c62bf66fbefa93ed91e76e92d0ac1f46a1307260f07dbc4f8da2dc1d9d9ed1e0

Analysis

max time kernel
423s
max time network
427s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2024 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rel/data/install-python.bat
Size

4KB
MD5

05525205f01645c56a9429dac23e9901
SHA1

b5e490ed908b263b9a89ef7305b4e20585f6aaa0
SHA256

c3a0c979f4f3f3c2dca28ff6cd584c3a0af7c6e3026864b7013f76bcff084b99
SHA512

4e66775e5caadd914d744330f5ea1ca65a7638b0e12f37bb8bbcf5410aa51c338edd9d8b13b2521e066b73075a896850abd2709b23e31d53f0051701fd1f45e2
SSDEEP

96:Wy0OhxKWYpV8TCKzCpzTqd2L0VhZEjAoN2bj:Zf1K7L0aZc

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2980	python.exe
4112	python.exe

Loads dropped DLL 3 IoCs

pid	Process
1124	MsiExec.exe
2980	python.exe
4112	python.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
37	1888	msiexec.exe
39	1888	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
61	bitbucket.org
63	bitbucket.org

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\python27.dll	msiexec.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDB2E.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241229165336337.0\msvcr90.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241229165336400.0\9.0.21022.8.cat	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241229165336337.0\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375.manifest	msiexec.exe
File opened for modification	C:\Windows\Installer\{C3CC4DF5-39A5-4027-B136-2B3E1F5AB6E2}\python_icon.exe	msiexec.exe
File created	C:\Windows\Installer\e57d620.msi	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20241229165336400.0	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d61c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID968.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241229165336337.0\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241229165336400.0\9.0.21022.8.policy	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20241229165336337.0	msiexec.exe
File created	C:\Windows\Installer\e57d61c.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C3CC4DF5-39A5-4027-B136-2B3E1F5AB6E2}	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241229165336337.0\msvcm90.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241229165336337.0\msvcp90.dll	msiexec.exe
File created	C:\Windows\Installer\{C3CC4DF5-39A5-4027-B136-2B3E1F5AB6E2}\python_icon.exe	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f914d34881601a250000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f914d3480000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f914d348000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df914d348000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f914d34800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5FD4CC3C5A9372041B63B2E3F1A56B2E\SourceList\Media\3112 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5FD4CC3C5A9372041B63B2E3F1A56B2E\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\rel\\data\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.py\ = "Python.File"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\shell\Edit with IDLE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\shell\Edit with IDLE\command\ = "\"C:\\Python27\\pythonw.exe\" \"C:\\Python27\\Lib\\idlelib\\idle.pyw\" -e \"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Python.NoConFile\DefaultIcon	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5FD4CC3C5A9372041B63B2E3F1A56B2E	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5FD4CC3C5A9372041B63B2E3F1A56B2E\Documentation = "DefaultFeature"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pyc	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\shell\open\command\ = "\"C:\\Python27\\python.exe\" \"%1\" %*"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.CompiledFile\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.CompiledFile\shell\open\command	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5FD4CC3C5A9372041B63B2E3F1A56B2E\Version = "34019334"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pyw\Content Type = "text/plain"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pyo	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.CompiledFile	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.CompiledFile\ = "Compiled Python File"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\shellex\DropHandler	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5FD4CC3C5A9372041B63B2E3F1A56B2E\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConFile\shell\open\command\ = "\"C:\\Python27\\pythonw.exe\" \"%1\" %*"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Python.CompiledFile	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConFile\shellex	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.CRT,version="9.0.21022.8",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 510072007d00770067006f0059005a005d0038007a00560048007d003700370025005500720071005300680061007200650064004300520054003e00690063003f00670029004f0026005200530034002500710035005d0056004c00510072005b00530000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5FD4CC3C5A9372041B63B2E3F1A56B2E\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Python.File\shell\Edit with IDLE\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConFile\shell\Edit with IDLE\command\ = "\"C:\\Python27\\pythonw.exe\" \"C:\\Python27\\Lib\\idlelib\\idle.pyw\" -e \"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Python.File	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5FD4CC3C5A9372041B63B2E3F1A56B2E\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5FD4CC3C5A9372041B63B2E3F1A56B2E\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5FD4CC3C5A9372041B63B2E3F1A56B2E\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConFile\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConFile\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\shellex	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.CompiledFile\shellex\DropHandler\ = "{60254CA5-953B-11CF-8C96-00AA00B8708C}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5FD4CC3C5A9372041B63B2E3F1A56B2E\SourceList\PackageName = "python-2.7.6.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pyw\ = "Python.NoConFile"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\shellex\DropHandler\ = "{60254CA5-953B-11CF-8C96-00AA00B8708C}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5FD4CC3C5A9372041B63B2E3F1A56B2E\SourceList\Media\3099 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pyo\ = "Python.CompiledFile"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Python.NoConFile\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\shell\Edit with IDLE\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5FD4CC3C5A9372041B63B2E3F1A56B2E\Tools = "DefaultFeature"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\84ED6E56853AD434AAF4A47FD24B17F8\5FD4CC3C5A9372041B63B2E3F1A56B2E	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5FD4CC3C5A9372041B63B2E3F1A56B2E\SharedCRT	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5FD4CC3C5A9372041B63B2E3F1A56B2E\Testsuite = "DefaultFeature"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Python.File\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConFile\shell\Edit with IDLE	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Python.File\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConFile\DefaultIcon\ = "C:\\Python27\\DLLs\\py.ico"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConFile\shellex\DropHandler	