silverrat | e40efe97ccad1bbdbb23f174021b1f09337120467683c1a43ec242c1bd05fd34

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	uicleaner.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	$77BBCa.exe

Executes dropped EXE 1 IoCs

pid	Process
2424	$77BBCa.exe

Loads dropped DLL 2 IoCs

pid	Process
5432	taskmgr.exe
5432	taskmgr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\Temp spoofer\\$77BBCa.exe\""	uicleaner.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4924	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
1030	raw.githubusercontent.com

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4516	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133779153735756979"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\1	dnSpy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	dnSpy.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3	dnSpy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	dnSpy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	dnSpy.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	dnSpy.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	dnSpy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	dnSpy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\1 = 14002e80922b16d365937a46956b92703aca08af0000	dnSpy.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	dnSpy.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	dnSpy.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg	dnSpy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	dnSpy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	dnSpy.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	dnSpy.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\2	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	dnSpy.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	dnSpy.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	dnSpy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Documents"	dnSpy.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	dnSpy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\1\NodeSlot = "7"	dnSpy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	dnSpy.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	dnSpy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	dnSpy.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	dnSpy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic"	dnSpy.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	dnSpy.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\MRUListEx = 0100000000000000ffffffff	dnSpy.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	dnSpy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "9"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	dnSpy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	dnSpy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\2\NodeSlot = "8"	dnSpy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	dnSpy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4660	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4284	uicleaner.exe
4284	uicleaner.exe
4284	uicleaner.exe
4284	uicleaner.exe
4284	uicleaner.exe
4284	uicleaner.exe
4284	uicleaner.exe
4284	uicleaner.exe
4284	uicleaner.exe
4284	uicleaner.exe
4284	uicleaner.exe
4284	uicleaner.exe
4284	uicleaner.exe
4284	uicleaner.exe
4284	uicleaner.exe
4284	uicleaner.exe
4284	uicleaner.exe
4284	uicleaner.exe
4284	uicleaner.exe
4284	uicleaner.exe
4284	uicleaner.exe
4924	powershell.exe
4924	powershell.exe
2424	$77BBCa.exe
2424	$77BBCa.exe
2424	$77BBCa.exe
2424	$77BBCa.exe
2424	$77BBCa.exe
2424	$77BBCa.exe
2424	$77BBCa.exe
2424	$77BBCa.exe
2424	$77BBCa.exe
2424	$77BBCa.exe
2424	$77BBCa.exe
2424	$77BBCa.exe
2424	$77BBCa.exe
2424	$77BBCa.exe
2424	$77BBCa.exe
2424	$77BBCa.exe
2424	$77BBCa.exe
2424	$77BBCa.exe
2424	$77BBCa.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
2424	$77BBCa.exe
2424	$77BBCa.exe
2424	$77BBCa.exe
