hxxps://drive[.]google[.]com/file/d/1zmVExGpsH2FKwcXGAn2dygrOLXfX-edX/view?usp=sharing

Analysis

max time kernel
127s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1zmVExGpsH2FKwcXGAn2dygrOLXfX-edX/view?usp=sharing

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
10	drive.google.com
12	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 38 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133700551252279143"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2692	chrome.exe
2692	chrome.exe
4368	msedge.exe
4368	msedge.exe
1652	msedge.exe
1652	msedge.exe
5740	msedge.exe
5740	msedge.exe
944	msedge.exe
944	msedge.exe
944	msedge.exe
944	msedge.exe
944	msedge.exe
944	msedge.exe
944	msedge.exe
944	msedge.exe
944	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeCreateGlobalPrivilege	13968	dwm.exe
Token: SeChangeNotifyPrivilege	13968	dwm.exe
Token: 33	13968	dwm.exe
Token: SeIncBasePriorityPrivilege	13968	dwm.exe
Token: SeCreateGlobalPrivilege	4668	dwm.exe
Token: SeChangeNotifyPrivilege	4668	dwm.exe
Token: 33	4668	dwm.exe
Token: SeIncBasePriorityPrivilege	4668	dwm.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 3368	2692	chrome.exe	86
PID 2692 wrote to memory of 3368	2692	chrome.exe	86
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 1660	2692	chrome.exe	87
PID 2692 wrote to memory of 2396	2692	chrome.exe	88
PID 2692 wrote to memory of 2396	2692	chrome.exe	88
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89
PID 2692 wrote to memory of 4404	2692	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1zmVExGpsH2FKwcXGAn2dygrOLXfX-edX/view?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff84d65cc40,0x7ff84d65cc4c,0x7ff84d65cc58
  2⤵
  PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1760,i,4157549434404299747,10805520806534399633,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1752 /prefetch:2
  2⤵
  PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1948,i,4157549434404299747,10805520806534399633,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,4157549434404299747,10805520806534399633,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2284 /prefetch:8
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,4157549434404299747,10805520806534399633,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,4157549434404299747,10805520806534399633,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3628,i,4157549434404299747,10805520806534399633,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4432 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4676,i,4157549434404299747,10805520806534399633,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5140,i,4157549434404299747,10805520806534399633,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5168,i,4157549434404299747,10805520806534399633,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:3992

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1624

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\funny.bat" "
1⤵
PID:2980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" md 8742 "
  2⤵
  PID:1516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" start funny.bat"
  2⤵
  PID:3404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K funny.bat
    3⤵
    PID:3592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" md 8742 "
      4⤵
      PID:2016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" start funny.bat"
      4⤵
      PID:4588
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K funny.bat
        5⤵
        
        PID:1780
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" md 8742 "
        6⤵
        
        PID:4220
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" start funny.bat"
        6⤵
        
        PID:4612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K funny.bat
        7⤵
        
        PID:3608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" md 8745 "
        8⤵
        
        PID:6152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" start funny.bat"
        8⤵
        
        PID:6212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K funny.bat
        9⤵
        
        PID:6532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" md 8761 "
        10⤵
        
        PID:7224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" start funny.bat"
        10⤵
        
        PID:7356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K funny.bat
        11⤵
        
        PID:7912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" md 8774 "
        12⤵
        
        PID:8764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" start funny.bat"
        12⤵
        
        PID:8772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K funny.bat
        13⤵
        
        PID:8864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" md 8781 "
        14⤵
        
        PID:8376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" start funny.bat"
        14⤵
        
        PID:9464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K funny.bat
        15⤵
        
        PID:10376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" md 8807 "
        16⤵
        
        PID:12464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" start funny.bat"
        16⤵
        
        PID:12516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K funny.bat
        17⤵
        
        PID:13068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" md 24354 "
        14⤵
        
        PID:11696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" start chromebomb.html"
        14⤵
        
        PID:11764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\chromebomb.html
        15⤵
        
        PID:12580
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83c5846f8,0x7ff83c584708,0x7ff83c584718
        16⤵
        
        PID:12620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" md 2857 "
        12⤵
        
        PID:9564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" start chromebomb.html"
        12⤵
        
        PID:9608
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\chromebomb.html
        13⤵
        
        PID:8264
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x78,0x108,0x7ff83c5846f8,0x7ff83c584708,0x7ff83c584718
        14⤵
        
