silverrat | 632afc11c1652f563a31015c766ce4d8f0d7ea34a5668511e7c08113e657cd3d

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	$77SecurityHealthSystray.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	SilverClient.exe

Executes dropped EXE 1 IoCs

pid	Process
2408	$77SecurityHealthSystray.exe.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
400	powershell.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\downloads\desktop.ini	$77SecurityHealthSystray.exe.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MBWHYVVlEJ.jpg"	$77SecurityHealthSystray.exe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2668	timeout.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2812	schtasks.exe
2920	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
2408	$77SecurityHealthSystray.exe.exe
400	powershell.exe
400	powershell.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4360	taskmgr.exe
2408	$77SecurityHealthSystray.exe.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	5056	SilverClient.exe
Token: SeDebugPrivilege	4360	taskmgr.exe
Token: SeSystemProfilePrivilege	4360	taskmgr.exe
Token: SeCreateGlobalPrivilege	4360	taskmgr.exe
Token: SeDebugPrivilege	2408	$77SecurityHealthSystray.exe.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	3936	powershell.exe
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	5144	powershell.exe
Token: SeDebugPrivilege	5476	powershell.exe
Token: SeDebugPrivilege	5312	powershell.exe
Token: SeDebugPrivilege	5836	powershell.exe
Token: SeDebugPrivilege	5976	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	6076	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	6416	powershell.exe
Token: SeDebugPrivilege	6672	powershell.exe
Token: SeDebugPrivilege	6828	powershell.exe
Token: SeDebugPrivilege	7096	powershell.exe
Token: SeDebugPrivilege	6720	powershell.exe
Token: SeDebugPrivilege	6356	powershell.exe
Token: SeDebugPrivilege	7344	powershell.exe
Token: SeDebugPrivilege	7512	powershell.exe
Token: SeDebugPrivilege	7748	powershell.exe
Token: SeDebugPrivilege	7964	powershell.exe
Token: SeDebugPrivilege	7184	powershell.exe
Token: SeDebugPrivilege	6272	powershell.exe
Token: SeDebugPrivilege	8240	powershell.exe
Token: SeDebugPrivilege	8492	powershell.exe
Token: SeDebugPrivilege	8680	powershell.exe
Token: SeDebugPrivilege	8872	powershell.exe
Token: SeDebugPrivilege	7276	powershell.exe
Token: SeDebugPrivilege	9128	powershell.exe
Token: SeDebugPrivilege	8636	powershell.exe
Token: 33	4360	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4360	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2408	$77SecurityHealthSystray.exe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 4288	5056	SilverClient.exe	83
PID 5056 wrote to memory of 4288	5056	SilverClient.exe	83
PID 5056 wrote to memory of 4332	5056	SilverClient.exe	85
PID 5056 wrote to memory of 4332	5056	SilverClient.exe	85
PID 5056 wrote to memory of 4680	5056	SilverClient.exe	103
PID 5056 wrote to memory of 4680	5056	SilverClient.exe	103
PID 4680 wrote to memory of 2668	4680	cmd.exe	105
PID 4680 wrote to memory of 2668	4680	cmd.exe	105
PID 4680 wrote to memory of 2408	4680	cmd.exe	106
PID 4680 wrote to memory of 2408	4680	cmd.exe	106
PID 2408 wrote to memory of 1188	2408	$77SecurityHealthSystray.exe.exe	107
PID 2408 wrote to memory of 1188	2408	$77SecurityHealthSystray.exe.exe	107
PID 2408 wrote to memory of 2920	2408	$77SecurityHealthSystray.exe.exe	109
PID 2408 wrote to memory of 2920	2408	$77SecurityHealthSystray.exe.exe	109
PID 2408 wrote to memory of 1592	2408	$77SecurityHealthSystray.exe.exe	111
PID 2408 wrote to memory of 1592	2408	$77SecurityHealthSystray.exe.exe	111
PID 2408 wrote to memory of 400	2408	$77SecurityHealthSystray.exe.exe	113
PID 2408 wrote to memory of 400	2408	$77SecurityHealthSystray.exe.exe	113
PID 2408 wrote to memory of 2812	2408	$77SecurityHealthSystray.exe.exe	114
PID 2408 wrote to memory of 2812	2408	$77SecurityHealthSystray.exe.exe	114
PID 2408 wrote to memory of 4420	2408	$77SecurityHealthSystray.exe.exe	122
PID 2408 wrote to memory of 4420	2408	$77SecurityHealthSystray.exe.exe	122
PID 2408 wrote to memory of 4012	2408	$77SecurityHealthSystray.exe.exe	125
PID 2408 wrote to memory of 4012	2408	$77SecurityHealthSystray.exe.exe	125
PID 2408 wrote to memory of 1520	2408	$77SecurityHealthSystray.exe.exe	127
PID 2408 wrote to memory of 1520	2408	$77SecurityHealthSystray.exe.exe	127
PID 2408 wrote to memory of 2768	2408	$77SecurityHealthSystray.exe.exe	129
PID 2408 wrote to memory of 2768	2408	$77SecurityHealthSystray.exe.exe	129
PID 2408 wrote to memory of 4416	2408	$77SecurityHealthSystray.exe.exe	131
PID 2408 wrote to memory of 4416	2408	$77SecurityHealthSystray.exe.exe	131
PID 2408 wrote to memory of 232	2408	$77SecurityHealthSystray.exe.exe	133
PID 2408 wrote to memory of 232	2408	$77SecurityHealthSystray.exe.exe	133
PID 2408 wrote to memory of 532	2408	$77SecurityHealthSystray.exe.exe	135
PID 2408 wrote to memory of 532	2408	$77SecurityHealthSystray.exe.exe	135
PID 2408 wrote to memory of 116	2408	$77SecurityHealthSystray.exe.exe	137
PID 2408 wrote to memory of 116	2408	$77SecurityHealthSystray.exe.exe	137
PID 2408 wrote to memory of 3936	2408	$77SecurityHealthSystray.exe.exe	139
PID 2408 wrote to memory of 3936	2408	$77SecurityHealthSystray.exe.exe	139
PID 2408 wrote to memory of 4496	2408	$77SecurityHealthSystray.exe.exe	141
PID 2408 wrote to memory of 4496	2408	$77SecurityHealthSystray.exe.exe	141
PID 2408 wrote to memory of 5008	2408	$77SecurityHealthSystray.exe.exe	143
PID 2408 wrote to memory of 5008	2408	$77SecurityHealthSystray.exe.exe	143
PID 2408 wrote to memory of 3968	2408	$77SecurityHealthSystray.exe.exe	145
PID 2408 wrote to memory of 3968	2408	$77SecurityHealthSystray.exe.exe	145
PID 2408 wrote to memory of 4624	2408	$77SecurityHealthSystray.exe.exe	147
PID 2408 wrote to memory of 4624	2408	$77SecurityHealthSystray.exe.exe	147
PID 2408 wrote to memory of 4664	2408	$77SecurityHealthSystray.exe.exe	149
PID 2408 wrote to memory of 4664	2408	$77SecurityHealthSystray.exe.exe	149
PID 2408 wrote to memory of 1076	2408	$77SecurityHealthSystray.exe.exe	151
PID 2408 wrote to memory of 1076	2408	$77SecurityHealthSystray.exe.exe	151
PID 2408 wrote to memory of 2636	2408	$77SecurityHealthSystray.exe.exe	153
PID 2408 wrote to memory of 2636	2408	$77SecurityHealthSystray.exe.exe	153
PID 2408 wrote to memory of 412	2408	$77SecurityHealthSystray.exe.exe	155
PID 2408 wrote to memory of 412	2408	$77SecurityHealthSystray.exe.exe	155
PID 2408 wrote to memory of 4952	2408	$77SecurityHealthSystray.exe.exe	157
PID 2408 wrote to memory of 4952	2408	$77SecurityHealthSystray.exe.exe	157
PID 2408 wrote to memory of 1104	2408	$77SecurityHealthSystray.exe.exe	159
PID 2408 wrote to memory of 1104	2408	$77SecurityHealthSystray.exe.exe	159
PID 2408 wrote to memory of 2084	2408	$77SecurityHealthSystray.exe.exe	161
PID 2408 wrote to memory of 2084	2408	$77SecurityHealthSystray.exe.exe	161
PID 2408 wrote to memory of 4932	2408	$77SecurityHealthSystray.exe.exe	163
PID 2408 wrote to memory of 4932	2408	$77SecurityHealthSystray.exe.exe	163
PID 2408 wrote to memory of 2244	2408	$77SecurityHealthSystray.exe.exe	165
PID 2408 wrote to memory of 2244	2408	$77SecurityHealthSystray.exe.exe	165