2424	$77BBCa.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
5432	taskmgr.exe
8132	dnSpy.exe
5540	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	5480	vssvc.exe
Token: SeRestorePrivilege	5480	vssvc.exe
Token: SeAuditPrivilege	5480	vssvc.exe
Token: SeDebugPrivilege	4284	uicleaner.exe
Token: SeDebugPrivilege	2424	$77BBCa.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeIncreaseQuotaPrivilege	4924	powershell.exe
Token: SeSecurityPrivilege	4924	powershell.exe
Token: SeTakeOwnershipPrivilege	4924	powershell.exe
Token: SeLoadDriverPrivilege	4924	powershell.exe
Token: SeSystemProfilePrivilege	4924	powershell.exe
Token: SeSystemtimePrivilege	4924	powershell.exe
Token: SeProfSingleProcessPrivilege	4924	powershell.exe
Token: SeIncBasePriorityPrivilege	4924	powershell.exe
Token: SeCreatePagefilePrivilege	4924	powershell.exe
Token: SeBackupPrivilege	4924	powershell.exe
Token: SeRestorePrivilege	4924	powershell.exe
Token: SeShutdownPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeSystemEnvironmentPrivilege	4924	powershell.exe
Token: SeRemoteShutdownPrivilege	4924	powershell.exe
Token: SeUndockPrivilege	4924	powershell.exe
Token: SeManageVolumePrivilege	4924	powershell.exe
Token: 33	4924	powershell.exe
Token: 34	4924	powershell.exe
Token: 35	4924	powershell.exe
Token: 36	4924	powershell.exe
Token: SeDebugPrivilege	5432	taskmgr.exe
Token: SeSystemProfilePrivilege	5432	taskmgr.exe
Token: SeCreateGlobalPrivilege	5432	taskmgr.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe
Token: SeShutdownPrivilege	4216	chrome.exe
Token: SeCreatePagefilePrivilege	4216	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
5432	taskmgr.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe
4216	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2424	$77BBCa.exe
8132	dnSpy.exe
8132	dnSpy.exe
5540	chrome.exe
5540	chrome.exe
5540	chrome.exe
5540	chrome.exe
5540	chrome.exe
5540	chrome.exe
5540	chrome.exe
5540	chrome.exe
5540	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 4340	4284	uicleaner.exe	85
PID 4284 wrote to memory of 4340	4284	uicleaner.exe	85
PID 4284 wrote to memory of 2968	4284	uicleaner.exe	87
PID 4284 wrote to memory of 2968	4284	uicleaner.exe	87
PID 4284 wrote to memory of 224	4284	uicleaner.exe	95
PID 4284 wrote to memory of 224	4284	uicleaner.exe	95
PID 224 wrote to memory of 4516	224	cmd.exe	97
PID 224 wrote to memory of 4516	224	cmd.exe	97
PID 224 wrote to memory of 2424	224	cmd.exe	98
PID 224 wrote to memory of 2424	224	cmd.exe	98
PID 2424 wrote to memory of 424	2424	$77BBCa.exe	100
PID 2424 wrote to memory of 424	2424	$77BBCa.exe	100
PID 2424 wrote to memory of 4660	2424	$77BBCa.exe	102
PID 2424 wrote to memory of 4660	2424	$77BBCa.exe	102
PID 2424 wrote to memory of 5752	2424	$77BBCa.exe	104
PID 2424 wrote to memory of 5752	2424	$77BBCa.exe	104
PID 2424 wrote to memory of 4924	2424	$77BBCa.exe	106
PID 2424 wrote to memory of 4924	2424	$77BBCa.exe	106
PID 4216 wrote to memory of 1628	4216	chrome.exe	119
PID 4216 wrote to memory of 1628	4216	chrome.exe	119
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 276	4216	chrome.exe	120
PID 4216 wrote to memory of 3176	4216	chrome.exe	121
PID 4216 wrote to memory of 3176	4216	chrome.exe	121
PID 4216 wrote to memory of 5448	4216	chrome.exe	122
PID 4216 wrote to memory of 5448	4216	chrome.exe	122
PID 4216 wrote to memory of 5448	4216	chrome.exe	122
PID 4216 wrote to memory of 5448	4216	chrome.exe	122
PID 4216 wrote to memory of 5448	4216	chrome.exe	122
PID 4216 wrote to memory of 5448	4216	chrome.exe	122
PID 4216 wrote to memory of 5448	4216	chrome.exe	122
PID 4216 wrote to memory of 5448	4216	chrome.exe	122
PID 4216 wrote to memory of 5448	4216	chrome.exe	122
PID 4216 wrote to memory of 5448	4216	chrome.exe	122
PID 4216 wrote to memory of 5448	4216	chrome.exe	122
PID 4216 wrote to memory of 5448	4216	chrome.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4340	attrib.exe
2968	attrib.exe