        PID:10296
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:1656
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:11332
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:11636
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:11916
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:12072
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:12392
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:12748
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13284
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13572
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:14304
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:14312
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:14324
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:14332
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13356
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13368
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13376
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13360
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13444
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:12556
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13440
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13384
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13548
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13460
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13468
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:12520
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13616
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13632
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:12792
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:12788
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13656
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13648
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13668
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13676
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:1728
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13704
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13708
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13776
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:12232
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13740
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13696
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13748
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13768
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13764
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13812
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13800
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13824
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13808
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13332
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13516
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:12576
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:14256
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:13040
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:14592
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:14776
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:15072
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:15104
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        12⤵
        
        PID:15232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" md 25399 "
        10⤵
        
        PID:9128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" start chromebomb.html"
        10⤵
        
        PID:8424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\chromebomb.html
        11⤵
        
        PID:9804
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83c5846f8,0x7ff83c584708,0x7ff83c584718
        12⤵
        
        PID:9832
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:9988
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:10440
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:10984
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:11160
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:10616
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:11756
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:12008
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:12184
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:12296
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:12544
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:13316
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:13860
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:13912
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:13976
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:13484
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:1288
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:1444
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:1112
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:13724
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:13144
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:13528
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:632
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:13856
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:13416
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:13340
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:12848
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:14632
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:14800
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:15488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" md 4425 "
        8⤵
        
        PID:7324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" start chromebomb.html"
        8⤵
        
        PID:7368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\chromebomb.html
        9⤵
        
        PID:7324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83c5846f8,0x7ff83c584708,0x7ff83c584718
        10⤵
        
        PID:412
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:8772
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:9260
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:9456
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:9588
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:9796
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:5776
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:8860
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:9956
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:10392
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:10944
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:1412
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:11440
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:11724
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:11980
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:12156
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:12504
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:12880
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:12908
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:12916
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:12924
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:12932
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:12940
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:12948
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:12956
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:12964
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:12972
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:12308
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:13880
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:13924
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:13408
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:3052
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:14644
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:14812
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" md 26445 "
        6⤵
        
        PID:5336
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" start chromebomb.html"
        6⤵
        
        PID:5376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\chromebomb.html
        7⤵
        
        PID:6028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83c5846f8,0x7ff83c584708,0x7ff83c584718
        8⤵
        
        PID:6096
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:6424
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:6612
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:6700
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:6848
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:6896
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:7244
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:7268
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:7276
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:7284
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:7292
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:7300
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:7308
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:7720
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:7928
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:8156
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:8560
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:8904
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:9140
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:9196
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:9352
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:9688
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:9916
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:10232
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:2656
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:6128
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:11000
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:11176
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:11244
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:10056
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:11552
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:12048
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:12256
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:12360
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:12692
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:13252
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:13324
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:4308
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:14668
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:14836
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:15088
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:15120
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:15200
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:15208
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:15248
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:14352
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:14408
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:14452
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:14416
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:14424
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:14460
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:14532
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:14524
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:14928
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:15368
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:15436
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:15480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" md 26445 "
      4⤵
      PID:1192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" start chromebomb.html"
      4⤵
      PID:4692
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\chromebomb.html
        5⤵
        
        PID:1056
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff83c5846f8,0x7ff83c584708,0x7ff83c584718
        6⤵
        
