silverrat | c9c505c8607cad0f8b787fe677ac182fc697930d9ef1895178c50e4f8d99f0c0

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	$77Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	SilverClient - Copy (8).exe

Executes dropped EXE 1 IoCs

pid	Process
1168	$77Runtime Broker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\SysTemp64\\$77Runtime Broker.exe\""	SilverClient - Copy (8).exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4400	powershell.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
5108	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3848	schtasks.exe
500	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4848	SilverClient - Copy (8).exe
4848	SilverClient - Copy (8).exe
4848	SilverClient - Copy (8).exe
4848	SilverClient - Copy (8).exe
4848	SilverClient - Copy (8).exe
4848	SilverClient - Copy (8).exe
4848	SilverClient - Copy (8).exe
4848	SilverClient - Copy (8).exe
4848	SilverClient - Copy (8).exe
4848	SilverClient - Copy (8).exe
4848	SilverClient - Copy (8).exe
4848	SilverClient - Copy (8).exe
4848	SilverClient - Copy (8).exe
4848	SilverClient - Copy (8).exe
4848	SilverClient - Copy (8).exe
4848	SilverClient - Copy (8).exe
4848	SilverClient - Copy (8).exe
4848	SilverClient - Copy (8).exe
4848	SilverClient - Copy (8).exe
4848	SilverClient - Copy (8).exe
4848	SilverClient - Copy (8).exe
4848	SilverClient - Copy (8).exe
4848	SilverClient - Copy (8).exe
1168	$77Runtime Broker.exe
1168	$77Runtime Broker.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
4724	powershell.exe
2588	powershell.exe
2900	powershell.exe
1508	powershell.exe
3600	powershell.exe
3600	powershell.exe
2900	powershell.exe
2900	powershell.exe
4724	powershell.exe
4724	powershell.exe
2336	powershell.exe
2336	powershell.exe
2588	powershell.exe
2588	powershell.exe
1508	powershell.exe
1508	powershell.exe
720	powershell.exe
720	powershell.exe
4908	powershell.exe
4908	powershell.exe
1460	powershell.exe
1460	powershell.exe
3600	powershell.exe
3600	powershell.exe
2336	powershell.exe
2336	powershell.exe
4796	powershell.exe
4796	powershell.exe
2964	powershell.exe
2964	powershell.exe
4012	powershell.exe
4012	powershell.exe
720	powershell.exe
720	powershell.exe
1684	powershell.exe
1684	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1168	$77Runtime Broker.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeBackupPrivilege	3968	vssvc.exe
Token: SeRestorePrivilege	3968	vssvc.exe
Token: SeAuditPrivilege	3968	vssvc.exe
Token: SeDebugPrivilege	4848	SilverClient - Copy (8).exe
Token: SeDebugPrivilege	1168	$77Runtime Broker.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	720	powershell.exe
Token: SeDebugPrivilege	4908	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	100	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	5180	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	5232	powershell.exe
Token: SeDebugPrivilege	5520	powershell.exe
Token: SeDebugPrivilege	5624	powershell.exe
Token: SeDebugPrivilege	5812	powershell.exe
Token: SeDebugPrivilege	5352	powershell.exe
Token: SeDebugPrivilege	5916	powershell.exe
Token: SeDebugPrivilege	5356	powershell.exe
Token: SeDebugPrivilege	6280	powershell.exe
Token: SeDebugPrivilege	6252	powershell.exe
Token: SeDebugPrivilege	6608	powershell.exe
Token: SeDebugPrivilege	6752	powershell.exe
Token: SeDebugPrivilege	6912	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	6104	powershell.exe
Token: SeDebugPrivilege	4432	powershell.exe
Token: SeDebugPrivilege	7552	powershell.exe
Token: SeDebugPrivilege	7372	powershell.exe
Token: SeDebugPrivilege	7792	powershell.exe
Token: SeDebugPrivilege	6988	powershell.exe
Token: SeDebugPrivilege	7964	powershell.exe
Token: SeDebugPrivilege	6408	powershell.exe
Token: SeDebugPrivilege	7292	powershell.exe
Token: SeDebugPrivilege	8244	powershell.exe
Token: SeDebugPrivilege	7820	powershell.exe
Token: SeDebugPrivilege	9116	powershell.exe
Token: SeDebugPrivilege	7772	powershell.exe
Token: SeDebugPrivilege	8500	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	6540	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1168	$77Runtime Broker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 116	4848	SilverClient - Copy (8).exe	90
PID 4848 wrote to memory of 116	4848	SilverClient - Copy (8).exe	90
PID 4848 wrote to memory of 1932	4848	SilverClient - Copy (8).exe	92
PID 4848 wrote to memory of 1932	4848	SilverClient - Copy (8).exe	92
PID 4848 wrote to memory of 2712	4848	SilverClient - Copy (8).exe	101
PID 4848 wrote to memory of 2712	4848	SilverClient - Copy (8).exe	101
PID 2712 wrote to memory of 5108	2712	cmd.exe	103
PID 2712 wrote to memory of 5108	2712	cmd.exe	103
PID 2712 wrote to memory of 1168	2712	cmd.exe	104
PID 2712 wrote to memory of 1168	2712	cmd.exe	104
PID 1168 wrote to memory of 3408	1168	$77Runtime Broker.exe	106
PID 1168 wrote to memory of 3408	1168	$77Runtime Broker.exe	106
PID 1168 wrote to memory of 3848	1168	$77Runtime Broker.exe	108
PID 1168 wrote to memory of 3848	1168	$77Runtime Broker.exe	108
PID 1168 wrote to memory of 1408	1168	$77Runtime Broker.exe	110
PID 1168 wrote to memory of 1408	1168	$77Runtime Broker.exe	110
PID 1168 wrote to memory of 4400	1168	$77Runtime Broker.exe	112
PID 1168 wrote to memory of 4400	1168	$77Runtime Broker.exe	112
PID 1168 wrote to memory of 500	1168	$77Runtime Broker.exe	113
PID 1168 wrote to memory of 500	1168	$77Runtime Broker.exe	113
PID 1168 wrote to memory of 848	1168	$77Runtime Broker.exe	128
PID 1168 wrote to memory of 848	1168	$77Runtime Broker.exe	128
PID 1168 wrote to memory of 4724	1168	$77Runtime Broker.exe	130
PID 1168 wrote to memory of 4724	1168	$77Runtime Broker.exe	130
PID 1168 wrote to memory of 4340	1168	$77Runtime Broker.exe	132
PID 1168 wrote to memory of 4340	1168	$77Runtime Broker.exe	132
PID 1168 wrote to memory of 2900	1168	$77Runtime Broker.exe	134
PID 1168 wrote to memory of 2900	1168	$77Runtime Broker.exe	134
PID 1168 wrote to memory of 3148	1168	$77Runtime Broker.exe	136
PID 1168 wrote to memory of 3148	1168	$77Runtime Broker.exe	136
PID 1168 wrote to memory of 2588	1168	$77Runtime Broker.exe	138
PID 1168 wrote to memory of 2588	1168	$77Runtime Broker.exe	138
PID 1168 wrote to memory of 2552	1168	$77Runtime Broker.exe	140
PID 1168 wrote to memory of 2552	1168	$77Runtime Broker.exe	140
PID 1168 wrote to memory of 1508	1168	$77Runtime Broker.exe	142
PID 1168 wrote to memory of 1508	1168	$77Runtime Broker.exe	142
PID 1168 wrote to memory of 3992	1168	$77Runtime Broker.exe	144
PID 1168 wrote to memory of 3992	1168	$77Runtime Broker.exe	144
PID 1168 wrote to memory of 3600	1168	$77Runtime Broker.exe	146
PID 1168 wrote to memory of 3600	1168	$77Runtime Broker.exe	146
PID 1168 wrote to memory of 1268	1168	$77Runtime Broker.exe	148
PID 1168 wrote to memory of 1268	1168	$77Runtime Broker.exe	148
PID 1168 wrote to memory of 2336	1168	$77Runtime Broker.exe	150
PID 1168 wrote to memory of 2336	1168	$77Runtime Broker.exe	150
PID 1168 wrote to memory of 4680	1168	$77Runtime Broker.exe	152
PID 1168 wrote to memory of 4680	1168	$77Runtime Broker.exe	152
PID 1168 wrote to memory of 720	1168	$77Runtime Broker.exe	154
PID 1168 wrote to memory of 720	1168	$77Runtime Broker.exe	154
PID 1168 wrote to memory of 2252	1168	$77Runtime Broker.exe	156
PID 1168 wrote to memory of 2252	1168	$77Runtime Broker.exe	156
PID 1168 wrote to memory of 4908	1168	$77Runtime Broker.exe	158
PID 1168 wrote to memory of 4908	1168	$77Runtime Broker.exe	158
PID 1168 wrote to memory of 4056	1168	$77Runtime Broker.exe	160
PID 1168 wrote to memory of 4056	1168	$77Runtime Broker.exe	160
PID 1168 wrote to memory of 1460	1168	$77Runtime Broker.exe	162
PID 1168 wrote to memory of 1460	1168	$77Runtime Broker.exe	162
PID 1168 wrote to memory of 1592	1168	$77Runtime Broker.exe	164
PID 1168 wrote to memory of 1592	1168	$77Runtime Broker.exe	164
PID 1168 wrote to memory of 4796	1168	$77Runtime Broker.exe	166
PID 1168 wrote to memory of 4796	1168	$77Runtime Broker.exe	166
PID 1168 wrote to memory of 3728	1168	$77Runtime Broker.exe	168
PID 1168 wrote to memory of 3728	1168	$77Runtime Broker.exe	168
PID 1168 wrote to memory of 2964	1168	$77Runtime Broker.exe	170
PID 1168 wrote to memory of 2964	1168	$77Runtime Broker.exe	170

