silverrat | c9c505c8607cad0f8b787fe677ac182fc697930d9ef1895178c50e4f8d99f0c0

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2025, 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rat/SilverClient - Copy (15).exe
Size

43KB
MD5

44a5ff2feda2634ae7d9fadc97ebd0a0
SHA1

9a763aefd806585e11a36203e575ae142f38bc6c
SHA256

5dde6801897a7d76c16e64c0b36a3280fbf5371642a690b85ddd31538c4458d8
SHA512

cebc24998c33d7fe8bcdba5183d60c36b3ccaac247d0ee206a73485236453c109dc269522df01d85f58efd3d7a28358221f2139f11356f95f9b8283475f576ca
SSDEEP

768:GdmcASe38zJ/Ol6IoZmtPHJm7+avCJ8eEPNRULQD9PUGa7AB6Sh/lE:GdmcASeuOtvhmeZKNGsD9pYAoS/lE

Score

10^/10

silverrat defense_evasion execution persistence trojan

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

if-eventually.gl.at.ply.gg:17094

Mutex

Mutex_DthEiIseBZ

Attributes

certificate
MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==
decrypted_key
-|S.S.S|-
key
yy6zDjAUmbB09pKvo5Hhug==
key_x509
eGlwZU1BZVJwdkFBdllxYmdRQUJ2eWtsbVVURFhE
reconnect_delay
0
server_signature
82XrwJstrm0nqjslD808bx+Ume3efeGMf7zUlVkngpQb87z21PsSKQBcTZK9EaXM0QyjpcsVNJXl0qmSosxJJOm0KKVMHYKGnVBNCZLj5O99+4v22ZWCi56RWOs9+ng8qwN8xdzn3HnKucPRz7a8JhI+UEI2ukS8ZhVfV7qf1oq6FwIG1uh4L4GwsQcfllQtFIzrcJqIdmWxM3WuMauxIW/Zzj51aSjpesrkHtxhBfKl3W4xhpX5jcWIcCiLfvfQ9E+PNUX749MGWb8fbvDdeI5yZun92ZZlcYpsymaYSEGIyzYotaZEVnsVattoVvsdOkWrsVqlKf4XIPFxmijkMaGQ/ayfFFpbjWPbyeJGlIAa+KbR5CxvF59/zedZirVAcFOWAzE/E/+kyxIbNtd6o7GZE2ZcIsMeei2HIjuCiWKsiV7qLY7vd//T8Rf8mG5/4i/xCiDG7HHX4oSx6mi6u97uThj6ULk43RmOL+fHaV2J+DewyDSivdrRWlQ95pX8FlRiKXlaJIxCbTWOwxsK2xebzkbsUKGGsOwCA/UQJ1TXNmatbaNqldHgqXKgYSFLRIiLDgM0xZQ+ThJag+cRkT7qr7W7HVaFlDNiLbVm4QZ34Iy//W3TM7w17dYghMhn3550gafqXCLOIH9vPh+YF9KVG3e3EOrkYaDUQK13PxY=

Signatures

SilverRat
SilverRat is trojan written in C#.
trojan silverrat
Silverrat family
silverrat

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1804	attrib.exe
3788	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	$77Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	SilverClient - Copy (15).exe

Executes dropped EXE 1 IoCs

pid	Process
3516	$77Runtime Broker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\SysTemp64\\$77Runtime Broker.exe\""	SilverClient - Copy (15).exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4004	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3632	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
792	schtasks.exe
4680	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1400	SilverClient - Copy (15).exe
1400	SilverClient - Copy (15).exe
1400	SilverClient - Copy (15).exe
1400	SilverClient - Copy (15).exe
1400	SilverClient - Copy (15).exe
1400	SilverClient - Copy (15).exe
1400	SilverClient - Copy (15).exe
1400	SilverClient - Copy (15).exe
1400	SilverClient - Copy (15).exe
1400	SilverClient - Copy (15).exe
1400	SilverClient - Copy (15).exe
1400	SilverClient - Copy (15).exe
1400	SilverClient - Copy (15).exe
1400	SilverClient - Copy (15).exe
1400	SilverClient - Copy (15).exe
1400	SilverClient - Copy (15).exe
1400	SilverClient - Copy (15).exe
1400	SilverClient - Copy (15).exe
1400	SilverClient - Copy (15).exe
1400	SilverClient - Copy (15).exe
1400	SilverClient - Copy (15).exe
1400	SilverClient - Copy (15).exe
1400	SilverClient - Copy (15).exe
1400	SilverClient - Copy (15).exe
1400	SilverClient - Copy (15).exe
1400	SilverClient - Copy (15).exe
3516	$77Runtime Broker.exe
3516	$77Runtime Broker.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	2876	vssvc.exe
Token: SeRestorePrivilege	2876	vssvc.exe
Token: SeAuditPrivilege	2876	vssvc.exe
Token: SeDebugPrivilege	1400	SilverClient - Copy (15).exe
Token: SeDebugPrivilege	3516	$77Runtime Broker.exe
Token: SeDebugPrivilege	4004	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3516	$77Runtime Broker.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 1804	1400	SilverClient - Copy (15).exe	90
PID 1400 wrote to memory of 1804	1400	SilverClient - Copy (15).exe	90
PID 1400 wrote to memory of 3788	1400	SilverClient - Copy (15).exe	92
PID 1400 wrote to memory of 3788	1400	SilverClient - Copy (15).exe	92
PID 1400 wrote to memory of 880	1400	SilverClient - Copy (15).exe	103
PID 1400 wrote to memory of 880	1400	SilverClient - Copy (15).exe	103
PID 880 wrote to memory of 3632	880	cmd.exe	105
PID 880 wrote to memory of 3632	880	cmd.exe	105
PID 880 wrote to memory of 3516	880	cmd.exe	106
PID 880 wrote to memory of 3516	880	cmd.exe	106
PID 3516 wrote to memory of 4836	3516	$77Runtime Broker.exe	108
PID 3516 wrote to memory of 4836	3516	$77Runtime Broker.exe	108
PID 3516 wrote to memory of 792	3516	$77Runtime Broker.exe	110
PID 3516 wrote to memory of 792	3516	$77Runtime Broker.exe	110
PID 3516 wrote to memory of 4472	3516	$77Runtime Broker.exe	112
PID 3516 wrote to memory of 4472	3516	$77Runtime Broker.exe	112
PID 3516 wrote to memory of 4004	3516	$77Runtime Broker.exe	114
PID 3516 wrote to memory of 4004	3516	$77Runtime Broker.exe	114
PID 3516 wrote to memory of 4680	3516	$77Runtime Broker.exe	115
PID 3516 wrote to memory of 4680	3516	$77Runtime Broker.exe	115
PID 3516 wrote to memory of 2832	3516	$77Runtime Broker.exe	132
PID 3516 wrote to memory of 2832	3516	$77Runtime Broker.exe	132
PID 3516 wrote to memory of 2712	3516	$77Runtime Broker.exe	134
PID 3516 wrote to memory of 2712	3516	$77Runtime Broker.exe	134
PID 3516 wrote to memory of 2800	3516	$77Runtime Broker.exe	136
PID 3516 wrote to memory of 2800	3516	$77Runtime Broker.exe	136
PID 3516 wrote to memory of 1536	3516	$77Runtime Broker.exe	138
PID 3516 wrote to memory of 1536	3516	$77Runtime Broker.exe	138
PID 3516 wrote to memory of 4692	3516	$77Runtime Broker.exe	140
PID 3516 wrote to memory of 4692	3516	$77Runtime Broker.exe	140
PID 3516 wrote to memory of 2804	3516	$77Runtime Broker.exe	142
PID 3516 wrote to memory of 2804	3516	$77Runtime Broker.exe	142
PID 3516 wrote to memory of 1888	3516	$77Runtime Broker.exe	144
PID 3516 wrote to memory of 1888	3516	$77Runtime Broker.exe	144
PID 3516 wrote to memory of 5100	3516	$77Runtime Broker.exe	146
PID 3516 wrote to memory of 5100	3516	$77Runtime Broker.exe	146
PID 3516 wrote to memory of 4408	3516	$77Runtime Broker.exe	148
PID 3516 wrote to memory of 4408	3516	$77Runtime Broker.exe	148

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1804	attrib.exe
3788	attrib.exe

C:\Users\Admin\AppData\Local\Temp\rat\SilverClient - Copy (15).exe
"C:\Users\Admin\AppData\Local\Temp\rat\SilverClient - Copy (15).exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:1804
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:3788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1345.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3632
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN $77Runtime Broker.exe
      4⤵
      PID:4836
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /Create /SC ONCE /TN "$77Runtime Broker.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe \"\$77Runtime Broker.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:792
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN $77Runtime Broker.exe
      4⤵
      PID:4472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4004
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4680
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:2712
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2800
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:1536
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4692
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:2804
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1888
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:5100
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4408
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:3248
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:2916
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:2216
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:268
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:180
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:3884
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:2728
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:3504
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:2220
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:5148
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:5312
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:5440
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5492
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:5696
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:5840
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:6084
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:540
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:4208
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:5176
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:6256
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:6520
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:6824
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:7100
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6264
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:6656
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:6400
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:6384
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7228
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:7420

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r4o2lajv.3sa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1345.tmp.bat

Filesize
199B

MD5
cbd3fd5eb26a4228218865ff462c3be0

SHA1
12fb6c6ad2a25b5127e810000249bdeca730a589

SHA256
b24f31ad7511f7d6eebb84fd678e192dae8f31cc1574a9e72374f6e87100f160

SHA512
1944b960757359c778e36ed6f5b376e86cb59df9ff9f6f3c7aaf35342897956815a462077b60442527ae779fd3027bfb9239840c428c221901aa9bd320ec1740

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
092abb987a781e77d9e421ee3741cc12

SHA1
3110fdb03ab666d5fbcc730c25287a03ea941abf

SHA256
9ba38bff72f4bea96506d79bde1ee8ce8e80b20565137ff5da1375fbd7e5d3b5

SHA512
b61cbb2aec6922dc420cdc79376ec30030d73c93f883ac376befad28e8af3ec7eb19941c0da642157387b1235d4a959f0fb3db0d6b4c67f77666dbb71ce409d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
4fd370af9dd82a2d5745586d3d362e5f

SHA1
5d7e0adccb1e9538efc0cc6d10ee8e502c297573

SHA256
6c6a3ca6daaf752df6654cd75ecf8844928c69a78ad736036cf923720cf373aa

SHA512
b1b66714791c8d92f7308960d698b0ce17a3e97495786901da17ef40a1da7a5b9cf5bd99df6658c99aeacd9c8605652b9d41536a00479d1d9903fa5313f38436

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
29817090fc9b988c948259cdeb396d4e

SHA1
f9550a0866fb9cc35a4ff74c95af9445221e2c94

SHA256
615a2e558979aad15edbb06768613b913cc8fc808f74dead0f85e3787dbbaec5

SHA512
5120b7fac9c2573c7647deb60749c01255734f3cea180ea5f5b0a06f985f325e21f1a6d2266bde53e2cbf4a568cb8994fecc1284788827daca8b57f130f21cc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
727d4d894051cd0c1fb6af41b4562176

SHA1
e01f285366b8a22dcd203cac733c48abba346e0a

SHA256
7e3d09e20ae6921daeebeaf9562c92c093cad94982ce705ecd3c067a63b8d926

SHA512
522e63c663130998c979aea7be222168747b478a9b5ac0d3223f2b560ce9e1e5bfa8e578c47f8fecac15b6b249fb4041913542e0479120c2d4b0fc438152ea07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
75a1f33705136030d13ec7ed5b81917c

SHA1
0f5227db21e9e3ee396a721c5ea37c510319cf26

SHA256
de4026a4444a11e56637b9fa6581e5d9056a6e1d5245e1b09c97eb6b0f4336d6

SHA512
53bb176b39f7a20368b7fb1910713dfbac1107f819149e5de27dd7adb4b261d71f84ffc0acb96cabcd040c568ff03c06f78fa2e427f9d8f12237a97aa00cd260

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
45cfb4bcd2224187eb0f2101ccdc0233

SHA1
f0e2da02bb1f694299710835e67c380da6447b17

SHA256
5be7dcce6ea234d0989394ace14bf3e2275a96c049ba6e280f94707ed81a3030

SHA512
128c5f8c74d08193fb5ee8558004cf805ef16015ff9659e6e29de60835c29dd7db44368c35f241810848a58f97d8a87ab8091315d216eb8d1a23c1278c93c570

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
67331ba7fb2abcf3e29e21ec7f89431c

SHA1
34272e2dd185255a2fff85a3033c721ec932724e

SHA256
31a995c0de56d63c3d18d256c35f9b5a99fe001e35ea72895901c218c29cffbc

SHA512
d5197c37815c9c079cc0b4f05c7ec806b217b73a59a53e310007471c3be4783f76d4c7dad83fb4b0270dd09fa4e60ccad521a222df2ab08490d2becd419d51f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
ec380156bfd528209d6f09e0d5a9c6bf

SHA1
46b56ac37052f9df627681667f4f84cb78fce3fe

SHA256
1edcb46a8d3e03affd97ed7f4fe1ee8a3ad7147e65185784fe2b19480901d75e

SHA512
e76de58251c9de3e71c5d39c4da081a4a7d89793303b95374a1cbd48c2b42579de15f8d37d59496ad7236627c09a0dc71c516af7f5ab11427b62a6e5e3e1cdb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
891839f52621d009bee857ebdf22e8a5

SHA1
1d40d4243696263588f05db52eca73bffe58b2d2

SHA256
d158e414166f812cfe35a349e3f6630883f68adc04736ccbfb2d421d77658749

SHA512
f57181a41c519e1995d0ee3a89b739ad805acebc1b15d5032792837764998e330a2f3b52d4170e87520fb4b4122c91601c93417ed754be14cee7bcddec1d1087

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe

Filesize
43KB

MD5
44a5ff2feda2634ae7d9fadc97ebd0a0

SHA1
9a763aefd806585e11a36203e575ae142f38bc6c

SHA256
5dde6801897a7d76c16e64c0b36a3280fbf5371642a690b85ddd31538c4458d8

SHA512
cebc24998c33d7fe8bcdba5183d60c36b3ccaac247d0ee206a73485236453c109dc269522df01d85f58efd3d7a28358221f2139f11356f95f9b8283475f576ca

Download Submit
memory/1400-4-0x00007FFFC0F00000-0x00007FFFC19C1000-memory.dmp

Filesize
10.8MB

Download
memory/1400-1-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/1400-0-0x00007FFFC0F03000-0x00007FFFC0F05000-memory.dmp

Filesize
8KB

Download
memory/1400-2-0x00007FFFC0F00000-0x00007FFFC19C1000-memory.dmp

Filesize
10.8MB

Download
memory/1400-3-0x00007FFFC0F03000-0x00007FFFC0F05000-memory.dmp

Filesize
8KB

Download
memory/1400-10-0x00007FFFC0F00000-0x00007FFFC19C1000-memory.dmp

Filesize
10.8MB

Download
memory/1536-113-0x00000229327F0000-0x0000022932834000-memory.dmp

Filesize
272KB

Download
memory/1536-134-0x00000229328C0000-0x0000022932936000-memory.dmp

Filesize
472KB

Download
memory/3516-28-0x0000000001D10000-0x0000000001D30000-memory.dmp

Filesize
128KB

Download
memory/4004-15-0x000002F459F40000-0x000002F459F62000-memory.dmp

Filesize
136KB

Download