7e190e48165cf7c72173ce84e0f0b164fbe794d3e45069408055ba7496da1497

Analysis

max time kernel
151s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FastAimX64.exe
Size

36.9MB
MD5

132db3303d3b0cfbc12a578688c581fd
SHA1

198d5010e04c9ad0670c7a54a942cf4eba416aee
SHA256

7e190e48165cf7c72173ce84e0f0b164fbe794d3e45069408055ba7496da1497
SHA512

f2c2568745a46920453ba6b500e02e078bc4fc45264dbb3df8451b38524f2765465a4cdc6a70b61dce554c1d3b41c44b32934d9a1f8a87109a0223ae1af7ae57
SSDEEP

786432:FYpCWvC8TK4HxoCoZjzlBeTV+WreWniTuzVVqGlQdEon/x3Ol5IPEWz:FhWvC8wrJBmV1eWniTmVV9lcLx3u5I8M

Score

8^/10

discovery execution persistence

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exemsiexec.exe

flow pid process

32 4700 powershell.exe
66 4500 msiexec.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4700 powershell.exe
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

python-installer.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation python-installer.exe
Executes dropped EXE 3 IoCs

Processes:

python-installer.exepython-installer.exepython-3.10.9-amd64.exe

pid process

2312 python-installer.exe
1392 python-installer.exe
3780 python-3.10.9-amd64.exe
Loads dropped DLL 1 IoCs

Processes:

python-installer.exe

pid process

1392 python-installer.exe

flow	pid	process
32	4700	powershell.exe
66	4500	msiexec.exe

pid	process
4700	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	python-installer.exe

pid	process
2312	python-installer.exe
1392	python-installer.exe
3780	python-3.10.9-amd64.exe

pid	process
1392	python-installer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

python-installer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{e8531749-5517-4937-a722-a4052cb2d75e} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{e8531749-5517-4937-a722-a4052cb2d75e}\\python-3.10.9-amd64.exe\" /burn.runonce"	python-installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Program Files directory 6 IoCs

Processes:

FastAimX64.execurl.exe

description	ioc	process
File created	C:\Program Files (x86)\MyApp\install_python.bat	FastAimX64.exe
File created	C:\Program Files (x86)\MyApp\install.bat	FastAimX64.exe
File created	C:\Program Files (x86)\MyApp\creal.exe	FastAimX64.exe
File created	C:\Program Files (x86)\MyApp\blx.exe	FastAimX64.exe
File created	C:\Program Files (x86)\MyApp\Automatic_converter_rff_to_mp4.exe	FastAimX64.exe
File created	C:\Program Files (x86)\MyApp\python-installer.exe	curl.exe

Drops file in Windows directory 30 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\e59c226.msi	msiexec.exe
File created	C:\Windows\Installer\e59c213.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICAC9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID28B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2792.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC77C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e59c218.msi	msiexec.exe
File created	C:\Windows\Installer\e59c227.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\e59c213.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{F115E5B8-9719-4BDF-8B0D-551809BB677D}	msiexec.exe
File opened for modification	C:\Windows\Installer\e59c21d.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{0CBB496F-1D15-42F1-AA45-C01C95196EC8}	msiexec.exe
File opened for modification	C:\Windows\Installer\e59c20e.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9802C929-A3F0-480D-A4B2-DAD129F2236E}	msiexec.exe
File created	C:\Windows\Installer\e59c212.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{1F097B66-81E9-46FB-BBAC-315C5F50CF94}	msiexec.exe
File opened for modification	C:\Windows\Installer\e59c222.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E2BC2EBD-7260-458B-A42C-3322DCB0B82F}	msiexec.exe
File created	C:\Windows\Installer\e59c21d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE7D9.tmp	msiexec.exe
File created	C:\Windows\Installer\e59c222.msi	msiexec.exe
File created	C:\Windows\Installer\e59c20e.msi	msiexec.exe
File created	C:\Windows\Installer\e59c218.msi	msiexec.exe
File created	C:\Windows\Installer\e59c221.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e59c227.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e59c217.msi	msiexec.exe
File created	C:\Windows\Installer\e59c21c.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000064efbbd21686319b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000064efbbd20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090064efbbd2000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d64efbbd2000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000064efbbd200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies registry class 43 IoCs

Processes:

python-installer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{9802C929-A3F0-480D-A4B2-DAD129F2236E}\DisplayName = "Python 3.10.9 Core Interpreter (64-bit)"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{F115E5B8-9719-4BDF-8B0D-551809BB677D}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{F115E5B8-9719-4BDF-8B0D-551809BB677D}\DisplayName = "Python 3.10.9 Executables (64-bit)"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{1F097B66-81E9-46FB-BBAC-315C5F50CF94}\Dependents	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\CPython-3.10\Version = "3.10.9150.0"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\CPython-3.10\Dependents\{e8531749-5517-4937-a722-a4052cb2d75e}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{92CFA54C-9CE5-4284-83FD-1D0B8AB2AB69}\DisplayName = "Python 3.10.9 Tcl/Tk Support (64-bit)"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{0CBB496F-1D15-42F1-AA45-C01C95196EC8}	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{92CFA54C-9CE5-4284-83FD-1D0B8AB2AB69}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{9802C929-A3F0-480D-A4B2-DAD129F2236E}\ = "{9802C929-A3F0-480D-A4B2-DAD129F2236E}"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{9802C929-A3F0-480D-A4B2-DAD129F2236E}\Dependents\{e8531749-5517-4937-a722-a4052cb2d75e}	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{9802C929-A3F0-480D-A4B2-DAD129F2236E}\Dependents	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{F115E5B8-9719-4BDF-8B0D-551809BB677D}\Dependents	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{E2BC2EBD-7260-458B-A42C-3322DCB0B82F}\Version = "3.10.9150.0"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{E2BC2EBD-7260-458B-A42C-3322DCB0B82F}\DisplayName = "Python 3.10.9 Development Libraries (64-bit)"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\CPython-3.10	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{9802C929-A3F0-480D-A4B2-DAD129F2236E}	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{1F097B66-81E9-46FB-BBAC-315C5F50CF94}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{1F097B66-81E9-46FB-BBAC-315C5F50CF94}\DisplayName = "Python 3.10.9 Utility Scripts (64-bit)"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{92CFA54C-9CE5-4284-83FD-1D0B8AB2AB69}\Version = "3.10.9150.0"	python-installer.exe
Key created	\Registry\User\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\CPython-3.10	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{0CBB496F-1D15-42F1-AA45-C01C95196EC8}\ = "{0CBB496F-1D15-42F1-AA45-C01C95196EC8}"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{F115E5B8-9719-4BDF-8B0D-551809BB677D}\Dependents\{e8531749-5517-4937-a722-a4052cb2d75e}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{F115E5B8-9719-4BDF-8B0D-551809BB677D}\Version = "3.10.9150.0"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{E2BC2EBD-7260-458B-A42C-3322DCB0B82F}\ = "{E2BC2EBD-7260-458B-A42C-3322DCB0B82F}"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{E2BC2EBD-7260-458B-A42C-3322DCB0B82F}\Dependents	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{0CBB496F-1D15-42F1-AA45-C01C95196EC8}\DisplayName = "Python 3.10.9 Standard Library (64-bit)"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{1F097B66-81E9-46FB-BBAC-315C5F50CF94}\Version = "3.10.9150.0"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\CPython-3.10\ = "{e8531749-5517-4937-a722-a4052cb2d75e}"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{9802C929-A3F0-480D-A4B2-DAD129F2236E}\Version = "3.10.9150.0"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{E2BC2EBD-7260-458B-A42C-3322DCB0B82F}\Dependents\{e8531749-5517-4937-a722-a4052cb2d75e}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{0CBB496F-1D15-42F1-AA45-C01C95196EC8}\Version = "3.10.9150.0"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{0CBB496F-1D15-42F1-AA45-C01C95196EC8}\Dependents\{e8531749-5517-4937-a722-a4052cb2d75e}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{1F097B66-81E9-46FB-BBAC-315C5F50CF94}\ = "{1F097B66-81E9-46FB-BBAC-315C5F50CF94}"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{1F097B66-81E9-46FB-BBAC-315C5F50CF94}\Dependents\{e8531749-5517-4937-a722-a4052cb2d75e}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{92CFA54C-9CE5-4284-83FD-1D0B8AB2AB69}\ = "{92CFA54C-9CE5-4284-83FD-1D0B8AB2AB69}"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{F115E5B8-9719-4BDF-8B0D-551809BB677D}\ = "{F115E5B8-9719-4BDF-8B0D-551809BB677D}"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\CPython-3.10\Dependents	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{E2BC2EBD-7260-458B-A42C-3322DCB0B82F}	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\{0CBB496F-1D15-42F1-AA45-C01C95196EC8}\Dependents	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Installer\Dependencies\CPython-3.10\DisplayName = "Python 3.10.9 (64-bit)"	python-installer.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exemsiexec.exe

pid process

4700 powershell.exe
4700 powershell.exe
4500 msiexec.exe
4500 msiexec.exe
4500 msiexec.exe
4500 msiexec.exe
4500 msiexec.exe
4500 msiexec.exe
4500 msiexec.exe
4500 msiexec.exe
4500 msiexec.exe
4500 msiexec.exe

pid	process
4700	powershell.exe
4700	powershell.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exevssvc.exepython-installer.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeBackupPrivilege	4428	vssvc.exe
Token: SeRestorePrivilege	4428	vssvc.exe
Token: SeAuditPrivilege	4428	vssvc.exe
Token: SeShutdownPrivilege	1392	python-installer.exe
Token: SeIncreaseQuotaPrivilege	1392	python-installer.exe
Token: SeSecurityPrivilege	4500	msiexec.exe
Token: SeCreateTokenPrivilege	1392	python-installer.exe
Token: SeAssignPrimaryTokenPrivilege	1392	python-installer.exe
Token: SeLockMemoryPrivilege	1392	python-installer.exe
Token: SeIncreaseQuotaPrivilege	1392	python-installer.exe
Token: SeMachineAccountPrivilege	1392	python-installer.exe
Token: SeTcbPrivilege	1392	python-installer.exe
Token: SeSecurityPrivilege	1392	python-installer.exe
Token: SeTakeOwnershipPrivilege	1392	python-installer.exe
Token: SeLoadDriverPrivilege	1392	python-installer.exe
Token: SeSystemProfilePrivilege	1392	python-installer.exe
Token: SeSystemtimePrivilege	1392	python-installer.exe
Token: SeProfSingleProcessPrivilege	1392	python-installer.exe
Token: SeIncBasePriorityPrivilege	1392	python-installer.exe
Token: SeCreatePagefilePrivilege	1392	python-installer.exe
Token: SeCreatePermanentPrivilege	1392	python-installer.exe
Token: SeBackupPrivilege	1392	python-installer.exe
Token: SeRestorePrivilege	1392	python-installer.exe
Token: SeShutdownPrivilege	1392	python-installer.exe
Token: SeDebugPrivilege	1392	python-installer.exe
Token: SeAuditPrivilege	1392	python-installer.exe
Token: SeSystemEnvironmentPrivilege	1392	python-installer.exe
Token: SeChangeNotifyPrivilege	1392	python-installer.exe
Token: SeRemoteShutdownPrivilege	1392	python-installer.exe
Token: SeUndockPrivilege	1392	python-installer.exe
Token: SeSyncAgentPrivilege	1392	python-installer.exe
Token: SeEnableDelegationPrivilege	1392	python-installer.exe
Token: SeManageVolumePrivilege	1392	python-installer.exe
Token: SeImpersonatePrivilege	1392	python-installer.exe
Token: SeCreateGlobalPrivilege	1392	python-installer.exe
Token: SeRestorePrivilege	4500	msiexec.exe
Token: SeTakeOwnershipPrivilege	4500	msiexec.exe
Token: SeRestorePrivilege	4500	msiexec.exe
Token: SeTakeOwnershipPrivilege	4500	msiexec.exe
Token: SeRestorePrivilege	4500	msiexec.exe
Token: SeTakeOwnershipPrivilege	4500	msiexec.exe
Token: SeRestorePrivilege	4500	msiexec.exe
Token: SeTakeOwnershipPrivilege	4500	msiexec.exe
Token: SeRestorePrivilege	4500	msiexec.exe
Token: SeTakeOwnershipPrivilege	4500	msiexec.exe
Token: SeRestorePrivilege	4500	msiexec.exe
Token: SeTakeOwnershipPrivilege	4500	msiexec.exe
Token: SeRestorePrivilege	4500	msiexec.exe
Token: SeTakeOwnershipPrivilege	4500	msiexec.exe
Token: SeRestorePrivilege	4500	msiexec.exe
Token: SeTakeOwnershipPrivilege	4500	msiexec.exe
Token: SeRestorePrivilege	4500	msiexec.exe
Token: SeTakeOwnershipPrivilege	4500	msiexec.exe
Token: SeRestorePrivilege	4500	msiexec.exe
Token: SeTakeOwnershipPrivilege	4500	msiexec.exe
Token: SeRestorePrivilege	4500	msiexec.exe
Token: SeTakeOwnershipPrivilege	4500	msiexec.exe
Token: SeRestorePrivilege	4500	msiexec.exe
Token: SeTakeOwnershipPrivilege	4500	msiexec.exe
Token: SeRestorePrivilege	4500	msiexec.exe
Token: SeTakeOwnershipPrivilege	4500	msiexec.exe
Token: SeRestorePrivilege	4500	msiexec.exe
Token: SeTakeOwnershipPrivilege	4500	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

python-installer.exe

pid process

1392 python-installer.exe
1392 python-installer.exe

pid	process
1392	python-installer.exe
1392	python-installer.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

FastAimX64.execmd.execmd.exepython-installer.exepython-installer.exe

description	pid	process	target process
PID 4188 wrote to memory of 5112	4188	FastAimX64.exe	cmd.exe
PID 4188 wrote to memory of 5112	4188	FastAimX64.exe	cmd.exe
PID 4188 wrote to memory of 5112	4188	FastAimX64.exe	cmd.exe
PID 5112 wrote to memory of 2620	5112	cmd.exe	cmd.exe
PID 5112 wrote to memory of 2620	5112	cmd.exe	cmd.exe
PID 5112 wrote to memory of 2620	5112	cmd.exe	cmd.exe
PID 2620 wrote to memory of 4700	2620	cmd.exe	powershell.exe
PID 2620 wrote to memory of 4700	2620	cmd.exe	powershell.exe
PID 2620 wrote to memory of 4700	2620	cmd.exe	powershell.exe
PID 5112 wrote to memory of 3392	5112	cmd.exe	curl.exe
PID 5112 wrote to memory of 3392	5112	cmd.exe	curl.exe
PID 5112 wrote to memory of 3392	5112	cmd.exe	curl.exe
PID 5112 wrote to memory of 2312	5112	cmd.exe	python-installer.exe
PID 5112 wrote to memory of 2312	5112	cmd.exe	python-installer.exe
PID 5112 wrote to memory of 2312	5112	cmd.exe	python-installer.exe
PID 2312 wrote to memory of 1392	2312	python-installer.exe	python-installer.exe
PID 2312 wrote to memory of 1392	2312	python-installer.exe	python-installer.exe
PID 2312 wrote to memory of 1392	2312	python-installer.exe	python-installer.exe
PID 1392 wrote to memory of 3780	1392	python-installer.exe	python-3.10.9-amd64.exe
PID 1392 wrote to memory of 3780	1392	python-installer.exe	python-3.10.9-amd64.exe
PID 1392 wrote to memory of 3780	1392	python-installer.exe	python-3.10.9-amd64.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe
"C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MyApp\install_python.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
3⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\SysWOW64\curl.exe
curl -L -o python-installer.exe https://www.python.org/ftp/python/3.10.9/python-3.10.9-amd64.exe
3⤵
- Drops file in Program Files directory
PID:3392

