d10cf685acdb897e304693c2d7e7f78805a134b206d292eac4ed63ed80393077

Analysis

max time kernel
1800s
max time network
1764s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
20/02/2024, 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Neptune-main.zip
Size

3KB
MD5

a748ab36470d217e4b670569e11cc133
SHA1

7d892521f607668b77a07600bd0566111abe6881
SHA256

d10cf685acdb897e304693c2d7e7f78805a134b206d292eac4ed63ed80393077
SHA512

69d3155e2d986e6b3cd85af60c1acc6064886b5d52895b891327cc13d8a515db23bfec363dd6dae402d09a1df3e1069a5e9a2537e4fa9186f0dd94b0ccd1905a

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1416	python-3.12.2-amd64.exe
1960	python-3.12.2-amd64.exe

Loads dropped DLL 2 IoCs

pid	Process
1416	python-3.12.2-amd64.exe
1960	python-3.12.2-amd64.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 320	1836	chrome.exe	33
PID 1836 wrote to memory of 320	1836	chrome.exe	33
PID 1836 wrote to memory of 320	1836	chrome.exe	33
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	35
PID 1836 wrote to memory of 2808	1836	chrome.exe	36
PID 1836 wrote to memory of 2808	1836	chrome.exe	36
PID 1836 wrote to memory of 2808	1836	chrome.exe	36
PID 1836 wrote to memory of 1900	1836	chrome.exe	37
PID 1836 wrote to memory of 1900	1836	chrome.exe	37
PID 1836 wrote to memory of 1900	1836	chrome.exe	37
PID 1836 wrote to memory of 1900	1836	chrome.exe	37
PID 1836 wrote to memory of 1900	1836	chrome.exe	37
PID 1836 wrote to memory of 1900	1836	chrome.exe	37
PID 1836 wrote to memory of 1900	1836	chrome.exe	37
PID 1836 wrote to memory of 1900	1836	chrome.exe	37
PID 1836 wrote to memory of 1900	1836	chrome.exe	37
PID 1836 wrote to memory of 1900	1836	chrome.exe	37
PID 1836 wrote to memory of 1900	1836	chrome.exe	37
PID 1836 wrote to memory of 1900	1836	chrome.exe	37
PID 1836 wrote to memory of 1900	1836	chrome.exe	37
PID 1836 wrote to memory of 1900	1836	chrome.exe	37
PID 1836 wrote to memory of 1900	1836	chrome.exe	37
PID 1836 wrote to memory of 1900	1836	chrome.exe	37
PID 1836 wrote to memory of 1900	1836	chrome.exe	37
PID 1836 wrote to memory of 1900	1836	chrome.exe	37
PID 1836 wrote to memory of 1900	1836	chrome.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Neptune-main.zip
1⤵
PID:1540

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6339758,0x7fef6339768,0x7fef6339778
  2⤵
  PID:320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1188,i,1876667927037752382,17995008599546554437,131072 /prefetch:2
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1188,i,1876667927037752382,17995008599546554437,131072 /prefetch:8
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1188,i,1876667927037752382,17995008599546554437,131072 /prefetch:8
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2132 --field-trial-handle=1188,i,1876667927037752382,17995008599546554437,131072 /prefetch:1
  2⤵
  PID:1064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2148 --field-trial-handle=1188,i,1876667927037752382,17995008599546554437,131072 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1400 --field-trial-handle=1188,i,1876667927037752382,17995008599546554437,131072 /prefetch:2
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3276 --field-trial-handle=1188,i,1876667927037752382,17995008599546554437,131072 /prefetch:1
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3660 --field-trial-handle=1188,i,1876667927037752382,17995008599546554437,131072 /prefetch:8
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3680 --field-trial-handle=1188,i,1876667927037752382,17995008599546554437,131072 /prefetch:1
  2⤵
  PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=1672 --field-trial-handle=1188,i,1876667927037752382,17995008599546554437,131072 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3460 --field-trial-handle=1188,i,1876667927037752382,17995008599546554437,131072 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3464 --field-trial-handle=1188,i,1876667927037752382,17995008599546554437,131072 /prefetch:8
  2⤵
  PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2184 --field-trial-handle=1188,i,1876667927037752382,17995008599546554437,131072 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2496 --field-trial-handle=1188,i,1876667927037752382,17995008599546554437,131072 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3848 --field-trial-handle=1188,i,1876667927037752382,17995008599546554437,131072 /prefetch:8
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3956 --field-trial-handle=1188,i,1876667927037752382,17995008599546554437,131072 /prefetch:8
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3964 --field-trial-handle=1188,i,1876667927037752382,17995008599546554437,131072 /prefetch:8
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3980 --field-trial-handle=1188,i,1876667927037752382,17995008599546554437,131072 /prefetch:8
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4060 --field-trial-handle=1188,i,1876667927037752382,17995008599546554437,131072 /prefetch:8
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4000 --field-trial-handle=1188,i,1876667927037752382,17995008599546554437,131072 /prefetch:8
  2⤵
  PID:1408
- C:\Users\Admin\Downloads\python-3.12.2-amd64.exe
  "C:\Users\Admin\Downloads\python-3.12.2-amd64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1416
- - C:\Windows\Temp\{796B641F-85C3-4991-B113-985AD317D82D}\.cr\python-3.12.2-amd64.exe
    "C:\Windows\Temp\{796B641F-85C3-4991-B113-985AD317D82D}\.cr\python-3.12.2-amd64.exe" -burn.clean.room="C:\Users\Admin\Downloads\python-3.12.2-amd64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1960