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
116	attrib.exe
1932	attrib.exe

C:\Users\Admin\AppData\Local\Temp\rat\SilverClient - Copy (8).exe
"C:\Users\Admin\AppData\Local\Temp\rat\SilverClient - Copy (8).exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:116
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:1932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1577.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:5108
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN $77Runtime Broker.exe
      4⤵
      PID:3408
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /Create /SC ONCE /TN "$77Runtime Broker.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe \"\$77Runtime Broker.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3848
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN $77Runtime Broker.exe
      4⤵
      PID:1408
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4400
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:500
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4724
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2900
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2588
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1508
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3600
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1268
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2336
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:720
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2252
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4908
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4056
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1460
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4796
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2964
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4380
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4012
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1684
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4524
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4496
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5104
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4844
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:100
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5024
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5180
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5232
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5344
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5520
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5624
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5708
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5812
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5916
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5980
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:5356
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5456
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5380
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6252
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6280
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6460
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6492
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:6752
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6912
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7004
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:880
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4432
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1048
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6104
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7112
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7272
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7372
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7536
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7792
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7964
    - - C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7964" "2416" "2356" "2420" "0" "0" "2424" "0" "0" "0" "0" "0"
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:8984
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8068
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6988
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4120
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:7292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6408
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8104
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5248
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7820
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8244
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8364
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8516
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:8752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:8840
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8944
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:9116
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:9200
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8296
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7772
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8500
    - - C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "8500" "2184" "2120" "2188" "0" "0" "2192" "0" "0" "0" "0" "0"
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:9372
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7348
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:9396
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:9536
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3192
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2732
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3096
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2072
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3692
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4396
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1584
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5284
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:5784
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3268
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6540
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6800
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:7248
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7688
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:4472

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

System Information Discovery