silverrat | c9c505c8607cad0f8b787fe677ac182fc697930d9ef1895178c50e4f8d99f0c0

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	SilverClient - Copy (6).exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	$77Runtime Broker.exe

Executes dropped EXE 1 IoCs

pid	Process
5068	$77Runtime Broker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\SysTemp64\\$77Runtime Broker.exe\""	SilverClient - Copy (6).exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4544	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3140	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4068	schtasks.exe
1604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1804	SilverClient - Copy (6).exe
1804	SilverClient - Copy (6).exe
1804	SilverClient - Copy (6).exe
1804	SilverClient - Copy (6).exe
1804	SilverClient - Copy (6).exe
1804	SilverClient - Copy (6).exe
1804	SilverClient - Copy (6).exe
1804	SilverClient - Copy (6).exe
1804	SilverClient - Copy (6).exe
1804	SilverClient - Copy (6).exe
1804	SilverClient - Copy (6).exe
1804	SilverClient - Copy (6).exe
1804	SilverClient - Copy (6).exe
1804	SilverClient - Copy (6).exe
1804	SilverClient - Copy (6).exe
1804	SilverClient - Copy (6).exe
1804	SilverClient - Copy (6).exe
1804	SilverClient - Copy (6).exe
1804	SilverClient - Copy (6).exe
1804	SilverClient - Copy (6).exe
1804	SilverClient - Copy (6).exe
1804	SilverClient - Copy (6).exe
1804	SilverClient - Copy (6).exe
1804	SilverClient - Copy (6).exe
5068	$77Runtime Broker.exe
5068	$77Runtime Broker.exe
4544	powershell.exe
4544	powershell.exe
4544	powershell.exe
2900	powershell.exe
3916	powershell.exe
3032	powershell.exe
3032	powershell.exe
3032	powershell.exe
4784	powershell.exe
4784	powershell.exe
4784	powershell.exe
2900	powershell.exe
2900	powershell.exe
1764	powershell.exe
1764	powershell.exe
3916	powershell.exe
3916	powershell.exe
3452	powershell.exe
3452	powershell.exe
3776	powershell.exe
3776	powershell.exe
4064	powershell.exe
4064	powershell.exe
2864	powershell.exe
2864	powershell.exe
1764	powershell.exe
1764	powershell.exe
2704	powershell.exe
2704	powershell.exe
3452	powershell.exe
3452	powershell.exe
368	powershell.exe
368	powershell.exe
3968	powershell.exe
3968	powershell.exe
4468	powershell.exe
4468	powershell.exe
3776	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5068	$77Runtime Broker.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeBackupPrivilege	3720	vssvc.exe
Token: SeRestorePrivilege	3720	vssvc.exe
Token: SeAuditPrivilege	3720	vssvc.exe
Token: SeDebugPrivilege	1804	SilverClient - Copy (6).exe
Token: SeDebugPrivilege	5068	$77Runtime Broker.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	3452	powershell.exe
Token: SeDebugPrivilege	3776	powershell.exe
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	368	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	3828	powershell.exe
Token: SeDebugPrivilege	5136	powershell.exe
Token: SeDebugPrivilege	5212	powershell.exe
Token: SeDebugPrivilege	5416	powershell.exe
Token: SeDebugPrivilege	5424	powershell.exe
Token: SeDebugPrivilege	5764	powershell.exe
Token: SeDebugPrivilege	5736	powershell.exe
Token: SeDebugPrivilege	6112	powershell.exe
Token: SeDebugPrivilege	6048	powershell.exe
Token: SeDebugPrivilege	5816	powershell.exe
Token: SeDebugPrivilege	6408	powershell.exe
Token: SeDebugPrivilege	6468	powershell.exe
Token: SeDebugPrivilege	6880	powershell.exe
Token: SeDebugPrivilege	6192	powershell.exe
Token: SeDebugPrivilege	6836	powershell.exe
Token: SeDebugPrivilege	6732	powershell.exe
Token: SeDebugPrivilege	7184	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	7336	powershell.exe
Token: SeDebugPrivilege	7520	powershell.exe
Token: SeDebugPrivilege	7780	powershell.exe
Token: SeDebugPrivilege	7704	powershell.exe
Token: SeDebugPrivilege	8176	powershell.exe
Token: SeDebugPrivilege	7264	powershell.exe
Token: SeDebugPrivilege	8120	powershell.exe
Token: SeDebugPrivilege	6956	powershell.exe
Token: SeDebugPrivilege	8216	powershell.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	8656	powershell.exe
Token: SeDebugPrivilege	9772	powershell.exe
Token: SeDebugPrivilege	10152	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5068	$77Runtime Broker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 3456	1804	SilverClient - Copy (6).exe	90
PID 1804 wrote to memory of 3456	1804	SilverClient - Copy (6).exe	90
PID 1804 wrote to memory of 4356	1804	SilverClient - Copy (6).exe	93
PID 1804 wrote to memory of 4356	1804	SilverClient - Copy (6).exe	93
PID 1804 wrote to memory of 4172	1804	SilverClient - Copy (6).exe	104
PID 1804 wrote to memory of 4172	1804	SilverClient - Copy (6).exe	104
PID 4172 wrote to memory of 3140	4172	cmd.exe	106
PID 4172 wrote to memory of 3140	4172	cmd.exe	106
PID 4172 wrote to memory of 5068	4172	cmd.exe	107
PID 4172 wrote to memory of 5068	4172	cmd.exe	107
PID 5068 wrote to memory of 228	5068	$77Runtime Broker.exe	109
PID 5068 wrote to memory of 228	5068	$77Runtime Broker.exe	109
PID 5068 wrote to memory of 4068	5068	$77Runtime Broker.exe	111
PID 5068 wrote to memory of 4068	5068	$77Runtime Broker.exe	111
PID 5068 wrote to memory of 2884	5068	$77Runtime Broker.exe	113
PID 5068 wrote to memory of 2884	5068	$77Runtime Broker.exe	113
PID 5068 wrote to memory of 4544	5068	$77Runtime Broker.exe	115
PID 5068 wrote to memory of 4544	5068	$77Runtime Broker.exe	115
PID 5068 wrote to memory of 1604	5068	$77Runtime Broker.exe	116
PID 5068 wrote to memory of 1604	5068	$77Runtime Broker.exe	116
PID 5068 wrote to memory of 1772	5068	$77Runtime Broker.exe	133
PID 5068 wrote to memory of 1772	5068	$77Runtime Broker.exe	133
PID 5068 wrote to memory of 2900	5068	$77Runtime Broker.exe	135
PID 5068 wrote to memory of 2900	5068	$77Runtime Broker.exe	135
PID 5068 wrote to memory of 2828	5068	$77Runtime Broker.exe	137
PID 5068 wrote to memory of 2828	5068	$77Runtime Broker.exe	137
PID 5068 wrote to memory of 3916	5068	$77Runtime Broker.exe	139
PID 5068 wrote to memory of 3916	5068	$77Runtime Broker.exe	139
PID 5068 wrote to memory of 2308	5068	$77Runtime Broker.exe	141
PID 5068 wrote to memory of 2308	5068	$77Runtime Broker.exe	141
PID 5068 wrote to memory of 3032	5068	$77Runtime Broker.exe	143
PID 5068 wrote to memory of 3032	5068	$77Runtime Broker.exe	143
PID 5068 wrote to memory of 1388	5068	$77Runtime Broker.exe	145
PID 5068 wrote to memory of 1388	5068	$77Runtime Broker.exe	145
PID 5068 wrote to memory of 4784	5068	$77Runtime Broker.exe	147
PID 5068 wrote to memory of 4784	5068	$77Runtime Broker.exe	147
PID 5068 wrote to memory of 3936	5068	$77Runtime Broker.exe	149
PID 5068 wrote to memory of 3936	5068	$77Runtime Broker.exe	149
PID 5068 wrote to memory of 1764	5068	$77Runtime Broker.exe	151
PID 5068 wrote to memory of 1764	5068	$77Runtime Broker.exe	151
PID 5068 wrote to memory of 2832	5068	$77Runtime Broker.exe	153
PID 5068 wrote to memory of 2832	5068	$77Runtime Broker.exe	153
PID 5068 wrote to memory of 3452	5068	$77Runtime Broker.exe	155
PID 5068 wrote to memory of 3452	5068	$77Runtime Broker.exe	155
PID 5068 wrote to memory of 2884	5068	$77Runtime Broker.exe	157
PID 5068 wrote to memory of 2884	5068	$77Runtime Broker.exe	157
PID 5068 wrote to memory of 3776	5068	$77Runtime Broker.exe	159
PID 5068 wrote to memory of 3776	5068	$77Runtime Broker.exe	159
PID 5068 wrote to memory of 4708	5068	$77Runtime Broker.exe	161
PID 5068 wrote to memory of 4708	5068	$77Runtime Broker.exe	161
PID 5068 wrote to memory of 4064	5068	$77Runtime Broker.exe	163
PID 5068 wrote to memory of 4064	5068	$77Runtime Broker.exe	163
PID 5068 wrote to memory of 2536	5068	$77Runtime Broker.exe	165
PID 5068 wrote to memory of 2536	5068	$77Runtime Broker.exe	165
PID 5068 wrote to memory of 2864	5068	$77Runtime Broker.exe	166
PID 5068 wrote to memory of 2864	5068	$77Runtime Broker.exe	166
PID 5068 wrote to memory of 1084	5068	$77Runtime Broker.exe	169
PID 5068 wrote to memory of 1084	5068	$77Runtime Broker.exe	169
PID 5068 wrote to memory of 2704	5068	$77Runtime Broker.exe	171
PID 5068 wrote to memory of 2704	5068	$77Runtime Broker.exe	171
PID 5068 wrote to memory of 5108	5068	$77Runtime Broker.exe	173
PID 5068 wrote to memory of 5108	5068	$77Runtime Broker.exe	173
PID 5068 wrote to memory of 368	5068	$77Runtime Broker.exe	175
PID 5068 wrote to memory of 368	5068	$77Runtime Broker.exe	175

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4356	attrib.exe
3456	attrib.exe

C:\Users\Admin\AppData\Local\Temp\rat\SilverClient - Copy (6).exe
"C:\Users\Admin\AppData\Local\Temp\rat\SilverClient - Copy (6).exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:3456
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:4356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD6.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4172
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3140
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN $77Runtime Broker.exe
      4⤵
      PID:228
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /Create /SC ONCE /TN "$77Runtime Broker.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe \"\$77Runtime Broker.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4068
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN $77Runtime Broker.exe
      4⤵
      PID:2884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4544
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1604
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2900
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2828
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3916
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3032
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4784
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1764
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3452
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3776
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4064
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2536
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2864
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2704
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5108
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:368
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4468
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3968
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3828
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:336
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5212
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5272
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5320
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5416
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5424
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5620
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5764
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5848
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6048
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6112
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5400
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5564
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6192
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6280
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6408
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6468
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6652
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6880
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7088
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6252
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6732
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2820
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7184
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7336
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7520
    - - C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7520" "2416" "2360" "2420" "0" "0" "2424" "0" "0" "0" "0" "0"
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:9376
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7780
    - - C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7780" "2412" "2360" "2416" "0" "0" "2420" "0" "0" "0" "0" "0"
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:9332
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7856
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7892
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8120
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8176
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7264
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7672
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7680
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6956
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8216
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8268
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8396
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:8504
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8656
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:8752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:8960
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8980
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9092
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7764
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:8788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:8796
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9188
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9260
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:9476
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:9772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:9832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:10152
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10160
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10168

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

System Information Discovery