Overview

Static

Score | Sample | Platform
10 | rat/Silver...0).exe | windows7-x64
 | rat/Silver...0).exe | windows10-2004-x64
10 | rat/Silver...1).exe | windows7-x64
10 | rat/Silver...1).exe | windows10-2004-x64
10 | rat/Silver...2).exe | windows7-x64
10 | rat/Silver...2).exe | windows10-2004-x64
10 | rat/Silver...3).exe | windows7-x64
10 | rat/Silver...3).exe | windows10-2004-x64
10 | rat/Silver...4).exe | windows7-x64
10 | rat/Silver...4).exe | windows10-2004-x64
10 | rat/Silver...5).exe | windows7-x64
10 | rat/Silver...5).exe | windows10-2004-x64
10 | rat/Silver...6).exe | windows7-x64
10 | rat/Silver...6).exe | windows10-2004-x64
10 | rat/Silver...7).exe | windows7-x64
10 | rat/Silver...7).exe | windows10-2004-x64
10 | rat/Silver...2).exe | windows7-x64
10 | rat/Silver...2).exe | windows10-2004-x64
10 | rat/Silver...3).exe | windows7-x64
10 | rat/Silver...3).exe | windows10-2004-x64
10 | rat/Silver...4).exe | windows7-x64
 | rat/Silver...4).exe | windows10-2004-x64
10 | rat/Silver...5).exe | windows7-x64
10 | rat/Silver...5).exe | windows10-2004-x64
10 | rat/Silver...6).exe | windows7-x64
10 | rat/Silver...6).exe | windows10-2004-x64
10 | rat/Silver...7).exe | windows7-x64
10 | rat/Silver...7).exe | windows10-2004-x64
10 | rat/Silver...8).exe | windows7-x64
10 | rat/Silver...8).exe | windows10-2004-x64
10 | rat/Silver...9).exe | windows7-x64
10 | rat/Silver...9).exe | windows10-2004-x64
Analysis

- max time kernel: 465s
- max time network: 456s
- platform: windows10-2004_x64
- resource: win10v2004-20250217-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/03/2025, 22:10
Behavioral tasks

Task | Sample | Resource
behavioral1 | rat/SilverClient - Copy (10).exe | win7-20241023-en
behavioral2 | rat/SilverClient - Copy (10).exe | win10v2004-20250217-en
behavioral3 | rat/SilverClient - Copy (11).exe | win7-20240903-en
behavioral4 | rat/SilverClient - Copy (11).exe | win10v2004-20250217-en
behavioral5 | rat/SilverClient - Copy (12).exe | win7-20240903-en
behavioral6 | rat/SilverClient - Copy (12).exe | win10v2004-20250217-en
behavioral7 | rat/SilverClient - Copy (13).exe | win7-20240903-en
behavioral8 | rat/SilverClient - Copy (13).exe | win10v2004-20250217-en
behavioral9 | rat/SilverClient - Copy (14).exe | win7-20240729-en
behavioral10 | rat/SilverClient - Copy (14).exe | win10v2004-20250217-en
behavioral11 | rat/SilverClient - Copy (15).exe | win7-20240903-en
behavioral12 | rat/SilverClient - Copy (15).exe | win10v2004-20250217-en
behavioral13 | rat/SilverClient - Copy (16).exe | win7-20240903-en
behavioral14 | rat/SilverClient - Copy (16).exe | win10v2004-20250217-en
behavioral15 | rat/SilverClient - Copy (17).exe | win7-20241010-en
behavioral16 | rat/SilverClient - Copy (17).exe | win10v2004-20250217-en
behavioral17 | rat/SilverClient - Copy (2).exe | win7-20240903-en
behavioral18 | rat/SilverClient - Copy (2).exe | win10v2004-20250217-en
behavioral19 | rat/SilverClient - Copy (3).exe | win7-20240729-en
behavioral20 | rat/SilverClient - Copy (3).exe | win10v2004-20250217-en
behavioral21 | rat/SilverClient - Copy (4).exe | win7-20240903-en
behavioral22 | rat/SilverClient - Copy (4).exe | win10v2004-20250217-en
behavioral23 | rat/SilverClient - Copy (5).exe | win7-20240903-en
behavioral24 | rat/SilverClient - Copy (5).exe | win10v2004-20250217-en
behavioral25 | rat/SilverClient - Copy (6).exe | win7-20240903-en
behavioral26 | rat/SilverClient - Copy (6).exe | win10v2004-20250217-en
behavioral27 | rat/SilverClient - Copy (7).exe | win7-20240903-en
behavioral28 | rat/SilverClient - Copy (7).exe | win10v2004-20250217-en
behavioral29 | rat/SilverClient - Copy (8).exe | win7-20240903-en
behavioral30 | rat/SilverClient - Copy (8).exe | win10v2004-20250217-en
behavioral31 | rat/SilverClient - Copy (9).exe | win7-20241010-en
behavioral32 | rat/SilverClient - Copy (9).exe | win10v2004-20250217-en
General

- Target: rat/SilverClient - Copy (5).exe
- Size: 43KB
- MD5: 44a5ff2feda2634ae7d9fadc97ebd0a0
- SHA1: 9a763aefd806585e11a36203e575ae142f38bc6c
- SHA256: 5dde6801897a7d76c16e64c0b36a3280fbf5371642a690b85ddd31538c4458d8
- SHA512: cebc24998c33d7fe8bcdba5183d60c36b3ccaac247d0ee206a73485236453c109dc269522df01d85f58efd3d7a28358221f2139f11356f95f9b8283475f576ca
- SSDEEP: 768:GdmcASe38zJ/Ol6IoZmtPHJm7+avCJ8eEPNRULQD9PUGa7AB6Sh/lE:GdmcASeuOtvhmeZKNGsD9pYAoS/lE
Malware Config

Extracted

- Family: silverrat
- Version: 1.0.0.0
- C2: if-eventually.gl.at.ply.gg:17094
- Mutex: Mutex_DthEiIseBZ
- decrypted_key: -|S.S.S|-
- key: yy6zDjAUmbB09pKvo5Hhug==
- key_x509: eGlwZU1BZVJwdkFBdllxYmdRQUJ2eWtsbVVURFhE
- reconnect_delay: 0
Signatures

- Silverrat family

- Sets file to hidden (1 TTPs, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  IoCs: pid 3984 attrib.exe; pid 2452 attrib.exe

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  IoCs: Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation by $77Runtime Broker.exe; Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation by SilverClient - Copy (5).exe

- Executes dropped EXE (1 IoCs)
  IoCs: pid 2764 $77Runtime Broker.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  IoCs: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\SysTemp64\\$77Runtime Broker.exe\"" by SilverClient - Copy (5).exe

- Command and Scripting Interpreter: PowerShell
  IoCs: pid 280 powershell.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Checks processor information in registry (2 TTPs, 30 IoCs)
  Processor information is often read in order to detect sandboxing environments.
- Delays execution with timeout.exe (1 IoCs)
  IoCs: pid 3240 timeout.exe

- Enumerates system info in registry (2 TTPs, 20 IoCs)
- Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  IoCs: pid 2200 schtasks.exe; pid 292 schtasks.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  IoCs: pid 2764 $77Runtime Broker.exe

- Suspicious use of AdjustPrivilegeToken (49 IoCs)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  IoCs: pid 2764 $77Runtime Broker.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.

- Views/modifies file attributes (1 TTPs, 2 IoCs)
  IoCs: pid 3984 attrib.exe; pid 2452 attrib.exe
Processes

- PID 4572: "C:\Users\Admin\AppData\Local\Temp\rat\SilverClient - Copy (5).exe"
  signatures: Checks computer location settings; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - PID 3984: "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64"
    signatures: Sets file to hidden; Views/modifies file attributes
  - PID 2452: "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe"
    signatures: Sets file to hidden; Views/modifies file attributes
  - PID 2600: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2277.tmp.bat""
    signatures: Suspicious use of WriteProcessMemory
    - PID 3240: timeout 3 (image: C:\Windows\system32\timeout.exe)
      signatures: Delays execution with timeout.exe
    - PID 2764: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe"
      signatures: Checks computer location settings; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - PID 3780: "schtasks.exe" /query /TN $77Runtime Broker.exe (image: C:\Windows\SYSTEM32\schtasks.exe)
      - PID 2200: "schtasks.exe" /Create /SC ONCE /TN "$77Runtime Broker.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe \"\$77Runtime Broker.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST (image: C:\Windows\SYSTEM32\schtasks.exe)
        signatures: Scheduled Task/Job: Scheduled Task
      - PID 652: "schtasks.exe" /query /TN $77Runtime Broker.exe (image: C:\Windows\SYSTEM32\schtasks.exe)
      - PID 280: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - PID 292: "C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00
        signatures: Scheduled Task/Job: Scheduled Task
      - PID 3916: "C:\Windows\System32\cmd.exe"
      - PID 5004: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - PID 964: "C:\Windows\System32\cmd.exe"
      - PID 2808: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - PID 4776: "C:\Windows\System32\cmd.exe"
      - PID 4512: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - PID 4276: "C:\Windows\System32\cmd.exe"
      - PID 2600: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - PID 4836: "C:\Windows\System32\cmd.exe"
      - PID 3184: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - PID 1144: "C:\Windows\System32\cmd.exe"
      - PID 2344: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - PID 8268: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2344" "2412" "2572" "2416" "0" "0" "2360" "0" "0" "0" "0" "0"
          signatures: Checks processor information in registry; Enumerates system info in registry
      - PID 4356: "C:\Windows\System32\cmd.exe"
      - PID 3460: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - PID 2488: "C:\Windows\System32\cmd.exe"
      - PID 1080: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - PID 4068: "C:\Windows\System32\cmd.exe"
      - PID 3220: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - PID 6188: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3220" "2492" "2328" "2496" "0" "0" "2500" "0" "0" "0" "0" "0"
          signatures: Checks processor information in registry; Enumerates system info in registry
      - PID 1256: "C:\Windows\System32\cmd.exe"
      - PID 1856: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - PID 8920: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1856" "2500" "2460" "2504" "0" "0" "2508" "0" "0" "0" "0" "0"
          signatures: Checks processor information in registry; Enumerates system info in registry
      - PID 2968: "C:\Windows\System32\cmd.exe"
      - PID 4704: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - PID 1000: "C:\Windows\System32\cmd.exe"
      - PID 728: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - PID 4780: "C:\Windows\System32\cmd.exe"
      - PID 4876: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - PID 1184: "C:\Windows\System32\cmd.exe"
      - PID 4608: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious use of AdjustPrivilegeToken
      - PID 4224: "C:\Windows\System32\cmd.exe"
      - PID 1556: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious use of AdjustPrivilegeToken
      - PID 1348: "C:\Windows\System32\cmd.exe"
      - PID 2068: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious use of AdjustPrivilegeToken
      - PID 2300: "C:\Windows\System32\cmd.exe"
      - PID 3204: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious use of AdjustPrivilegeToken
      - PID 5208: "C:\Windows\System32\cmd.exe"
      - PID 5264: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious use of AdjustPrivilegeToken
      - PID 5352: "C:\Windows\System32\cmd.exe"
      - PID 5420: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious use of AdjustPrivilegeToken
      - PID 5504: "C:\Windows\System32\cmd.exe"
      - PID 5592: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious use of AdjustPrivilegeToken
      - PID 5716: "C:\Windows\System32\cmd.exe"
      - PID 5868: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious use of AdjustPrivilegeToken
        - PID 8496: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5868" "2508" "2432" "2512" "0" "0" "2516" "0" "0" "0" "0" "0"
          signatures: Checks processor information in registry; Enumerates system info in registry
      - PID 5992: "C:\Windows\System32\cmd.exe"
      - PID 6096: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious use of AdjustPrivilegeToken
        - PID 8276: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6096" "2392" "1448" "2520" "0" "0" "2524" "0" "0" "0" "0" "0"
          signatures: Checks processor information in registry; Enumerates system info in registry
      - PID 2912: "C:\Windows\System32\cmd.exe"
      - PID 2732: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious use of AdjustPrivilegeToken
        - PID 8288: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2732" "2548" "2456" "2552" "0" "0" "2556" "0" "0" "0" "0" "0"
          signatures: Checks processor information in registry; Enumerates system info in registry
      - PID 5548: "C:\Windows\System32\cmd.exe"
      - PID 5788: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious use of AdjustPrivilegeToken
      - PID 6192: "C:\Windows\System32\cmd.exe"
      - PID 6240: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious use of AdjustPrivilegeToken
      - PID 6424: "C:\Windows\System32\cmd.exe"
      - PID 6504: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious use of AdjustPrivilegeToken
      - PID 6640: "C:\Windows\System32\cmd.exe"
      - PID 6744: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious use of AdjustPrivilegeToken
      - PID 6816: "C:\Windows\System32\cmd.exe"
      - PID 6944: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious use of AdjustPrivilegeToken
        - PID 8524: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6944" "2672" "2580" "2604" "0" "0" "2584" "0" "0" "0" "0" "0"
          signatures: Checks processor information in registry; Enumerates system info in registry
      - PID 7072: "C:\Windows\System32\cmd.exe"
      - PID 5184: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious use of AdjustPrivilegeToken
      - PID 6336: "C:\Windows\System32\cmd.exe"
      - PID 6476: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious use of AdjustPrivilegeToken
      - PID 6976: "C:\Windows\System32\cmd.exe"
      - PID 7152: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious use of AdjustPrivilegeToken
        - PID 8428: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7152" "2528" "2540" "2532" "0" "0" "2536" "0" "0" "0" "0" "0"
          signatures: Checks processor information in registry; Enumerates system info in registry
      - PID 7184: "C:\Windows\System32\cmd.exe"
      - PID 7284: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious use of AdjustPrivilegeToken
      - PID 7348: "C:\Windows\System32\cmd.exe"
      - PID 7508: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious use of AdjustPrivilegeToken
        - PID 8524: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7508" "2360" "2284" "2364" "0" "0" "2368" "0" "0" "0" "0" "0"
          signatures: Checks processor information in registry; Enumerates system info in registry
      - PID 7632: "C:\Windows\System32\cmd.exe"
      - PID 7692: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious use of AdjustPrivilegeToken
      - PID 7816: "C:\Windows\System32\cmd.exe"
      - PID 7932: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        signatures: Suspicious use of AdjustPrivilegeToken
      - PID 8072: "C:\Windows\System32\cmd.exe"
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
PID:8184
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7364
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
PID:7880
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8140
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
PID:8220
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8296
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
PID:8456
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
PID:8660
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8724
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
PID:8896
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:9052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵PID:9180
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:3756
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
PID:8368
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:8520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
PID:8940 -
C:\Windows\system32\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "0" "8940" "2156" "2080" "2164" "0" "0" "2168" "0" "0" "0" "0" "0"5⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:1316
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:3848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵PID:2820
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7616
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1144
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 712 -p 5920 -ip 59201⤵PID:6504
Network
MITRE ATT&CK Enterprise v15 (number in parentheses = count of matching signatures)

Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)

Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Downloads