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ec8126e1cbe2723bb1610ef200b1421a

SHA1
0d0217e4f78455a921be8c9d77853af1bb58d982

SHA256
7984ed026011b06a96214697a337b5608ee1de72f90ac3043a4c65cbce818490

SHA512
caf61d192fb571219f44379be6207edfa9beac33708d7572756f5fbd4b1a69223de3baec85247a72c733a5ed5e923d88d4b986eb63c7ae09185401280eee22e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
36a419b5ae7af9c320eac7d16eb2d33d

SHA1
8987f1ba4753155aacab68854128568a1ca19c66

SHA256
1df2a53244c282b38cfdb29aadc9791149f115f657992c100c793d5a50236d75

SHA512
be10a35ab1fd0f9fcd998848195ab2491efbece492889edfff608d077da2d7227f136c23c0a021df6820acd9ccc5367c11eb134e508cf141286eb68bd16abc2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
00599d5d7ddd8c8abb8b781d251d7037

SHA1
adc41e0eb993da9619b0c2c55069776f8be22c18

SHA256
f128e79d73dece4d2dbce35ed0915fc41c5b3367ba0aee33e851ec6561dd3d27

SHA512
a585536eb53d751d08a6a88e4166b8178ad45070be8a11e530d8d0eeb6cc4a2d89be3763955998e96a43af8c8d0ef296d77393c84a119141b8fb0f654fa3435f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c5551f70a3d8075aa59e2ea72f71893d

SHA1
21c49fbc55a72daaaaa1b3d7eb43e5df61bb8418

SHA256
b2dbc3aa2f238ac98f61443e16ffdc731787f731f750cf9c084cf0bd2265a528

SHA512
67e11d8469cd35f9feb5c511e7c7053b780f62c16303101b30d72ec7c0d739fdca3529fc8afe561002a5f00221d9cfed8bb3208f9ae23aa91d445147a2ee41b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
194KB

MD5
ac84f1282f8542dee07f8a1af421f2a7

SHA1
261885284826281a99ff982428a765be30de9029

SHA256
193b8f571f3fd65b98dc39601431ff6e91ade5f90ee7790bfc1fba8f7580a4b0

SHA512
9f4f58ab43ddadad903cea3454d79b99a750f05e4d850de5f25371d5bec16fc312015a875b8f418154f1124c400ae1c82e2efd862870cd35c3f0961426c8cd82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
ec792ccd4b304e233bfcd24587c5718f

SHA1
d10abc283ac9cd395d4e2d88253b33aa3059d397

SHA256
4d36cfc6b00394ed7520dc3c171111c0d4b4e739a11ca08e35f191c9e8013d28

SHA512
546de996031458c5b9d3d65986515ae2bda928f4d1d8a20f60c6a8c4bd3735f983f23fa68b0c5eb2081386e994ec411be566a7a0a269eb783a023b80d481b20f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b2c82fc12b84118dd575da2a1761cf99