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4288	attrib.exe
4332	attrib.exe

C:\Users\Admin\AppData\Local\Temp\SilverClient.exe
"C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\root"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:4288
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\root\$77SecurityHealthSystray.exe.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:4332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE86C.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2668
- - C:\Users\Admin\root\$77SecurityHealthSystray.exe.exe
    "C:\Users\Admin\root\$77SecurityHealthSystray.exe.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN $77SecurityHealthSystray.exe.exe
      4⤵
      PID:1188
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /Create /SC ONCE /TN "$77SecurityHealthSystray.exe.exe" /TR "C:\Users\Admin\root\$77SecurityHealthSystray.exe.exe \"\$77SecurityHealthSystray.exe.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2920
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN $77SecurityHealthSystray.exe.exe
      4⤵
      PID:1592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:400
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "SecurityHealthSystray.exe_Task-HOURLY-01" /tr "%MyFile%" /st 00:00
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2812
  - - C:\Windows\SYSTEM32\Cmd.exe
      "Cmd"
      4⤵
      PID:4420
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1520
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4416
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:532
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:116
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3936
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5008
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4624
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1076
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:412
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1104
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4932
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4780
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2248
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5144
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5312
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5476
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5836
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5976
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4300
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6076
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2712
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6312
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6416
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6672
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6828
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7096
    - - C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7096" "2456" "2056" "2460" "0" "0" "2464" "0" "0" "0" "0" "0"
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:9648
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6720
    - - C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6720" "2460" "2400" "2464" "0" "0" "2468" "0" "0" "0" "0" "0"
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:8900
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6356
    - - C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6356" "2536" "2508" "2540" "0" "0" "2544" "0" "0" "0" "0" "0"
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:9076
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7228
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7344
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7512
    - - C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7512" "2644" "2536" "2648" "0" "0" "2652" "0" "0" "0" "0" "0"
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:7712
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7620
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7748
    - - C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7748" "2668" "2596" "2672" "0" "0" "2676" "0" "0" "0" "0" "0"
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:9012
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7964
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8104
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7184
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6272
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8240
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8424
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8492
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8680
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8872
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:9128
    - - C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "9128" "2432" "2360" "2436" "0" "0" "2440" "0" "0" "0" "0" "0"
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:9480
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8264
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7276
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8636
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:9484
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:9676
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:9872
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:10148

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4360

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

14.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.160.190.20.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

speed-janet.gl.at.ply.gg

$77SecurityHealthSystray.exe.exe

Remote address:

8.8.8.8:53

Request

speed-janet.gl.at.ply.gg

IN A

Response

speed-janet.gl.at.ply.gg

IN A

147.185.221.25
DNS

25.221.185.147.in-addr.arpa

Remote address:

8.8.8.8:53

Request

25.221.185.147.in-addr.arpa

IN PTR

Response
DNS

56.163.245.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.163.245.4.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response
DNS

fast.com

$77SecurityHealthSystray.exe.exe

Remote address:

8.8.8.8:53

Request

fast.com

IN A

Response

fast.com

IN A

104.124.161.107
GET

https://fast.com/

$77SecurityHealthSystray.exe.exe

Remote address:

104.124.161.107:443

Request

GET / HTTP/1.1
Host: fast.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

x-amz-id-2: 5xeFJ0C3BI9NJEqHaWCag/JCYyBvwd9bI1QPgoou1Pl2bhLRhQMJsPavFJ0T5X+pY9b7hC7T4FU=
x-amz-request-id: 1JCZCVXYY4QMR4TH
Last-Modified: Wed, 04 Dec 2024 21:22:43 GMT
ETag: "1b1d641cc8eeeaf906b5b6619f1ca1fe"
x-amz-server-side-encryption: AES256
x-amz-version-id: 5rgp8mxWCvpJo8mTPLjGrqHsu.OouizH
Content-Language: en
Accept-Ranges: bytes
Content-Type: text/html
Content-Length: 25888
Server: AmazonS3
Cache-Control: max-age=3551
Expires: Thu, 09 Jan 2025 12:31:37 GMT
Date: Thu, 09 Jan 2025 11:32:26 GMT
Connection: keep-alive
Vary: Accept-Language
Strict-Transport-Security: max-age=31536000
GET

https://fast.com//app-0bffe1.js

$77SecurityHealthSystray.exe.exe

Remote address:

104.124.161.107:443

Request

GET //app-0bffe1.js HTTP/1.1
Host: fast.com

Response

HTTP/1.1 200 OK

x-amz-id-2: dueD+i/JfeXxJFkx5IDA5Vr2cnVfsgsYn/eaeRMEBG1xF4LaA5zPV2dW511OyEVxoqhsqOB+1SY=
x-amz-request-id: 1JCXZ0B6JNA47G68
Last-Modified: Wed, 04 Dec 2024 21:22:26 GMT
ETag: "7dca38ddf02adeaf9daf00a90a523f44"
x-amz-server-side-encryption: AES256
x-amz-version-id: rfuYT79IYWucl2TmLCSLcz1KLy9aJDEl
Content-Language: en
Accept-Ranges: bytes
Content-Type: text/javascript
Content-Length: 133839
Server: AmazonS3
Cache-Control: max-age=1849842
Expires: Thu, 30 Jan 2025 21:23:08 GMT
Date: Thu, 09 Jan 2025 11:32:26 GMT
Connection: keep-alive
Strict-Transport-Security: max-age=31536000
DNS

api.fast.com

$77SecurityHealthSystray.exe.exe

Remote address:

8.8.8.8:53

Request

api.fast.com

IN A

Response

api.fast.com

IN CNAME

fast.dradis.netflix.com

fast.dradis.netflix.com

IN CNAME

fast.eu-west-1.internal.dradis.netflix.com

fast.eu-west-1.internal.dradis.netflix.com

IN CNAME

apiproxy-api-fast-vpc0-nlb-a96e4348fff0cfe7.elb.eu-west-1.amazonaws.com

apiproxy-api-fast-vpc0-nlb-a96e4348fff0cfe7.elb.eu-west-1.amazonaws.com

IN A

63.35.136.11

apiproxy-api-fast-vpc0-nlb-a96e4348fff0cfe7.elb.eu-west-1.amazonaws.com

IN A

34.249.148.94

apiproxy-api-fast-vpc0-nlb-a96e4348fff0cfe7.elb.eu-west-1.amazonaws.com

IN A

34.242.3.84
GET

https://api.fast.com/netflix/speedtest/?https=True&urlCount=5&token=YXNkZmFzZGxmbnNkYWZoYXNkZmhrYWxm

$77SecurityHealthSystray.exe.exe

Remote address:

63.35.136.11:443

Request

GET /netflix/speedtest/?https=True&urlCount=5&token=YXNkZmFzZGxmbnNkYWZoYXNkZmhrYWxm HTTP/1.1
Host: api.fast.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 552
Date: Thu, 09 Jan 2025 11:32:26 GMT
Via: 1.1 i-0527b0c2a61c862a8 (eu-west-1)
X-Originating-URL: https://api.fast.com/netflix/speedtest/?token=YXNkZmFzZGxmbnNkYWZoYXNkZmhrYWxm&https=True&urlCount=5
Set-Cookie: nfvdid=BQFmAAEBEEiR6oYSkKM7McebgSRGDeBA975B4BcWTFLuKihuGrdjOQKlN3bj9wouQEBxYrS-AKyQGxjCTCmGG0BjvUsd_YXWpjgLxH2oH-g9ZGFKpNDAuA%3D%3D; Domain=.netflix.com; Path=/; Max-Age=31536000
X-Netflix.nfstatus: 1_1
X-Netflix.proxy.execution-time: 129
GET

http://45.57.68.135/speedtest?c=gb&n=174&v=21&e=1736425947&t=e_7TnGiPUErhcX3cPcnUVRUpsX_UrLgk3EzwBw

