Analysis
-
max time kernel
1801s -
max time network
1775s -
platform
windows10-2004_x64 -
resource
win10v2004-20220310-en -
submitted
22/03/2022, 18:16
Static task
static1
Behavioral task
behavioral1
Sample
Test.py
Resource
win7-20220310-en
Behavioral task
behavioral2
Sample
Test.py
Resource
win10v2004-20220310-en
General
-
Target
Test.py
-
Size
128KB
-
MD5
31ccc463d2d0e26c29ef7d666039f11c
-
SHA1
ccbbbfba471f35760632eafd4577df0913e4ebab
-
SHA256
b8861b968bb930b800d7d51bd04355f7312144ee51d91c332ab36c7b845050dc
-
SHA512
da321017f0b4eaaab3baa2c6e67f3cfa635b7ce6b5423aa9c9e25d8f3c4b3f5390b3c7c196ce86eee97ef9a47aa980a30660862362f0dd230c74db2cb565fd02
Malware Config
Signatures
-
Registers COM server for autorun 1 TTPs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 4480 created 2348 4480 SystemSettings.exe 40 -
Blocklisted process makes network request 1 IoCs
flow pid Process 243 4572 msiexec.exe -
Downloads MZ/PE file
-
Executes dropped EXE 13 IoCs
pid Process 1372 python-3.10.3-amd64.exe 2000 python-3.10.3-amd64.exe 4940 python-3.10.3-amd64.exe 580 python.exe 2292 python.exe 2316 pythonw.exe 2288 py.exe 6088 python.exe 5760 py.exe 2260 python.exe 5776 py.exe 5808 python.exe 3860 pythonw.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation python-3.10.3-amd64.exe -
Loads dropped DLL 64 IoCs
pid Process 2000 python-3.10.3-amd64.exe 1412 MsiExec.exe 580 python.exe 580 python.exe 580 python.exe 580 python.exe 580 python.exe 580 python.exe 2292 python.exe 2292 python.exe 2292 python.exe 2292 python.exe 2292 python.exe 2292 python.exe 2292 python.exe 2292 python.exe 2292 python.exe 2292 python.exe 2292 python.exe 2292 python.exe 2292 python.exe 2292 python.exe 2292 python.exe 2292 python.exe 2292 python.exe 2292 python.exe 2292 python.exe 2292 python.exe 2292 python.exe 2292 python.exe 2316 pythonw.exe 2316 pythonw.exe 6088 python.exe 6088 python.exe 6088 python.exe 6088 python.exe 6088 python.exe 6088 python.exe 6088 python.exe 6088 python.exe 6088 python.exe 6088 python.exe 6088 python.exe 6088 python.exe 6088 python.exe 2260 python.exe 2260 python.exe 2260 python.exe 2260 python.exe 2260 python.exe 2260 python.exe 2260 python.exe 2260 python.exe 2260 python.exe 2260 python.exe 2260 python.exe 2260 python.exe 2260 python.exe 5808 python.exe 5808 python.exe 5808 python.exe 5808 python.exe 5808 python.exe 5808 python.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce python-3.10.3-amd64.exe Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{a5de448a-5723-4bc4-a20d-26f83f96e00f} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{a5de448a-5723-4bc4-a20d-26f83f96e00f}\\python-3.10.3-amd64.exe\" /burn.runonce" python-3.10.3-amd64.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 579 api.ipify.org 549 api.ipify.org 550 api.ipify.org 561 api.ipify.org 562 api.ipify.org 578 api.ipify.org -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{8261D867-F3AD-4ADA-81F3-4A2A09E48C1B}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{800A6F77-FC1E-44FD-9E41-157DA8CA6F01}.catalogItem svchost.exe -
Drops file in Windows directory 60 IoCs
description ioc Process File created C:\Windows\Installer\1d04d0c.msi msiexec.exe File created C:\Windows\Installer\1d04d10.msi msiexec.exe File created C:\Windows\Installer\SourceHash{0E222A50-70D1-440A-BC74-10158262BC44} msiexec.exe File opened for modification C:\Windows\Installer\1d04d25.msi msiexec.exe File opened for modification C:\Windows\Installer\{90E2CFF3-9887-4445-8E43-FF6F323776A6}\ARPIcon msiexec.exe File opened for modification C:\Windows\Installer\1d04d29.msi msiexec.exe File created C:\Windows\Installer\1d04d05.msi msiexec.exe File opened for modification C:\Windows\Installer\1d04d05.msi msiexec.exe File created C:\Windows\Installer\SourceHash{48DDC543-0D8E-4367-A04E-405665C6070D} msiexec.exe File opened for modification C:\Windows\Installer\MSI516A.tmp msiexec.exe File created C:\Windows\Installer\1d04d09.msi msiexec.exe File opened for modification C:\Windows\Installer\1d04d1d.msi msiexec.exe File created C:\Windows\Installer\SourceHash{47F4BC1B-055D-4B6A-87DC-686AD8E49837} msiexec.exe File created C:\Windows\Installer\1d04d14.msi msiexec.exe File created C:\Windows\Installer\1d04d15.msi msiexec.exe File created C:\Windows\Installer\1d04d20.msi msiexec.exe File created C:\Windows\Installer\1d04d24.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI5544.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{9ECE9691-5C18-47E7-BC38-3A78E32BA47B} msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\1d04d18.msi msiexec.exe File created C:\Windows\Installer\SourceHash{F3D911AB-9754-4EF5-B3C4-1060BA8B4B16} msiexec.exe File created C:\Windows\Installer\1d04d08.msi msiexec.exe File created C:\Windows\Installer\1d04d1d.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIAD7B.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI5A08.tmp msiexec.exe File opened for modification C:\Windows\Installer\1d04d19.msi msiexec.exe File created C:\Windows\pyshellext.amd64.dll msiexec.exe File created C:\Windows\pyw.exe msiexec.exe File created C:\Windows\Installer\1d04d28.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIE73C.tmp msiexec.exe File opened for modification C:\Windows\Installer\1d04d09.msi msiexec.exe File created C:\Windows\Installer\1d04d0d.msi msiexec.exe File created C:\Windows\Installer\1d04d11.msi msiexec.exe File created C:\Windows\Installer\{90E2CFF3-9887-4445-8E43-FF6F323776A6}\ARPIcon msiexec.exe File created C:\Windows\Installer\SourceHash{53DF49EB-7DDD-480C-8947-CCBD9E28F8E6} msiexec.exe File opened for modification C:\Windows\Installer\1d04d21.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIB972.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{90E2CFF3-9887-4445-8E43-FF6F323776A6} msiexec.exe File created C:\Windows\Installer\1d04d29.msi msiexec.exe File opened for modification C:\Windows\Installer\1d04d0d.msi msiexec.exe File created C:\Windows\Installer\1d04d1c.msi msiexec.exe File created C:\Windows\Installer\1d04d25.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIE6DD.tmp msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\1d04d11.msi msiexec.exe File opened for modification C:\Windows\Installer\1d04d15.msi msiexec.exe File created C:\Windows\Installer\1d04d19.msi msiexec.exe File created C:\Windows\Installer\1d04d2c.msi msiexec.exe File created C:\Windows\Installer\SourceHash{198AE6B9-9F59-47C8-8147-65DEFBDA8AF4} msiexec.exe File opened for modification C:\Windows\Installer\MSI6728.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{2DA27E5B-F889-4FD1-B168-DECC92E8A1CB} msiexec.exe File opened for modification C:\Windows\Installer\MSIE43D.tmp msiexec.exe File created C:\Windows\rescache\_merged\1910676589\1186399007.pri compattelrunner.exe File created C:\Windows\Installer\SourceHash{3E14D489-CB72-4198-AC28-B1256B64A158} msiexec.exe File created C:\Windows\Installer\1d04d21.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI89D4.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA973.tmp msiexec.exe File created C:\Windows\py.exe msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 11 IoCs
pid pid_target Process procid_target 3736 5920 WerFault.exe 250 4064 3152 WerFault.exe 258 4948 5536 WerFault.exe 266 5372 2856 WerFault.exe 269 60 5380 WerFault.exe 272 60 3992 WerFault.exe 281 4408 3880 WerFault.exe 290 1344 3508 WerFault.exe 293 5208 5352 WerFault.exe 296 2468 5692 WerFault.exe 300 3592 6008 WerFault.exe 304 -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 svchost.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 svchost.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 SystemSettings.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 SystemSettings.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID SystemSettings.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 svchost.exe -
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 SystemSettings.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString SystemSettings.exe -
Enumerates system info in registry 2 TTPs 34 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchApp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchApp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchApp.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS SystemSettings.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchApp.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchApp.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchApp.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchApp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchApp.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchApp.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchApp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchApp.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchApp.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchApp.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchApp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchApp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchApp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchApp.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchApp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchApp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer SystemSettings.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchApp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchApp.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchApp.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchApp.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchApp.exe -
Modifies data under HKEY_USERS 38 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.ECApp_8wekyb3d8bbwe%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.CallingShellApp_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoftWindows.Client.CBS_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.BioEnrollment_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.creddialoghost_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CParentalControls_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CImmersiveControlPanel%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.CloudExperienceHost_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.LockApp_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.windows.narratorquickstart_8wekyb3d8bbwe%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.PeopleExperienceHost_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.XboxGameCallableUI_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.FilePicker_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Win32WebViewHost_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.ContentDeliveryManager_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.XGpuEjectDialog_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AccountsControl_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CWindows.CBSPreview_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppResolverUX_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CPrintDialog%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.FileExplorer_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AsyncTextService_8wekyb3d8bbwe%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Search_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Python.CompiledFile\shell