38e10d9a15bc9ec9d02f8b7f472c896694fdace48cafabdaec6c8b9eff374206

Analysis

max time kernel
35s
max time network
81s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lord.py
Size

387B
MD5

792794f3d219878a8f68abeab200f6d8
SHA1

ef55b5ada4bdfb3519c51a70bb19013159451994
SHA256

38e10d9a15bc9ec9d02f8b7f472c896694fdace48cafabdaec6c8b9eff374206
SHA512

aabe0acf2801e56607e9553898e8385c1b097031c810c6ae4d7a4df3d7695fb83e6fc926a90bf0ab2ef74a37542f375a9cba7102ff918f6d4244fd55299e07c7

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.py	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\py_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\py_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2956 chrome.exe
2956 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

rundll32.exe

pid process

3040 rundll32.exe

pid	process
3040	rundll32.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe
Token: SeShutdownPrivilege	2956	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe
2956	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2704 AcroRd32.exe
2704 AcroRd32.exe

pid	process
2704	AcroRd32.exe
2704	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exerundll32.exechrome.exe

description	pid	process	target process
PID 2932 wrote to memory of 3040	2932	cmd.exe	rundll32.exe
PID 2932 wrote to memory of 3040	2932	cmd.exe	rundll32.exe
PID 2932 wrote to memory of 3040	2932	cmd.exe	rundll32.exe
PID 3040 wrote to memory of 2704	3040	rundll32.exe	AcroRd32.exe
PID 3040 wrote to memory of 2704	3040	rundll32.exe	AcroRd32.exe
PID 3040 wrote to memory of 2704	3040	rundll32.exe	AcroRd32.exe
PID 3040 wrote to memory of 2704	3040	rundll32.exe	AcroRd32.exe
PID 2956 wrote to memory of 2952	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 2952	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 2952	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1636	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1860	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1860	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 1860	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 2204	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 2204	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 2204	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 2204	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 2204	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 2204	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 2204	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 2204	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 2204	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 2204	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 2204	2956	chrome.exe	chrome.exe
PID 2956 wrote to memory of 2204	2956	chrome.exe	chrome.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\lord.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\lord.py
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\lord.py"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6379758,0x7fef6379768,0x7fef6379778
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1228,i,16041870858770125281,17841220103562168142,131072 /prefetch:2
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1428 --field-trial-handle=1228,i,16041870858770125281,17841220103562168142,131072 /prefetch:8
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1228,i,16041870858770125281,17841220103562168142,131072 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1552 --field-trial-handle=1228,i,16041870858770125281,17841220103562168142,131072 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2304 --field-trial-handle=1228,i,16041870858770125281,17841220103562168142,131072 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1612 --field-trial-handle=1228,i,16041870858770125281,17841220103562168142,131072 /prefetch:2
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1368 --field-trial-handle=1228,i,16041870858770125281,17841220103562168142,131072 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3412 --field-trial-handle=1228,i,16041870858770125281,17841220103562168142,131072 /prefetch:8
  2⤵
  PID:1804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1372 --field-trial-handle=1228,i,16041870858770125281,17841220103562168142,131072 /prefetch:8
  2⤵
  PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3528 --field-trial-handle=1228,i,16041870858770125281,17841220103562168142,131072 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3552 --field-trial-handle=1228,i,16041870858770125281,17841220103562168142,131072 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3540 --field-trial-handle=1228,i,16041870858770125281,17841220103562168142,131072 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4316 --field-trial-handle=1228,i,16041870858770125281,17841220103562168142,131072 /prefetch:1
  2⤵
  PID:844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2740 --field-trial-handle=1228,i,16041870858770125281,17841220103562168142,131072 /prefetch:8
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2412 --field-trial-handle=1228,i,16041870858770125281,17841220103562168142,131072 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2404 --field-trial-handle=1228,i,16041870858770125281,17841220103562168142,131072 /prefetch:8
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3564 --field-trial-handle=1228,i,16041870858770125281,17841220103562168142,131072 /prefetch:8
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3800 --field-trial-handle=1228,i,16041870858770125281,17841220103562168142,131072 /prefetch:8
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3184 --field-trial-handle=1228,i,16041870858770125281,17841220103562168142,131072 /prefetch:8
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1236 --field-trial-handle=1228,i,16041870858770125281,17841220103562168142,131072 /prefetch:8
  2⤵
  PID:2560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3596 --field-trial-handle=1228,i,16041870858770125281,17841220103562168142,131072 /prefetch:8
  2⤵
  PID:2948
- C:\Users\Admin\Downloads\python-3.12.3-amd64.exe
  "C:\Users\Admin\Downloads\python-3.12.3-amd64.exe"
  2⤵
  PID:532
- - C:\Windows\Temp\{0E683267-E394-473C-B580-A98D8DF2B9EE}\.cr\python-3.12.3-amd64.exe
    "C:\Windows\Temp\{0E683267-E394-473C-B580-A98D8DF2B9EE}\.cr\python-3.12.3-amd64.exe" -burn.clean.room="C:\Users\Admin\Downloads\python-3.12.3-amd64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
    3⤵
    PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3116 --field-trial-handle=1228,i,16041870858770125281,17841220103562168142,131072 /prefetch:8
  2⤵
  PID:1160