C:\Program Files (x86)\MyApp\python-installer.exe
python-installer.exe /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\Temp\{44BAE41B-50BF-47EE-9CF5-0FC8A8CA1D24}\.cr\python-installer.exe
"C:\Windows\Temp\{44BAE41B-50BF-47EE-9CF5-0FC8A8CA1D24}\.cr\python-installer.exe" -burn.clean.room="C:\Program Files (x86)\MyApp\python-installer.exe" -burn.filehandle.attached=552 -burn.filehandle.self=560 /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\Temp\{CBD32421-C4E1-480B-8A93-71CDA562A703}\.be\python-3.10.9-amd64.exe
"C:\Windows\Temp\{CBD32421-C4E1-480B-8A93-71CDA562A703}\.be\python-3.10.9-amd64.exe" -q -burn.elevated BurnPipe.{26768FDA-BB6C-490F-AA6A-8FE6356765A2} {4832029F-7DA8-43FC-ABB1-3FD37D73F6D6} 1392
5⤵
- Executes dropped EXE
PID:3780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:2860

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:4380

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdb9d09758,0x7ffdb9d09768,0x7ffdb9d09778
2⤵
PID:2480

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e59c211.rbs
Filesize
8KB

MD5
3edd3655aed75db0f393ae681680fd20

SHA1
9a9f7c51876962986b152d8fb0a947ff68c2c380

SHA256
ef1fc15bc7bd68d817c3d60919ff129055a62bab30eae232b70a5bce1e0095cb

SHA512
cd0cfb4dcf02d55e7174ce6ada8e1cb5aed3e3903e21041fc639d6e989f348a611a0480865bc3d50f792de9f741412a63de9c94c8a4b67b45a51308018fd1a49

Download Submit
C:\Config.Msi\e59c216.rbs
Filesize
12KB

MD5
c8d547c2b3c0fa6228a3bcbe6aef7e6d

SHA1
646bf5131f4cf97f0e744a68e5a5b8b4d578794e

SHA256
243515709a39a04c3464a3eb46e767a80797392ac871d53f564679e45e794e6c

SHA512
92450a79588988f2a8f07e08a4e09848e59d3d7914397f9d6f33b20dcb782e9c00e9750df4494f6fb65dc0457374011d2bee626acfd191f94611acd8227b8277

Download Submit
C:\Config.Msi\e59c21b.rbs
Filesize
40KB

MD5
a7a03b030b9c462baaeeec83c3e7640a

SHA1
1c9a6c8588ffbc2e4a94191f5a33369006cf30e3

SHA256
aad798bfb7ea082b786c45a3f23d178769132a54cb56b64a11c7f70664dc9198

SHA512
d7f5c8cb56a8d13105f3569dbeff6fd409c0a6d02ff2ecab9fccc15a32b719950ab7e622852929064c6ed8088f0806582910bda0849d6f8acd5ee866dd3b5464

Download Submit
C:\Config.Msi\e59c220.rbs
Filesize
179KB

MD5
028147170997c3eab94aeec0403c5cca

SHA1
cdc38ae7c27437245a80a55e08707f741db8f623

SHA256
a0888673a903c51f0885b9d14786b1111eb8fba8915e4b72944bbd549f599d07

SHA512
b81e1b3a71b1d8799b2929fde07adf4e93e3eaeadc1c817e21138f409068a5d68dd7d97587cf2b6f16c8e2c38881406705ac43a24eb797c34d0eb09ff1c60b91

Download Submit
C:\Config.Msi\e59c225.rbs
Filesize
29KB

MD5
bca3ed2f2967a3c83f663cb562a78197

SHA1
681d39f16d05113273643f74d5da95ad9f1cd090

SHA256
a19439d3589b469d88eb2dacdfa756b781c031a5bda1395ec50aca1849d36682

SHA512
045fe9040f1899733f0e059e4ef05c854c881e6313a97d699d6feed757004a207e5e7ac78f13903a477af593e818b17c405022a8e274be2f39a2afa554ce2e26

