silverrat | 31f5206de0b4956ae322443d90e5413d3b99a5a0e289985d89589e687abfcc01

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2499014680-1400926959-4114284069-1000\Control Panel\International\Geo\Nation	SilverClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2499014680-1400926959-4114284069-1000\Control Panel\International\Geo\Nation	$77System Runtime.exe

Executes dropped EXE 1 IoCs

pid	Process
2816	$77System Runtime.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\SysWOW64\\$77System Runtime.exe\""	SilverClient.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3388	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3668	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
6124	schtasks.exe
4428	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
640	SilverClient.exe
640	SilverClient.exe
640	SilverClient.exe
640	SilverClient.exe
640	SilverClient.exe
640	SilverClient.exe
640	SilverClient.exe
640	SilverClient.exe
640	SilverClient.exe
640	SilverClient.exe
640	SilverClient.exe
640	SilverClient.exe
640	SilverClient.exe
640	SilverClient.exe
640	SilverClient.exe
640	SilverClient.exe
640	SilverClient.exe
640	SilverClient.exe
640	SilverClient.exe
2816	$77System Runtime.exe
3388	powershell.exe
3388	powershell.exe
4816	chrome.exe
4816	chrome.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe
2816	$77System Runtime.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2816	$77System Runtime.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	5040	vssvc.exe
Token: SeRestorePrivilege	5040	vssvc.exe
Token: SeAuditPrivilege	5040	vssvc.exe
Token: SeDebugPrivilege	640	SilverClient.exe
Token: SeDebugPrivilege	2816	$77System Runtime.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2816	$77System Runtime.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 3644	640	SilverClient.exe	86
PID 640 wrote to memory of 3644	640	SilverClient.exe	86
PID 640 wrote to memory of 3420	640	SilverClient.exe	88
PID 640 wrote to memory of 3420	640	SilverClient.exe	88
PID 640 wrote to memory of 2684	640	SilverClient.exe	91
PID 640 wrote to memory of 2684	640	SilverClient.exe	91
PID 2684 wrote to memory of 3668	2684	cmd.exe	93
PID 2684 wrote to memory of 3668	2684	cmd.exe	93
PID 2684 wrote to memory of 2816	2684	cmd.exe	94
PID 2684 wrote to memory of 2816	2684	cmd.exe	94
PID 2816 wrote to memory of 3480	2816	$77System Runtime.exe	96
PID 2816 wrote to memory of 3480	2816	$77System Runtime.exe	96
PID 2816 wrote to memory of 6124	2816	$77System Runtime.exe	98
PID 2816 wrote to memory of 6124	2816	$77System Runtime.exe	98
PID 2816 wrote to memory of 4684	2816	$77System Runtime.exe	100
PID 2816 wrote to memory of 4684	2816	$77System Runtime.exe	100
PID 2816 wrote to memory of 3388	2816	$77System Runtime.exe	104
PID 2816 wrote to memory of 3388	2816	$77System Runtime.exe	104
PID 2816 wrote to memory of 4428	2816	$77System Runtime.exe	106
PID 2816 wrote to memory of 4428	2816	$77System Runtime.exe	106
PID 4816 wrote to memory of 5656	4816	chrome.exe	108
PID 4816 wrote to memory of 5656	4816	chrome.exe	108
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 5916	4816	chrome.exe	110
PID 4816 wrote to memory of 5916	4816	chrome.exe	110
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 3980	4816	chrome.exe	109
PID 4816 wrote to memory of 5296	4816	chrome.exe	111
PID 4816 wrote to memory of 5296	4816	chrome.exe	111
PID 4816 wrote to memory of 5296	4816	chrome.exe	111
PID 4816 wrote to memory of 5296	4816	chrome.exe	111
PID 4816 wrote to memory of 5296	4816	chrome.exe	111
PID 4816 wrote to memory of 5296	4816	chrome.exe	111
PID 4816 wrote to memory of 5296	4816	chrome.exe	111
PID 4816 wrote to memory of 5296	4816	chrome.exe	111
PID 4816 wrote to memory of 5296	4816	chrome.exe	111
PID 4816 wrote to memory of 5296	4816	chrome.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3644	attrib.exe
3420	attrib.exe

C:\Users\Admin\AppData\Local\Temp\SilverClient.exe
"C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:3644
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\$77System Runtime.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:3420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC6CA.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3668
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\$77System Runtime.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\$77System Runtime.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN $77System Runtime.exe
      4⤵
      PID:3480
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /Create /SC ONCE /TN "$77System Runtime.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysWOW64\$77System Runtime.exe \"\$77System Runtime.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6124
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN $77System Runtime.exe
      4⤵
      PID:4684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3388
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "System Runtime_Task-HOURLY-01" /tr "%MyFile%" /st 00:00
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4428

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff88f37dcf8,0x7ff88f37dd04,0x7ff88f37dd10
  2⤵
  PID:5656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1920,i,3535473933386946955,2436504793445971116,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1588,i,3535473933386946955,2436504793445971116,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  PID:5916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2384,i,3535473933386946955,2436504793445971116,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2540 /prefetch:8
  2⤵
  PID:5296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,3535473933386946955,2436504793445971116,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=1592,i,3535473933386946955,2436504793445971116,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4404,i,3535473933386946955,2436504793445971116,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4448 /prefetch:2
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4720,i,3535473933386946955,2436504793445971116,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5444,i,3535473933386946955,2436504793445971116,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5600,i,3535473933386946955,2436504793445971116,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  PID:5888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5648,i,3535473933386946955,2436504793445971116,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:6132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5432,i,3535473933386946955,2436504793445971116,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=240,i,3535473933386946955,2436504793445971116,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  PID:5556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3200,i,3535473933386946955,2436504793445971116,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3372 /prefetch:8
  2⤵
  PID:5604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3964,i,3535473933386946955,2436504793445971116,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5800 /prefetch:8
  2⤵
  PID:5940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4492,i,3535473933386946955,2436504793445971116,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4500 /prefetch:8
  2⤵
  PID:1920

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2488

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a4 0x388
1⤵
PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery