Analysis
-
max time kernel
149s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
19-06-2024 08:57
Behavioral task
behavioral1
Sample
cch_blum_re.pyc
Resource
win10v2004-20240508-en
General
-
Target
cch_blum_re.pyc
-
Size
7KB
-
MD5
b3b9b54ddc84df18135852ee3ede2383
-
SHA1
6841a45353951cbbb8a9bb7a8489a1ab43ce4669
-
SHA256
b8e5ae90d66993923b851d0aeb26c0031b56f46a7151d71a0fee2b77bd9bf691
-
SHA512
86db3c0eba1533bbe3ca62c324106e199756c09aa5477ab90c0711c28cc01fade9f87f89ebba78117102775194b0a197f95f93c95a8e5ec7c3a0295d494dee68
-
SSDEEP
192:8w5Cpjqg1Bo123UpK/PIFwH7GSPFy0xg60GeA:sWmK23UpK/P/bG8aA
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
chrome.exemsedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies data under HKEY_USERS 2 IoCs
Processes:
chrome.exedescription ioc process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133632610770042719" chrome.exe -
Modifies registry class 63 IoCs
Processes:
NOTEPAD.EXEcmd.exeOpenWith.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 5600310000000000a8586964100057696e646f777300400009000400efbe874f7748d35837472e00000000060000000001000000000000000000000000000000921d1a01570069006e0064006f0077007300000016000000 NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000ac3bd29140a1da01fcec2e9540a1da013759fe9540a1da0114000000 NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff NOTEPAD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5a00310000000000d3583747100053797374656d33320000420009000400efbe874f7748d35837472e000000b90c0000000001000000000000000000000000000000d5d77000530079007300740065006d0033003200000018000000 NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff NOTEPAD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" NOTEPAD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" NOTEPAD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" NOTEPAD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" NOTEPAD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2" NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" NOTEPAD.EXE Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" NOTEPAD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" NOTEPAD.EXE -
Opens file in notepad (likely ransom note) 2 IoCs
Processes:
NOTEPAD.EXENOTEPAD.EXEpid process 1928 NOTEPAD.EXE 5468 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
chrome.exemsedge.exemsedge.exeidentity_helper.exechrome.exepid process 4608 chrome.exe 4608 chrome.exe 5172 msedge.exe 5172 msedge.exe 1932 msedge.exe 1932 msedge.exe 5656 identity_helper.exe 5656 identity_helper.exe 3344 chrome.exe 3344 chrome.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
OpenWith.exeNOTEPAD.EXEpid process 224 OpenWith.exe 1928 NOTEPAD.EXE -
Suspicious behavior: LoadsDriver 6 IoCs
Processes:
pid 4 4 4 4 4 660 -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs
Processes:
chrome.exemsedge.exepid process 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
chrome.exedescription pid process Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe Token: SeShutdownPrivilege 4608 chrome.exe Token: SeCreatePagefilePrivilege 4608 chrome.exe -
Suspicious use of FindShellTrayWindow 51 IoCs
Processes:
chrome.exemsedge.exepid process 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe -
Suspicious use of SendNotifyMessage 48 IoCs
Processes:
chrome.exemsedge.exepid process 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 4608 chrome.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe 1932 msedge.exe -
Suspicious use of SetWindowsHookEx 18 IoCs
Processes:
OpenWith.exeNOTEPAD.EXEpid process 224 OpenWith.exe 224 OpenWith.exe 224 OpenWith.exe 224 OpenWith.exe 224 OpenWith.exe 224 OpenWith.exe 224 OpenWith.exe 224 OpenWith.exe 224 OpenWith.exe 224 OpenWith.exe 224 OpenWith.exe 224 OpenWith.exe 224 OpenWith.exe 224 OpenWith.exe 224 OpenWith.exe 224 OpenWith.exe 224 OpenWith.exe 1928 NOTEPAD.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
OpenWith.exechrome.exedescription pid process target process PID 224 wrote to memory of 1928 224 OpenWith.exe NOTEPAD.EXE PID 224 wrote to memory of 1928 224 OpenWith.exe NOTEPAD.EXE PID 4608 wrote to memory of 4460 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 4460 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 1716 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3960 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3960 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe PID 4608 wrote to memory of 3288 4608 chrome.exe chrome.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\cch_blum_re.pyc1⤵
- Modifies registry class
PID:2004
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\cch_blum_re.pyc2⤵
- Modifies registry class
- Opens file in notepad (likely ransom note)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1928
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f39cab58,0x7ff8f39cab68,0x7ff8f39cab782⤵PID:4460
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1912,i,824309116249880398,4064638952654159784,131072 /prefetch:22⤵PID:1716