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d4937dfceabf4cf943007c4567b77e2b

SHA1
7d5f7f7eebae526139f7fc10fbd5a452e7d319e6

SHA256
c53ad7e22b693094345f93f2e1e4840de5edf314ffd7da77ce5f8050a60eecdf

SHA512
2d02fb652e56e549ec86aef0f329f07cb984196a841979fcceb9721741b132e88adbead40748dfb5d03e9f15f6089782e68f3fe19aedd8d0d44fdde6330af636

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6654454e954f89095d6ec246ec25951a

SHA1
f3d864e555438b84c834dd9ee040a30e9a1ea130

SHA256
8714a37001e06de4731a1241a1bd5e268a83053075f5b314dbb8ab62b8d36a54

SHA512
f8d8d068c272ec2724cbe5c947674d3da5b811ea4c66bcbdfe34fc5575c7e2e6d100b7ac0112f2449e734c104e92d26013f7b0541728f1da3d0e10eec0991bd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
32KB

MD5
b582b2eca79a750948dbb3777aeaaadb

SHA1
bf0ea1c8a7b4a55779cbb3df1f1d75cc19910e9f

SHA256
04c7f19e1ae294cc641f6c497653b5c13c41b258559f5f05b790032ccca16c82

SHA512
35cfd88afe4e4e8091d3a5c53f0f3e2dcd92aa58b7544b94d4d9d7cdf508d429c5292aa97b813c9c8ad18e4d121d4e6595c49f5ddafbeab7b39f3a7c9d0b58dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
66KB

MD5
33411bb179575dfc40cc62c61899664f

SHA1
d03c06d5893d632e1a7f826a6ffd9768ba885e11

SHA256
274befc7b39609fed270e69335bc92b3d8251545594636eb408d5d93e0ae1a4f

SHA512
dc830766c928ac84df16d094fc92586b9c2c25f819123dc9b5ec259220b4b1c45e2af28c89a710f047c00c9dcf7df8dd859a9a7a2d2228703f616df13caef2c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
853B

MD5
734eaffdee76c1915d701fd874ec27ca

SHA1
64042f4ab35bdc2c96ef3f64b3b5903124c2f624

SHA256
85a36c91868de72f50e5010121fbdeccec04202ba360113ec6ae8afa82f9ea35

SHA512
7ea3290745eb84cdfe75651069f0d61c4648343343dc24c450988240199e67009dde9252c18c7ac70f958ec1aa00918a354e4a3ba4b8e81c1380fbe89b0ea387

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
dda49dea93667b0576a09985dd869067

