silverrat | c7c78f431c21c05d2963fb7635b73d969b7dada294252ef1d2b634b030a2375f

Analysis

max time kernel
544s
max time network
900s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
09/02/2025, 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Silly.exe
Size

45KB
MD5

1cf8d6e0acaa084d9b4201f11a1a04a8
SHA1

7cc576ff7a096e14a6e83836bfd3cd29f7164392
SHA256

c7c78f431c21c05d2963fb7635b73d969b7dada294252ef1d2b634b030a2375f
SHA512

de6889cffba397b9a95b02d3271b14c9abbe543fb2a4415182cb24e9a3cf152bfb1ae5d3237eacac613f411fc278d120191f45c5cb1c4ca5135f393b57c0527a
SSDEEP

768:iqzAMCV2799XtzcyyMjtjRULQD9PpnUz1QB6S9RVvr0/bE:iqzAM8qfzcMjGsD9K1QoyRVA/bE

Score

10^/10

silverrat defense_evasion discovery execution persistence trojan

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

if-eventually.gl.at.ply.gg:17094

Mutex

lAxDBRhAFu

Attributes

certificate
MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==
decrypted_key
-|S.S.S|-
discord
https://discord.com/api/webhooks/1335679503938355221/lGcOUDspps04wapqxq013W8uYGPSCcmnxl9Q1xnWdBn45Ul8QBT-Qs2mjsdVNXfOtTCe
key
yy6zDjAUmbB09pKvo5Hhug==
key_x509
b0FGeVZNcFRMWVloVHR6Z0VESU5RdlpZUmxZbUFE
payload_url
https://g.top4top.io/p_2522c7w8u1.png
reconnect_delay
4
server_signature
t9H0tGywaq23QHywsvniYlva2DUEoHwEX4RZOKw6QYOUUUEs6+qPhkwL0ziJc2nYj2yd5E4o3kMJj8NRpRTkpZcyIg/ljsBjIY4uuTgySYNYShSJRrNgQc/XiUXjH546feRdpS3EuZPWH15iNA3U89kmdXU1BOtms28guz5MUZ/jdeGBHbjPJULpyM8EgGGdK3ajqJ+NWQxPHql47XGQFXqJ5PauE0xmpcMKt+LU7fe+NS0Yx11uv+tRwSlMmFhYU9pSYoS8zZ7Lyeaw8rcxs06oecNxLKcmbSH3H5QWo4qYq/Y7HAeBmLEHHB5t8+bCVeDMfccmct8s+aZpljSceGlri2HJsxEjZ7FYmh4+o8bhacTmqQyE99P1kSa4FAWPLn59j5s1nO91Sb/rMvcNUApgatm6ZRZjc+Ninv7rXwFncnT7eRSRvldp7PohX6bsJEJRMnfLT4YxM0TzqV9POSK0hjrRojbiRQWahccxQRKfg3TcVxNnNjCQWMOJ0YzNuQ0ZSTLPO3QA4v/0cwD5nBhPdhowAnMUb4j61HsPdaQnKXvlx377vbMOowWJFqGC1ES1rKn843GMu81HL7FJsfrpqglmmFTddG3IwkeJU7umxj41+anidgCco7Jzbii9D9e4l2DF3EuhYg+qIuiwNw4ACh3olxSGStXl952V/dY=

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	$77Runtime Broker.exe

SilverRat
SilverRat is trojan written in C#.
trojan silverrat
Silverrat family
silverrat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
49	836	Process not Found

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4916	attrib.exe
4212	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\International\Geo\Nation	Silly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\International\Geo\Nation	$77Runtime Broker.exe

Executes dropped EXE 1 IoCs

pid	Process
4832	$77Runtime Broker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\WinTask\\$77Runtime Broker.exe\""	Silly.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1304	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	discord.com
22	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2848	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2088	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5060	schtasks.exe
772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1608	Silly.exe
1608	Silly.exe
1608	Silly.exe
1608	Silly.exe
1608	Silly.exe
1608	Silly.exe
1608	Silly.exe
1608	Silly.exe
1608	Silly.exe
1608	Silly.exe
1608	Silly.exe
1608	Silly.exe
1608	Silly.exe
1608	Silly.exe
1608	Silly.exe
1608	Silly.exe
1608	Silly.exe
1608	Silly.exe
1608	Silly.exe
1608	Silly.exe
1608	Silly.exe
1304	powershell.exe
1304	powershell.exe
4832	$77Runtime Broker.exe
1132	powershell.exe
1132	powershell.exe
1764	powershell.exe
1764	powershell.exe
3552	powershell.exe
3552	powershell.exe
1028	powershell.exe
1028	powershell.exe
2996	powershell.exe
2996	powershell.exe
3848	powershell.exe
3848	powershell.exe
1764	powershell.exe
1764	powershell.exe
1132	powershell.exe
1132	powershell.exe
216	powershell.exe
216	powershell.exe
4596	powershell.exe
4596	powershell.exe
3552	powershell.exe
3552	powershell.exe
1028	powershell.exe
1028	powershell.exe
4820	powershell.exe
4820	powershell.exe
796	powershell.exe
796	powershell.exe
2996	powershell.exe
2996	powershell.exe
1940	powershell.exe
1940	powershell.exe
3848	powershell.exe
3848	powershell.exe
4632	powershell.exe
4632	powershell.exe
5344	powershell.exe
5344	powershell.exe
216	powershell.exe
216	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4832	$77Runtime Broker.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeBackupPrivilege	4260	vssvc.exe
Token: SeRestorePrivilege	4260	vssvc.exe
Token: SeAuditPrivilege	4260	vssvc.exe
Token: SeDebugPrivilege	1608	Silly.exe
Token: SeDebugPrivilege	4832	$77Runtime Broker.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	4820	powershell.exe
Token: SeDebugPrivilege	796	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	5344	powershell.exe
Token: SeDebugPrivilege	5500	powershell.exe
Token: SeDebugPrivilege	5948	powershell.exe
Token: SeDebugPrivilege	5780	powershell.exe
Token: SeDebugPrivilege	6136	powershell.exe
Token: SeDebugPrivilege	5760	powershell.exe
Token: SeDebugPrivilege	6224	powershell.exe
Token: SeDebugPrivilege	6336	powershell.exe
Token: SeDebugPrivilege	6484	powershell.exe
Token: SeDebugPrivilege	6748	powershell.exe
Token: SeDebugPrivilege	7012	powershell.exe
Token: SeDebugPrivilege	6212	powershell.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeDebugPrivilege	7036	powershell.exe
Token: SeDebugPrivilege	5492	powershell.exe
Token: SeDebugPrivilege	7252	powershell.exe
Token: SeDebugPrivilege	7484	powershell.exe
Token: SeDebugPrivilege	7752	powershell.exe
Token: SeDebugPrivilege	7940	powershell.exe
Token: SeDebugPrivilege	7276	powershell.exe
Token: SeDebugPrivilege	7992	powershell.exe
Token: SeDebugPrivilege	8172	powershell.exe
Token: SeDebugPrivilege	8296	powershell.exe
Token: SeDebugPrivilege	8516	powershell.exe
Token: SeDebugPrivilege	8728	powershell.exe
Token: SeDebugPrivilege	9028	powershell.exe
Token: SeDebugPrivilege	8232	powershell.exe
Token: SeDebugPrivilege	8720	powershell.exe
Token: SeDebugPrivilege	7856	powershell.exe
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	3256	powershell.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	5860	powershell.exe
Token: SeDebugPrivilege	8132	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4832	$77Runtime Broker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 4916	1608	Silly.exe	93
PID 1608 wrote to memory of 4916	1608	Silly.exe	93
PID 1608 wrote to memory of 4212	1608	Silly.exe	95
PID 1608 wrote to memory of 4212	1608	Silly.exe	95
PID 1608 wrote to memory of 3328	1608	Silly.exe	100
PID 1608 wrote to memory of 3328	1608	Silly.exe	100
PID 3328 wrote to memory of 2088	3328	cmd.exe	102
PID 3328 wrote to memory of 2088	3328	cmd.exe	102
PID 3328 wrote to memory of 4832	3328	cmd.exe	104
PID 3328 wrote to memory of 4832	3328	cmd.exe	104
PID 4832 wrote to memory of 1976	4832	$77Runtime Broker.exe	106
PID 4832 wrote to memory of 1976	4832	$77Runtime Broker.exe	106
PID 4832 wrote to memory of 5060	4832	$77Runtime Broker.exe	108
PID 4832 wrote to memory of 5060	4832	$77Runtime Broker.exe	108
PID 4832 wrote to memory of 2252	4832	$77Runtime Broker.exe	110
PID 4832 wrote to memory of 2252	4832	$77Runtime Broker.exe	110
PID 4832 wrote to memory of 1304	4832	$77Runtime Broker.exe	112
PID 4832 wrote to memory of 1304	4832	$77Runtime Broker.exe	112
PID 4832 wrote to memory of 772	4832	$77Runtime Broker.exe	113
PID 4832 wrote to memory of 772	4832	$77Runtime Broker.exe	113
PID 4832 wrote to memory of 4188	4832	$77Runtime Broker.exe	143
PID 4832 wrote to memory of 4188	4832	$77Runtime Broker.exe	143
PID 4832 wrote to memory of 1132	4832	$77Runtime Broker.exe	145
PID 4832 wrote to memory of 1132	4832	$77Runtime Broker.exe	145
PID 4832 wrote to memory of 3588	4832	$77Runtime Broker.exe	147
PID 4832 wrote to memory of 3588	4832	$77Runtime Broker.exe	147
PID 4832 wrote to memory of 1764	4832	$77Runtime Broker.exe	149
PID 4832 wrote to memory of 1764	4832	$77Runtime Broker.exe	149
PID 4832 wrote to memory of 5088	4832	$77Runtime Broker.exe	151
PID 4832 wrote to memory of 5088	4832	$77Runtime Broker.exe	151
PID 4832 wrote to memory of 3552	4832	$77Runtime Broker.exe	153
PID 4832 wrote to memory of 3552	4832	$77Runtime Broker.exe	153
PID 4832 wrote to memory of 292	4832	$77Runtime Broker.exe	155
PID 4832 wrote to memory of 292	4832	$77Runtime Broker.exe	155
PID 4832 wrote to memory of 1028	4832	$77Runtime Broker.exe	157
PID 4832 wrote to memory of 1028	4832	$77Runtime Broker.exe	157
PID 4832 wrote to memory of 2400	4832	$77Runtime Broker.exe	159
PID 4832 wrote to memory of 2400	4832	$77Runtime Broker.exe	159
PID 4832 wrote to memory of 2996	4832	$77Runtime Broker.exe	161
PID 4832 wrote to memory of 2996	4832	$77Runtime Broker.exe	161
PID 4832 wrote to memory of 616	4832	$77Runtime Broker.exe	163
PID 4832 wrote to memory of 616	4832	$77Runtime Broker.exe	163
PID 4832 wrote to memory of 3848	4832	$77Runtime Broker.exe	165
PID 4832 wrote to memory of 3848	4832	$77Runtime Broker.exe	165
PID 4832 wrote to memory of 1168	4832	$77Runtime Broker.exe	167
PID 4832 wrote to memory of 1168	4832	$77Runtime Broker.exe	167
PID 4832 wrote to memory of 216	4832	$77Runtime Broker.exe	169
PID 4832 wrote to memory of 216	4832	$77Runtime Broker.exe	169
PID 4832 wrote to memory of 1848	4832	$77Runtime Broker.exe	171
PID 4832 wrote to memory of 1848	4832	$77Runtime Broker.exe	171
PID 4832 wrote to memory of 4596	4832	$77Runtime Broker.exe	173
PID 4832 wrote to memory of 4596	4832	$77Runtime Broker.exe	173
PID 4832 wrote to memory of 2688	4832	$77Runtime Broker.exe	175
PID 4832 wrote to memory of 2688	4832	$77Runtime Broker.exe	175
PID 4832 wrote to memory of 4820	4832	$77Runtime Broker.exe	177
PID 4832 wrote to memory of 4820	4832	$77Runtime Broker.exe	177
PID 4832 wrote to memory of 4184	4832	$77Runtime Broker.exe	179
PID 4832 wrote to memory of 4184	4832	$77Runtime Broker.exe	179
PID 4832 wrote to memory of 796	4832	$77Runtime Broker.exe	181
PID 4832 wrote to memory of 796	4832	$77Runtime Broker.exe	181
PID 4832 wrote to memory of 3988	4832	$77Runtime Broker.exe	183
PID 4832 wrote to memory of 3988	4832	$77Runtime Broker.exe	183
PID 4832 wrote to memory of 1940	4832	$77Runtime Broker.exe	185
PID 4832 wrote to memory of 1940	4832	$77Runtime Broker.exe	185

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4916	attrib.exe
4212	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Silly.exe
"C:\Users\Admin\AppData\Local\Temp\Silly.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:4916
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:4212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBCD8.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3328
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2088
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN $77Runtime Broker.exe
      4⤵
      PID:1976
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /Create /SC ONCE /TN "$77Runtime Broker.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe \"\$77Runtime Broker.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5060
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN $77Runtime Broker.exe
      4⤵
      PID:2252
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1304
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:772
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4188
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1132
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3588
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1764
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3552
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1028
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2996
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:616
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3848
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1168
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:216
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4596
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2688
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4820
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:796
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1940
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3272
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4632
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5344
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5500
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5780
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5948
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6136
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5760
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6224
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6336
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6484
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6748
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7012
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6212
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4504
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4704
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7036
    - - C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7036" "2164" "2448" "2568" "0" "0" "2572" "0" "0" "0" "0" "0"
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:9052
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5492
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5268
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7252
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7408
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7484
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7752
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7812
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7940
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7276
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7992
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8172
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8296
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8516
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8728
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:9028
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9192
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8232
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8720
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:1824
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:9016
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:9500
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:9668
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:9912
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7856
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4216
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4656
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:916
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3256
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4576
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5860
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:6876
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:7196
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7800
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8132
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:9492
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:9952

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzA4NUM0MjQtNURDQy00ODE2LThGQTktOUNGNEYwREE5Njg5fSIgdXNlcmlkPSJ7ODhGODczRjctRUE5MS00Qjg5LTk0MjctMUI2NTQyMjQ5RDVEfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NjFEQ0RDOTQtMDU5Ri00QzhDLTkwNzMtNTE3NUU4RjJCRkRCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5MjEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE5ODA3NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTkzODgyMTE5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
d5027fa84240dc3220d99716447c97c0

SHA1
92ac0541c869f9f37262d32b913b654362f09be7

SHA256
997c33ab00b8fa500c72f4a15a23220662307056c761088d178506ace4937e82

SHA512
b8e951c42b1a721621c6d9899c4a68b3fa0d51a2643a02b22b27cce7611e70c66fdd51a22190a254727537c0abb135bbf5cfe6956cb82f4f0a00ff63243b9b0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
64B

MD5
dc45ba1328a66107d589162f8806e324

SHA1
696b51015b9a7daf287ae9e45a5f7f9e8913320a

SHA256
bef528b035e978bede9829a47d5e8f6cf3e7abdafc7102d17ff7eac5d18288a4

SHA512
a0aaf6e37fdc7e2969808558d3218eb593f40a0f6451724bb5c3b0234fa500816cfe10a032ca944069484c7c14c4ab995b6162559057ed34920d9ebafa5f754e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ubaw5ip2.zhg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBCD8.tmp.bat

Filesize
197B

MD5
f189d01c126a575a4f3dfd9135d19527

SHA1
eda17e3271929e33e4d1e059ba1cd984bb528614

SHA256
cdf5cf19c0c14de77755067e7dddc8756bbda9bed633bfaa61317ac5e50df60d

SHA512
cb65618f91bc40651b68973cf12f79d3611bdc80a33286c281a9eed9babb036c5d3723ad5271e8dfa1a9495e8fb1b7c0fab8f69a1ff527a84f4fde79d2570558

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
e93ea8d3a52d3e11a82abd0308986443

SHA1
2948dec1d043107428550eb097c9393c14541727

SHA256
044d54fcb8b25c5c6d49a00c5a310d435995c67efa4cb5e232e714fa83547ff5

SHA512
7b2d2f7ac3d7e22c65627cd9cc420469ad2813b178fd1d2ad182bea3a36c6864a98c586ce595a3857a4de7e4ae22a959487bff0f2a8a0be7945ddcdc417aad3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
9b321b7822b14127e52269f6bff6c986

SHA1
da84587867f5473dfd05578c0e1bcfbb863b4f28

SHA256
85ee06fe11601bdf0757692aa7f19891d709e9a10711dc8e892535f86afe8815

SHA512
c5172dc600a2ec471e96556cc156498de09aa015f12162191b150715983ddd1e14edaf78a005bf3e2cabe08fd9b06eb489f1c374c26f3202e7c8dffbb7414631

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
82a8e2f764bed73f1cea834dc9de3851

SHA1
62f4c8a045ba49f70657ba9596263cc6d75f4091

SHA256
9acda8a62726abfbe5d1d15c8fcbd66a7e090b6f75edf0965892aa4e1965db70

SHA512
0631693b49d6b3473dc0a92b2931be124cd5033e406a7091503d701238d802fbc6b4b3a53383b72f7b657ce8ff95272e5c664d84ce74150120f6ea9c7fe63546

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
b62e8fa51f2b83de70e652c5992f0e09

SHA1
fd782706d984fe9f19e1042e0526c61246ac0cdd

SHA256
e4d102bf646189412401050c07a3f85726f86ec02340ea461d7cd0b8c7ba1896

SHA512
6da41656a0b189d514931c36126f32b0c69674f5dbd00f5e132fdc2abe4284b781e8c9e13d565aa1b4e66b5252c8f6b463e09c5c654bbf60f1cac89b05e82aae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
1caf5d78b18a4a61c87ceddc3d6a6a51

SHA1
093e0d3e81cf2fb12dd92a396ef7021913a9aa77

SHA256
b94cf5a57e7c9ffb57a6842dbaaccecaa51a64782fd470f37ea5ae7a8fad0e3c

SHA512
f1a986dec03a4ea2636ae3f11f527d1987fa87c52a3d65ca33d08fe48fe320a00accdb01bce0f9279639d96cba3175513e342837630c8ca4e6c6746fc550d62e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
e56735478c799e9b0d12e445d5b40c27

SHA1
d33810c1df4f23d4f7b9385f1ea4a4e5e54eefd6

SHA256
7b8d05149bc20b51ff8dc83f65d3f08da4e79cbd950dd10095aa2b7b1ae68ccf

SHA512
71d51e55dca56a0c0702646061cb83b2425dcdb37e00f8720410bec7f2acb5c9922567343a12a7f91c02fccc0fb746705759fdd4d5615dd5db4b47b4cb78bd33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
dac1bec48dbffa4cc529d704a2a0a9c1

SHA1
cdfe291e70a9eb0c794de6366954dfa0b60fb441

SHA256
2a21b72c86bd17a0be77a0a13904a979413b5f150f2c6ca2804f1f9d59f6dc81

SHA512
429b9c65d1e6b67935e08a98d517b473e9359e5a2ac5094cbbdda87b23b9e513b3f0f22a179a2a4180475dbc8926660b6e4ea85d0b9829a5730ca016594e074d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
d6714065a3b5eca36cc12188541f8183

SHA1
1138b0af5b3c763eeb38c4a0cbeca77d4390864a

SHA256
4c413ccd818ff45e975af5e1a28aa7dabb8996e75f5bdf347ed3a8649f302026

SHA512
eaa0305dca365b0024140823a1ead2179ec8561ccefba30251b1423fc1117d75d63614cc8c16669e46578b9fd98cecfcd2993ecf624c77d9279d322eef1dca7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
656e580fc659b6526c46ee556e046577

SHA1
50da43897f0ab3605b2c7107096fbb854207463c

SHA256
7807044e451a30eb8ffdb7b87342d34d50ece047c60ec8ed09d976e3c309cb23

SHA512
d468c0dfa2b1a6bb9d25b398d81a44acad37516337c8f6ceee810a11c212b8497c4a5b2baf8f7441c1c51c8ee01833abbee6de27a59be2fb86ca25167f6e26aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
367a9e95e743a12e1a6c68de65c1ef3c

SHA1
d0f93149d7afc5881f22bd698c7e3c06528b3844

SHA256
2e97a97734e9e90d373add5d83c390ae0abf96e515415c8680c6a30d220d6d4d

SHA512
6d89648fe48cbc40d19ec18cbe4b78a6705cf124e047f8b5fbb9b02ea4f67c23db19750cfcb25efeb01e1df04b6d405277a1eb9348a3d146ea7153a1f7f6da86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
200792274e133d7113d4f789783bd7ec

SHA1
81d322bbff985a5cd458f37873475d0f74b6701f

SHA256
78ac910cead864d3232f2dffaba07192b8ee8f9e4eafd56eef0bb4da1591d66c

SHA512
038185999f7e6db04eae2e26eda12b47621a5a1576d67556a924bfdf39bb0f063bad3bff66effa0048d8385eae6dcc6ccb4272a12c98659ee86110635db0ab2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
56f98593e99a446ac92f217438879f89

SHA1
60e133fec2d9674c0938f33fe3e427455cd05c14

SHA256
ab2313e09bb3fd55eff6b22f1cb73bff19b8f41dbff44d6ba3bf7acbaefc98a2

SHA512
74bb3fef1f6f10c09578137c219053bc01c3aaf615408dabdce39d2308e414d9ccf9a50e2a30a03ab5828fb4b0caa90fdb48663d8bec8ea14965152b9cf03a4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
1f11d1050f80eef348e1e9bdc0d0d77e

SHA1
66bb688f0e749186d97bec020cb59c759a4b6071

SHA256
72926d2304a830728b271851f7c6a45dd0f4f8a2b2a2a43b764a173b0d34cc5b

SHA512
cd82c4b8cf096e64cb6eec46664095fd8e2f47e118821ccb1ff0129aed99f50893d53aa05a75e728e4722a8354ec878a384bf8bfb176d5177d9a095e9604992b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
966cb00a5c7a68b82ab6030621d54e09

SHA1
27138162370d5d23af16100288f4600bec11a566

SHA256
b049096bf2c42839cab54270ae94cacaa02a614452a0d4ad492a42596d9ba9c5

SHA512
a13dbd31e4e8b9d60a025cb74a6fd3958fdc3cbef8b3ec87d8cd1363eabdb7154dae808d6514b3034183af9e0c9b0ed78adc4a30c4afda8dc24a07a8aebcebca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
698980e77145237589b2cb6f2dab419c

SHA1
35d960b4428779c34890748d8bbdc84ec0539b09

SHA256
a40d63ff64c03b1e7ef60702e1f6156c175e2f98c951c3731a8d8721713d5d5f

SHA512
44e3f8199553040554720fd33c896947bdde969b993ac1fc34218ff37587fee7167b0c42bf2549c61c898e15ab3a42ff3dcfbd14dfccc6854778087069a1cc90

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
0f59774d7ad2ce16f686c08630ac82dc

SHA1
332b0c19daf0fcff750e4751a6e1af62840857af

SHA256
4f663fadfde868a93fcc324eef69df4a5e6d4a62ff0d44339d1a253e24bf90fa

SHA512
bdd0eaa06a5382bd0eb69053d1d4ca0c91c26fb7fd0d113185537a1d6988597645e62f03246702b0100170370a7c6b92432a8650ffcc3f47b2d3f740819878c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
b9778c943bf57106b582a0a66ce5db21

SHA1
9765bd4ccaed038fbfb353079d1d9b7d14f9e7bf

SHA256
31554f9f9e16645937bab7ccdef4294a208373410c6369e2f71ac76f5d8df246

SHA512
6285bd2d028d182c01296701c76f95af4440fc995caef0bd17a2baaecb18217fa418547aa25b4cdea95ae15fafcd8de48117451aa653d750e91b74111ffa1899

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FTW7KP2XE441IZ8RCSHL.temp

Filesize
6KB

MD5
8d398cb82cb05e2fe22f82d7ddca3b6c

SHA1
7e4fe39802fa9030697b6d17984635c100160bdd

SHA256
c46840c2e6f21d9ad89b7d67f9a6015d9fe6ca3a585d23c338915aa11665ba3c

SHA512
ec007c7de750d5fcf9c57336ebe1e978191c1112593a0bbd778a2997672c1c8a64662478768541af5045950d2cb9c90a3b2af14d6c3608bd4ff474f4f0fc8190

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z7PB5DIG4LS5M2AHLMDG.temp

Filesize
6KB

MD5
3d34cd29d270580be070e8b9e18fa37d

SHA1
28cbd0159dc7d16bcb014ec606f2e0b3f6a5b1d8

SHA256
0cd105f9780f19ded50c3fc246fcb56183e765750a0e114f43870e6f07e959eb

SHA512
b4c63c8a57dfa39da16a1b9cd6c908112a55c5518c8304d84cfaf5a7d10e97e4668bbd62db230310fb2a2e5775cd07f60e02b999820095ceec4907827b6ae969

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe

Filesize
45KB

MD5
1cf8d6e0acaa084d9b4201f11a1a04a8

SHA1
7cc576ff7a096e14a6e83836bfd3cd29f7164392

SHA256
c7c78f431c21c05d2963fb7635b73d969b7dada294252ef1d2b634b030a2375f

SHA512
de6889cffba397b9a95b02d3271b14c9abbe543fb2a4415182cb24e9a3cf152bfb1ae5d3237eacac613f411fc278d120191f45c5cb1c4ca5135f393b57c0527a

Download Submit
memory/1132-139-0x000001F39C8C0000-0x000001F39C936000-memory.dmp

Filesize
472KB

Download
memory/1304-14-0x000001297B4F0000-0x000001297B512000-memory.dmp

Filesize
136KB

Download
memory/1608-2-0x00007FFDD6F10000-0x00007FFDD79D1000-memory.dmp

Filesize
10.8MB

Download
memory/1608-3-0x00007FFDD6F13000-0x00007FFDD6F15000-memory.dmp

Filesize
8KB

Download
memory/1608-4-0x00007FFDD6F10000-0x00007FFDD79D1000-memory.dmp

Filesize
10.8MB

Download
memory/1608-10-0x00007FFDD6F10000-0x00007FFDD79D1000-memory.dmp

Filesize
10.8MB

Download
memory/1608-0-0x00007FFDD6F13000-0x00007FFDD6F15000-memory.dmp

Filesize
8KB

Download
memory/1608-1-0x00000000004E0000-0x00000000004F0000-memory.dmp

Filesize
64KB

Download
memory/1764-113-0x0000014C769C0000-0x0000014C76A04000-memory.dmp

Filesize
272KB

Download
memory/4832-28-0x0000000001B50000-0x0000000001B70000-memory.dmp

Filesize
128KB

Download
memory/4832-26-0x000000001C9F0000-0x000000001CA00000-memory.dmp

Filesize
64KB

Download