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1912,i,824309116249880398,4064638952654159784,131072 /prefetch:82⤵PID:3960
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2160 --field-trial-handle=1912,i,824309116249880398,4064638952654159784,131072 /prefetch:82⤵PID:3288
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1912,i,824309116249880398,4064638952654159784,131072 /prefetch:12⤵PID:2384
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1912,i,824309116249880398,4064638952654159784,131072 /prefetch:12⤵PID:3920
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4236 --field-trial-handle=1912,i,824309116249880398,4064638952654159784,131072 /prefetch:12⤵PID:3968
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1912,i,824309116249880398,4064638952654159784,131072 /prefetch:82⤵PID:1752
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1912,i,824309116249880398,4064638952654159784,131072 /prefetch:82⤵PID:4032
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level2⤵PID:1788
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x240,0x244,0x248,0x21c,0x24c,0x7ff623d9ae48,0x7ff623d9ae58,0x7ff623d9ae683⤵PID:384
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4676 --field-trial-handle=1912,i,824309116249880398,4064638952654159784,131072 /prefetch:12⤵PID:4140
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4424 --field-trial-handle=1912,i,824309116249880398,4064638952654159784,131072 /prefetch:12⤵PID:2192
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3228 --field-trial-handle=1912,i,824309116249880398,4064638952654159784,131072 /prefetch:12⤵PID:224
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4300 --field-trial-handle=1912,i,824309116249880398,4064638952654159784,131072 /prefetch:12⤵PID:3024
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3600 --field-trial-handle=1912,i,824309116249880398,4064638952654159784,131072 /prefetch:12⤵PID:4444
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4176 --field-trial-handle=1912,i,824309116249880398,4064638952654159784,131072 /prefetch:12⤵PID:3468
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4908 --field-trial-handle=1912,i,824309116249880398,4064638952654159784,131072 /prefetch:12⤵PID:4948
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3244 --field-trial-handle=1912,i,824309116249880398,4064638952654159784,131072 /prefetch:12⤵PID:180
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3584 --field-trial-handle=1912,i,824309116249880398,4064638952654159784,131072 /prefetch:12⤵PID:180
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=212 --field-trial-handle=1912,i,824309116249880398,4064638952654159784,131072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:3344
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵PID:2756
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1932 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff8e05646f8,0x7ff8e0564708,0x7ff8e05647182⤵PID:2140
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,10609496778464666977,3941041133947125857,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:22⤵PID:5164
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,10609496778464666977,3941041133947125857,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:5172 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,10609496778464666977,3941041133947125857,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:82⤵PID:5252
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10609496778464666977,3941041133947125857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:12⤵PID:5424
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10609496778464666977,3941041133947125857,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:12⤵PID:5436
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10609496778464666977,3941041133947125857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3024 /prefetch:12⤵PID:5792
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10609496778464666977,3941041133947125857,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:12⤵PID:5800
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,10609496778464666977,3941041133947125857,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3908 /prefetch:82⤵PID:6112
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,10609496778464666977,3941041133947125857,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3908 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5656 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10609496778464666977,3941041133947125857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:12⤵PID:5708
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10609496778464666977,3941041133947125857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:12⤵PID:5512
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10609496778464666977,3941041133947125857,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:12⤵PID:5496
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10609496778464666977,3941041133947125857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:12⤵PID:6008
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10609496778464666977,3941041133947125857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:12⤵PID:4568
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5372
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5416
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵PID:3108
-
C:\Windows\System32\SystemSettingsBroker.exeC:\Windows\System32\SystemSettingsBroker.exe -Embedding1⤵PID:4968
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\cch_blum_re.pyc.txt1⤵
- Opens file in notepad (likely ransom note)
PID:5468
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
7KB
MD55b4abe268c59fa0ecde5862ea46c851a
SHA1c2be6ed8047c193cd2b5952eef30e9ba171f37ee
SHA256098ac02bc03f672f617fd72dbdd5b889fb7c14b34d9b8b88262d4a45d4930ef4
SHA512aaa60a5893743a7b6bd20484c030c82a8572a377586961ebf1d29b27ad6c4b36e59392b9d4a8e6fe3a3f96f091a31d0cf65d8c0d0d86121029682acb5e440b8c
-
Filesize
7KB
MD5e20d62aad713179dfdb7a0c6cd5cc9e6
SHA12eac3eb057f10b0a88991d0c44a1b856aaf15557
SHA2562160aff04d0220d4573d94e3766e5e53135b703bc2d4d94d1a7d1c31ac5aad33
SHA512ca3fd4f36cb8f6d8331dc7f421387d8fc10739a41553fbaa3a4c97c2701d16b84db0571358752d69fb3a8c4ce9e39e37c6361c99a730b40d8452442ef8cff133
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e3590948-96ff-451a-b4a9-36bdadfa819c.tmp
Filesize7KB
MD53f247a06390dec0ebe422613ef318dc9
SHA1e8d37791bfbca0c8896f7ca2a90b252c69a4f9fd
SHA256e263772dd11ccfb8d5995355f3b642583fff829b7c3c15d754c1704d3092a769
SHA51229622eeb7bf87b9b6979b6bdd04d591615cf59d9fce919ab666afde7be07d1ee16406b5f1c527bf8af41443f87b01f5c1ea63c8df7668dbb5789026453fb50a5
-
Filesize
255KB
MD51bc5fee52ed62d4289244a8c30e24ec5
SHA1cb2aeb91247bd83861c52ad48efcbbe6cd2759c7
SHA256de928599d639284c82ac1d7b3014d5babd7a7faed3e1a96d03fd135057e87060
SHA5123afc8c9f7858107ea0abe2d23f0897fb751c97cf12dd9e62a3467e02dc3b0bfebfcdaf001f15f6adaaf88bc4d742e66ff47e12ff4fd08840ff435977affc3b78
-
Filesize
255KB
MD5c5458e807149a6753573622c8482b3b4
SHA1c017fc71612222a0fa98ca433310a0e0ce59ef68
SHA2567e3f454110b99c0d6a8fb6cafdb9f0e349f985f4554b33313adc9eea78e91653
SHA51247852a908b58734a5f3e5fff4df5779cc6e55c036190f3d6a6853d9d4c26cd29b05e28ff7ade614f1f7560ea3025161491d0c6915dcd3b7806a40bba3daa90ad
-
Filesize
8KB
MD5ef5d816d9db65485fbc7f09e118220bc
SHA19589ab399790f9e7a8f34c7e60f9c95cadd9bb5c
SHA256d13c9fad2d875c05a50bbc20f0c25268976ed91d407e774d9850f581c53f2f7e
SHA51299f6b65746ed8f99f4ae154884ed230d06eb10d635ca472e5b11f714095724ee552aa10b43a60bd11f69f23e03e0482ac0cc9de701ab3f2e921fb511dcc682ac
-
Filesize
152B
MD5a8e767fd33edd97d306efb6905f93252
SHA1a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA51207b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241
-
Filesize
152B
MD5439b5e04ca18c7fb02cf406e6eb24167
SHA1e0c5bb6216903934726e3570b7d63295b9d28987
SHA256247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2
-
Filesize
5KB
MD5fff6ede5397041036f877ebe90c040ea
SHA1f4768c06be964ea9491cdce1176333718c4f9dd7
SHA256dae5947911d2d5234efd0e6446de8b7300a7113e165286a6e18786069c083346
SHA5128cd280a8c021fb71bcced4b5e60fd44cc65e780c9f4488c7fd232cd5c5a17c89872c031d6c61b4629952dc65cfb193d63e952ef147bef0af53b41470f763b0d0
-
Filesize
6KB
MD5707eec0c76bc5b56e012c53fc4bb4e8f
SHA1f18ecf3ac770ac5fdf58e233de4ff06f9f39a178
SHA256fa91a2e23eacc6fc8f4d0c758b11650ff03dd91a666da834de52b9c277908275
SHA5126521606ff3d72bad65ed49f7c507536c2cad5b221aa6a1346f63f9dbea378b7d09c7461b26dd610a26f2aa17dc0bbdb7068747621c6a8cffa5338be6c639f59c
-
Filesize
6KB
MD554c35fab29c6b68c0c32be4f02f92252
SHA140840f6db7b1855332901480e5b0105005cb1899
SHA256b29128ae81a0c0724e1814de65eba3169583d1399812bb94064173f660e52acb
SHA51229ae710b7d9fda9dfb04dbf2de05f8e16c9abbdc96ad19024afa0a3fee92e602f6e7141fce9bd5c6f3ffe83098180a72356fc9a715ba3ce1334e107d84e6991c
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
8KB
MD5ce54d48719755e683e05865f6cc7e19e
SHA19bbfe5b29a4f1b6c04f78779f115c2fc2aa0a342
SHA25682ba4ce782e37b9d2e3110b69b685ac1c9cc6c3cf9f87503b42c68e7f4ea8cc2
SHA512d805eb841c29cd4e4823210321fe79959f844437b468b091417952918a09e915a8a0dd3a056896a2e305a6e34f50e05f9082e8ed9d2a33ec3f3f6be019109680
-
Filesize
28KB
MD51857ee683af4743024e94024ca60dbc5
SHA1f62463dcf876e854a9e39ba95a23be25190ef093
SHA256a6792e54bb4ce353f6f8dfe5156474790cd006df4d3daa8b57cee6087826cbb3
SHA5123a70e22af5ecfcfe52b072c08495c342cce02e30990e9498c155ba217fa5deb62170ed35f4c2db20b9e8d554df7a0bccb02af5fcfb1cc8b097b647c4ce30e182
-
Filesize
7KB
MD56d127e45ab3488937ae0040e31d3655e
SHA18ebed63e7b5c8c33b19164393dcbcef3176960ee
SHA25643f5a729d9577003961847f8914281b672b07b8719b09e3be6b72b509c0a6027
SHA512a2fda10d0c44b1567ec68d305bc62baef50a65208d8cf14a7190a79b79537a34270f1216f0ba9c5fd1f415e31cd7cf155879d527f85be7fa4500aa343877898b
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e