        PID:1040
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,14085199192287393093,18240118449106478240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5740
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5760
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6064
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5628
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5644
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5340
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6264
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6460
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6644
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6732
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6856
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6880
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6888
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:7072
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:7096
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:7104
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:7112
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6296
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:7428
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:7788
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:7980
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:7580
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:2272
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:8176
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:8196
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:8204
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:8212
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:8220
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:8228
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:8236
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:8244
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:8252
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:8268
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:8756
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:9064
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:3188
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:9312
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:9512
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:9680
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:9908
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:10224
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:9496
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:10468
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:10488
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:10496
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:10504
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:10512
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:10520
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:10528
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:10536
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:10544
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:11028
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:11200
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:11020
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:11520
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:11816
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:12240
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:12340
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:12604
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:13204
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:13504
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:13560
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:14264
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:13712
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5312
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5308
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5316
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:3016
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:812
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:1188
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:4864
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:2960
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:12808
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:13584
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:1224
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:4356
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:1644
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:2816
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:14652
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:14820
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:15080
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:15240
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:15644
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:15664
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:15672
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:15680
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:15688
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:15696
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:15704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" md 26445 "
  2⤵
  PID:368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" start chromebomb.html"
  2⤵
  PID:3088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\chromebomb.html
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff83c5846f8,0x7ff83c584708,0x7ff83c584718
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,14626450565643136393,1514290714630853657,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1936 /prefetch:2
      4⤵
      PID:2108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,14626450565643136393,1514290714630853657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,14626450565643136393,1514290714630853657,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
      4⤵
      PID:4984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14626450565643136393,1514290714630853657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
      4⤵
      PID:2920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14626450565643136393,1514290714630853657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
      4⤵
      PID:3928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14626450565643136393,1514290714630853657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
      4⤵
      PID:5804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14626450565643136393,1514290714630853657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
      4⤵
      PID:5788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14626450565643136393,1514290714630853657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
      4⤵
      PID:8720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14626450565643136393,1514290714630853657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
      4⤵
      PID:10044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14626450565643136393,1514290714630853657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
      4⤵
      PID:10780
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3100
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2200
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4832
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4236
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:772
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:532
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1620
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1448
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1144
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3180
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4292
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3644
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3944
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4676
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3856
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5328
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5360
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5396
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5456
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5964
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5392
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6160
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6344
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6512
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6768
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6908
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7080
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7120
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7128
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7136
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6212
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7344
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7756
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7904
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8136
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8508
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8888
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9120
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9164
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9336
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9660
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9900
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10216
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5300
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9576
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10992
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11168
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5696
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11504
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11780
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12232
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12312
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12572
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13108
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13388
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12236
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13600
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14660
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14828
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15096
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15136
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15176
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15192
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15224
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5272

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5560

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13968

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
1bcdb31315fef18e5d0a10248bef95fa

SHA1
a444893eddc68913d5046feb76d2ba714a6b134b

SHA256
0799b5fb9bb575b4702f3cba4e56fd92f5d242b4fce3fb2b33d5b21c7024c834

SHA512
5311e3caa8b84676ffac930222934866dd8a8bfd81f02bf9f2c4d11ca9c9cf8ea6385e6e763ac3476f59b14a0ddf2cd865a1e16b958555a0082411b191689daa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
3c9e2007c0e821a97d7cb2b08d3fa06f

SHA1
cf117ba64f80437c3242da1ff8ae35ac6da4e59b

SHA256
fb6ed2c369ca0a1697e733ddcdf987ea8b3890a1e8e3b3a3672ff8da48ffe619

SHA512
81635c5ccf358f514ffb80dfc55a240ad3ee8a48e63d8fdab221e264953197c19d96ee2924aa3da05f2a08db9cfc6dd0e1c976179516ea2f9a32ba0402390379

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
0eccb84503f469929f29154d7228be43

SHA1
7ddce9f1ce38b23ab48b5ec560f9e2ce3ba6efc3

SHA256
7ee28ec7cc441928a40a76eae93280d7167047e10cc33537a2748ae34120bfd7

SHA512
169bf6e02093599dd51f63aeacb6e6fc079f77471b1b1405e67727322aa8368285adde8f7fad620d02ded8cecb356b86e538ffe09636d0a91580b28d8911fe52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1024B

MD5
2b04af858f036cd69c8f63edc771b4d8

SHA1
93fe28a6cc907a97ab084e4b2cb4bfc51cb2fd14

SHA256
eb360ed10aa4408e027eaffda0d6d0ca6bd9ce49820e64b391db8c64960508dd

SHA512
d08ae2236bc434a6228742ddb95a884c7fe47e7c612f5a874fc69f936490969c27857fc117db89cb560c978a825fac411e03f1f6a5ad4e40d1021e52e61f8df8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b54c6df8506924d69898d07952d320f3

SHA1
a5123708f03d572be23aa61a779599961ecd19ad

SHA256
3e01d03a1d6dd261d72a62424c28b9a89810bd588f1fb9975159e4ba06faf7c7

SHA512
f4a9a795f461235397c499713d91537cacf85d03fe0d52d5e5701230aff0cfe9a73a23400fbd840b1f6b3b2d0c1af90884a2fc6f47074a903f584e7d783364f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ba98d7ddaf9e6b4eae8ab07e3494268b