SHA1
743d30336a4a4bd60561e0a610087d8638ab01c3

SHA256
610480fb724b708e6cdab54cfd97bfe35cbaa7d3f32347f30b11ec45c153355e

SHA512
49976f54618bf05e0dbf7488c660ec4f5b15a07b8584297fbb78323c7fef66d23574c921e557d1a48aa8b262b94c60910731ac4e11c0eb7031f74a2a088a75cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
71d4900583690ddc868d6a8a2f384e28

SHA1
76453ca727f623ad1bc67fb4333cd1d6c9fd7f3f

SHA256
7f98aaee16bcd1ee76bb6953519b1d18b52eaee75f541d78ddb164c48018b0d3

SHA512
2b1b2088faabd21e0155923e8cf020daaf969d6a3b52538a7e29e212fc7a5b275b1178457c1728a92a7159bec057eb4968ce61779dd2e73d966f4e52e6d5f8b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
4d908f7c275ab7fdbfec00842db85490

SHA1
b564b0589a47abe3dd1d6e65f4fa3dc1c7054c93

SHA256
96390601e8ee72cf66c577ee515aecba7b67ea06b049c2e30f244455f620a355

SHA512
efc31788f9057f9d2f32613c1ae85328dbf99c80e38c81628caa4a54ca4d4b284f5f0fc9b6e600a643b16f7fefb06831121db725a9bf28fccbc462502f76de55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
0a488f578e1e0e8f5eec8fa052412992

SHA1
44096b4f72ce275541b6807d8ec0d765a20b68fb

SHA256
33aa81daff50ccd94b8ae57a04bb6767649b5636703d625e118710717ee9dcf2

SHA512
ee1f5e1ff7434281ed4dbf61fd3b9cf4c73bd86588a8423e3036cff3e4928d05a4015f1308d34ad37be3d97d68e2972706d59931feff3e4feb0dea0008d7ba5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
864fff297fba0e6b798e2673893e59bc

SHA1
ccfff283c147eeb4e2278d3642ebefc657cdba1b

SHA256
d9637cef53170cc6ddd849874123ea19a5f57f6595be83cb3b7164326073b1ed

SHA512
ef47bdab7d3aad7b7fc2a316fcd74969b7d980883a363864730020a3e40426e82abe49074f241980e9d928797d2c6c58cd8731c447cfc795eb16cfd012b626ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
391ed308e9cf080f36f55cb1c9007688

SHA1
acc384bf2ae482b4f8cbea0fca403632dbfc62a5

SHA256
f1d8233dd7d08687d7353d66ec0006c9248328d5879f07cd2a85535ac7357c62

SHA512
60739b6294531af1c3b7a2b9e656974827f9eb4ca20ea889074cdddbab7d0c755683288a6dfae153f7ab4c5bad3e6db661d412ac6cb7d37e48947bd079a257fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1015B

MD5
fec3cc26397a7082d8597857f3ac0675

SHA1
5d38dfd5c3a38c880e6006c1ccaeb3965d2651e2

SHA256
df2ec07f02f33abbe7b9dbe32d5d0d516e5eeffc0932a7d9c74cfe416b2d061e

SHA512
5fb5b88fa5cfd186e23a9a0bb2428392840710b2d144618742ddbb5154269c11e59b26d5c4cf0a04558e728333690177b1d40a9ea3e7fb42581eb3ccd9badf64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6a167e82db496048232d8f5530f17fb3

SHA1
d0ce530a076ec75116c5ac62f2582bb4afeaffd8

SHA256
e4cab23a780f917d22227eae739e6f3613af10d812df1832f0ceacc8de63668f

SHA512
99a9d241463f0bff9a11f36bb9e3ddbfc49751b59e7cba36888ec1867b6062504e4436a24d7a078c33157c2d62010bf177d2beaa47222a4acf5f0ab733ef3b12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7630bb79cf086dd88d156b9e112216b4

SHA1
4f1aa4cc4e2a16f4f1c82d975032ee35684dd628

SHA256
c831bf213ffa29fe262711ab49f93201b3d2ce4151bfea0f20b6b064e0e332e8

SHA512
a871c7323543d2c6ae44fbc922ba8dcdee0c540ac6e9bab707be5d1ffa248ff8f9622878802b6fe3abf07f95b213504750e349ff912c2a7bdd1b43eaac3dbe88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0c4cfe1308804af265157dcb99827854

SHA1
b22deaf5b6cdfdecd639e6366cd586cfbf81a1b1

SHA256
a59a9124023a61d7be399de17d8a9fb75a1a02718fd9fd19b91227310934521d

SHA512
5409302f32389bd19e0880966c85830556fb7e47813e0166e57a0feef1e510f79e6bb5178a0eb42255f3e4c96cb30b3499a3bb604eee75d63dd791c9e9f04d64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ba86ec0e1e81f10a9bb98c66b7af7685

SHA1
22d9db8116383e418ace89d387d80cc5a6381f93

SHA256
ba789cd98b102daaa0fd31033b861de002f075d878e1a3774e04541fb2bfecba

SHA512
d25e008f7c42665fed08c8969a511103a09bb17620b5b44ccac8f1736bc4f4ea757eb80abe996fbdd52b082598ce9b97ba5a237744904e32f7bb139f4301d6e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab286A.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar28BB.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\Downloads\python-3.12.2-amd64.exe

Filesize
25.4MB

MD5
44abfae489d87cc005d50a9267b5d58d

SHA1
af778548383c17cb154530f1c06344c9cced9272

SHA256
b9314802f9efbf0f20a8e2cb4cacc4d5cfb0110dac2818d94e770e1ba5137c65

SHA512
e955f0bee350cd8f7e4da6a8e8f02db40e477b7465a77c8ecab46a54338c0a9d8acf3d22d524af2c45c25685df2468970ea1b70b83321c7f8e3fae230f3c7f16

Download Submit
C:\Users\Admin\Downloads\python-3.12.2-amd64.exe

Filesize
11.6MB

MD5
ad2daeccd3649e55bab4a28909fbfe6d

SHA1
4b518cc433235e32408d0d37b0175452e4ef5f69

SHA256
0d885e1b71431b6c84cf750f0214c300aa8133f9f7c2dcc6de1c0a4817d5692a

SHA512
6d0da1f837034e705370fd9943a7031bc81cd908249b2e1eab26ea265ccc7820b635bf1266c65c202e446d674558dc717b83cb616e74e23859a5659665823d94

Download Submit
C:\Users\Admin\Downloads\python-3.12.2-amd64.exe

Filesize
18.1MB

MD5
911ee436b67e6cd2b548be8b4d137542

SHA1
853cdd9c4eddb2c89907d3a8433ca2fbf017c2f2

SHA256
cb057fec50647f62a28262dbc6f18be8920d19b0383abcdcc497c4e9f052cc17

SHA512
cb9bc43df44e76c41aaef7b2213988b7127b22b0b797c0ef7270d1d8d7ecb7940fc1d078e22ba11daa04852d393fe694119b108386cf36850cacedcbfeb9efde

Download Submit
C:\Windows\Temp\{9DEC362E-54BF-4BF8-98A5-6A4A097F9C0D}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
\Windows\Temp\{796B641F-85C3-4991-B113-985AD317D82D}\.cr\python-3.12.2-amd64.exe

Filesize
858KB

MD5
ab21a1bea9e3eaab64a2c062ab613221

SHA1
310b1f7921af8edf125eacba71944b6e5356acdf

SHA256
1474dbd6a33da8f2f0b50007ba48f0c1ddb3e0e6f8c969722eed1e683a9af68a

SHA512
b39b5a24bb7b2d3ead8aed284452c94280398a9e4855f17a8e3593fe718e9b3573e88b15f1dd4659030827e754b17e7f918ba24803e4d522ad9601167fb70df4

Download Submit
\Windows\Temp\{9DEC362E-54BF-4BF8-98A5-6A4A097F9C0D}\.ba\PythonBA.dll

Filesize
675KB

MD5
8294dc8850dd596d0ce8455167496832

SHA1
5c75c685c95bee8c1a39187da8af46b6c7892757

SHA256
565f03893da383e5bec8c6eaa7c8fbb3e6db0b9bddd5a1399b0dec66fa44d64d

SHA512
21015ca201b64e3316f3d1ee32e4c562d0142111c1ed576f03aa078619fe656c56848b5998313af23aabb97293c5452be0e27d5c44878be5d90ac2d2d2f05851

Download Submit