C:\Users\Admin\AppData\Local\Temp\uicleaner.exe
"C:\Users\Admin\AppData\Local\Temp\uicleaner.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Temp spoofer"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:4340
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Temp spoofer\$77BBCa.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF6A4.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4516
- - C:\Users\Admin\Temp spoofer\$77BBCa.exe
    "C:\Users\Admin\Temp spoofer\$77BBCa.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN $77BBCa.exe
      4⤵
      PID:424
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /Create /SC ONCE /TN "$77BBCa.exe" /TR "C:\Users\Admin\Temp spoofer\$77BBCa.exe \"\$77BBCa.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4660
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN $77BBCa.exe
      4⤵
      PID:5752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4924

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5480

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffa80b8cc40,0x7ffa80b8cc4c,0x7ffa80b8cc58
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2004,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1392 /prefetch:2
  2⤵
  PID:276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1880,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2348 /prefetch:3
  2⤵
  PID:3176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2428 /prefetch:8
  2⤵
  PID:5448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4584,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4844,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4928,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:5984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4916,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4908,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4548 /prefetch:8
  2⤵
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5004,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  PID:5288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5156,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4904,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5232 /prefetch:2
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:4468
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x2ac,0x2b0,0x2b4,0x288,0x2b8,0x7ff6cbe94698,0x7ff6cbe946a4,0x7ff6cbe946b0
    3⤵
    - Drops file in Windows directory
    PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5288,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5232,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3328,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4400 /prefetch:1
  2⤵
  PID:3340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5800,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5348,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3308,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6096,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6104 /prefetch:8
  2⤵
  PID:5916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6088,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=3548,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5980,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=6200,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6216 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6344,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=4960,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6340 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=6660,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6588 /prefetch:1
  2⤵
  PID:3248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=6584,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6760 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=6908,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6924 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=7040,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=7052 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=7176,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=7204 /prefetch:1
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=7188,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=7348 /prefetch:1
  2⤵
  PID:976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=7212,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=7488 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=7476,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=7632 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=7652,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=7776 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=7784,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=7916 /prefetch:1
  2⤵
  PID:760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=7940,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=8064 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=8188,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=8204 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=8212,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=8348 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=8384,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=8240 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=8632,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=8508 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=8640,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=8788 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=8812,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=8932 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --field-trial-handle=8940,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=9076 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --field-trial-handle=9092,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=9224 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --field-trial-handle=9060,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=9368 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --field-trial-handle=9508,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=9528 /prefetch:1
  2⤵
  PID:6072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --field-trial-handle=9388,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=9640 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --field-trial-handle=9704,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=9660 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --field-trial-handle=9720,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=9832 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --field-trial-handle=9808,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=10080 /prefetch:1
  2⤵
  PID:5388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --field-trial-handle=9948,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=10200 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --field-trial-handle=10076,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=10220 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --field-trial-handle=10576,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=10536 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --field-trial-handle=10972,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=10976 /prefetch:1
  2⤵
  PID:6576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --field-trial-handle=8084,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=11024 /prefetch:1
  2⤵
  PID:6712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --field-trial-handle=10436,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=7328 /prefetch:1
  2⤵
  PID:6720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --field-trial-handle=10828,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=11308 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --field-trial-handle=7640,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=7516 /prefetch:1
  2⤵
  PID:6680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --field-trial-handle=11448,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=10460 /prefetch:1
  2⤵
  PID:6844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --field-trial-handle=11656,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=11640 /prefetch:1
  2⤵
  PID:7084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --field-trial-handle=11756,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=11772 /prefetch:1
  2⤵
  PID:7124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --field-trial-handle=11908,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=11752 /prefetch:1
  2⤵
  PID:6560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --field-trial-handle=12052,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=11612 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --field-trial-handle=12100,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=11932 /prefetch:1
  2⤵
  PID:6584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --field-trial-handle=12128,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=12244 /prefetch:1
  2⤵
  PID:6568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --field-trial-handle=12144,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=12360 /prefetch:1
  2⤵
  PID:6556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --field-trial-handle=12340,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=12580 /prefetch:1
  2⤵
  PID:6732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --field-trial-handle=12604,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=12712 /prefetch:1
  2⤵
  PID:6608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --field-trial-handle=12720,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=12844 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --field-trial-handle=12992,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=13064 /prefetch:1
  2⤵
  PID:7352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --field-trial-handle=12968,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=13212 /prefetch:1
  2⤵
  PID:7464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --field-trial-handle=13376,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=13364 /prefetch:1
  2⤵
  PID:7524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --field-trial-handle=13492,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=13476 /prefetch:1
  2⤵
  PID:7588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=13912,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=13924 /prefetch:8
  2⤵
  PID:7744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=13948,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=13980 /prefetch:8
  2⤵
  PID:7752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=13992,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=14256 /prefetch:8
  2⤵
  PID:7760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=14000,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=14420 /prefetch:8
  2⤵
  PID:7768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=14124,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=14560 /prefetch:8
  2⤵
  PID:7776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --field-trial-handle=14004,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=14712 /prefetch:1
  2⤵
  PID:7924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --field-trial-handle=10016,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=11496 /prefetch:1
  2⤵
  PID:7828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --field-trial-handle=9924,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=10056 /prefetch:1
  2⤵
  PID:5908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --field-trial-handle=3432,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=9168 /prefetch:1
  2⤵
  PID:8088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --field-trial-handle=7900,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=14120 /prefetch:1
  2⤵
  PID:6512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --field-trial-handle=11716,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=11704 /prefetch:1
  2⤵
  PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=9840,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=11608 /prefetch:8
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --field-trial-handle=12740,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=7832 /prefetch:1
  2⤵
  PID:6700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --field-trial-handle=11444,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=13656 /prefetch:1
  2⤵
  PID:7376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --field-trial-handle=12956,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:6272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --field-trial-handle=9984,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=9620 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=9764,i,10566634677069948209,15295779941056503883,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3280 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5540

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2684

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e4 0x33c
1⤵
PID:4604

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:7260

C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe
"C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:8132

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap21423:56:7zEvent13198 -ad -saa -- "C:\Users\Admin\Desktop\rat"
1⤵
PID:4412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffa80b8cc40,0x7ffa80b8cc4c,0x7ffa80b8cc58
  2⤵
  PID:7784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery