hxxp://139[.]224[.]114[.]70[:]80

Analysis

max time kernel
1687s
max time network
1783s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2022, 22:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://139.224.114.70:80

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
4752	a.exe
4540	ChromeRecovery.exe
1044	cobaltstrike.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cobaltstrike.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4112_606338166\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4112_606338166\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4112_606338166\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4112_606338166\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4112_606338166\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4112_606338166\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4112_606338166\manifest.json	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 13 IoCs

ransomware

pid	Process
2672	NOTEPAD.EXE
2668	NOTEPAD.EXE
3912	NOTEPAD.EXE
824	NOTEPAD.EXE
2232	NOTEPAD.EXE
2552	NOTEPAD.EXE
2052	NOTEPAD.EXE
1504	NOTEPAD.EXE
4288	NOTEPAD.EXE
3916	NOTEPAD.EXE
4816	NOTEPAD.EXE
812	NOTEPAD.EXE
2188	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4960	chrome.exe
4960	chrome.exe
4028	chrome.exe
4028	chrome.exe
808	chrome.exe
808	chrome.exe
2004	chrome.exe
2004	chrome.exe
5012	chrome.exe
5012	chrome.exe
3608	chrome.exe
3608	chrome.exe
4256	chrome.exe
4256	chrome.exe
3244	chrome.exe
3244	chrome.exe
2480	chrome.exe
2480	chrome.exe
4264	chrome.exe
4264	chrome.exe
4248	chrome.exe
4248	chrome.exe
4976	chrome.exe
4976	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
1420	chrome.exe
2220	chrome.exe
2220	chrome.exe
4264	chrome.exe
4264	chrome.exe
4328	chrome.exe
4328	chrome.exe
1732	chrome.exe
1732	chrome.exe
4724	chrome.exe
4724	chrome.exe
4540	chrome.exe
4540	chrome.exe
3696	chrome.exe
3696	chrome.exe
4624	chrome.exe
4624	chrome.exe
3576	chrome.exe
3576	chrome.exe
4932	chrome.exe
4932	chrome.exe
2464	chrome.exe
2464	chrome.exe
5044	chrome.exe
5044	chrome.exe
220	chrome.exe
220	chrome.exe
1760	chrome.exe
1760	chrome.exe
4872	chrome.exe
4872	chrome.exe
3696	chrome.exe
3696	chrome.exe
4316	chrome.exe
4316	chrome.exe
4164	chrome.exe
4164	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4464	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	3716	7zG.exe
Token: 35	3716	7zG.exe
Token: SeSecurityPrivilege	3716	7zG.exe
Token: SeSecurityPrivilege	3716	7zG.exe
Token: SeRestorePrivilege	2052	7zFM.exe
Token: 35	2052	7zFM.exe
Token: SeRestorePrivilege	3968	7zFM.exe
Token: 35	3968	7zFM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
3716	7zG.exe
2052	7zFM.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
4464	OpenWith.exe
4464	OpenWith.exe
4464	OpenWith.exe
4464	OpenWith.exe
4464	OpenWith.exe
4464	OpenWith.exe
4464	OpenWith.exe
4464	OpenWith.exe
4464	OpenWith.exe
4464	OpenWith.exe
4464	OpenWith.exe
4464	OpenWith.exe
4464	OpenWith.exe
4464	OpenWith.exe
4464	OpenWith.exe
4464	OpenWith.exe
4464	OpenWith.exe
4464	OpenWith.exe
4464	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 924	4028	chrome.exe	82
PID 4028 wrote to memory of 924	4028	chrome.exe	82
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4952	4028	chrome.exe	85
PID 4028 wrote to memory of 4960	4028	chrome.exe	86
PID 4028 wrote to memory of 4960	4028	chrome.exe	86
PID 4028 wrote to memory of 4604	4028	chrome.exe	87
PID 4028 wrote to memory of 4604	4028	chrome.exe	87
PID 4028 wrote to memory of 4604	4028	chrome.exe	87
PID 4028 wrote to memory of 4604	4028	chrome.exe	87
PID 4028 wrote to memory of 4604	4028	chrome.exe	87
PID 4028 wrote to memory of 4604	4028	chrome.exe	87
PID 4028 wrote to memory of 4604	4028	chrome.exe	87
PID 4028 wrote to memory of 4604	4028	chrome.exe	87
PID 4028 wrote to memory of 4604	4028	chrome.exe	87
PID 4028 wrote to memory of 4604	4028	chrome.exe	87
PID 4028 wrote to memory of 4604	4028	chrome.exe	87
PID 4028 wrote to memory of 4604	4028	chrome.exe	87
PID 4028 wrote to memory of 4604	4028	chrome.exe	87
PID 4028 wrote to memory of 4604	4028	chrome.exe	87
PID 4028 wrote to memory of 4604	4028	chrome.exe	87
PID 4028 wrote to memory of 4604	4028	chrome.exe	87
PID 4028 wrote to memory of 4604	4028	chrome.exe	87
PID 4028 wrote to memory of 4604	4028	chrome.exe	87
PID 4028 wrote to memory of 4604	4028	chrome.exe	87
PID 4028 wrote to memory of 4604	4028	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" http://139.224.114.70:80
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe826a4f50,0x7ffe826a4f60,0x7ffe826a4f70
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1688 /prefetch:2
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2028 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2296 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:1
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2996 /prefetch:1
  2⤵
  PID:100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4468 /prefetch:8
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  PID:676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3244 /prefetch:8
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3316 /prefetch:8
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3208 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3204 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1560 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=212 /prefetch:8
  2⤵
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=812 /prefetch:8
  2⤵
  PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3296 /prefetch:8
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3276 /prefetch:8
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:3560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4428 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5700 /prefetch:8
  2⤵
  PID:3128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1732
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\WqVVwu.log
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5924 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4724
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\EzWPwd.log
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4540
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\iA6QwC.log
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4508 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3696
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\LZii64.log
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4624
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\ptwKIX.log
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5888 /prefetch:8
  2⤵
  PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6044 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4524 /prefetch:8
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=988 /prefetch:8
  2⤵
  PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6120 /prefetch:8
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:1592
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\events.log
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1088 /prefetch:8
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1760
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\beacon_1558273548.log
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2352 /prefetch:8
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3328 /prefetch:8
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3312 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4872
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\beacon_72995008.log
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3732 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3696
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\weblog_80.log
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4616 /prefetch:8
  2⤵
  PID:260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4472 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4316
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\beacon_1558273548 (1).log
  2⤵
  PID:3208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4164
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\beacon_1160018498.log
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2672
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\beacon_1160018498.log
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4680 /prefetch:8
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:3352
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\events (1).log
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:8
  2⤵
  PID:4584
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\beacon_71726140.log
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6020 /prefetch:8
  2⤵
  PID:516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  PID:2864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  PID:4724
- C:\Users\Admin\Downloads\cobaltstrike.exe
  "C:\Users\Admin\Downloads\cobaltstrike.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:1044
- - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -Dfile.encoding=UTF-8 -XX:ParallelGCThreads=4 -XX:+AggressiveHeap -XX:+UseParallelGC -javaagent:CSAgent.jar=CSAgent.properties -Duser.language=en -jar cobaltstrike.jar %*
    3⤵
    PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,2622874949161732779,15557279799213663444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1640 /prefetch:8
  2⤵
  PID:3688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1944

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4472

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\profile~\" -spe -an -ai#7zMap15899:68:7zEvent1810
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3716

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\profile"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2052

C:\Users\Admin\Downloads\a.exe
"C:\Users\Admin\Downloads\a.exe"
1⤵
- Executes dropped EXE
PID:4752

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4464
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\profile
  2⤵
  PID:2760

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\32539ebb9"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:4112
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4112_606338166\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4112_606338166\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={76bd1d1e-4a3d-4024-be23-bb50b6cb865e} --system
  2⤵
  - Executes dropped EXE
  PID:4540

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\teamserver_win.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Downloads\32539ebb9

Filesize
721B

MD5
986a98700999fef99e6e480f868340e4

SHA1
8d97d10bcfe40b9e61d460587e4a0b8cc987cef4

SHA256
e27b5b99b8b10dc147df6729c8d915967d4add4a9ee23115595cf4b5fc40e1b0

SHA512
29a9953a1ac502668d9a539f1edd9ed7784a628f2597a3e1fb782e4d17e7822f79a7db1a6fdedfa20acb0d85d0276abc60ed8409a31eb23bb1936725f404f3d0

Download Submit
C:\Users\Admin\Downloads\EzWPwd.log

Filesize
1KB

MD5
03a88ae50527f05ea2aef9909c9f1ae9

SHA1
de678f03bbddd7f592a24584bf17fcda60aa6c25

SHA256
ebfb83869250593e1b01b1e231d4c01eff0581114d928c00513aebc86e1cb562

SHA512
d0834498f9d26eccacb2bfe3aaf5e6184aa3e53764ca956fc6c5f4397738d257d11c6e5cf79e24071ac0216201f9cad0387844eef522a2ca38ca6867ff3df42c

Download Submit
C:\Users\Admin\Downloads\LZii64.log

Filesize
39KB

MD5
40efcd4be455f1664ff4f049fd92f5d7

SHA1
73e91c08de50b0978ba6f8165c2c58e01a4d11d2

SHA256
21b984ddfeb47a56b085b41a3c33c229ee9d467ba0ed321e7786f29698719805

SHA512
eecf33a05be32060d6fd32bda1b762b8844676afc4627afb46877678767b1d21c015b9250d6bdcaa0c478d65f36eefb8fd4c386d7459e8d7320d2ab995f83410

Download Submit
C:\Users\Admin\Downloads\WqVVwu.log

Filesize
121KB

MD5
abdcd9b642a13601db703b576f892991

SHA1
4f622960ea0b0e964250460384d2cfe21df02fc0

SHA256
056ac01b36855bb30521fde583fcb393dcf8ea063007c451269346d124226a28

SHA512
37426256003212a508db5412fc29187993a5eed1712fee17b66eadcc58d83f2783c307b737dee8683ecefcf9f33ca60704be4e6031ecf2856924a01798b71e6d

Download Submit
C:\Users\Admin\Downloads\a.exe

Filesize
3.1MB

MD5
e0e42e4d9fd58108c86d5f061e670685

SHA1
ce904060db3ea588d96b5a04e749e45397213f56

SHA256
e77081068e4e4188dd79f5fa91d106c0d0ce21b6f5a3076b3f8167fd29ffcf62

SHA512
febce58643c7133440af5ed2c547af69064ea780f35000c558d03ee4c26d04450640ca108d391b599fa8c471bddd69c653cf6d622af1aa9f2228beb87d6ce6d7

Download Submit
C:\Users\Admin\Downloads\a.exe

Filesize
3.1MB

MD5
e0e42e4d9fd58108c86d5f061e670685

SHA1
ce904060db3ea588d96b5a04e749e45397213f56

SHA256
e77081068e4e4188dd79f5fa91d106c0d0ce21b6f5a3076b3f8167fd29ffcf62

SHA512
febce58643c7133440af5ed2c547af69064ea780f35000c558d03ee4c26d04450640ca108d391b599fa8c471bddd69c653cf6d622af1aa9f2228beb87d6ce6d7

Download Submit
C:\Users\Admin\Downloads\iA6QwC.log

Filesize
6KB

MD5
4b9884ab68489c5edd8ea3f92f3a9098

SHA1
f9d9992adb9c4e67721b837a8143d656b2f07d88

SHA256
bc661555ab9773c160c42e61ce2d794e0a1f41673aa6bb07d1d9bd753c234e04

SHA512
ff652634ada37482343671fe917618ddeec416a38950a250770beda4a4135d0f867560e5b4b501ccd2d330d1ed80c1fa56e009340ce9b60762a09fea3c7f4fed

Download Submit
C:\Users\Admin\Downloads\profile

Filesize
148B

MD5
46438b614dcb2175148fa7e0bdc604a4

SHA1
dcd1b431c955cf1fb6064756c6044a49ef507c37

SHA256
74bc92bcf960bfb62b22aa65370cdd1cd37739baa4eab9b240d72692c898ef1f

SHA512
12dd3d49d0b7516c811868a01431b9d9cbbde5c4d1ff867d2bd6d9ab9a09ad2fee7c0ca42bd80b1f1a4dee94c602a9e9188036a79257e7dd6f376a42f0685cc5

Download Submit
C:\Users\Admin\Downloads\ptwKIX.log

Filesize
52KB

MD5
ccf621ddea76cb5c1a9e409cea0b3949

SHA1
b11d4d71f6da9f3f9d51d7b5dc9059691ecc1ff9

SHA256
6fcd93a6a9173233ef7998135ca6b98ed502cebe614d8313ff7ddba7d16ba054

SHA512
80f22abead51e9de7a31066a187c562c4b8331c67a1d5c3a2db4e65da6066dc71a27f2a0cdace4fde33757a56d771b8121e295ac1a2ac3e3da20b45ebb1ae363

Download Submit