silverrat | c9c505c8607cad0f8b787fe677ac182fc697930d9ef1895178c50e4f8d99f0c0

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	SilverClient - Copy (14).exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	$77Runtime Broker.exe

Executes dropped EXE 1 IoCs

pid	Process
3620	$77Runtime Broker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\SysTemp64\\$77Runtime Broker.exe\""	SilverClient - Copy (14).exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1036	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3148	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4508	schtasks.exe
5032	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
532	SilverClient - Copy (14).exe
532	SilverClient - Copy (14).exe
532	SilverClient - Copy (14).exe
532	SilverClient - Copy (14).exe
532	SilverClient - Copy (14).exe
532	SilverClient - Copy (14).exe
532	SilverClient - Copy (14).exe
532	SilverClient - Copy (14).exe
532	SilverClient - Copy (14).exe
532	SilverClient - Copy (14).exe
532	SilverClient - Copy (14).exe
532	SilverClient - Copy (14).exe
532	SilverClient - Copy (14).exe
532	SilverClient - Copy (14).exe
532	SilverClient - Copy (14).exe
532	SilverClient - Copy (14).exe
532	SilverClient - Copy (14).exe
532	SilverClient - Copy (14).exe
532	SilverClient - Copy (14).exe
532	SilverClient - Copy (14).exe
532	SilverClient - Copy (14).exe
532	SilverClient - Copy (14).exe
532	SilverClient - Copy (14).exe
3620	$77Runtime Broker.exe
3620	$77Runtime Broker.exe
1036	powershell.exe
1036	powershell.exe
1036	powershell.exe
3664	powershell.exe
3784	powershell.exe
4812	powershell.exe
1728	powershell.exe
1728	powershell.exe
1728	powershell.exe
316	powershell.exe
316	powershell.exe
1752	powershell.exe
1752	powershell.exe
4932	powershell.exe
4932	powershell.exe
4080	powershell.exe
4080	powershell.exe
3664	powershell.exe
3664	powershell.exe
1788	powershell.exe
1788	powershell.exe
4812	powershell.exe
4812	powershell.exe
3784	powershell.exe
3784	powershell.exe
3672	powershell.exe
3672	powershell.exe
4080	powershell.exe
4828	powershell.exe
4828	powershell.exe
1300	powershell.exe
1300	powershell.exe
316	powershell.exe
1752	powershell.exe
1752	powershell.exe
316	powershell.exe
3780	powershell.exe
3780	powershell.exe
4932	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3620	$77Runtime Broker.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeBackupPrivilege	4368	vssvc.exe
Token: SeRestorePrivilege	4368	vssvc.exe
Token: SeAuditPrivilege	4368	vssvc.exe
Token: SeDebugPrivilege	532	SilverClient - Copy (14).exe
Token: SeDebugPrivilege	3620	$77Runtime Broker.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	4080	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	3672	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	3780	powershell.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	292	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	5144	powershell.exe
Token: SeDebugPrivilege	5368	powershell.exe
Token: SeDebugPrivilege	5624	powershell.exe
Token: SeDebugPrivilege	6080	powershell.exe
Token: SeDebugPrivilege	5888	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	5564	powershell.exe
Token: SeDebugPrivilege	6228	powershell.exe
Token: SeDebugPrivilege	6384	powershell.exe
Token: SeDebugPrivilege	6684	powershell.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	6884	powershell.exe
Token: SeDebugPrivilege	6760	powershell.exe
Token: SeDebugPrivilege	5660	powershell.exe
Token: SeDebugPrivilege	7292	powershell.exe
Token: SeDebugPrivilege	7680	powershell.exe
Token: SeDebugPrivilege	7568	powershell.exe
Token: SeDebugPrivilege	7928	powershell.exe
Token: SeDebugPrivilege	8060	powershell.exe
Token: SeDebugPrivilege	7488	powershell.exe
Token: SeDebugPrivilege	7772	powershell.exe
Token: SeDebugPrivilege	8408	powershell.exe
Token: SeDebugPrivilege	9136	powershell.exe
Token: SeDebugPrivilege	8564	powershell.exe
Token: SeDebugPrivilege	9060	powershell.exe
Token: SeDebugPrivilege	8956	powershell.exe
Token: SeDebugPrivilege	6632	powershell.exe
Token: SeDebugPrivilege	7972	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3620	$77Runtime Broker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 228	532	SilverClient - Copy (14).exe	92
PID 532 wrote to memory of 228	532	SilverClient - Copy (14).exe	92
PID 532 wrote to memory of 3740	532	SilverClient - Copy (14).exe	94
PID 532 wrote to memory of 3740	532	SilverClient - Copy (14).exe	94
PID 532 wrote to memory of 1284	532	SilverClient - Copy (14).exe	103
PID 532 wrote to memory of 1284	532	SilverClient - Copy (14).exe	103
PID 1284 wrote to memory of 3148	1284	cmd.exe	105
PID 1284 wrote to memory of 3148	1284	cmd.exe	105
PID 1284 wrote to memory of 3620	1284	cmd.exe	106
PID 1284 wrote to memory of 3620	1284	cmd.exe	106
PID 3620 wrote to memory of 1996	3620	$77Runtime Broker.exe	108
PID 3620 wrote to memory of 1996	3620	$77Runtime Broker.exe	108
PID 3620 wrote to memory of 4508	3620	$77Runtime Broker.exe	110
PID 3620 wrote to memory of 4508	3620	$77Runtime Broker.exe	110
PID 3620 wrote to memory of 2264	3620	$77Runtime Broker.exe	112
PID 3620 wrote to memory of 2264	3620	$77Runtime Broker.exe	112
PID 3620 wrote to memory of 1036	3620	$77Runtime Broker.exe	114
PID 3620 wrote to memory of 1036	3620	$77Runtime Broker.exe	114
PID 3620 wrote to memory of 5032	3620	$77Runtime Broker.exe	115
PID 3620 wrote to memory of 5032	3620	$77Runtime Broker.exe	115
PID 3620 wrote to memory of 1824	3620	$77Runtime Broker.exe	129
PID 3620 wrote to memory of 1824	3620	$77Runtime Broker.exe	129
PID 3620 wrote to memory of 3664	3620	$77Runtime Broker.exe	131
PID 3620 wrote to memory of 3664	3620	$77Runtime Broker.exe	131
PID 3620 wrote to memory of 3156	3620	$77Runtime Broker.exe	133
PID 3620 wrote to memory of 3156	3620	$77Runtime Broker.exe	133
PID 3620 wrote to memory of 3784	3620	$77Runtime Broker.exe	135
PID 3620 wrote to memory of 3784	3620	$77Runtime Broker.exe	135
PID 3620 wrote to memory of 3276	3620	$77Runtime Broker.exe	137
PID 3620 wrote to memory of 3276	3620	$77Runtime Broker.exe	137
PID 3620 wrote to memory of 4812	3620	$77Runtime Broker.exe	139
PID 3620 wrote to memory of 4812	3620	$77Runtime Broker.exe	139
PID 3620 wrote to memory of 4256	3620	$77Runtime Broker.exe	141
PID 3620 wrote to memory of 4256	3620	$77Runtime Broker.exe	141
PID 3620 wrote to memory of 1728	3620	$77Runtime Broker.exe	143
PID 3620 wrote to memory of 1728	3620	$77Runtime Broker.exe	143
PID 3620 wrote to memory of 2200	3620	$77Runtime Broker.exe	145
PID 3620 wrote to memory of 2200	3620	$77Runtime Broker.exe	145
PID 3620 wrote to memory of 1752	3620	$77Runtime Broker.exe	147
PID 3620 wrote to memory of 1752	3620	$77Runtime Broker.exe	147
PID 3620 wrote to memory of 2000	3620	$77Runtime Broker.exe	149
PID 3620 wrote to memory of 2000	3620	$77Runtime Broker.exe	149
PID 3620 wrote to memory of 316	3620	$77Runtime Broker.exe	151
PID 3620 wrote to memory of 316	3620	$77Runtime Broker.exe	151
PID 3620 wrote to memory of 2948	3620	$77Runtime Broker.exe	153
PID 3620 wrote to memory of 2948	3620	$77Runtime Broker.exe	153
PID 3620 wrote to memory of 4932	3620	$77Runtime Broker.exe	155
PID 3620 wrote to memory of 4932	3620	$77Runtime Broker.exe	155
PID 3620 wrote to memory of 4584	3620	$77Runtime Broker.exe	157
PID 3620 wrote to memory of 4584	3620	$77Runtime Broker.exe	157
PID 3620 wrote to memory of 4080	3620	$77Runtime Broker.exe	159
PID 3620 wrote to memory of 4080	3620	$77Runtime Broker.exe	159
PID 3620 wrote to memory of 2264	3620	$77Runtime Broker.exe	161
PID 3620 wrote to memory of 2264	3620	$77Runtime Broker.exe	161
PID 3620 wrote to memory of 1788	3620	$77Runtime Broker.exe	163
PID 3620 wrote to memory of 1788	3620	$77Runtime Broker.exe	163
PID 3620 wrote to memory of 1640	3620	$77Runtime Broker.exe	165
PID 3620 wrote to memory of 1640	3620	$77Runtime Broker.exe	165
PID 3620 wrote to memory of 3672	3620	$77Runtime Broker.exe	167
PID 3620 wrote to memory of 3672	3620	$77Runtime Broker.exe	167
PID 3620 wrote to memory of 1140	3620	$77Runtime Broker.exe	169
PID 3620 wrote to memory of 1140	3620	$77Runtime Broker.exe	169
PID 3620 wrote to memory of 4828	3620	$77Runtime Broker.exe	171
PID 3620 wrote to memory of 4828	3620	$77Runtime Broker.exe	171

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
228	attrib.exe
3740	attrib.exe

C:\Users\Admin\AppData\Local\Temp\rat\SilverClient - Copy (14).exe
"C:\Users\Admin\AppData\Local\Temp\rat\SilverClient - Copy (14).exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:228
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:3740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEAFC.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3148
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN $77Runtime Broker.exe
      4⤵
      PID:1996
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /Create /SC ONCE /TN "$77Runtime Broker.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe \"\$77Runtime Broker.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4508
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN $77Runtime Broker.exe
      4⤵
      PID:2264
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1036
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5032
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1824
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3664
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3784
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4812
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4256
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1728
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1752
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:316
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4932
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4080
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2264
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1788
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1640
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3672
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4828
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1300
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3780
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3240
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4092
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:292
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2376
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4476
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4192
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3004
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2504
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5144
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5304
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5368
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5624
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5888
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6080
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5204
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1636
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1636 -s 1940
        5⤵
        
        PID:9356
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5188
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1936
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5564
    - - C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5564" "2788" "2716" "2792" "0" "0" "2796" "0" "0" "0" "0" "0"
        5⤵
        
        PID:9208
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6228
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6324
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6384
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6572
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6684
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6884
    - - C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6884" "2396" "2440" "2400" "0" "0" "2364" "0" "0" "0" "0" "0"
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:9472
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4004
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6464
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:6760
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7048
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:5660
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7292
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7568
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7620
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7680
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7928
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8028
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8060
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7488
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7772
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8312
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8408
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:8680
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8732
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:8816
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:9136
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8224
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8564
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:9060
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8624
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8924
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8956
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6632
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7972
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:9464
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7904
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:224
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

System Information Discovery