Download Submit
C:\Program Files (x86)\MyApp\install_python.bat
Filesize
686B

MD5
f30718a354e7cc104ea553ce5ae2d486

SHA1
3876134e6b92da57a49d868013ed35b5d946f8fd

SHA256
94008c8135d149fecd29ca62aded487f0fbfa6af893596ffc3e4b621a0fe4966

SHA512
601b2256ea709a885741f1dec5c97dda6fb7fd4e485b4afac3503af1aefe73472e5bc5529c144814a3defbc0b51ac4b50e02a50dccc69b41ee5d87a3f4282874

Download Submit
C:\Program Files (x86)\MyApp\python-installer.exe
Filesize
27.6MB

MD5
dce578fe177892488cadb6c34aea58ee

SHA1
e562807ddd0bc8366d936ce72684ce2b6630e297

SHA256
b8c707fb7a3a80f49af5a51c94f428525a3ad4331c7b9e3b2e321caf5cb56d7d

SHA512
8858aa7e82ca8cf559eeb25c14d86d24637a86e64c8db7465c99d05558ce3c67cea18d68abdfbe3df08cdbedfca5f819aa7fd8e57beae2054a7f7a8a64c04b41

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\lib_JustForMe
Filesize
8.0MB

MD5
0894766b66bc93a0494a5a7073042a42

SHA1
ecda108f9f845c245d3e660fe075737ce7b1fb3c

SHA256
82863adf2f36198611da2238991d9c8032c6cf59c3d2dd125658358b6672f3ce

SHA512
3d1c9476e075eb2707e48cb957a0c428a467a3e6d84a31872bf6d88b8767006446ac2fa8c65194465301be9b25376343cd84db9ac729ad1b46c7727851dce5b1

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\tcltk_JustForMe
Filesize
3.4MB

MD5
78e6e0e8b315a0d7448bf5cb6de7dc09

SHA1
6a73d7443c4d220736a2700e71e14b8e0e9a3518

SHA256
eaf03e94a9f3421a69b9fd8a1f0723ebc4e59884f6c5b93f330d7fbc98d8940f

SHA512
9666c116423a2574d20cab637d6501d283292d87518836d449d1752929ba60296e10b1335f277e4e2108cb06ea564be70022c1828d1f2e207e1b59326b3e6516

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{1F097B66-81E9-46FB-BBAC-315C5F50CF94}v3.10.9150.0\tools.msi
Filesize
212KB

MD5
b71361f364fb14a1983257ac93a1c9b7

SHA1
2209de01d5f1f3c3c1fdbbc2d7959631dfd1d2b5

SHA256
0c32783b07c04ffb8a923ecd9c097061a693a9e882dfbb7cc9aedad7be486f76

SHA512
96b1ce7e72b791aeaa113ec6157364a60862a6a5097c96dbb8a9d3ac717e978dc8e41b36cc1723dcaf2ded54e25c638f83fee7995921d3588d2a5c5b65051843

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{9802C929-A3F0-480D-A4B2-DAD129F2236E}v3.10.9150.0\core.msi
Filesize
1.6MB

MD5
c531b4b6d0c44f4f718302f94bdc0de5

SHA1
f8a6d02012fad3b1f8cfaacca4eb6e068383bcee

SHA256
107453ad1bb2d97c4947ba12d91738e7e7aa43470f9a8f954383fa6eb483b707

SHA512
4b85223166679385b0bc788caa2a70052ee39e5ce8a775195e7a8803c9ba9f350a3a4f78d340b3f041e330396e587714d88a6d855e14c925bb73f9be0923beae

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{E2BC2EBD-7260-458B-A42C-3322DCB0B82F}v3.10.9150.0\dev.msi
Filesize
300KB

MD5
81ee9f87cc68e3b0a376a51a0c8d5ea0

SHA1
87e6aa14efad2ca0e175b3d1a4b5b86c91c769cf

SHA256
068163c992a1e372c8e23d69f8ad13e2a9e01be2649c9845d450aad5a7a6eff9

SHA512
d5aa43bdd4ab2edf39750b8714351a2bca3c59766d7e8c57454062f49d5026f376ca40b531ca07ece23f609a7fa02a99b208a8680d20bc1bdbb92c521c825053