SHA1
efa621b5ac225025e05a74d22f46c4cf676abb81

SHA256
7c1c413f3071a5189af644df7608e57bbc1fc4ca5f5c5a4b6376e9cf60da5d05

SHA512
86b28c7ae310ddc877d822caa838212330fd66ecd568a58b42cb5754d6dbd9b69617bb7dc7ced8447d9fa4b5131a981ccdd664733286aa5d84a5c2daf2a25caa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1fb36173ce03ca1bfbf0b7cbf3dc6531

SHA1
2c8986fd9e40642013380dab6d3782c6e8c78319

SHA256
db189b5880b6bb9e8246805263d201a0511710496f55a06513ed07a20ca7f272

SHA512
f1fd6194972be80ca50feda797a48c128b9a9e26217d034e41bfc8146a04213ef010d9ce6b9a036abd86148243a0ae3f5e64453d3602534501de3d41244ea2a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d03ff20b32a5f54158666770fd1b69bc

SHA1
73b0d78157c96b0d97b3c65f4fb1174accba05ca

SHA256
3d310f9ed91f78e76c071b3d1fe34cac5bc294141322f353c457707a7e20f737

SHA512
cccf4d1b1c08a3b857ffc0f0261330eb65166d7472f6a2b2e5aeb8377b190145a4d3904965768a0daaaf1ed3270e1c5b16e847d0f89a55511071ad34367538c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
82KB

MD5
02eefdae0bdfb204cf8b150f6d7de8e9

SHA1
29cf3cdfcb026fc3ac6453425ae36c42c6174024

SHA256
601fe2b26555e8c8e3bd36a42b54bcf966472c8322df7e542de50e4ff9849fe3

SHA512
1f5144a16a2ab61a9cf6e387ad0dea753659bda07e137358065e62c19daae0bd10f4ab39b5e3d5066d8544e0f5dd1ce4fa5a44ee5454e3bf377bac23296d7a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7457.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar74E7.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\Downloads\python-3.12.3-amd64.exe

Filesize
25.5MB

MD5
c86949710e0471a065db970290819489

SHA1
b1207fba545a75841e2dbca2ad4f17b26414e0c1

SHA256
edfc6c84dc47eebd4fae9167e96ff5d9c27f8abaa779ee1deab9c3d964d0de3c

SHA512
0e19181bc121518b5ef154fecc57a837e73f36143b9cb51114bd3f54056bc09977abc1e4ef145a03344d9ad2b8e49faa483b4ef70e4176af2bc17a8e5a3cd4ac

Download Submit
C:\Windows\Temp\{7901EDB0-4254-422A-B57E-6A86A1D88DB9}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
\??\pipe\crashpad_2956_GBGMXIZRYXRTVYKD

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\Temp\{0E683267-E394-473C-B580-A98D8DF2B9EE}\.cr\python-3.12.3-amd64.exe

Filesize
858KB

MD5
d6958b9b90d2667936691080102ecc18

SHA1
c8e252d4926c81b4143aaeb89957662464eb3cd4

SHA256
ebee7043423bc83b3e8c8dde159e660cf15b376e248c3f8385b5076b85083614

SHA512
f49059a69df60cf3f6fb22787ff02809e5a8190777fa81c8672c14f9f104b2b7b1cb339a2773facb6dc450bcb51c4a0f80099fb0e992f7226c9ebcc56cf040e5

Download Submit
\Windows\Temp\{7901EDB0-4254-422A-B57E-6A86A1D88DB9}\.ba\PythonBA.dll

Filesize
675KB

MD5
74bbd9179465851bc0145bf1ca37c73a

SHA1
09fdc7061d81f2a2fa548169f2239cdc2e76979d

SHA256
17e381ff07daf726967a8c4c66eeb4e8e2a56f9b722bde953827ce7971460e0b

SHA512
d5b99d4264c39740fcfad886168054070f7b0144cd1dad9bf858e8b72c6fef90a07da8ae1a4e9554645da84dd69e823a6259a0c30214b343b4e48ab81fa382d4

Download Submit