0f99eb4788fd2b2397

SHA512
4ee75cb6d0f3c264bcf65627690d8ae7fc8297109e948d7f0a682e129bca1378a33e2dfde37b539462accb52d966cc6ac6814295f0ff50bf5c45abd08635ec11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
46d6c89b6a449ce91c1a3691c516e10e

SHA1
dedf2c05d83a8fc311e39fa86af575866f9f7ece

SHA256
f6841440d2949cf97fb621923a2f931fca567382856cb60fa4c8ce3f9b81e55f

SHA512
bd222cc430c28abe832787973ed2a7a07d58d92f34eed1ebfe69fc4cd8ed59443ed93799979fd39d1b76ef6ff247f3ceb12b3c537de09ffba72ebec748f3e1cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
635d1f086c7bd55f3b7199200361729c

SHA1
0e3f3a670c9f3a05de55d772f3bb46aad82af21b

SHA256
61a8093333254f2a2566cbe99ae4c60e8faff85a095c4148111a473ef1003a4b

SHA512
56dd70bb8b10229ca726d97e81f01ed4c2d9b42a986bb25ecfca4071f8e0fed79e350236a506ce8516f1220fdf1da15017fff7eed6c9f49b9740a1108307c3ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
defda2a708a7ec57b4bf7976258b1720

SHA1
973bda621e45a43495256f8ae60a634e9cf92737

SHA256
6057fe297ac4182c2358f3205a12f9bd8eaaf54e2885944ae66ca8b891f4c6f6

SHA512
8cb692840c36ee4b8626a245f44689c5fc2a41afc53045e1ff60ebb0d6d804264c7d310dd274e2bde25407dc316e38a26d294d556efac4afbc50960d0b5b6134

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\lib_JustForMe

Filesize
7.1MB

MD5
f6ddadd0d817ce569e202e57863ae919

SHA1
3a2f6d81c895f573464d378ab3bcfb6d8a48eaf2

SHA256
63032d6386c94e83a3b7b7b9eefc23493f976bd435a10668aa263d1ca1cb22e1

SHA512
7d970e62e3b513b2fa98e8a83ce3080fc6652bba2b70a5127a46ca5c2b0dee8790e48fffef56d15bec2706a997ade5a3c05ff5df4c6be2b3632b6bf7aa6e9ef2

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\tcltk_JustForMe

Filesize
3.4MB

MD5
fd7e13f2c36fe528afc7a05892b34695

SHA1
14a9c4dfd12e1f9b1e64e110166500be1ef0abb1

SHA256
2a24729e58bce7c2abde7225dc2de32539b4c4ef3609b53b54f643955d01c4b0

SHA512
7b7060672f680c418f7ebbddf2ba693539b1284566ab756c8061b61a582d13537aa215dad03db5c803eeba2f6fcc7fad7ed2857931ea205048abd905afef1d4f

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{901B913C-FA63-48D2-9842-7D7676739378}v3.12.6150.0\core.msi

Filesize
1.9MB

MD5
d4c1f834f30032f220409a17e0f688cd

SHA1
61dc90b164c3797456a8ed775b353a087054fd0f

SHA256
675c023e78eaed980638a969feaaa07c52a5a604d89e81434e6c462f17eebc12

SHA512
b7e97a5fab185b5d9150e07e1707aca21285ae62d4a25997040349eab78a2ad2f9a555980bb221a3a91120651c04a5df0909387e8931e76094de41f7697b124f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1blc0baq\1blc0baq.dll

Filesize
3KB

MD5
c32e2261d9a3a9af7c1c8c3a1089859c

SHA1
b36f6f5d63b86c56c0553ad3ff2cc2094c43b17a

SHA256
827188ea16c53c9a9db1e565c374532acb1299e52b95f3ed6c56521bff1a6f6b

SHA512
99eabe62f9a20ab3db265abbe26492a53b264cc0e170a68c917c4f421fc98730df918e67b63cf60b1bdf512cbd880b415a34a82126aab50705c416986819dec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20241107212440_000_core_JustForMe.log

Filesize
3KB

MD5
22d296ecc34e125334fe01209a449d77

SHA1
c843d903039c2846592019dde955c0a608178310

SHA256
848da99520b472573ba7acdd7af117b261922934836bbd9cb8f636326ae0ac38

SHA512
816ee976dca9b760da1580608a3b3ca69c8fcc7bf81ab280f22291e462e06ab19702d3216c27dc2dcd9a527f70a46b352f7935e0728a2e8dd7e136e37b1d3567

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9F9B.tmp

Filesize
1KB

MD5
3282a7b28c37e04a4ac933a80fb5e844

SHA1
88df2fbcd7499d2e2172ad4652d64cfb2f4dd7cd

SHA256
974fdb62ece710186067476b7629e3550d6059f8c3e03ebd5741c5719107d80a

SHA512
942c3939e7b9a28929bb03e6378480f59dcf7903247253bac0cf6aac894f2216556bad88452829ad3d0e1fb4bb6370e257f33c9cc81e997c5f5ea824bcbbaab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\VroGe5dLzq.ps1

Filesize
380B

MD5
cbb9a56c9c8d7c3494b508934ace0b98

SHA1
e76539db673cc1751864166494d4d3d1761cb117

SHA256
027703af742d779f4dcde399ac49a3334f1b9e51b199215203e1f4b5e3251fe5

SHA512
f71e0a521c2b0aa034e0a2c9f0efd7d813d8408d118979f8e05ecd3aa6fb94c67793e2302ed9455aad9a63d43a53fa1ac2b3d45f7bdfa1cc8104c9a9ace84129

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_svtohacq.jfh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\python-installer.exe

Filesize
25.3MB

MD5
d8548aa7609a762ba66f62eeb2ca862d

SHA1
2eb85b73cab52693d3a27446b7de1c300cc05655

SHA256
5914748e6580e70bedeb7c537a0832b3071de9e09a2e4e7e3d28060616045e0a

SHA512
37fa7250b10b0c03b87d800bf4f920589649309cb4fbd25864475084bb7873d62b809a4fdeabd06c79f03f33614218eb7e01a9bd796de29dd3b141f1906d588c

Download Submit
C:\Windows\Temp\{5F28C1CA-E04C-4068-97A3-8A92AF351512}\.ba\PythonBA.dll

Filesize
675KB

MD5
8c8e5a5ca0483abdc6ad6ef22c73b5d2

SHA1
9b7345ab1b60bb3fb37c9dc7f331155b4441e4dc

SHA256
edc6db3712eb4e1cd6988bc7b42c467ac6901148f3ee4bdfb286eff26efbfd43

SHA512
861ad726872b58e5b8b7c580b485e7bde0be6c1963ac23db63d4105684d1e50e8f409cd329f183d252a52e2be2737efaf9e4413eff29deee75b87850664b3157

Download Submit
C:\Windows\Temp\{5F28C1CA-E04C-4068-97A3-8A92AF351512}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
C:\Windows\Temp\{5F28C1CA-E04C-4068-97A3-8A92AF351512}\pip_JustForMe

Filesize
268KB

MD5
494f112096b61cb01810df0e419fb93c

SHA1
295c32c8e1654810c4807e42ba2438c8da39756a

SHA256
2a1f085a0ad75d5b332fb0fe9e1a40146c311e8e524e898a09ca40157619fa80

SHA512
9c8ec8fcc5d74b5022cd170677b62dfedbc187fde1dd296bdb9733bec03e18674a385928c8827a4ce1864433d50e8598228a6d2198aef2937c0dcc0d8f4ea704

Download Submit
C:\Windows\Temp\{AFFB677F-CB6D-44AE-90E4-7B78D1BA846F}\.cr\python-installer.exe

Filesize
858KB

MD5
931227a65a32cebf1c10a99655ad7bbd

SHA1
1b874fdef892a2af2501e1aaea3fcafb4b4b00c6

SHA256
1dcf770dc47264f7495a559f786a4428f3a97f9d81e4c466ec9a5636f5a1be6d

SHA512
0212b5adc6ee8893edf4b94272fdffe145f53fe31357a3e024543f434cdc022a915d76780c1103aa9948feca5f161cfae608f91f3c7a876569e91c05d690d507

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1blc0baq\1blc0baq.0.cs

Filesize
312B

MD5
ecbf151f81ff98f7dff196304a40239e

SHA1
ccf6b97b6f8276656b042d64f0595963fe9ec79c

SHA256
295ca195631c485c876e7c468ddcbb3fe7cd219d3e5005a2441be2de54e62ac8

SHA512
4526a59055a18af6c0c13fb9f55a9a9bc15aa1407b697849e19b6cc32c88ee7206b3efff806bd154d36bce144ae1d9c407c6ea0f5077c54fbe92cd172c203720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1blc0baq\1blc0baq.cmdline

Filesize
369B

MD5
3a45ee2d4b5145e4f12d11b59d2d3bfd

SHA1
f45643cff612265c6b31691ff80d9e103d8a46ce

SHA256
b1779bdc917ed8eda5b308b0c0149111e5e986396d4075abba9e4496e1b41062

SHA512
1c702f68351808511732173accdfc8c8275c3d71e1e0c7ab6aaf4c36c370c06e75c1908ad077b037f72d02e0fc7c9c6d9a26ea16ff4bca80d561a5923d866e7c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1blc0baq\CSC8228A99EBF4F4C489A584C6DF9A37A6B.TMP

Filesize
652B

MD5
318d96875de93be1331348d4830ee6f3

SHA1
663c58e26220d14e1121321248e51771d27f75c0

SHA256
9adeb7feb85d2f4f6ee92038c4e7868aed1e0ec6715903ecc4a21c2ff5f2812e

SHA512
67c1992f575034cd7b4761f893e637f2393ec1ca719314e523a0023708a30b96f580f83085e29ac08cea75fab81f054658b8e8404c7cbeb959f22c29b448507b

Download Submit
memory/1328-139-0x0000015665A80000-0x0000015665AD0000-memory.dmp

Filesize
320KB

Download
memory/3296-228-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/3296-231-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/3296-227-0x0000000074872000-0x0000000074873000-memory.dmp

Filesize
4KB

Download
memory/3296-23-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/3296-25-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/3296-21-0x0000000074872000-0x0000000074873000-memory.dmp

Filesize
4KB

Download
memory/3636-123-0x000001FF77E00000-0x000001FF77E08000-memory.dmp

Filesize
32KB

Download
memory/3636-109-0x000001FF7A2F0000-0x000001FF7A312000-memory.dmp

Filesize
136KB

Download
memory/4700-0-0x00007FFD417E3000-0x00007FFD417E5000-memory.dmp

Filesize
8KB

Download
memory/4700-1-0x0000000000E00000-0x00000000033F6000-memory.dmp

Filesize
38.0MB

Download