$77SecurityHealthSystray.exe.exe

Remote address:

45.57.68.135:80

Request

GET /speedtest?c=gb&n=174&v=21&e=1736425947&t=e_7TnGiPUErhcX3cPcnUVRUpsX_UrLgk3EzwBw HTTP/1.1
Host: 45.57.68.135
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Jan 2025 11:32:27 GMT
Content-Type: application/octet-stream
Content-Length: 26214400
Last-Modified: Tue, 12 Nov 2024 17:14:56 GMT
Connection: keep-alive
Timing-Allow-Origin: *
Cache-Control: no-store
Pragma: no-cache
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-TCP-Info
X-TCP-Info: addr=181.215.176.83;port=51984;sc=
Accept-Ranges: bytes
DNS

107.161.124.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

107.161.124.104.in-addr.arpa

IN PTR

Response

107.161.124.104.in-addr.arpa

IN PTR

a104-124-161-107deploystaticakamaitechnologiescom
DNS

11.136.35.63.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.136.35.63.in-addr.arpa

IN PTR

Response

11.136.35.63.in-addr.arpa

IN PTR

ec2-63-35-136-11 eu-west-1compute amazonawscom
DNS

135.68.57.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

135.68.57.45.in-addr.arpa

IN PTR

Response

135.68.57.45.in-addr.arpa

IN PTR

ipv4-c098-nyc005-ix1oca nflxvideonet
GET

http://45.57.69.138/speedtest?c=gb&n=174&v=21&e=1736425947&t=p8CY9dHH-HZ6D1-kz83rG0fXbmUBvKgn9q0hqQ

$77SecurityHealthSystray.exe.exe

Remote address:

45.57.69.138:80

Request

GET /speedtest?c=gb&n=174&v=21&e=1736425947&t=p8CY9dHH-HZ6D1-kz83rG0fXbmUBvKgn9q0hqQ HTTP/1.1
Host: 45.57.69.138
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 Jan 2025 11:32:32 GMT
Content-Type: application/octet-stream
Content-Length: 26214400
Last-Modified: Tue, 12 Nov 2024 17:14:56 GMT
Connection: keep-alive
Timing-Allow-Origin: *
Cache-Control: no-store
Pragma: no-cache
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-TCP-Info
X-TCP-Info: addr=181.215.176.83;port=51987;sc=
Accept-Ranges: bytes
DNS

138.69.57.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.69.57.45.in-addr.arpa