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{F115E5B8-9719-4BDF-8B0D-551809BB677D}v3.10.9150.0\exe.msi
Filesize
608KB

MD5
742a4d07c915d5883454e8e87ce61566

SHA1
6425542f956cf785ac0db084afe6d2ddcbbe2dbd

SHA256
7a6715deb76123241816c77c6cc5dc4e6a881bb8de846c454f0d5cd833305cb2

SHA512
6a5929985dfa1cc3580ca1bd94a94887b092693d976026fc866a9d99558b886b8454398c420d635dccf65f42639f37c3539196da2560482eb04857a4c393602c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.10.9 (64-bit)_20240701060452_000_core_JustForMe.log
Filesize
1KB

MD5
15423b56366f1813e74a29993344089d

SHA1
fc47441a7fb8d755826c7e8c873bad89d61ee1e0

SHA256
53b1dedb6b21bb0345d4f6aff37015f4d2e1e4707c378137ffaba95bf6d20d18

SHA512
6439e638d9f88d3c0ea23ef75dd458b3980ac91ade04976ec08d3d6c587bb2ba492c9adec720e32262aba6ea89adaf065d32758a023eb6f6b40807acd162af0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.10.9 (64-bit)_20240701060452_001_exe_JustForMe.log
Filesize
1KB

MD5
e11fca81467c66b28bd29abfcf50de3f

SHA1
ebc95e081a096537c12b1c6f82e8f4f898ba443b

SHA256
7b2bc38f5abb49ca00bb9e036eb7a20f83d00a43e497a57dd2ad96aeee4dc036

SHA512
7ca2956b3ebefcbda93dffe6f7d0c4abf66a24ef8ceef479fc10a9342fb5e5c9ab36a86a2e36225f15f2494d822632e6410c327044aa6d9f0d242b59b7d5b73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.10.9 (64-bit)_20240701060452_002_dev_JustForMe.log
Filesize
1KB

MD5
21cfaebf1a1bbef59fc7aeb53eeee8f8

SHA1
09580ce46b191c90e0f95198cf02be03dffb044d

SHA256
b0a5a74f5e70e37e876312b46f13dfd4c1374d320ec47c2310af9ae86ada38df

SHA512
f66b8594e48f294cec883f338c44e1a0e3bad8599356cf4528b22557f352cd6a2594a527912724293f4f4bac26b26c681452f85f891d5bbc039d41112033130f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.10.9 (64-bit)_20240701060452_003_lib_JustForMe.log
Filesize
1KB

MD5
12a4a59f56136b137ebb651a0ffe17f4

SHA1
bec0b504e3fda6c3ef9288890fdb74ebff78d7d4

SHA256
9975c5bb6748d36a3e6aa7ed4ca35be63e0e32f2e7fab992f8d54a8b235d0288

SHA512
b631f0b7781b222108058e766712cad0f69f4c560512081819905b137953108f18ca64e3cbe22ace05b81c3551eeb71253e9cb59149bead2476360ef304c46df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.10.9 (64-bit)_20240701060452_004_tools_JustForMe.log
Filesize
1KB

MD5
fce89320654a468ed8e89a2752e5c339

SHA1
923edbd877cf18cfb677e11c1d5dcfd3d2d13bff

SHA256
5b862af57f18604c6ffd4d06e3534714e84f96bd3afd0a8d2ca07a9805031ded

SHA512
2d204b7a535a10d6af46ee84bf4242ae37232e0db3f7b1eb7d677a68b08c5b3ab5b24dffdda47e68e12f41c2ff7e9d68411c4432f9ca674b2c6e2094148395cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.10.9 (64-bit)_20240701060452_005_tcltk_JustForMe.log
Filesize
1KB

MD5
e7769632de57f3a7ffa9f2c69a552ffa

SHA1
63dce0b8bb46c9943f8835b6076be071f2b0d112

SHA256
6d422f2f5f06028fdf584f1338cdb72882a49ad79c14c86ccf4befe002f901e1

SHA512
a0ceaa2dde433bffe06f644b9fb7df6640761b185ea83ffebf797a96225de2651bb9976bb3f372af8e8a1d2333ba37ba66a0681559390bd57343f9e73bc8a207

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k4hblizl.n3z.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Temp\{44BAE41B-50BF-47EE-9CF5-0FC8A8CA1D24}\.cr\python-installer.exe
Filesize
849KB

MD5
d988448411dc7548332378f7f61508a4

SHA1
34989539914256ea9f6d691236039d806be6f7ca

SHA256
ae5f3d9aaf871d4cf62b3106a7babb66a5c52fdf5ea9b93467c45bd047319c66

SHA512
eb631c340bebb6ce3a6100383fe5e5bd8d2b700ca2c9cd07c1bff4decb8b72a9223596786ef0e8040097135765d7af479f3bfa10957abba32143fc9c9b51ce97

Download Submit
C:\Windows\Temp\{CBD32421-C4E1-480B-8A93-71CDA562A703}\.ba\PythonBA.dll
Filesize
650KB

MD5
64d1e3b44bfce17b6a43e9ca200bfaa2

SHA1
2617a95208a578c63653b76506b27e36a1ee6bba

SHA256
c016025b6e3c1335eef8f544cb88a948d7c785fd5247b994c8ec91a4fce5f899

SHA512
002fcb10e7aec037eee5acdbdc20719f10147917330f769943e4342d99a9596df5f09c039be5a8daa871062bf4c7263ae4d6582f971ced570c85abcbea87cc77

Download Submit
C:\Windows\Temp\{CBD32421-C4E1-480B-8A93-71CDA562A703}\.ba\SideBar.png
Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
C:\Windows\Temp\{CBD32421-C4E1-480B-8A93-71CDA562A703}\launcher_AllUsers
Filesize
516KB

MD5
a6d0b9692be2bb42031d8dd3293c6fed

SHA1
3de1ce4eb9df47d40639ec24d740dae74f58ba1d

SHA256
d557952fdea4a50bd4901cf6152e17e46168fedb663080aaf438da80926921b7

SHA512
df4e7b9a0fcff4f6b29e1184ffc18a8eebd010dd500402f8d5d6e61a8d011ef2ae82bcac86355142b4f292105f878938e6f3673d108925611650561aa08ccfb4

Download Submit
memory/4700-26-0x0000000006170000-0x00000000061BC000-memory.dmp

Filesize
304KB

Download
memory/4700-14-0x0000000005960000-0x00000000059C6000-memory.dmp

Filesize
408KB

Download
memory/4700-28-0x0000000007610000-0x0000000007C8A000-memory.dmp

Filesize
6.5MB

Download
memory/4700-27-0x0000000073AB0000-0x0000000074260000-memory.dmp

Filesize
7.7MB

Download
memory/4700-32-0x0000000073AB0000-0x0000000074260000-memory.dmp

Filesize
7.7MB

Download
memory/4700-25-0x0000000005940000-0x000000000595E000-memory.dmp

Filesize
120KB

Download
memory/4700-20-0x00000000059D0000-0x0000000005D24000-memory.dmp

Filesize
3.3MB

Download
memory/4700-29-0x0000000006420000-0x000000000643A000-memory.dmp

Filesize
104KB

Download
memory/4700-13-0x00000000058B0000-0x0000000005916000-memory.dmp

Filesize
408KB

Download
memory/4700-12-0x0000000005810000-0x0000000005832000-memory.dmp

Filesize
136KB

Download
memory/4700-11-0x00000000050B0000-0x00000000056D8000-memory.dmp

Filesize
6.2MB

Download
memory/4700-10-0x0000000073AB0000-0x0000000074260000-memory.dmp

Filesize
7.7MB

Download
memory/4700-9-0x0000000073AB0000-0x0000000074260000-memory.dmp

Filesize
7.7MB

Download
memory/4700-8-0x0000000002920000-0x0000000002956000-memory.dmp

Filesize
216KB

Download
memory/4700-7-0x0000000073ABE000-0x0000000073ABF000-memory.dmp

Filesize
4KB

Download