msiexec.exe Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CE0A86B13DD4431548E03758B480361F msiexec.exe Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1044" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2864" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Installer\Dependencies\{2DA27E5B-F889-4FD1-B168-DECC92E8A1CB} python-3.10.3-amd64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\shellex msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConArchiveFile\shell msiexec.exe Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1077" SearchApp.exe Key created \REGISTRY\MACHINE\Software\Classes\.pyzw msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEA218D2-6950-497B-9434-61683EC065FE} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FFC2E0978895444E834FFF62373676A\SourceList\Media\1 = ";" msiexec.exe Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1077" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1077" SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Python.ArchiveFile msiexec.exe Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Installer python-3.10.3-amd64.exe Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Installer\Dependencies\{0E222A50-70D1-440A-BC74-10158262BC44} python-3.10.3-amd64.exe Key created \REGISTRY\MACHINE\Software\Classes\Python.CompiledFile msiexec.exe Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Installer\Dependencies\{198AE6B9-9F59-47C8-8147-65DEFBDA8AF4}\DisplayName = "Python 3.10.3 Executables (64-bit)" python-3.10.3-amd64.exe Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Installer\Dependencies\{2DA27E5B-F889-4FD1-B168-DECC92E8A1CB}\Version = "3.10.3150.0" python-3.10.3-amd64.exe Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8844" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Installer\Dependencies\CPython-3.10\Version = "3.10.3150.0" python-3.10.3-amd64.exe Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Python.File\Shell\editwithidle\MUIVerb = "&Edit with IDLE" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Python.NoConFile msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\.pyc msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pyo\ = "Python.CompiledFile" msiexec.exe Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\MuiCache SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2864" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "4685" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "3810" SearchApp.exe Key created \REGISTRY\MACHINE\Software\Classes\Python.ArchiveFile\shell\open\command msiexec.exe Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Python.CompiledFile\shell\open msiexec.exe Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1077" SearchApp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FFC2E0978895444E834FFF62373676A\ProductIcon = "C:\\Windows\\Installer\\{90E2CFF3-9887-4445-8E43-FF6F323776A6}\\ARPIcon" msiexec.exe Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1077" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Installer\Dependencies\{198AE6B9-9F59-47C8-8147-65DEFBDA8AF4}\Version = "3.10.3150.0" python-3.10.3-amd64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConFile\shell\open\command msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Python.NoConArchiveFile\DefaultIcon msiexec.exe Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1044" SearchApp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pyw\Content Type = "text/x-python" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pyd\ = "Python.Extension" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Python.NoConArchiveFile\shellex\DropHandler msiexec.exe Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\MuiCache SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "9052" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Installer\Dependencies\{47F4BC1B-055D-4B6A-87DC-686AD8E49837}\Dependents python-3.10.3-amd64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FFC2E0978895444E834FFF62373676A\SourceList\Media msiexec.exe Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2864" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Python.ArchiveFile\shell\open msiexec.exe Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchApp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FFC2E0978895444E834FFF62373676A\InstanceType = "0" msiexec.exe -
Suspicious behavior: EnumeratesProcesses 58 IoCs
pid Process 4584 chrome.exe 4584 chrome.exe 1500 chrome.exe 1500 chrome.exe 2704 chrome.exe 2704 chrome.exe 1460 chrome.exe 1460 chrome.exe 4540 chrome.exe 4540 chrome.exe 1008 chrome.exe 1008 chrome.exe 4384 chrome.exe 4384 chrome.exe 4284 chrome.exe 4284 chrome.exe 1544 chrome.exe 1544 chrome.exe 4388 chrome.exe 4388 chrome.exe 2624 chrome.exe 2624 chrome.exe 2520 chrome.exe 2520 chrome.exe 2520 chrome.exe 2520 chrome.exe 4920 chrome.exe 4920 chrome.exe 4500 chrome.exe 4500 chrome.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4620 chrome.exe 4620 chrome.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 1708 chrome.exe 1708 chrome.exe 1984 msedge.exe 1984 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 57 IoCs
pid Process 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3532 control.exe Token: SeCreatePagefilePrivilege 3532 control.exe Token: SeSystemtimePrivilege 3284 rundll32.exe Token: 34 3284 rundll32.exe Token: 34 3284 rundll32.exe Token: SeBackupPrivilege 1984 vssvc.exe Token: SeRestorePrivilege 1984 vssvc.exe Token: SeAuditPrivilege 1984 vssvc.exe Token: SeShutdownPrivilege 2000 python-3.10.3-amd64.exe Token: SeIncreaseQuotaPrivilege 2000 python-3.10.3-amd64.exe Token: SeSecurityPrivilege 4572 msiexec.exe Token: SeCreateTokenPrivilege 2000 python-3.10.3-amd64.exe Token: SeAssignPrimaryTokenPrivilege 2000 python-3.10.3-amd64.exe Token: SeLockMemoryPrivilege 2000 python-3.10.3-amd64.exe Token: SeIncreaseQuotaPrivilege 2000 python-3.10.3-amd64.exe Token: SeMachineAccountPrivilege 2000 python-3.10.3-amd64.exe Token: SeTcbPrivilege 2000 python-3.10.3-amd64.exe Token: SeSecurityPrivilege 2000 python-3.10.3-amd64.exe Token: SeTakeOwnershipPrivilege 2000 python-3.10.3-amd64.exe Token: SeLoadDriverPrivilege 2000 python-3.10.3-amd64.exe Token: SeSystemProfilePrivilege 2000 python-3.10.3-amd64.exe Token: SeSystemtimePrivilege 2000 python-3.10.3-amd64.exe Token: SeProfSingleProcessPrivilege 2000 python-3.10.3-amd64.exe Token: SeIncBasePriorityPrivilege 2000 python-3.10.3-amd64.exe Token: SeCreatePagefilePrivilege 2000 python-3.10.3-amd64.exe Token: SeCreatePermanentPrivilege 2000 python-3.10.3-amd64.exe Token: SeBackupPrivilege 2000 python-3.10.3-amd64.exe Token: SeRestorePrivilege 2000 python-3.10.3-amd64.exe Token: SeShutdownPrivilege 2000 python-3.10.3-amd64.exe Token: SeDebugPrivilege 2000 python-3.10.3-amd64.exe Token: SeAuditPrivilege 2000 python-3.10.3-amd64.exe Token: SeSystemEnvironmentPrivilege 2000 python-3.10.3-amd64.exe Token: SeChangeNotifyPrivilege 2000 python-3.10.3-amd64.exe Token: SeRemoteShutdownPrivilege 2000 python-3.10.3-amd64.exe Token: SeUndockPrivilege 2000 python-3.10.3-amd64.exe Token: SeSyncAgentPrivilege 2000 python-3.10.3-amd64.exe Token: SeEnableDelegationPrivilege 2000 python-3.10.3-amd64.exe Token: SeManageVolumePrivilege 2000 python-3.10.3-amd64.exe Token: SeImpersonatePrivilege 2000 python-3.10.3-amd64.exe Token: SeCreateGlobalPrivilege 2000 python-3.10.3-amd64.exe Token: SeRestorePrivilege 4572 msiexec.exe Token: SeTakeOwnershipPrivilege 4572 msiexec.exe Token: SeBackupPrivilege 4772 srtasks.exe Token: SeRestorePrivilege 4772 srtasks.exe Token: SeSecurityPrivilege 4772 srtasks.exe Token: SeTakeOwnershipPrivilege 4772 srtasks.exe Token: SeRestorePrivilege 4572 msiexec.exe Token: SeTakeOwnershipPrivilege 4572 msiexec.exe Token: SeRestorePrivilege 4572 msiexec.exe Token: SeTakeOwnershipPrivilege 4572 msiexec.exe Token: SeRestorePrivilege 4572 msiexec.exe Token: SeTakeOwnershipPrivilege 4572 msiexec.exe Token: SeRestorePrivilege 4572 msiexec.exe Token: SeTakeOwnershipPrivilege 4572 msiexec.exe Token: SeRestorePrivilege 4572 msiexec.exe Token: SeTakeOwnershipPrivilege 4572 msiexec.exe Token: SeRestorePrivilege 4572 msiexec.exe Token: SeTakeOwnershipPrivilege 4572 msiexec.exe Token: SeRestorePrivilege 4572 msiexec.exe Token: SeTakeOwnershipPrivilege 4572 msiexec.exe Token: SeRestorePrivilege 4572 msiexec.exe Token: SeTakeOwnershipPrivilege 4572 msiexec.exe Token: SeRestorePrivilege 4572 msiexec.exe Token: SeTakeOwnershipPrivilege 4572 msiexec.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe 2704 chrome.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
pid Process 4556 OpenWith.exe 5920 SearchApp.exe 3152 SearchApp.exe 5536 SearchApp.exe 2856 SearchApp.exe 5380 SearchApp.exe 3992 SearchApp.exe 4480 SystemSettings.exe 3880 SearchApp.exe 3508 SearchApp.exe 5352 SearchApp.exe 5692 SearchApp.exe 6008 SearchApp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2588 wrote to memory of 3924 2588 chrome.exe 109 PID 2588 wrote to memory of 3924 2588 chrome.exe 109 PID 2704 wrote to memory of 968 2704 chrome.exe 110 PID 2704 wrote to memory of 968 2704 chrome.exe 110 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2588 wrote to memory of 1680 2588 chrome.exe 112 PID 2704 wrote to memory of 2480 2704 chrome.exe 111 PID 2704 wrote to memory of 2480 2704 chrome.exe 111 PID 2704 wrote to memory of 2480 2704 chrome.exe 111 PID 2704 wrote to memory of 2480 2704 chrome.exe 111 PID 2704 wrote to memory of 2480 2704 chrome.exe 111 PID 2704 wrote to memory of 2480 2704 chrome.exe 111 PID 2704 wrote to memory of 2480 2704 chrome.exe 111 PID 2704 wrote to memory of 2480 2704 chrome.exe 111 PID 2704 wrote to memory of 2480 2704 chrome.exe 111 PID 2704 wrote to memory of 2480 2704 chrome.exe 111 PID 2704 wrote to memory of 2480 2704 chrome.exe 111 PID 2704 wrote to memory of 2480 2704 chrome.exe 111 PID 2704 wrote to memory of 2480 2704 chrome.exe 111 PID 2704 wrote to memory of 2480 2704 chrome.exe 111 PID 2704 wrote to memory of 2480 2704 chrome.exe 111 PID 2704 wrote to memory of 2480 2704 chrome.exe 111 PID 2704 wrote to memory of 2480 2704 chrome.exe 111 PID 2704 wrote to memory of 2480 2704 chrome.exe 111 PID 2704 wrote to memory of 2480 2704 chrome.exe 111 PID 2704 wrote to memory of 2480 2704 chrome.exe 111
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2348
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault65b84859hbe51h433eha76ah2045dfd3f8a22⤵
- Enumerates system info in registry
PID:5496 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa3f0446f8,0x7ffa3f044708,0x7ffa3f0447183⤵PID:1096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,5473358884075486545,17958046945897949375,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:23⤵PID:4604
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,5473358884075486545,17958046945897949375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:1984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,5473358884075486545,17958046945897949375,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:83⤵PID:5764
-
-
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Test.py1⤵PID:4468
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:3932
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4556
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
PID:2304
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ffa39544f50,0x7ffa39544f60,0x7ffa39544f702⤵PID:968
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1628 /prefetch:22⤵PID:2480
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1928 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1500
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2256 /prefetch:82⤵PID:4052
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:12⤵PID:2344
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2860 /prefetch:12⤵PID:4676
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:12⤵PID:3284
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4440 /prefetch:82⤵PID:4656
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4540 /prefetch:82⤵PID:2680
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4568 /prefetch:82⤵PID:3288
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4696 /prefetch:82⤵PID:3216
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4540 /prefetch:82⤵PID:5080
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1460
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:12⤵PID:2060
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:12⤵PID:4572
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5716 /prefetch:82⤵PID:3272
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5852 /prefetch:82⤵PID:1680
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4540
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5940 /prefetch:82⤵PID:2876
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5728 /prefetch:82⤵PID:1868
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5844 /prefetch:82⤵PID:4384
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5852 /prefetch:82⤵PID:1340
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3956 /prefetch:82⤵PID:3956
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3816 /prefetch:82⤵PID:1316
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:12⤵PID:556
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:12⤵PID:4692
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:12⤵PID:2560
-
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" /name Microsoft.DateAndTime2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3532 -
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3284
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1008
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3848 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4384
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4396 /prefetch:82⤵PID:3412
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4284
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3648 /prefetch:82⤵PID:2748
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:12⤵PID:4540
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1544
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2948 /prefetch:82⤵PID:4500
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2972 /prefetch:82⤵PID:3896
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3588 /prefetch:82⤵PID:788
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2944 /prefetch:82⤵PID:3128
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3648 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4388
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3392 /prefetch:82⤵PID:4700
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2236 /prefetch:82⤵PID:2360
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2624
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3616 /prefetch:82⤵PID:4544
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2892 /prefetch:82⤵PID:536
-
-
C:\Users\Admin\Downloads\python-3.10.3-amd64.exe"C:\Users\Admin\Downloads\python-3.10.3-amd64.exe"2⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\Temp\{4039F549-C230-40C0-841C-DCD6EA8B918D}\.cr\python-3.10.3-amd64.exe"C:\Windows\Temp\{4039F549-C230-40C0-841C-DCD6EA8B918D}\.cr\python-3.10.3-amd64.exe" -burn.clean.room="C:\Users\Admin\Downloads\python-3.10.3-amd64.exe" -burn.filehandle.attached=560 -burn.filehandle.self=5563⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2000 -
C:\Windows\Temp\{F97E91C2-DC29-4BA4-8F9A-F3AC593DA41A}\.be\python-3.10.3-amd64.exe"C:\Windows\Temp\{F97E91C2-DC29-4BA4-8F9A-F3AC593DA41A}\.be\python-3.10.3-amd64.exe" -q -burn.elevated BurnPipe.{619E3FCF-C815-4299-90E6-4BB280DF627E} {316237C3-4E03-4045-A125-E42FAA1DC8B5} 20004⤵
- Executes dropped EXE
PID:4940
-
-
C:\Users\Admin\AppData\Local\Programs\Python\Python310\pythonw.exe"C:\Users\Admin\AppData\Local\Programs\Python\Python310\pythonw.exe" -c "import winreg; winreg.SetValueEx(winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Control\FileSystem'), 'LongPathsEnabled', None, winreg.REG_DWORD, 1)"4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2316
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3792 /prefetch:82⤵PID:3468
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4772 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:2520
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:12⤵PID:3920
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2624 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4920
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2612 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4500
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:12⤵PID:3408
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4712 /prefetch:82⤵PID:1796
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2532 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4620
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:12⤵PID:4464
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:12⤵PID:4532
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:12⤵PID:1560
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:12⤵PID:1488
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2628 /prefetch:12⤵PID:5012
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:12⤵PID:3400
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:12⤵PID:4148
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6476 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1708
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:12⤵PID:4776
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:12⤵PID:4704
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:12⤵PID:4420
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:12⤵PID:920
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:12⤵PID:3752
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:12⤵PID:4460
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:12⤵PID:1868
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7440 /prefetch:12⤵PID:1204
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7468 /prefetch:12⤵PID:788
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7040 /prefetch:12⤵PID:3928
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7048 /prefetch:12⤵PID:4812
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:12⤵PID:872
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:12⤵PID:3272
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8160 /prefetch:12⤵PID:1560
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8372 /prefetch:12⤵PID:1116
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:12⤵PID:5012
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8624 /prefetch:12⤵PID:3312
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:12⤵PID:5200
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:12⤵PID:5232
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8892 /prefetch:12⤵PID:5288
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8860 /prefetch:12⤵PID:5296
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8400 /prefetch:12⤵PID:5304
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8488 /prefetch:12⤵PID:5440
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8448 /prefetch:12⤵PID:5432
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8456 /prefetch:12⤵PID:5424
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9636 /prefetch:12⤵PID:5596
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9200 /prefetch:12⤵PID:5700
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9284 /prefetch:12⤵PID:5832
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8832 /prefetch:12⤵PID:5864
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9272 /prefetch:12⤵PID:5856
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:12⤵PID:5872
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:12⤵PID:6004
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:12⤵PID:5972
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10388 /prefetch:12⤵PID:5392
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7792 /prefetch:12⤵PID:5204
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8152 /prefetch:12⤵PID:5244
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9552 /prefetch:12⤵PID:5488
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9544 /prefetch:12⤵PID:864
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6904 /prefetch:12⤵PID:5060
-
-
C:\Windows\py.exe"C:\Windows\py.exe" "C:\Users\Admin\Downloads\Test.py"2⤵
- Executes dropped EXE
PID:2288 -
C:\Users\Admin\AppData\Local\Programs\Python\Python310\python.exeC:\Users\Admin\AppData\Local\Programs\Python\Python310\python.exe "C:\Users\Admin\Downloads\Test.py"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6088
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6640 /prefetch:82⤵PID:3644
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=11656 /prefetch:82⤵PID:4364
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4692 /prefetch:82⤵PID:3668
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=976 /prefetch:82⤵PID:1344
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5476 /prefetch:82⤵PID:1888
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4864 /prefetch:82⤵PID:5080
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,7666855044337270177,2660865203344038143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5452 /prefetch:82⤵PID:3516
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa39544f50,0x7ffa39544f60,0x7ffa39544f702⤵PID:3924
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1584,13836367056779738415,9383613397410331532,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1596 /prefetch:22⤵PID:1680
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1584,13836367056779738415,9383613397410331532,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1988 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4584
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1716
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵PID:2536
-
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask1⤵PID:1148
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1984
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:5048
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵
- Suspicious use of AdjustPrivilegeToken
PID:4772
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4572 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding BA3D189CC71E7CB14AEE6776143767EA2⤵
- Loads dropped DLL
PID:1412 -
C:\Users\Admin\AppData\Local\Programs\Python\Python310\python.exe"C:\Users\Admin\AppData\Local\Programs\Python\Python310\python.exe" -E -s -m ensurepip -U --default-pip3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:580 -
C:\Users\Admin\AppData\Local\Programs\Python\Python310\python.exeC:\Users\Admin\AppData\Local\Programs\Python\Python310\python.exe -W ignore::DeprecationWarning -c " import runpy import sys sys.path = ['C:\\Users\\Admin\\AppData\\Local\\Temp\\tmps34xqc6m\\setuptools-58.1.0-py3-none-any.whl', 'C:\\Users\\Admin\\AppData\\Local\\Temp\\tmps34xqc6m\\pip-22.0.4-py3-none-any.whl'] + sys.path sys.argv[1:] = ['install', '--no-cache-dir', '--no-index', '--find-links', 'C:\\Users\\Admin\\AppData\\Local\\Temp\\tmps34xqc6m', '--upgrade', 'setuptools', 'pip'] runpy.run_module(\"pip\", run_name=\"__main__\", alter_sys=True) "4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"5⤵PID:4324
-
-
-
-
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2432
-
C:\Windows\system32\werfault.exewerfault.exe /hc /shared Global\48c6381d929b429998853e362bd8f31b /t 3580 /p 35401⤵PID:3808
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5920 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5920 -s 40482⤵
- Program crash
PID:3736
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵PID:6068
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 184 -p 5920 -ip 59201⤵PID:5444
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3152 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3152 -s 39482⤵
- Program crash
PID:4064
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 516 -p 3152 -ip 31521⤵PID:3724
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4996
-
C:\Windows\py.exe"C:\Windows\py.exe" "C:\Users\Admin\Downloads\Test.py"1⤵
- Executes dropped EXE
PID:5760 -
C:\Users\Admin\AppData\Local\Programs\Python\Python310\python.exeC:\Users\Admin\AppData\Local\Programs\Python\Python310\python.exe "C:\Users\Admin\Downloads\Test.py"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2260
-
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5536 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5536 -s 26322⤵
- Program crash
PID:4948
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 444 -p 5536 -ip 55361⤵PID:4012
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2856 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2856 -s 39242⤵
- Program crash
PID:5372
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 480 -p 2856 -ip 28561⤵PID:6112
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5380 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5380 -s 40202⤵
- Program crash
PID:60
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 456 -p 5380 -ip 53801⤵PID:3724
-
C:\Windows\py.exe"C:\Windows\py.exe" "C:\Users\Admin\Downloads\Test.py"1⤵
- Executes dropped EXE
PID:5776 -
C:\Users\Admin\AppData\Local\Programs\Python\Python310\python.exeC:\Users\Admin\AppData\Local\Programs\Python\Python310\python.exe "C:\Users\Admin\Downloads\Test.py"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5808
-
-
C:\Users\Admin\AppData\Local\Programs\Python\Python310\pythonw.exe"C:\Users\Admin\AppData\Local\Programs\Python\Python310\pythonw.exe" -m idlelib "C:\Users\Admin\Downloads\Test.py"1⤵
- Executes dropped EXE
PID:3860 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"2⤵PID:3944
-
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3992 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3992 -s 44002⤵
- Program crash
PID:60
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 524 -p 3992 -ip 39921⤵PID:6000
-
C:\Windows\ImmersiveControlPanel\SystemSettings.exe"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4480
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc1⤵PID:5180
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3880 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3880 -s 41202⤵
- Program crash
PID:4408
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 528 -p 3880 -ip 38801⤵PID:3700
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3508 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3508 -s 41282⤵
- Program crash
PID:1344
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 580 -p 3508 -ip 35081⤵PID:5372
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5352 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5352 -s 41762⤵
- Program crash
PID:5208
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 452 -p 5352 -ip 53521⤵PID:4972
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5692 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5692 -s 39282⤵
- Program crash
PID:2468
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 464 -p 5692 -ip 56921⤵PID:5820
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6008 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6008 -s 39922⤵
- Program crash
PID:3592
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 472 -p 6008 -ip 60081⤵PID:5168
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4700
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵PID:5416
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
PID:2712
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\0dd2b27e120c4154a4fc43c624b6f5b8 /t 3760 /p 38601⤵PID:4740
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵PID:2344
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵PID:2652
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵PID:1984
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵PID:3880
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵PID:6096
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40B
MD5821c1122f0d1d5d9da13bb3a9b2bbe19
SHA1f571758a82487d499a3a594073d5d03860002a97
SHA256496c5a4bf9c2b9f82d5eed099129e60fd705da43a30511b7f7ac1c02513013d0
SHA51206b00209546e4f13b569191dfc36334c114e0a4b6bc4375e18b4927360e47582900694a10f8de7914ca20090ddc5a688d0907a054579ae961d572c3b5c2b2a38
-
Filesize
40B
MD5821c1122f0d1d5d9da13bb3a9b2bbe19
SHA1f571758a82487d499a3a594073d5d03860002a97
SHA256496c5a4bf9c2b9f82d5eed099129e60fd705da43a30511b7f7ac1c02513013d0
SHA51206b00209546e4f13b569191dfc36334c114e0a4b6bc4375e18b4927360e47582900694a10f8de7914ca20090ddc5a688d0907a054579ae961d572c3b5c2b2a38
-
Filesize
40B
MD5821c1122f0d1d5d9da13bb3a9b2bbe19
SHA1f571758a82487d499a3a594073d5d03860002a97
SHA256496c5a4bf9c2b9f82d5eed099129e60fd705da43a30511b7f7ac1c02513013d0
SHA51206b00209546e4f13b569191dfc36334c114e0a4b6bc4375e18b4927360e47582900694a10f8de7914ca20090ddc5a688d0907a054579ae961d572c3b5c2b2a38
-
Filesize
69KB
MD592db333673e76da2820e3dce30b2b67e
SHA1ec2be0e499b5ae538d696abd0abc6a6a158d3e81
SHA256f0d1f8aa33f0ab94bb8ab3a5039a691935f72f507a91ca38d2eecf096b4c6376
SHA512edeee7f24cbaaae33f7965bfee4fb24f0bcb90f80770bd852540beb11b014736edd63ebfa2481f277e0542c2e4c76450b6103d7fb243e0e3bfd306231acf5efc
-
C:\Users\Admin\AppData\Local\Temp\chrome_BITS_2704_1446996795\gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.34.0_all_acb7qksdc2wjznjioir7p6lt3dwq.crx3
Filesize37KB
MD5c919be360bcc277412b08aaf36831db4
SHA17c33e8f1f9b245aec0e0e4168a54350615f52d9d
SHA25693823a4e71e764b932ee22dfcf84c24429867a440c5e480e55be527ac30de1ae
SHA512aa82748a902db51d80c6b4c0395d108e1067693d3ef031f599be6f7567bb80d2e76d66932c2e85a6708533e6d1fbbe45c514275be98069fbe887039037038a2c
-
C:\Users\Admin\AppData\Local\Temp\chrome_BITS_2704_886969075\obedbbhbpmojnkanicioggnmelmoomoc_20220222.432047118_all_ENUS500000_hbwjwk7bommr565nn72etjdnwe.crx3
Filesize5.1MB
MD5a75cd4f42d1c9dbdaf22b31e06c0fe44
SHA1dfea9712224315d809cf432b1d84128dfa11ada5
SHA256191e8d0245ef4a9e9fac8966c175ae9b3943d70cfe949de9e33d3c6a19b7c840
SHA512d7b54e94a2a42697a7b25fb287fae12d7342acde89a482dd00c37edbe5234f2c8f899732dd519a0fdff15c1f04cb21bbd618e78df4102e61878aad22a8826449
-
Filesize
27.1MB
MD59ea305690dbfd424a632b6a659347c1e
SHA1ebe0abda063d772ff812a2f07e7acccf52d7cd6b
SHA25648aea4b9f6315a6544f82480b2caf1e29fd6687abb5b756930ad98a1e9b9a847
SHA5127bbacee4fbe785597116edc93daf8ddbf52ccf6fb4806f90be8675149407b7853ca90315f79f8ef54aac7377666055611efb8a425f61ff2fce6af611d4a806b5
-
Filesize
27.1MB
MD59ea305690dbfd424a632b6a659347c1e
SHA1ebe0abda063d772ff812a2f07e7acccf52d7cd6b
SHA25648aea4b9f6315a6544f82480b2caf1e29fd6687abb5b756930ad98a1e9b9a847
SHA5127bbacee4fbe785597116edc93daf8ddbf52ccf6fb4806f90be8675149407b7853ca90315f79f8ef54aac7377666055611efb8a425f61ff2fce6af611d4a806b5
-
Filesize
848KB
MD512975d7249f9c5df0820b0a9ef3a7ea7
SHA11148bcf4bfe56455e275e044b815fd2d41955f9a
SHA256fd088482a4d7dcd1f3bea7a12e47d8474fc1699f164e538e5d2d5d56fe4fe38f
SHA512d5f7145ce1132b147319266806e6897fbaa18dad7140e4e453ddde89cf7610d529229d77fb55491e82fce375b077cde21a1636d9c1942baa12b65e27a681cf8e
-
Filesize
848KB
MD512975d7249f9c5df0820b0a9ef3a7ea7
SHA11148bcf4bfe56455e275e044b815fd2d41955f9a
SHA256fd088482a4d7dcd1f3bea7a12e47d8474fc1699f164e538e5d2d5d56fe4fe38f
SHA512d5f7145ce1132b147319266806e6897fbaa18dad7140e4e453ddde89cf7610d529229d77fb55491e82fce375b077cde21a1636d9c1942baa12b65e27a681cf8e
-
Filesize
663KB
MD5f0de7f1a8fcc825d5d32cf804e44a0dc
SHA135bdc53a3782e3f820c2ebd715009fb6a328cc3b
SHA256e9f560f381826f2ada40d1e9d422601b4e35fe293940be29e631be11e1c34c7a
SHA512dcb83fa0734614232ca0ff8c1cefadaf4902a0c945f793675afb7b08d0e594f71dfc643bbbd0c37c569be1cee7437b5b6aabe8859190654b2d99d61a2d446c7b
-
Filesize
848KB
MD512975d7249f9c5df0820b0a9ef3a7ea7
SHA11148bcf4bfe56455e275e044b815fd2d41955f9a
SHA256fd088482a4d7dcd1f3bea7a12e47d8474fc1699f164e538e5d2d5d56fe4fe38f
SHA512d5f7145ce1132b147319266806e6897fbaa18dad7140e4e453ddde89cf7610d529229d77fb55491e82fce375b077cde21a1636d9c1942baa12b65e27a681cf8e
-
Filesize
848KB
MD512975d7249f9c5df0820b0a9ef3a7ea7
SHA11148bcf4bfe56455e275e044b815fd2d41955f9a
SHA256fd088482a4d7dcd1f3bea7a12e47d8474fc1699f164e538e5d2d5d56fe4fe38f
SHA512d5f7145ce1132b147319266806e6897fbaa18dad7140e4e453ddde89cf7610d529229d77fb55491e82fce375b077cde21a1636d9c1942baa12b65e27a681cf8e