IN PTR

Response

138.69.57.45.in-addr.arpa

IN PTR

ipv4-c112-nyc005-ix1oca nflxvideonet

147.185.221.25:2217

speed-janet.gl.at.ply.gg

tls

$77SecurityHealthSystray.exe.exe

29.6kB
765.4kB
452
719
147.185.221.25:2217

speed-janet.gl.at.ply.gg

tls

$77SecurityHealthSystray.exe.exe

268.8kB
7.3kB
270
162
147.185.221.25:2217

speed-janet.gl.at.ply.gg

tls

$77SecurityHealthSystray.exe.exe

37.1kB
3.3kB
50
39
147.185.221.25:2217

speed-janet.gl.at.ply.gg

tls

$77SecurityHealthSystray.exe.exe

2.4kB
733 B
18
14
147.185.221.25:2217

speed-janet.gl.at.ply.gg

tls

$77SecurityHealthSystray.exe.exe

891 B
653 B
8
7
147.185.221.25:7355

speed-janet.gl.at.ply.gg

$77SecurityHealthSystray.exe.exe

260 B
5
147.185.221.25:2217

speed-janet.gl.at.ply.gg

tls

$77SecurityHealthSystray.exe.exe

17.8kB
903.5kB
363
714
147.185.221.25:2217

speed-janet.gl.at.ply.gg

tls

$77SecurityHealthSystray.exe.exe

1.7kB
441 B
8
7
147.185.221.25:2217

speed-janet.gl.at.ply.gg

tls

$77SecurityHealthSystray.exe.exe

1.8kB
789 B
12
10
147.185.221.25:2217

speed-janet.gl.at.ply.gg

tls

$77SecurityHealthSystray.exe.exe

937 B
661 B
9
8
104.124.161.107:443

https://fast.com//app-0bffe1.js

tls, http

$77SecurityHealthSystray.exe.exe

3.5kB
170.1kB
67
127

HTTP Request

GET https://fast.com/

HTTP Response

200

HTTP Request

GET https://fast.com//app-0bffe1.js

HTTP Response

200
63.35.136.11:443

https://api.fast.com/netflix/speedtest/?https=True&urlCount=5&token=YXNkZmFzZGxmbnNkYWZoYXNkZmhrYWxm

tls, http

$77SecurityHealthSystray.exe.exe

747 B
5.2kB
7
7

HTTP Request

GET https://api.fast.com/netflix/speedtest/?https=True&urlCount=5&token=YXNkZmFzZGxmbnNkYWZoYXNkZmhrYWxm

HTTP Response

200
45.57.68.135:80

http://45.57.68.135/speedtest?c=gb&n=174&v=21&e=1736425947&t=e_7TnGiPUErhcX3cPcnUVRUpsX_UrLgk3EzwBw

http

$77SecurityHealthSystray.exe.exe

142.6kB
7.5MB
2993
5354

HTTP Request

GET http://45.57.68.135/speedtest?c=gb&n=174&v=21&e=1736425947&t=e_7TnGiPUErhcX3cPcnUVRUpsX_UrLgk3EzwBw

HTTP Response

200
45.57.69.138:80

http://45.57.69.138/speedtest?c=gb&n=174&v=21&e=1736425947&t=p8CY9dHH-HZ6D1-kz83rG0fXbmUBvKgn9q0hqQ

http

$77SecurityHealthSystray.exe.exe

62.9kB
3.0MB
1307
2181

HTTP Request

GET http://45.57.69.138/speedtest?c=gb&n=174&v=21&e=1736425947&t=p8CY9dHH-HZ6D1-kz83rG0fXbmUBvKgn9q0hqQ

HTTP Response

200
147.185.221.25:2217

speed-janet.gl.at.ply.gg

tls

$77SecurityHealthSystray.exe.exe

432 B
132 B
4
3

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

14.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.160.190.20.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

speed-janet.gl.at.ply.gg

dns

$77SecurityHealthSystray.exe.exe

70 B
86 B
1
1

DNS Request

speed-janet.gl.at.ply.gg

DNS Response

147.185.221.25
8.8.8.8:53

25.221.185.147.in-addr.arpa

dns

73 B
130 B
1
1

DNS Request

25.221.185.147.in-addr.arpa
8.8.8.8:53

56.163.245.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

56.163.245.4.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa
8.8.8.8:53

fast.com

dns

$77SecurityHealthSystray.exe.exe

54 B
70 B
1
1

DNS Request

fast.com

DNS Response

104.124.161.107
8.8.8.8:53

api.fast.com

dns

$77SecurityHealthSystray.exe.exe

58 B
260 B
1
1

DNS Request

api.fast.com

DNS Response

63.35.136.11

34.249.148.94

34.242.3.84
8.8.8.8:53

107.161.124.104.in-addr.arpa

dns

74 B
141 B
1
1

DNS Request

107.161.124.104.in-addr.arpa
8.8.8.8:53

11.136.35.63.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

11.136.35.63.in-addr.arpa
8.8.8.8:53

135.68.57.45.in-addr.arpa

dns

71 B
124 B
1
1

DNS Request

135.68.57.45.in-addr.arpa
8.8.8.8:53

138.69.57.45.in-addr.arpa

dns

71 B
124 B
1
1

DNS Request

138.69.57.45.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery