d4bd3928bc8a16c9377fdebf15da360c6c5c6b07871c7590d43a58a465857558

Analysis

max time kernel
57s
max time network
83s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29-09-2024 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

source_prepared.exe
Size

76.8MB
MD5

bf4c26a1f9c449ba0cdc0dfcef64da56
SHA1

99815b5bb549e6719a4c0c5968a21700c224054d
SHA256

d4bd3928bc8a16c9377fdebf15da360c6c5c6b07871c7590d43a58a465857558
SHA512

83dca20749b0464355f394a01fde09b80f728df8794e05e5820b16d2dfbdb329df3e4ad044786492282f2ca950dce9e4e101644ac7f3169be19274e718b04878
SSDEEP

1572864:+vHcRl3WdmSk8IpG7V+VPhqYdfzE7tlhTgiYweyJulZUdg1herRdETV37U:+vHcR50mSkB05awcf2LVpuxherD4o

Score

8^/10

discovery upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2468	python-3.12.6-amd64.exe
2976	python-3.12.6-amd64.exe

Loads dropped DLL 3 IoCs

pid	Process
1772	source_prepared.exe
2468	python-3.12.6-amd64.exe
2976	python-3.12.6-amd64.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0003000000020a04-1366.dat	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.12.6-amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.12.6-amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2564	chrome.exe
2564	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2516	notepad.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 1772	2800	source_prepared.exe	30
PID 2800 wrote to memory of 1772	2800	source_prepared.exe	30
PID 2800 wrote to memory of 1772	2800	source_prepared.exe	30
PID 2564 wrote to memory of 2776	2564	chrome.exe	32
PID 2564 wrote to memory of 2776	2564	chrome.exe	32
PID 2564 wrote to memory of 2776	2564	chrome.exe	32
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1824	2564	chrome.exe	34
PID 2564 wrote to memory of 1340	2564	chrome.exe	35
PID 2564 wrote to memory of 1340	2564	chrome.exe	35
PID 2564 wrote to memory of 1340	2564	chrome.exe	35
PID 2564 wrote to memory of 2200	2564	chrome.exe	36
PID 2564 wrote to memory of 2200	2564	chrome.exe	36
PID 2564 wrote to memory of 2200	2564	chrome.exe	36
PID 2564 wrote to memory of 2200	2564	chrome.exe	36
PID 2564 wrote to memory of 2200	2564	chrome.exe	36
PID 2564 wrote to memory of 2200	2564	chrome.exe	36
PID 2564 wrote to memory of 2200	2564	chrome.exe	36
PID 2564 wrote to memory of 2200	2564	chrome.exe	36
PID 2564 wrote to memory of 2200	2564	chrome.exe	36
PID 2564 wrote to memory of 2200	2564	chrome.exe	36
PID 2564 wrote to memory of 2200	2564	chrome.exe	36
PID 2564 wrote to memory of 2200	2564	chrome.exe	36
PID 2564 wrote to memory of 2200	2564	chrome.exe	36
PID 2564 wrote to memory of 2200	2564	chrome.exe	36
PID 2564 wrote to memory of 2200	2564	chrome.exe	36
PID 2564 wrote to memory of 2200	2564	chrome.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\source_prepared.exe
"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Users\Admin\AppData\Local\Temp\source_prepared.exe
  "C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"
  2⤵
  - Loads dropped DLL
  PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7389758,0x7fef7389768,0x7fef7389778
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1188 --field-trial-handle=1312,i,9249924119278703259,17936700703712630040,131072 /prefetch:2
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=1312,i,9249924119278703259,17936700703712630040,131072 /prefetch:8
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1312,i,9249924119278703259,17936700703712630040,131072 /prefetch:8
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2268 --field-trial-handle=1312,i,9249924119278703259,17936700703712630040,131072 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2276 --field-trial-handle=1312,i,9249924119278703259,17936700703712630040,131072 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1140 --field-trial-handle=1312,i,9249924119278703259,17936700703712630040,131072 /prefetch:2
  2⤵
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1452 --field-trial-handle=1312,i,9249924119278703259,17936700703712630040,131072 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3476 --field-trial-handle=1312,i,9249924119278703259,17936700703712630040,131072 /prefetch:8
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3600 --field-trial-handle=1312,i,9249924119278703259,17936700703712630040,131072 /prefetch:8
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3644 --field-trial-handle=1312,i,9249924119278703259,17936700703712630040,131072 /prefetch:8
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3724 --field-trial-handle=1312,i,9249924119278703259,17936700703712630040,131072 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3876 --field-trial-handle=1312,i,9249924119278703259,17936700703712630040,131072 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3628 --field-trial-handle=1312,i,9249924119278703259,17936700703712630040,131072 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3012 --field-trial-handle=1312,i,9249924119278703259,17936700703712630040,131072 /prefetch:8
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4028 --field-trial-handle=1312,i,9249924119278703259,17936700703712630040,131072 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3012 --field-trial-handle=1312,i,9249924119278703259,17936700703712630040,131072 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4032 --field-trial-handle=1312,i,9249924119278703259,17936700703712630040,131072 /prefetch:8
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4208 --field-trial-handle=1312,i,9249924119278703259,17936700703712630040,131072 /prefetch:8
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4200 --field-trial-handle=1312,i,9249924119278703259,17936700703712630040,131072 /prefetch:8
  2⤵
  PID:620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4336 --field-trial-handle=1312,i,9249924119278703259,17936700703712630040,131072 /prefetch:8
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4356 --field-trial-handle=1312,i,9249924119278703259,17936700703712630040,131072 /prefetch:8
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4204 --field-trial-handle=1312,i,9249924119278703259,17936700703712630040,131072 /prefetch:8
  2⤵
  PID:1116
- C:\Users\Admin\Downloads\python-3.12.6-amd64.exe
  "C:\Users\Admin\Downloads\python-3.12.6-amd64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2468
- - C:\Windows\Temp\{5ABD0A22-6FEC-46A5-811B-D65E17690145}\.cr\python-3.12.6-amd64.exe
    "C:\Windows\Temp\{5ABD0A22-6FEC-46A5-811B-D65E17690145}\.cr\python-3.12.6-amd64.exe" -burn.clean.room="C:\Users\Admin\Downloads\python-3.12.6-amd64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2976
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20240929135416.log
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      PID:2516

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2244

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2592

C:\Users\Admin\Downloads\python-3.12.6-amd64.exe
"C:\Users\Admin\Downloads\python-3.12.6-amd64.exe"
1⤵
PID:3012
- C:\Windows\Temp\{3313E6B3-C8C1-40E2-A7A3-DBCAD92AE506}\.cr\python-3.12.6-amd64.exe
  "C:\Windows\Temp\{3313E6B3-C8C1-40E2-A7A3-DBCAD92AE506}\.cr\python-3.12.6-amd64.exe" -burn.clean.room="C:\Users\Admin\Downloads\python-3.12.6-amd64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
  2⤵
  PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4773b97b611fb3c2e5d5da19f4ca452

SHA1
f2bfc5fb7dbb9d6c7c2180c693a007a8ef42f7fa

SHA256
57726fe9fb843c80597316e14d7fef5bd3763002332a73a5e4c3bd4a567cf8ba

SHA512
1df19b59ffdeee9f1bed00d94236f8b897c4c7344fba19da782cdc651c196b7ecfccf18e8e92f848ae1e90b2e822de553db0bf65566b7b90376eb2f194f2f151

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a91c41ea0924c5135f62a37c77f1f330

SHA1
f4f66bc4425234193429e6b9e5629a14ccd341c1

SHA256
f0717b889cce8cb69e0b313bbe99d638607b7d0b86af95b3c549805de1b85ec0

SHA512
ffc04c3b71d7136de31c581f49c59bce658a69241088555c042fdbb5a52265eff7e256e6e5aa43e2df76711de44d612d2c3a939630dcdfcc5f293d9409aea8b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b32c87d6fe6e5a391b1a0f9d35e5174

SHA1
c4703b975539702068aefb01230483157d9525b4

SHA256
28c41dad0bf406c84fc88bf58c56242b6baaf35ca1dadd92710a3d7cca08b818

SHA512
4d733d07c239971400b1a6328e67f581e9fb78e197dcd69167847b005765cb7d2d96c306278a0f9494c2c4ad68df19f1dd3d5b9d7b32e5c3c6d756976f46bd7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07140d0254cd97927cc64c6d62f706db

SHA1
b5817a775b4835399cf6a9b3dd2d190055247a56

SHA256
a5c00920d7c9d818a5bdfb4c0f5e748abf104da0a2580c85702cdb44ea73b21d

SHA512
6346fee7173a45f569a4e1aff65da979ba070e8a44a27ec4030fd77b05aff2976ad75e830b67561c6e2e881d15be691dc0c6e772d2aedfdfc85a419d217e8514

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
527B

MD5
7971b7c39a9fce13d45eb5dd6d211a7b

SHA1
fe8dc1dfd3e41902ff0f3751234cdd6d009ab7a9

SHA256
b79e049c18ef2f0679efa156ee1cc7cc74f807b945dbdb91991e64a18173594e

SHA512
23eb8928c4ba52b0c81fe8365c117a9f9ffa4db88f9ae35cec9bbb3d80f2c4364b1a246d09e087eac553f3cee5085a413941b5af938bc98c64ddbf1325367a84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
29c5aa6e79835b254ee05a21c1585113

SHA1
0ef2352b153088ff73593395083ed02f466c4cdd

SHA256
23095def8fd012e9ee105eead9bfc65c811f3e27ed4d55e6a76492ad054dba56

SHA512
1f2c4581c6758ecab4a9af10815119c579d4bb94c3653aee1a17c95d8f9e32dd87f6d4942d73373a8835afc4fa46e25d2751c3036de4f0f32fbca50dedf12c4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d4029b8cd36e419d0846a94dfb12b9c4

SHA1
a0878f90b1db48408b675dae2fb4eb535dc85d10

SHA256
23f44831bce94532f0de84a8b68031f1a090d767fec155d77aac466a08080de5

SHA512
ab6d00b84286e1e707920edab75ad3b59c10cc407d9b8ed77abfee34f7872d4628e33c5a65af124fe8579d7aa4aea3506bd7eeec03c40f3ddda1693d9f690e39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
20496d57fe0035bfce846495c0eace2c

SHA1
f5b10063c0d07090122b748ebfa6f1cb0c5dd060

SHA256
804c65f8cbd0298ca5f7d2856cb48bb1ebe6b5191f14be6538ceb2146e328dac

SHA512
e64cc0e3e5888efe6b84ce9b6d2ad5e353d1a48d578ad28b90276aeca53e165a6cf840776b41613b00f35348ad47bb4f78e272e5ba2b8becbd511eb77c6df259

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b62cfa5a8093db10fd8aaf6a3615fa9c

SHA1
3017fe2907507a5e1eea6867f238e5a2c0b21671

SHA256
a23fae6cf510468c750ef72c390a984019a9a223f2cdba46bbacae4cd869f0c2

SHA512
7b9034a4bb99499c92372ed35038c81f7db4d7849f37c0ad3d90ba7e0e34f247b5ab991960e723a2cfaebb4030be29ab769e422844eff16a130d190c803e052b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD51C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20240929135416.log

Filesize
6KB

MD5
a6cc36c7658f4a9438a7540a0c595139

SHA1
8f7468fb7fbf2225e2d601195a4fbb4117d26fe7

SHA256
bb746426c0a23c3332a848f8c77fb129708bfbdb90842c9a60e30c7012c410df

SHA512
89514dc285f995096d6476a220c1a810b94a861f01db8583d0ac743f00df48b9e98eaaa40866f3bec6449c208a3767aca90194e962502f65ca892bf8cb469f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD5BB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28002\python312.dll

Filesize
1.7MB

MD5
36e9be7e881d1dc29295bf7599490241

SHA1
5b6746aedac80f0e6f16fc88136bcdcbd64b3c65

SHA256
ebef43e92267a17f44876c702c914aafa46b997b63223ff46b12149fd2a2616e

SHA512
090d4e9092b7fe00180164b6f84b4bd1d1a1e12dc8fea042eaa0e75cc08bb9994c91c3853bedec390208db4ef2e3447cd9be20d7dc20c14e6deb52a141d554cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28002\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28002\setuptools\_vendor\jaraco.functools-4.0.1.dist-info\LICENSE

Filesize
1023B

MD5
141643e11c48898150daa83802dbc65f

SHA1
0445ed0f69910eeaee036f09a39a13c6e1f37e12

SHA256
86da0f01aeae46348a3c3d465195dc1ceccde79f79e87769a64b8da04b2a4741

SHA512
ef62311602b466397baf0b23caca66114f8838f9e78e1b067787ceb709d09e0530e85a47bbcd4c5a0905b74fdb30df0cc640910c6cc2e67886e5b18794a3583f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28002\setuptools\_vendor\jaraco.text-3.12.1.dist-info\WHEEL

Filesize
92B

MD5
43136dde7dd276932f6197bb6d676ef4

SHA1
6b13c105452c519ea0b65ac1a975bd5e19c50122

SHA256
189eedfe4581172c1b6a02b97a8f48a14c0b5baa3239e4ca990fbd8871553714

SHA512
e7712ba7d36deb083ebcc3b641ad3e7d19fb071ee64ae3a35ad6a50ee882b20cd2e60ca1319199df12584fe311a6266ec74f96a3fb67e59f90c7b5909668aee1

Download Submit
C:\Users\Admin\Downloads\python-3.12.6-amd64.exe

Filesize
25.3MB

MD5
d8548aa7609a762ba66f62eeb2ca862d

SHA1
2eb85b73cab52693d3a27446b7de1c300cc05655

SHA256
5914748e6580e70bedeb7c537a0832b3071de9e09a2e4e7e3d28060616045e0a

SHA512
37fa7250b10b0c03b87d800bf4f920589649309cb4fbd25864475084bb7873d62b809a4fdeabd06c79f03f33614218eb7e01a9bd796de29dd3b141f1906d588c

Download Submit
C:\Windows\Temp\{1AEEE6BB-8CD9-4B2A-A4A6-E1705FCFB769}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
C:\Windows\Temp\{5ABD0A22-6FEC-46A5-811B-D65E17690145}\.cr\python-3.12.6-amd64.exe

Filesize
858KB

MD5
931227a65a32cebf1c10a99655ad7bbd

SHA1
1b874fdef892a2af2501e1aaea3fcafb4b4b00c6

SHA256
1dcf770dc47264f7495a559f786a4428f3a97f9d81e4c466ec9a5636f5a1be6d

SHA512
0212b5adc6ee8893edf4b94272fdffe145f53fe31357a3e024543f434cdc022a915d76780c1103aa9948feca5f161cfae608f91f3c7a876569e91c05d690d507

Download Submit
\Windows\Temp\{1AEEE6BB-8CD9-4B2A-A4A6-E1705FCFB769}\.ba\PythonBA.dll

Filesize
675KB

MD5
8c8e5a5ca0483abdc6ad6ef22c73b5d2

SHA1
9b7345ab1b60bb3fb37c9dc7f331155b4441e4dc

SHA256
edc6db3712eb4e1cd6988bc7b42c467ac6901148f3ee4bdfb286eff26efbfd43

SHA512
861ad726872b58e5b8b7c580b485e7bde0be6c1963ac23db63d4105684d1e50e8f409cd329f183d252a52e2be2737efaf9e4413eff29deee75b87850664b3157

Download Submit
memory/1772-1368-0x000007FEF6160000-0x000007FEF6825000-memory.dmp

Filesize
6.8MB

Download