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5FD4CC3C5A9372041B63B2E3F1A56B2E\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5FD4CC3C5A9372041B63B2E3F1A56B2E\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rel\\data\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.py	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.CompiledFile\shell\open\command\ = "\"C:\\Python27\\python.exe\" \"%1\" %*"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\DefaultIcon\ = "C:\\Python27\\DLLs\\py.ico"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Python.File\shellex\DropHandler	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.CRT,version="9.0.21022.8",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 510072007d00770067006f0059005a005d0038007a00560048007d003700370025005500720071005300680061007200650064004300520054003e004600420042006f0063004b005700470031003800280071002d004e003d007500590077007100370000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5FD4CC3C5A9372041B63B2E3F1A56B2E	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.CompiledFile\DefaultIcon\ = "C:\\Python27\\DLLs\\pyc.ico"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.CompiledFile\shellex\DropHandler	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5FD4CC3C5A9372041B63B2E3F1A56B2E\Extensions = "DefaultFeature"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1888	msiexec.exe
1888	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3984	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3984	msiexec.exe
Token: SeSecurityPrivilege	1888	msiexec.exe
Token: SeCreateTokenPrivilege	3984	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3984	msiexec.exe
Token: SeLockMemoryPrivilege	3984	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3984	msiexec.exe
Token: SeMachineAccountPrivilege	3984	msiexec.exe
Token: SeTcbPrivilege	3984	msiexec.exe
Token: SeSecurityPrivilege	3984	msiexec.exe
Token: SeTakeOwnershipPrivilege	3984	msiexec.exe
Token: SeLoadDriverPrivilege	3984	msiexec.exe
Token: SeSystemProfilePrivilege	3984	msiexec.exe
Token: SeSystemtimePrivilege	3984	msiexec.exe
Token: SeProfSingleProcessPrivilege	3984	msiexec.exe
Token: SeIncBasePriorityPrivilege	3984	msiexec.exe
Token: SeCreatePagefilePrivilege	3984	msiexec.exe
Token: SeCreatePermanentPrivilege	3984	msiexec.exe
Token: SeBackupPrivilege	3984	msiexec.exe
Token: SeRestorePrivilege	3984	msiexec.exe
Token: SeShutdownPrivilege	3984	msiexec.exe
Token: SeDebugPrivilege	3984	msiexec.exe
Token: SeAuditPrivilege	3984	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3984	msiexec.exe
Token: SeChangeNotifyPrivilege	3984	msiexec.exe
Token: SeRemoteShutdownPrivilege	3984	msiexec.exe
Token: SeUndockPrivilege	3984	msiexec.exe
Token: SeSyncAgentPrivilege	3984	msiexec.exe
Token: SeEnableDelegationPrivilege	3984	msiexec.exe
Token: SeManageVolumePrivilege	3984	msiexec.exe
Token: SeImpersonatePrivilege	3984	msiexec.exe
Token: SeCreateGlobalPrivilege	3984	msiexec.exe
Token: SeBackupPrivilege	3064	vssvc.exe
Token: SeRestorePrivilege	3064	vssvc.exe
Token: SeAuditPrivilege	3064	vssvc.exe
Token: SeBackupPrivilege	1888	msiexec.exe
Token: SeRestorePrivilege	1888	msiexec.exe
Token: SeRestorePrivilege	1888	msiexec.exe
Token: SeTakeOwnershipPrivilege	1888	msiexec.exe
Token: SeRestorePrivilege	1888	msiexec.exe
Token: SeTakeOwnershipPrivilege	1888	msiexec.exe
Token: SeRestorePrivilege	1888	msiexec.exe
Token: SeTakeOwnershipPrivilege	1888	msiexec.exe
Token: SeRestorePrivilege	1888	msiexec.exe
Token: SeTakeOwnershipPrivilege	1888	msiexec.exe
Token: SeRestorePrivilege	1888	msiexec.exe
Token: SeTakeOwnershipPrivilege	1888	msiexec.exe
Token: SeRestorePrivilege	1888	msiexec.exe
Token: SeTakeOwnershipPrivilege	1888	msiexec.exe
Token: SeRestorePrivilege	1888	msiexec.exe
Token: SeTakeOwnershipPrivilege	1888	msiexec.exe
Token: SeRestorePrivilege	1888	msiexec.exe
Token: SeTakeOwnershipPrivilege	1888	msiexec.exe
Token: SeRestorePrivilege	1888	msiexec.exe
Token: SeTakeOwnershipPrivilege	1888	msiexec.exe
Token: SeRestorePrivilege	1888	msiexec.exe
Token: SeTakeOwnershipPrivilege	1888	msiexec.exe
Token: SeRestorePrivilege	1888	msiexec.exe
Token: SeTakeOwnershipPrivilege	1888	msiexec.exe
Token: SeRestorePrivilege	1888	msiexec.exe
Token: SeTakeOwnershipPrivilege	1888	msiexec.exe
Token: SeRestorePrivilege	1888	msiexec.exe
Token: SeTakeOwnershipPrivilege	1888	msiexec.exe
Token: SeRestorePrivilege	1888	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3984	msiexec.exe
3984	msiexec.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 3920	4124	cmd.exe	83
PID 4124 wrote to memory of 3920	4124	cmd.exe	83
PID 4124 wrote to memory of 3984	4124	cmd.exe	85
PID 4124 wrote to memory of 3984	4124	cmd.exe	85
PID 1888 wrote to memory of 2036	1888	msiexec.exe	104
PID 1888 wrote to memory of 2036	1888	msiexec.exe	104
PID 1888 wrote to memory of 1124	1888	msiexec.exe	109
PID 1888 wrote to memory of 1124	1888	msiexec.exe	109
PID 1888 wrote to memory of 1124	1888	msiexec.exe	109
PID 4124 wrote to memory of 1620	4124	cmd.exe	112
PID 4124 wrote to memory of 1620	4124	cmd.exe	112
PID 4124 wrote to memory of 1568	4124	cmd.exe	113
PID 4124 wrote to memory of 1568	4124	cmd.exe	113
PID 4124 wrote to memory of 744	4124	cmd.exe	114
PID 4124 wrote to memory of 744	4124	cmd.exe	114
PID 4124 wrote to memory of 4892	4124	cmd.exe	118
PID 4124 wrote to memory of 4892	4124	cmd.exe	118
PID 4124 wrote to memory of 2980	4124	cmd.exe	120
PID 4124 wrote to memory of 2980	4124	cmd.exe	120
PID 4124 wrote to memory of 2980	4124	cmd.exe	120
PID 4124 wrote to memory of 2668	4124	cmd.exe	121
PID 4124 wrote to memory of 2668	4124	cmd.exe	121
PID 4124 wrote to memory of 4112	4124	cmd.exe	123
PID 4124 wrote to memory of 4112	4124	cmd.exe	123
PID 4124 wrote to memory of 4112	4124	cmd.exe	123
PID 4124 wrote to memory of 1284	4124	cmd.exe	124
PID 4124 wrote to memory of 1284	4124	cmd.exe	124
PID 4124 wrote to memory of 3876	4124	cmd.exe	125
PID 4124 wrote to memory of 3876	4124	cmd.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rel\data\install-python.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Windows\system32\curl.exe
  curl -L -O http://python.org/ftp/python/2.7.6/python-2.7.6.msi
  2⤵
  PID:3920
- C:\Windows\system32\msiexec.exe
  msiexec.exe /qb /i python-2.7.6.msi ALLUSERS=1 ADDLOCAL=ALL
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3984
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /f /v PATH /t REG_EXPAND_SZ /d "C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\dotnet\;C:\Users\Admin\AppData\Local\Microsoft\WindowsApps;;c:\Python27;c:\Python27\Scripts"
  2⤵
  PID:1620
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Environment" /f /v LOCALAPPDATA /t REG_SZ /d "c:\Python27\AppData"
  2⤵
  PID:1568
- C:\Windows\system32\curl.exe
  curl -L -O "http://downloads.sourceforge.net/project/pywin32/pywin32/Build%20218/pywin32-218.win32-py2.7.exe"
  2⤵
  PID:744
- C:\Windows\system32\curl.exe
  curl -O https://bitbucket.org/pypa/setuptools/raw/bootstrap/ez_setup.py
  2⤵
  PID:4892
- \??\c:\Python27\python.exe
  python ez_setup.py
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2980
- C:\Windows\system32\curl.exe
  curl -O https://raw.github.com/pypa/pip/master/contrib/get-pip.py
  2⤵
  PID:2668
- \??\c:\Python27\python.exe
  python get-pip.py
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y"
  2⤵
  PID:1284
- C:\Windows\system32\cacls.exe
  cacls c:\Python27\Lib\site-packages\*.* /T /E /G BUILTIN\Users:R
  2⤵
  PID:3876

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2036
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 536D9D374BD929AD99CC47E8B2BBCAF1
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1124

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57d61f.rbs

Filesize
171KB

MD5
cf40da41423267bf3c172547312d5b03

SHA1
14fd327639a7e5f5cde0aacecde8121b13f57340

SHA256
16bb782255e5351914cc05d736a5aa1cc59521c9ecb1b12b409d9485d12b67d2

SHA512
c90f40c8cbf73845d5e720f3d7d8f730972eb6ca4c37649f60db2f710ad296472e1de45a3ba29615dff85e57fb4ec0acf7dc6a18e284bdb19c49f74b79b029a9

Download Submit
C:\Python27\python.exe

Filesize
26KB

MD5
a71a2319cf8c74a89501eb80acd04fe6

SHA1
f7f0e1816ffb734ab32c49b9808a38bb3f8cf6a0

SHA256
5496a7774966d99e23204834a4aeedf3e34f4c0dca6f5b72c25fc6dc5501007f

SHA512
7e8c5075a7b1e447002db1c85dc556657d240c033d06a8fe06c03ecfe05165736bccb10ace814933f70262222232d7680eddf4bfd78ea1cb07531ffa11dd63dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\rel\data\ez_setup.py

Filesize
14KB

MD5
a1db49b23bd855872ef2417c84cdcaf5

SHA1
b8929e65d2fc4d217998ea45c1a3c6c3a5e45167

SHA256
24f549fe4536048a7bebbe7cc5e42f98813db8c9ce68179eacaf8048663e505f

SHA512
8f2a80c637262f057f8a66f2c023796a4f902e49ea31ee903cdfe82ef9cd6f948178c538ba411d27b25ebbbb83b58791a93a8b672cd66dfbab3ab45e05ccd3f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rel\data\python-2.7.6.msi

Filesize
15.5MB

MD5
ac54e14f7ba180253b9bae6635d822ea

SHA1
c5d71f339f7edd70ecd54b50e97356191347d355

SHA256
cfa801a6596206ec7476e9bc2687fcd331c514b3dd92ffc3cd7d63e749ba0b2f

SHA512
81d673386382e27a9a479972b28102ff183e7c07891ee9cb44b9df1325a15ec9963a4c52c329c447fa861874da78355cc7168acb836742e3b426970ac25704a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rel\data\pywin32-218.win32-py2.7.exe

Filesize
6.4MB

MD5
16e178ac18b49fa0d27ba0be90f460af

SHA1
af2e516431269806084694e0d48aff9438e2c263

SHA256
dd665cca88cb059fec960516ed5f29474b33fce50fcb2633d397d4a3aa705c16

SHA512
e12082f75ae3198625b48197f57efde4369e0f2aab3ba4d229617520002c336512b48bc2cc73c01f5b06e86c309e4e14c0f1ff99d0080abce4f6a6d798304958

Download Submit
C:\Windows\Installer\MSID968.tmp

Filesize
40KB

MD5
8a3e5fbee27198975884d25e5df7a69b

SHA1
8e389374594ecceeea547825a83cd397339acdcf

SHA256
9356b41a0129c4de9257c659a5c70fa2c66dcafadf5785b18eece45b792b5857

SHA512
4ea8570cef7fe45cb5b9c28f95819a7ee827a83888d3cbac2eda8e27d7bdb389fe6691af8dca8bce15529e7d14f056f404b0243c8bbd4d29b6f20eebe867d729

Download Submit
C:\Windows\SysWOW64\python27.dll

Filesize
2.3MB

MD5
240427b66844c7ba41b5deb15a67073a

SHA1
292cb9216e39ed7da9ca8767c540e9100ddcd08f

SHA256
658f58869e1a2cc135b2c0af2b4ac5dc3d14be395cb2a2aa8359173477442c8b

SHA512
4e314e3aff8491e34f2afc49493f0a1d4c448f8ba7adbd4826b5007b78ebf16b4bcee71435bec25123db775d6658c4c8b7c32ec8fbb7ef3f096610c7eaa36a5c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
65193d016dadac12e356d6ed547be3fa

SHA1
45507597ea0ab2ee8fd3860050a86f405877d74b

SHA256
6d963182af1e263e540b8933762ab52b724de35e1a0e3b78fde8c65299ccad2a

SHA512
cf8a398c542b65fa30dd95d4c1f250ab67d1d26ae14b7c424bc98cb3b27cbfd44598818f8d61a351dce2b2519261d87fa003267d8a288cb5c016160aedf10168

Download Submit
\??\Volume{48d314f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{cd71609a-97d7-4a56-adb2-ff130ba703af}_OnDiskSnapshotProp

Filesize
6KB

MD5
6b9c4a259ed940ca0a08ae22370432b1

SHA1
7dd266f544606332913af016326969eef80f9558

SHA256
3db663673845cb079bb09a30cdbd8dc86e4b517318f2017adbac8c0290529c74

SHA512
ecbea07800a57a8691ed46d519207e819c628b588b435d7dc304d76182a84c07664d1091fe5b1855b4d79fe9ea459d5e65d156eb7baa5c415dd919fc0ca5a07b

Download Submit
\??\c:\Python27\Lib\site-packages\README.txt

Filesize
121B

MD5
15acb038b5c2e03d56f5b588a077bf22

SHA1
09a1d643b7a3d233b047324c303e6295bfd93263

SHA256
1c99489111112d2150db0e18bbd474ff45f78fef80fa0e533dfd9ecfc6a3a480

SHA512
86006f3ef7bb88e46427d023a2229c63f6bd933d37ab1d7463ce6c6feb9021cbff17d5be1dfb36ccfcbbcfc53c29e5004c43c91dcd3b43ad831e1fac06a546dc

Download Submit
\??\c:\Python27\lib\UserDict.py

Filesize
5KB

MD5
045b864c9570c68f2cf2e78c683bdfc8

SHA1
b7ed34758c2ea257f49380ff04af02e242c8d0f5

SHA256
87fdb040deeebe22d713ed98b492d7eff16cbab19beb86c746b11e349395d11f

SHA512
92e2ddbbc6083b96bdbf42b9bd080b2a11fad96ab76e4622e1a9913f5fa24dee03f28d780917f6d372553c1e63377895a1eb7d9d75c2f9c7491322138a28e1e5

Download Submit
\??\c:\Python27\lib\UserDict.pyc

Filesize
8KB

MD5
633433e92d7df5d4b37aac775b517da5

SHA1
5777f4d22ed3e7bd5a460fcc35736ec010016368

SHA256
e246a3768adbbbd8aaed2015c60551f24f514ec3cb354f75b0ff5c57aeed67c3

SHA512
c18c12e73736f9002649a070fefbb50996e18b7eb6257bf0c0d30450097ee6842e7537e96e414193ab6bf7a58fb8cdb08e5443762575f5faa2903c663e791575

Download Submit
\??\c:\Python27\lib\_abcoll.py

Filesize
18KB

MD5
65d47727803249ceedc60042677b3efa

SHA1
e84f4d02aa4eda86d0ec25475018cd2b6d6ea838

SHA256
01ace83bf6085c98ed1f36ff043046c0c60cc608886e83d7dc9f5c811ae866dc

SHA512
ae1206d3cf466bdbfe9b82cb78a39afb656ab24c40a5cea827e617fe234d094bd996e4abea6fa4274822cd3ed7010d181a368169303da161740b63a4b1aa4c2b

Download Submit
\??\c:\Python27\lib\_abcoll.pyc

Filesize
23KB

MD5
76cf109fa466a901230b5385bbe8e5fc

SHA1
85ebb282b0eb09d352544ab89402fee098a62f78

SHA256
06f57f68a1e067befb444f5e3ef4d53266727bd2b8cedcac00b762713d728e33

SHA512
5595c8b943f52d326f109df863a36730aaff4fcee414248e947d4f8d7b0a275b2c17b7338a344840c680edc8d2c2cffb937fa36e076295dde212cb9339f263da

Download Submit
\??\c:\Python27\lib\_weakrefset.py

Filesize
5KB

MD5
99e678ce622947ea1654a1ca76a473b3

SHA1
82d97338a8f86ef80cdf0654a0b310115fceab46

SHA256
e1f9d95479254ee22659060244f357e388a1f241122095f0a2f020140dc63789

SHA512
93f8fe56e652ff80abf1301b042d15ba17ddd85f900d5c2296fecbdc9c233dda45bfcc6eaaa81ead92339b010d1d2ea07da19c2e5578555fbdcf6b64c3de9d14

Download Submit
\??\c:\Python27\lib\_weakrefset.pyc

Filesize
9KB

MD5
6cefa84e79031b7f59906e77d0e207a4

SHA1
6ef16917a28303dd222627dedd39c7276eb95ce5

SHA256
c52a12602b119168d4af734ada69593fec5dd7aac7b0f1abf0289be9bf28339e

SHA512
e1d13f7ea8f8463cf2954d7078ecdd918c99af434306c54fea6dad007c216f994fe6c5a11b76a3e7941cbf751298dfe916fb7f903f62cbda3c0c42bd8119751a

Download Submit
\??\c:\Python27\lib\abc.py

Filesize
7KB

MD5
3eec8ec2b7e61e888f3132b329ba484f

SHA1
9db960cce866983717f91cae0bc5eb455a60fa5e

SHA256
005b3bdb4127f0d2485ca6e03f43e3894cc1f3e3d2d9d0672c469c1e7a042841

SHA512
790a0db637b26a361ed77dbc939fae6b46658dcdb3f62cf6d7e6975362866aadc64b463f183a1004f220a345987717345b5ee1fcc726486288fc98c2e2f3058c

Download Submit
\??\c:\Python27\lib\abc.pyc

Filesize
5KB

MD5
ca769f9b32ae5cf3b054a85934924faf

SHA1
8cbef68c896cb22402e61efed75b152630c3bb64

SHA256
a52512eebed2f86b13441c411361798622e48978cd1da2ee25e64a51ba6467d8

SHA512
abedc215b23eb7c3af6afa90a1ac4a04d91230348669571c5e1db90e3bd8f6350abdf517e222a653ebc2c754770cec0b5e81650856d52c313f9dd59aff8ada0a

Download Submit
\??\c:\Python27\lib\codecs.py

Filesize
35KB

MD5
b74e33136cdd4467f6833744c461ca10

SHA1
77b1fa2e806a76cd83dc1f342852083ea2e4c2a8

SHA256
22e2dd120850e29e5ca064eb5d1725cd59580176a30b59dee19e2d4ed63140c1

SHA512
9107f569f4f228a140a02bbad7205a830eee478964210e65b819f3593b07097fa89ee64d8d07c2152740fe7c677094ee8d841d0a338e576c3194f37533f2f8f2

Download Submit
\??\c:\Python27\lib\codecs.pyc

Filesize
35KB

MD5
8c087340e7375cc7b1745c505e0ddffd

SHA1
662cd98f037019625f97909260b36d454f99d75a

SHA256
cb423213f1f774cb7b4dee37334f4d44dc258e054cee1574393cff3e48f38051

SHA512
847d39f880e86df45dc06ffa4b6e8881c4971d8db7a529d53135714da4d402d9d5b032176e6168f339d82d5831e81f447dc8f3158b0c2c72c1d2b5ad3e9e645b

Download Submit
\??\c:\Python27\lib\copy_reg.py

Filesize
6KB

MD5
4cfa21d80ae469843b82eaf605a84d06

SHA1
c8ce2362dae84a1a8c50d5f8441e6e5f4087f5fd

SHA256
1ba8ac296fc56971c7fb34daa73e6e97771f6ed662b53f849de504ff4ca050ec

SHA512
c7cc36eb74447eca557bfd411a25a83d8bfbeb6476f27856cd14f6a1f3bb5bc5f802521a8d74f98723d116c17caceb00ed116f9fa63da31e4db55ea72f56be75

Download Submit
\??\c:\Python27\lib\copy_reg.pyc

Filesize
4KB

MD5
02d04cadcd588872655caa336c92a6a4

SHA1
8ea2ff29f07ba79147cfd68ea93d12ff01243978

SHA256
63545308e876e1364b8287241bd9c45a31e04ce805a2d53bbdf56c88ec94caf6

SHA512
65675be5d62389fce82107932301253626897d0903e794a825bb71bb03db7d71fcd5154759d0e364a68bb176792d76c8e9fa80bc8772f2107262014f478887e0

Download Submit
\??\c:\Python27\lib\encodings\__init__.py

Filesize
5KB

MD5
32d9c7b821008e2c3a4ef24611cf8693

SHA1
a573a088036931c2df4386136b85c6cb6cd7e902

SHA256
5db410eaafd54e7c976e6badff7fe6b10af3ebc3c05c66f6b3dbfa633172b046

SHA512
960569e0a596233c89b5ad0d61320fcb9ac7ab02bc2ab6d39043de5db0b3ff13a19e223036812f91f8c5d4eba62c98bb7b739a7c57ddcd71075e89df30495ebe

Download Submit
\??\c:\Python27\lib\encodings\__init__.pyc

Filesize
4KB

MD5
392a8359e81ac33ff20512d645074c18

SHA1
4351196237a7ab014a7941f4a07c29ba49ab18af

SHA256
611307e55dfa08c92e0f08ce69c961d55d3839d1bb917c17f1c3b6a3714631b8

SHA512
118cf0f82ec280327b55898e84dfd5ec9f642ded7feddc4dc2625935568e4c2802c92228846905a00edc089278b5d65d9adf364334cd4b4bf6514b1c65c583e1

Download Submit
\??\c:\Python27\lib\encodings\aliases.py

Filesize
15KB

MD5
a523e165572f60f48556acc92e11bf6f

SHA1
8d6a84d364d6395c319f50c711edc2c23ee5ab11

SHA256
c209880470a8e746de5f9ffb30d02b7fbfde1803c907d0f30308ce966826a168

SHA512
1f4af61c3a47734320251ec19ea281f955df62da60de38a3d8a0a3903b7d9f192ea217a7ab76fc52b48d94050ae533035792dff553b4079b8ea5dbeef8b22545

Download Submit
\??\c:\Python27\lib\encodings\aliases.pyc

Filesize
8KB

MD5
8cdc1da4545b9baaae8b9aba34292fe4

SHA1
4c741c3b29e1d1e96173ddeab59c3aa284eae3f2

SHA256
6b73653886583683170a333824b1c4d82ee549df38dd8717a47d3c34e849f475

SHA512
5b5a8576dd17646736398cbef0d0bdc8c5d39287a6fa9dd673c8e5764ba775f987c9b333db27baba97fbddeb309eb77ce5b86c078dd72ea0111e9cfae986d487

Download Submit
\??\c:\Python27\lib\encodings\cp1252.py

Filesize
13KB

MD5
d4fe4154de42a598c6e39c78344eca5a

SHA1
409d4e54e0a66710cb57893e16097601b5fdd577

SHA256
f0491cff77c7107ab3e68945e2aa549864a7832a7449c55a816a0d21f5a001fd

SHA512
1d44a46ada671d58ead1d55e3dabe46fc304107a85a1264403ae3165121d313c522d8fe275d5bd152a0a743d71ff1e7cf5a9bdb871d477aff3eed773063b0719

Download Submit
\??\c:\Python27\lib\encodings\cp1252.pyc

Filesize
2KB

MD5
3e29f729acd779cd8cd1291d503521d6

SHA1
99329c02c284a82a1f7cd2473d9ee9ef878dd3da

SHA256
8fe14e74e9107b14d2b4779b49c39ba2591652e030c2e41b6b4ceb6511fb04e0

SHA512
6a2c91f4b9f6b1ccd82e5e4eed972389e05eddab5461c6bc10fda4bc8286404e6b690231390dd94728bf05d0091399f9bebc2eea35f1e9667b1e3507c9b30bdb

Download Submit
\??\c:\Python27\lib\functools.py

Filesize
4KB

MD5
23c0150c63a0c069b61d6d8d0d5083e2

SHA1
d5875aa00e2de53820d3a80aa2cdb3fa956fbd58

SHA256
16c0bfa42b7d1336ea4b0e7d19dc324459fd3fec6e417ca63985261fed7953d2

SHA512
07ec4365dfc1dc1115ae885814715d26c3f9e17efe8f1f51520bc2c07bbe7eca93e2b087683ff5297e3a751934bb1eaaedae2433686d9e42d3dfd790a1c475ac

Download Submit
\??\c:\Python27\lib\functools.pyc

Filesize
5KB

MD5
e0dd7c339ab0e430d5b4399d754d6eca

SHA1
74b1d3ee6c9bb0045545a49bccdda2c9ae01f335

SHA256
cf4225bfa9a303e249d1ebfe86f77e158634f8f0e2da1ac159ddcc5aafd4aa1a

SHA512
44544f0cc6193cbb0afcab3724c62c118211d74322c89913490d0826dd26e79f7f7e17718cccd425405d197fc2666fddcab24a20b3a6e5e4f8494ebccf950a2c

Download Submit
\??\c:\Python27\lib\genericpath.py

Filesize
3KB

MD5
86859824841d6b65a61446a0eac18c2d

SHA1
3f8e98db8dc9971ce79767a1416df3a307618077

SHA256
ee52bba63c61e9cfe4ceb301e84850e485012c899752cc7e8fe2790f3392b8ac

SHA512
234f4bc89dd87d95cb7a66254795d02c64f25348f3870e59d901513471621b09705caa57ceaeb863da450523730887fb9d1c7deb20892c54f0203dc223a8aba7

Download Submit
\??\c:\Python27\lib\genericpath.pyc

Filesize
3KB

MD5
2c96534bc1e5b7a66acfdfe6eea72e7f

SHA1
76f0381a49954248bd1021f33b4e84cc87210db4

SHA256
0e51032a45f8fbdb273b1ec4767601fb79bca148858ec1fdbf8125eadab48789

SHA512
0963554daa982710ca39797c253be29d2f3323963814e721182e01118ace96ae38a0245ed2cb337ba45261e38f3674e6b0b0fa14b2cb8ed87251b90fea872086

Download Submit
\??\c:\Python27\lib\linecache.py

Filesize
4KB

MD5
4f6abaa91b5d2352963003d9a382fdea

SHA1
45a88a7ac431380eff6c95f853a6ddf97c7a0899

SHA256
95f59e4f9b7d3d0d0530234f8687c19f7bcd4b2ed1b5912778a145e85ddbd0e7

SHA512
60a7252342b095202afa36db4680493eae3aae811353ac5d3922f75537c6eeade9c8e8a9c8ca8e011c6841e594b54bdd1debc3b54fd6ff01384eb37c564a4205

Download Submit
\??\c:\Python27\lib\linecache.pyc

Filesize
3KB

MD5
5a878a3ee13f0284a94a35fa97cd047d

SHA1
04076a1fd8f688dafbba92c63a45cf2258379a45

SHA256
ecb5d5871e9b44b8396a6c03732a7b58f54990cf53f99617875ed0e7265197c6

SHA512
68f00e600e83ef9bad77dbed816c8d5826ff128bfa5c7f887a9719efcedc4fc9d0af4444901cdd0fd0b379b7b3418852a05f19f1b6a070ffc493e4e7ed048849

Download Submit
\??\c:\Python27\lib\locale.py

Filesize
89KB

MD5
f8ee9d0fe5701fd77ea8c6d2983374cb

SHA1
fb4b58056e9f656f77589fde782bef35f4a6bdc3

SHA256
06c2c5cbee839bf1e0f95270292f5b20e8a1d2896d31c229597f36003cf1792b

SHA512
aa0ca16226c1569672fe9b90e80bf58664e49bfdf67d7f79afc29055950a8f54519f2a11974fc19caff2d9e528676b2a0138be0535bc8a4a8405a94535975e34

Download Submit
\??\c:\Python27\lib\locale.pyc

Filesize
48KB

MD5
0405698f2e90caf3d1e8098a98d21b70

SHA1
c3debea3e10a137a97c5d156da7d58878881d35d

SHA256
ebbbe389796c149bd8715035bb4146a60c4e2cf36626e47e2bda262c1c82089a

SHA512
4b1d7ca92665ff92c10c38a127ebf5beef7adc51ea9d3ceba2b536182e2dad9340ac3b4758d1a5349a5aa9aebc10277b31ff857970de0940fc206ded564d3082

Download Submit
\??\c:\Python27\lib\ntpath.py

Filesize
18KB

MD5
a35938c3818e9c0162d443e5001a0ce1

SHA1
aa33ec0d8cf2d6d940686773d75543b03dec8ec6

SHA256
35f70d733631506296750c8fc08231cd2862a3311e1c4561a39ddd947ca303a5

SHA512
91e5c0a22582276a0237bd7279f894c1092b58442b92bfcfd91a923068410d8b51e5487021062eddc7679164d06647f77bed40b0a1ac88667e81cc43b34686aa

Download Submit
\??\c:\Python27\lib\ntpath.pyc

Filesize
11KB

MD5
c55202d4398a65852668e429f747ce8f

SHA1
ef790d52e12fb896a34e4a18be402c21afa18479

SHA256
2209c18eb888966e087943ac4e5ae33e4b83fe181579dd4910b64e19d81cd65e

SHA512
221a6d566973e380585dde5159211eb3dd0fcd43973813255c919db520b224c72097b68d6f581262e06dfb887b78b79968e11c729541fb344c46cb4cdf9670b1

Download Submit
\??\c:\Python27\lib\os.py

Filesize
25KB

MD5
1801c28e1ee935b21b86440177097974

SHA1
a3b8ee3d2b1a6a779af56ecea76fae0548694473

SHA256
86593c0869606080613b46263c8e4ec7aff9652248bfdbb68b8d8d60d28633b2

SHA512
5e6fcc1dd5d9286753a7f5366c0617162a880620a0fe39260565da45b0e0b2c75d3cbc69a268696a7e9123af79bb2716ee59f6ffb77888cf6fd7f9cf61c810e2

Download Submit
\??\c:\Python27\lib\os.pyc

Filesize
24KB

MD5
f103278b7b7d6809e3477e587f067f41

SHA1
91b1d49a02920a3c3a6b613f269706a6d0be4ef1

SHA256
7335481303fc75a57b2671f0aede24dda5e0635a22ce8f8c557fef183c2a37b0

SHA512
501a30a27d53ade6f4d17064b6df80388bbea409ec7425496fa74ffe7050aad77958aa437df97e4abd84ed0c5533e42b1090f567a10222f327d38a651bfff27d

Download Submit
\??\c:\Python27\lib\re.py

Filesize
12KB

MD5
9e49ebc6a2f3d85d1e487aceb52879b0

SHA1
2ff220fef4a287e5301e778c07b9791a20e09820

SHA256
6ff82b8e1b6368d1aa881096fc1a4375cdda10d0e2daa03ed64f7cc24234034b

SHA512
f6b9db37241560f9e3eb93258d5b1d53daa3c952861a9f5484280aa0f92875228ebf1eda4be62de65bda314c02ff8708dbe8839767ebf6f935ef0c6617744139

Download Submit
\??\c:\Python27\lib\re.pyc

Filesize
12KB

MD5
5af2043219a55037a638325dfc50d840

SHA1
c97854d9c37f43c26dd0fe472c0cc817a561ec90

SHA256
6c933a0adb63cbfb030941be6493a1b6b370279e28d903c4c6a4af224e6f227c

SHA512
1ca4cdfac898efefa184fa659500b0936c18193eb9de77c62db4337389352831d292a5bffab346985a2996133e310b187bcd816e107fc4c15cbacfd70347f2f5

Download Submit
\??\c:\Python27\lib\site.py

Filesize
19KB

MD5
4e312e252b3a85891f7f35d16a9334f1

SHA1
4a58d409cb6b2d65b8d0b8520a46e4b39a4d2210

SHA256
87e1d86f7932114f06bf536fd988b12d0860af40f3f420b8f69b9efb587134be

SHA512
de796ba092cd795025ee54d634bc86c2c29e0eefe58bed5239f32bf6f96acb2069cda1f2fbb8806e1fc0264bf0a3707e3ab4258ed2f158565520cedad9821b01

Download Submit
\??\c:\Python27\lib\site.pyc

Filesize
18KB

MD5
a2bc549aed8d151df42938ad561733dd

SHA1
0bff60750a77bbc182c89ca700e6a8dae03290dc

SHA256
333ee34f15225bf1e8884b3fee9db37510b91ab852123bf0cfefdb37e5898de7

SHA512
ebed0c49b0dcbb9f6cd5c8820162a7d3a1b6fc6de4557309b86e72ff975b563c9982d6c0ca85fa51b2f27953bd6addd12e94a623fb0223b0513a06757739294e

Download Submit
\??\c:\Python27\lib\sre_compile.py

Filesize
16KB

MD5
6514155bebd7177cdd8440f3a5001898

SHA1
741fa2b0deb6e80634dc0045b7b701f4a89d1800

SHA256
f14ffae5b0e88d623ad35f09bdf0c9e35bdb735cd41e965ec060a1def8b9bfa1

SHA512
ef63685ed60de0e5204b2b4ff47bfd8cb3364cf3e3a7d4ebe7bdd66598579e3ef2a27f80291da7add5ce52cc24dc6b561d29d31644c8255be1fea8f0c5a01102

Download Submit
\??\c:\Python27\lib\sre_compile.pyc

Filesize
10KB

MD5
f19848e6233aa17a30d66a3ffa6458b7

SHA1
216f2869eb35b18ce53fbf1915db3ccc2ec7dda4

SHA256
950a7457801316f547849b55c398d30828025c0e528db1dd32f1b6134a559f2e

SHA512
d563a84d0f846b6abd90c9ed23d62c5ba835aefcab35240b1d7b38a66ad09466598845c11aad719aaedcae48bbcca1bb4c51d53e81eaa18fc2ccfaa00a00ec32

Download Submit
\??\c:\Python27\lib\sre_constants.py

Filesize
7KB

MD5
93458c6372653ec0fd9610bd1020126c

SHA1
0e7b017c4371aeaf7f310f3b04f4c5c4342c4152

SHA256
864aea0330d6cbda91c64b846a874eed9c260cc8b060b43a4f7b62003b5b4b05

SHA512
1db1869234a0f30d099a387307318b6f0736b563c4469cdd69f3466f094c243ff8dd76d77a4894cf4c857eb61e59414aa03f4876c27adde6d86e810512158668

Download Submit
\??\c:\Python27\lib\sre_constants.pyc

Filesize
6KB

MD5
429736ed667f60767c102fce8be45058

SHA1
8c8276a6fa807de2aff664f9d0080b045d72fd96

SHA256
67b71f86fadc5d3d104470fa90dc5973e3f259ea690bf08fe5fa9a88d17d7eb8

SHA512
7507d5d70d777c42e60a2f29071a679dd8af9e22919880e91b3c4eb73981eca77e9d95beb6067d0444d50541e842798941e5e9078dc48fc02958e3eb0a6fdee3

Download Submit
\??\c:\Python27\lib\sre_parse.py

Filesize
27KB

MD5
0c21c75036686d61656b806c1d727ea0

SHA1
4a9d6d3ab382f7256f1c3131be9aa7feea7cf3a3

SHA256
89268919e52589c6531823d03909ef4bba589796c0679f5350230f262be60e99

SHA512
9f529f67c129ca81ad808cefa02b86af2e213d36bb8412a39cb65c973bd4b78f7eb2b19f18caee8ec2441fc293f6a2b7eb02a3fb69adc9be41957775cbf20c66

Download Submit
\??\c:\Python27\lib\sre_parse.pyc

Filesize
18KB

MD5
94ab50fa69d9f9cc79cb7a6bcdcf80e1

SHA1
3b44e5a6069e0f11055d82d1747855c9fa838325

SHA256
e335aa33596308576aa8dd900810faf79b3f3d859fc0663a4a9d1e7dca10c320

SHA512
90129a8f6eb0fa238201f7af643fcc36fef6870217d186ec2c39b584e9460e52351c825296b944a7bebe34ec154df5657b82c2227c91bd09436922ee389a3a51

Download Submit
\??\c:\Python27\lib\stat.py

Filesize
1KB

MD5
9d2a53c9253cc73616987dacd82f6e69

SHA1
55ffccb64c3edf478c7cd361409e07a7d36762e8

SHA256
215c43883e6c39d3288fa67569729ea43beb754a1df1e09db77db7d4edc35838

SHA512
59493673e383137b07586fe88686a61af5b82f793cb2950d6c9eb4d6400f561fb30d70b9a2f0568d4d4bc04bc5c41fd075ccebcc1c110d200da1e77bb1ad1342

Download Submit
\??\c:\Python27\lib\stat.pyc

Filesize
2KB

MD5
ac4164e8a6fdf93cbb09ca0f556817f7

SHA1
e7fe74bdc4855860bde3b63bec76f5f122e53f30

SHA256
f88515bec9c2e1ab39562471223f4fca09c30dbc1efc562aaed9c14e42fe068c

SHA512
d5349d25caa4ec4ec4ae428b671d41c7aad98b54ab524cd8a92afb99ff7685a90ea057cdc203ea23c48aef5b07a4db961e9d6bebccf1d5482fb0c57f30036193

Download Submit
\??\c:\Python27\lib\sysconfig.py

Filesize
22KB

MD5
2881845c07a5cce647a7e3ee5ab1c996

SHA1
69f6bed9d97813ccdf2e9d524c039ff64eb2d691

SHA256
7d50e1075d8dae6e040b04f5b80fed232e32282303edec9958ecb2895aab7a58

SHA512
1fa85e267c6af05d686cad65ac60a69635df55808cea164abece309b738fdca738b32bb75af04eb004060c28a5585a6de296c20465653ff478c4eec147ba77ee

Download Submit
\??\c:\Python27\lib\sysconfig.pyc

Filesize
16KB

MD5
d0958e1fe252f2e3de1ffe1b9afbbb52

SHA1
922f9dcba828bc3d1f077d6a0fbe81a0dc1310e3

SHA256
dbaf8806174f23ad62a2dce5d8774e64b188efe4d4bab111acd8a72675671f8d

SHA512
87ba86f931df0581f65b5f97f18705cc7ba877fe1a9290a04ffdd388f67d2900f5d6a41793b6c9cb73361f6cc06954fefc7091bd09dc48ece188f19e46e4936a

Download Submit
\??\c:\Python27\lib\traceback.py

Filesize
11KB

MD5
2f24ea20a173201b4a24d706e18d20cf

SHA1
1619c0123d26d583ffe6ff70367461bd2aa7d735

SHA256
177a932c8afdc1972e3dee486102241d760e7afc063d992ab33f75434039f43a

SHA512
f72368e9c53b6693e588504f6e2517da2c9722e67b4fce67691f14587b6cf3b62606dbe6877997c917ba438521923741b2165121f43cde6c612a6e32fb1a1019

Download Submit
\??\c:\Python27\lib\traceback.pyc

Filesize
11KB

MD5
957694efaa1c51a95f34c1a6d5714c9e

SHA1
9ab08da1b287e8ff2700839173554b9db0516b99

SHA256
0e1a35ce523bad92887813735ec3210e03f082e09f1cd3510fdad5f98c2c228a

SHA512
967db752d3cb0dd4b07b927cc72b96b5266bbc0b77c62d7a026a1975c31d104d6928d35686cc75e84886a965f089a9ad8e6bac7c6ad67f98093d328fc2aeccd8

Download Submit
\??\c:\Python27\lib\types.py

Filesize
2KB

MD5
c1f19f31b1c4ab87d24ebb1dae5997d8

SHA1
b620769244ab3fb0ace8d971d4c2bf1007fdd998

SHA256
e280a7c46460ff827def20f58eb5b15a8f7e4bd165c1eab69d0ce6d94dd0f625

SHA512
016cb5dc870b3880cd01477fe3090107c7a16a672db617568e134a65a057a1592c92b7c832656c38a89772e8b373280dea87d09ce1b2184d275581c2eb32f4f8

Download Submit
\??\c:\Python27\lib\types.pyc

Filesize
2KB

MD5
f24b4eb838771d3a134b666add6b8698

SHA1
4ff5ebcabf613dc94d8124763de1c88595cbf221

SHA256
34c9cbd48567682f90c5f68560943a8babef7fcbd1f8fba840f4062a1a2cf4b9

SHA512
2657a8b3323bb4c902ccbafcfae3228f44e384975e53f72ca2f8d080955b741a9b36aae09ccc22055cc3b9a9b1c5955639abf193033b345f70644f1534d93a06

Download Submit
\??\c:\Python27\lib\warnings.py

Filesize
14KB

MD5
afc0033026b1aca515e395ee7af2559f

SHA1
d464d2f03358801f1e64598d05246cd54b6aa4d1

SHA256
c29ad554d4aa889a0dd1f627078ae243c236ab306cde12e2a87bb864fc386ea7

SHA512
99d16ac6432f21fd84350f28623fa9a5a2630a504f7c38f2217474698f3eafc22dfb4903c4a1f2fd50a41496666296610b2b7adecda98dd27426eab1610fe044

Download Submit
\??\c:\Python27\lib\warnings.pyc

Filesize
12KB

MD5
51deccd4f597e9baa482a5e9a7351507

SHA1
7b25541a3a41a4c162acdbdaad2d5144fa4197d5

SHA256
724f1709bf21e8870e93537dbb55eddd94d42cc9bcc0d0b3f587011fddca624b

SHA512
22614db34fa58c8507dfdf8aa8e70e3a55693e8a79c6ec6cbfc2c4ddc3e95a3ed0588d0e952cc0210f557c9158d0a38de8a1b38f52b5dd7d35f4f28c332f4d34

Download Submit