SHA1
6db23bfaf371146850d9cd02d33dbf320d4eccc5

SHA256
ae30b11b5a0231315fda833c2f16b7481940e4dbdaee9ed29dd86b904653e51e

SHA512
110be0cc0df04ad94c04449f4d811c2e240cb865905cfb42a937de2b2990c85ec05b79f97576d1beaaba7e9d6ef8a4852c41a80e8390951725a6204eb11a40cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
189e1a173c095fbf7915ba269d9e4afa

SHA1
6d22d2a84d036914638832b56dfffe8f2a39e67f

SHA256
06d30479a40f3bbb7d911fd014893658595bf381855518927f2ba3344fdf879b

SHA512
7ea93d0380f412a3bc210d1b3382f3f36909f4bb4774fb705c3fb950504b937e9fff8047180bdaecf890ac8cc3b74907d29fa6ae3628c516657a0a7eba99b136

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
b89be96888581b9165bd24992651be24

SHA1
163c5496e52c006a8aec0f6a5382a6487a8696d4

SHA256
1cac4879f47616fc358acd5f953973bd07380ecc1579af421c1b783aa6a5419c

SHA512
970549740c5e9231214ed7837e2f8e66504b2a36d0dddc3ffc57f06c2faa232376692bec726db80bb0c84bee74dd46a8e57d21781b6d60146a4ff3804e863345

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
150B

MD5
a27f9be427615840e923969342a3bd9b

SHA1
3fcb9c0c79a8625d035464fe50d8a7ae5667650b

SHA256
57088a447d5bc747ddeee59d05540c38c895394294d762dc126397dddef7af4e

SHA512
5be940a12e792badfcbfceb21006b2cec51674264910ee111615d16c2197fba029eb1118702b0b73a70318da3ae53eb41c274defb305b31fe7260bc98d65c6c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\5ea9d385-91c1-496a-b659-22980e7c5518.dmp

Filesize
466KB

MD5
102a84d7411db8b4e1e7092d7ab532fa

SHA1
116381c1b5668a92c810ab258a3910c08c1764c5

SHA256
cd7aa7e32eff797f50865cdea1650bde599cd6018de312696e9564f2942e0148

SHA512
015ce55e72571f33eb20c6e98423fa497003189f28fa7834976f2d476138b9b84032d29fadaaad6dfd36a464ee1fca184e977e835a3ca4cda49d8bc2e8fc828a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ae2211d64595cf58b6835832822b65ce

SHA1
c21cc92a2e6fdffc0ed9196b10040aca41cdf99e

SHA256
99ff55ee2ade269b5fcda69d1919b856f85ef983884ffffcc681be17683d3c04

SHA512
8915f5e531ccb0d08a5490a8e2e2fa8fa52149d9c729289ebeb01d907715767682c4c048a3c12c4e5651edc24300e0663ef257bc3bcf3b38110afa75bd352075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2c5aed703eb08934bd30717ab1481197

SHA1
c904a16985c33b5cc9585bcf5c1140b93ffd5bee

SHA256
11f3f620fa17abd2237c576ab405d5dba6f00420228c31c61a3aa24e386799dc

SHA512
db492269cf2684f3c2319a70badadd3151585ff828eece9679946681c693766b3798c8fe3480f7b1b63827714957dde213809e0ec1adc25042526f651595df62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a58c856a6e1189ac49cd9aeecaefbac1

SHA1
4275ab8c5d2a35ea0f2dc9c044ccd19db4304a85

SHA256
d4c68b1e54616b0360f97bf5464be1c3cade9a367af85509c5b8a1bea6e30b01

SHA512
77a33a268b83f465ef6397d5e117b17a7bfc9d2fdd24575f3bdb0fb32f096b67b4f4c8d1ae9c3cd5875d62deba125e3126e897150fd4cc251a571c8a2388aeb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
2190e85f5f9ffc15d837c3167a0a2ab9

SHA1
28ab05e5c8c1ea278649559b9fa8ae9c17f69ae1

SHA256
855b9b8606bb0306662ce3edf393a3fd4aad80aa7c6de491ce1d57bc630b3b31

SHA512
c6a72c94d400ded59ea66bfeac1dd793716353296897d5b0db6e6872f16ba1e038c933aa5f1a38eeb1d2069f65225097569e585160a3654517ed998e8c572d85

Download Submit