e975fe27d65bf5e22fd7b0fde9ece41e2997e98e0fa82d88a8f563847947c468

Resubmissions

19/09/2022, 21:48

220919-1nzefaafh9 6

19/09/2022, 21:41

220919-1jybkseafj 8

Analysis

max time kernel
1658s
max time network
1676s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Files.zip
Size

2.2MB
MD5

c955caef28097c6e3b21508b69de7c0d
SHA1

9ad2c18892d4a3af4b88bf69d515bc7f776d9500
SHA256

e975fe27d65bf5e22fd7b0fde9ece41e2997e98e0fa82d88a8f563847947c468
SHA512

19407087d39128e6ab7f11569f05f71d7a3f8a1379e771f9d30ec9bbd42c4c9140e7ba8683e01aaae5ff5ad9055d11fd54b1e3f0beade870bc9324ec5aea1321
SSDEEP

49152:zHiC/2axctSIYIh5nInmn4w8d264mYIh5nInmnZHZHd:zIaih5nInmnM2642h5nInmnZ59

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\7e80a6dc-9d32-4e4c-8936-e51c3676ecb4.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220920001609.pma	setup.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1088	1344	WerFault.exe	56

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
4764	NOTEPAD.EXE
2132	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4352	chrome.exe
4352	chrome.exe
2536	chrome.exe
2536	chrome.exe
1092	chrome.exe
1092	chrome.exe
4024	chrome.exe
4024	chrome.exe
4876	chrome.exe
4876	chrome.exe
3288	chrome.exe
3288	chrome.exe
1016	chrome.exe
1016	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
1536	msedge.exe
1536	msedge.exe
1604	msedge.exe
1604	msedge.exe
5572	identity_helper.exe
5572	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeRestorePrivilege	3896	7zG.exe
Token: 35	3896	7zG.exe
Token: SeSecurityPrivilege	3896	7zG.exe
Token: SeSecurityPrivilege	3896	7zG.exe
Token: SeRestorePrivilege	1916	7zG.exe
Token: 35	1916	7zG.exe
Token: SeSecurityPrivilege	1916	7zG.exe
Token: SeSecurityPrivilege	1916	7zG.exe
Token: SeRestorePrivilege	3820	7zG.exe
Token: 35	3820	7zG.exe
Token: SeSecurityPrivilege	3820	7zG.exe
Token: SeSecurityPrivilege	3820	7zG.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3896	7zG.exe
1916	7zG.exe
3820	7zG.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe
1604	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1900	OpenWith.exe
1900	OpenWith.exe
1900	OpenWith.exe
1900	OpenWith.exe
1900	OpenWith.exe
1900	OpenWith.exe
1900	OpenWith.exe
1900	OpenWith.exe
1900	OpenWith.exe
424	OpenWith.exe
424	OpenWith.exe
424	OpenWith.exe
424	OpenWith.exe
424	OpenWith.exe
424	OpenWith.exe
424	OpenWith.exe
424	OpenWith.exe
424	OpenWith.exe
424	OpenWith.exe
424	OpenWith.exe
424	OpenWith.exe
424	OpenWith.exe
424	OpenWith.exe
424	OpenWith.exe
424	OpenWith.exe
424	OpenWith.exe
424	OpenWith.exe
424	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
4812	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
2204	OpenWith.exe
2204	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 4200	1900	OpenWith.exe	103
PID 1900 wrote to memory of 4200	1900	OpenWith.exe	103
PID 424 wrote to memory of 4888	424	OpenWith.exe	107
PID 424 wrote to memory of 4888	424	OpenWith.exe	107
PID 4812 wrote to memory of 2240	4812	OpenWith.exe	110
PID 4812 wrote to memory of 2240	4812	OpenWith.exe	110
PID 3940 wrote to memory of 5032	3940	OpenWith.exe	112
PID 3940 wrote to memory of 5032	3940	OpenWith.exe	112
PID 2204 wrote to memory of 1996	2204	OpenWith.exe	115
PID 2204 wrote to memory of 1996	2204	OpenWith.exe	115
PID 1016 wrote to memory of 4764	1016	OpenWith.exe	117
PID 1016 wrote to memory of 4764	1016	OpenWith.exe	117
PID 2536 wrote to memory of 3284	2536	chrome.exe	120
PID 2536 wrote to memory of 3284	2536	chrome.exe	120
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4336	2536	chrome.exe	121
PID 2536 wrote to memory of 4352	2536	chrome.exe	122
PID 2536 wrote to memory of 4352	2536	chrome.exe	122
PID 2536 wrote to memory of 3560	2536	chrome.exe	123
PID 2536 wrote to memory of 3560	2536	chrome.exe	123
PID 2536 wrote to memory of 3560	2536	chrome.exe	123
PID 2536 wrote to memory of 3560	2536	chrome.exe	123
PID 2536 wrote to memory of 3560	2536	chrome.exe	123
PID 2536 wrote to memory of 3560	2536	chrome.exe	123
PID 2536 wrote to memory of 3560	2536	chrome.exe	123
PID 2536 wrote to memory of 3560	2536	chrome.exe	123

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Files.zip
1⤵
PID:2884

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 1344 -ip 1344
1⤵
PID:1304

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1344 -s 2460
1⤵
- Program crash
PID:1088

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4508

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Files\" -spe -an -ai#7zMap13582:90:7zEvent3409
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3896

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Files\OriginLogger\" -spe -an -ai#7zMap13009:116:7zEvent236
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1916

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Files\Updater\" -spe -an -ai#7zMap9519:106:7zEvent9781
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3820

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Files\OriginLogger\OriginLogger
  2⤵
  PID:4200

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Files\OriginLogger\.text
1⤵
PID:764

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:424
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Files\OriginLogger\7__+\(r_
  2⤵
  PID:4888

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Files\Updater\.text
1⤵
PID:3136

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Files\Updater\.rsrc_1
  2⤵
  PID:2240

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Files\Updater\.reloc
  2⤵
  PID:5032

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Files\Updater\.rsrc\version.txt
1⤵
PID:4816

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Files\Updater\.rsrc\MANIFEST\1
  2⤵
  PID:1996

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Files\profile.origin
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe25fb4f50,0x7ffe25fb4f60,0x7ffe25fb4f70
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1696 /prefetch:2
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2052 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2348 /prefetch:8
  2⤵
  PID:3560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3000 /prefetch:1
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4552 /prefetch:8
  2⤵
  PID:988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3696 /prefetch:8
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1604 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:3404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:1268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=848 /prefetch:8
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3276 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3920 /prefetch:8
  2⤵
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2804 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=932 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3676 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3824 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3440 /prefetch:8
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3020 /prefetch:8
  2⤵
  PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,4321815794252050996,11469998698405658824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  PID:1868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2784

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
PID:2584
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Files\NetCore.dll
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Files\eula.html
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe1a3a46f8,0x7ffe1a3a4708,0x7ffe1a3a4718
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,6669654629352090570,8620686318469824541,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,6669654629352090570,8620686318469824541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2488 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,6669654629352090570,8620686318469824541,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3116 /prefetch:8
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6669654629352090570,8620686318469824541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6669654629352090570,8620686318469824541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2168,6669654629352090570,8620686318469824541,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6669654629352090570,8620686318469824541,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6669654629352090570,8620686318469824541,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2168,6669654629352090570,8620686318469824541,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5748 /prefetch:8
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,6669654629352090570,8620686318469824541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6356 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:1628
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff681045460,0x7ff681045470,0x7ff681045480
    3⤵
    PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,6669654629352090570,8620686318469824541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6356 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
97KB

MD5
0e6284fa66ef3302f49d7cbb9ef6aac6

SHA1
c2ccd26a90f76ada50f815cd553c09966602cee1

SHA256
23c80b7449835f93ac6ad0fc8f116068b88b2507bca791eb0f1a608d4235e4f0

SHA512
330e0462d671b3d10b6d659b6aebbae8ba35dfbc9a4bca1f973477d55932219b5d7d656b89690b95be5b75ce19ae02d65e8c34443d63f9dbcedafc99c921663c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\NetCore.dll

Filesize
21KB

MD5
ae0c5fd1454fcff2c8ac401822164923

SHA1
961f3adc13b09b884f2675fc9da0dc2ea331aeea

SHA256
7c793bcc86a3e8aa83d38f80f6973e2a0276bf76f15bf0cb63a7507de5dd8f7a

SHA512
72a152a64cc609ef4cd37abe0ff9c952a1626f14d2237072d3d9502806334527d2523f9fe27b1caf45b6f5f408081b41db4c28c528b86e182a1de6510a43cce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OriginLogger.exe

Filesize
966KB

MD5
904195035801d5d9fc9458366777108b

SHA1
c018199cff11acf37706020e2b6d30da0a15f832

SHA256
f2e727c38ff2ee77981e76a30e61d012fd34b40d528f05b90c1a265b43e57862

SHA512
ac68fa6f6216435f4c169258236790390668a7f69a1843eecb05da6b66f916b9bd46b46239f35de44c1b502cc9ad9bc533c57f1b0aa7a617f44c603062e33273

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OriginLogger\.text

Filesize
369KB

MD5
7af4a5ebdb9cb25fd19a9fb88b4ce6f3

SHA1
28b51bb3b25be8672b8a2403fbb5750c52080046

SHA256
166fa3b8c74363c78a158b37974e1abdae63d11650d2a0ee9a46383227af4255

SHA512
07b0a8a4bd9238a61a89ce21729417979990e285e562b0365375219d7273983ea6a055519be16e18d1909de18820277dad893adcfa25439b0203bb9ded993249

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OriginLogger\7__+\(r_

Filesize
242KB

MD5
e7bee05591191d2f0f8079db77337871

SHA1
1415b0821541e798a41a66315068e84e11670d0d

SHA256
485abf18d316f98464b0716de2420cce436378b158b7ef415db32df963fa1cfd

SHA512
f69258b987eb137799ca4a4b98b9e8019a659ee2eec5c48a1dc5957a439ab6afae720469dd92661dba1d466c909b2b1fb236d61aa1439c7b922a607b2cbc5983

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OriginLogger\OriginLogger

Filesize
512B

MD5
1072aeeaf6e260503bcd0725523b02d6

SHA1
ae62613645f2d5189d47b288766ca02bb8c11845

SHA256
a33d9a39e3a4f380ffa2a38898dc64e83543813ed3f42eba672a0530936e5461

SHA512
ebc8074f1a3d482a8080a741e88699966ece1f2afff798094c08384064eb79828eec22005833f6ee7176ca57aab341288b6576e2ce7992d5e849eef689643857

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Updater.exe

Filesize
178KB

MD5
47e00b87cfb027b0ee0d720c46149500

SHA1
ded51121250d963696d88456861c1fd574d92baf

SHA256
ace87049c22119880bd5355a8d41a8d2e217ad987fe83ec30f1b6aa5403056ef

SHA512
a4ea2e3799ce3fee9a3223639656bfc729f5ef54a40ad908524eae8286fbf1311a5128415b2c027f202f4bfa811d832b1bab31cd47fe491b7f13eb09b238e8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Updater\.reloc

Filesize
512B

MD5
8cbb2d61929f02e8b0ac40943c580ae2

SHA1
cfba2fa417b283e4a502e64ce308ab51b82957c2

SHA256
29b7fcff614f6d27fd27efa642bcd3091efb9533bf30b7eafc1e8f42b703940d

SHA512
f9395560488903769f5390d90d1fa8b3060392b69b4b0aa891abd3e9cf17e7a6ad03a8dbf3a8231e2277c751175962f1125cf069d01b888151dc9ac114dedcf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Updater\.rsrc\MANIFEST\1

Filesize
436B

MD5
fd46cae204161f624089374d1892677e

SHA1
c2844e969091e2abc3ededb9792e7c129c050e1c

SHA256
6a2cf379aa950dde3136a3e3ff80047923faaf69dc65c7c5af21350f6d6a2a08

SHA512
f47fa6b9c85e4affa911b725f702cfc4cbd7e0e69e833e999a53e536aae73e85a329adbc92b8116763fdc2a72a97eac1a10da8a56b658a9f68ef1d8128ba1463

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Updater\.rsrc\version.txt

Filesize
1KB

MD5
3441db03f7e6f3e045da8ffd332f1b58

SHA1
2c620eedcf655ee7fcd67696a15185f7fa399bf7

SHA256
eb200eb876797a26c016bafcc099e1de88905d3c28181c3c60585256c6dad761

SHA512
1b36207684509337804185dc354297831863b0765e4e88c0e5824a6bf8132d0ddebbc3bdc81b7eb1e3bb16b357182c0a172e499f649dae6b4e44917da1c97e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Updater\.rsrc_1

Filesize
160B

MD5
e27460c94da515f8acaedc3481255078

SHA1
d034ed35f2344805b708d99f55b6c1ca0f1d93c6

SHA256
52fcc5b3c6cb2458e6361fe35191ed477bb3da93fdf4ffdb126479ca014e529f

SHA512
751c02eb49e4dc799f3f03a53c20d34e1f1f5e9b2cc6544f36fdcc7c5dfa79ba8362abd7e5440f474efaf089496e14f6c806e9c6b658eaf7d2db9c8dc8b8025d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Updater\.text

Filesize
176KB

MD5
7dfafcfab412c554b14a8058c9cce278

SHA1
69a3c54d11f07ddc585462b9ba60ac1166c8a6f4

SHA256
fd7e58b406cecff7a0120d6ac6c0a7a6501cc8b29ff39ad04e5e9bc4bb783ae4

SHA512
da19a7ef1da902ca22b988d242aa3d8926d0d5de1ab6310a1b240909643fce0e6c495721a446523e0bf5341b7163a3774a6c82ad7ec28c6bb89e19d8e09e1f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\eula.html

Filesize
16KB

MD5
0d257ea704c1c23ea230d539ab7879d9

SHA1
ae2a24e17c4312d277c815da8947fbc36e2a9cad

SHA256
db32ddf458fb6f01f17bd20fc594386bf692f7f2a59b24e5b72d3bbfdac59bc1

SHA512
c8e089c3701fef67b295e179688c99ef200678c24a54bc642386ee1b9d206e0cec82d7e748b8bcee37a858682c0b7393b8509a632e1ce3b9c0eee55448d3c16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\profile.origin

Filesize
126B

MD5
00f80f42d1f53459a46d5e03f17dffd2

SHA1
1a19cf35788f810482b0cbc25106af862a1f7618

SHA256
fbb3c590df6143a18d8bbcdad773be2d6ee341b6148f9bfe69f3710f31940a65

SHA512
b0f86584ce02a737d3ee95f5ae8d5a2a75ed18b8d742fc30101b6c8f1bd5957b2efc116c6913bc95278c8e588971f197bb4aa151fec7182db743c1cdd51fd5fd

Download Submit