silverrat | 632afc11c1652f563a31015c766ce4d8f0d7ea34a5668511e7c08113e657cd3d

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	$77SecurityHealthSystray.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	SilverClient.exe

Executes dropped EXE 1 IoCs

pid	Process
2408	$77SecurityHealthSystray.exe.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
400	powershell.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\downloads\desktop.ini	$77SecurityHealthSystray.exe.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MBWHYVVlEJ.jpg"	$77SecurityHealthSystray.exe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2668	timeout.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2812	schtasks.exe
2920	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
5056	SilverClient.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
2408	$77SecurityHealthSystray.exe.exe
400	powershell.exe
400	powershell.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4360	taskmgr.exe
2408	$77SecurityHealthSystray.exe.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	5056	SilverClient.exe
Token: SeDebugPrivilege	4360	taskmgr.exe
Token: SeSystemProfilePrivilege	4360	taskmgr.exe
Token: SeCreateGlobalPrivilege	4360	taskmgr.exe
Token: SeDebugPrivilege	2408	$77SecurityHealthSystray.exe.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	3936	powershell.exe
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	5144	powershell.exe
Token: SeDebugPrivilege	5476	powershell.exe
Token: SeDebugPrivilege	5312	powershell.exe
Token: SeDebugPrivilege	5836	powershell.exe
Token: SeDebugPrivilege	5976	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	6076	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	6416	powershell.exe
Token: SeDebugPrivilege	6672	powershell.exe
Token: SeDebugPrivilege	6828	powershell.exe
Token: SeDebugPrivilege	7096	powershell.exe
Token: SeDebugPrivilege	6720	powershell.exe
Token: SeDebugPrivilege	6356	powershell.exe
Token: SeDebugPrivilege	7344	powershell.exe
Token: SeDebugPrivilege	7512	powershell.exe
Token: SeDebugPrivilege	7748	powershell.exe
Token: SeDebugPrivilege	7964	powershell.exe
Token: SeDebugPrivilege	7184	powershell.exe
Token: SeDebugPrivilege	6272	powershell.exe
Token: SeDebugPrivilege	8240	powershell.exe
Token: SeDebugPrivilege	8492	powershell.exe
Token: SeDebugPrivilege	8680	powershell.exe
Token: SeDebugPrivilege	8872	powershell.exe
Token: SeDebugPrivilege	7276	powershell.exe
Token: SeDebugPrivilege	9128	powershell.exe
Token: SeDebugPrivilege	8636	powershell.exe
Token: 33	4360	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4360	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe
4360	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2408	$77SecurityHealthSystray.exe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 4288	5056	SilverClient.exe	83
PID 5056 wrote to memory of 4288	5056	SilverClient.exe	83
PID 5056 wrote to memory of 4332	5056	SilverClient.exe	85
PID 5056 wrote to memory of 4332	5056	SilverClient.exe	85
PID 5056 wrote to memory of 4680	5056	SilverClient.exe	103
PID 5056 wrote to memory of 4680	5056	SilverClient.exe	103
PID 4680 wrote to memory of 2668	4680	cmd.exe	105
PID 4680 wrote to memory of 2668	4680	cmd.exe	105
PID 4680 wrote to memory of 2408	4680	cmd.exe	106
PID 4680 wrote to memory of 2408	4680	cmd.exe	106
PID 2408 wrote to memory of 1188	2408	$77SecurityHealthSystray.exe.exe	107
PID 2408 wrote to memory of 1188	2408	$77SecurityHealthSystray.exe.exe	107
PID 2408 wrote to memory of 2920	2408	$77SecurityHealthSystray.exe.exe	109
PID 2408 wrote to memory of 2920	2408	$77SecurityHealthSystray.exe.exe	109
PID 2408 wrote to memory of 1592	2408	$77SecurityHealthSystray.exe.exe	111
PID 2408 wrote to memory of 1592	2408	$77SecurityHealthSystray.exe.exe	111
PID 2408 wrote to memory of 400	2408	$77SecurityHealthSystray.exe.exe	113
PID 2408 wrote to memory of 400	2408	$77SecurityHealthSystray.exe.exe	113
PID 2408 wrote to memory of 2812	2408	$77SecurityHealthSystray.exe.exe	114
PID 2408 wrote to memory of 2812	2408	$77SecurityHealthSystray.exe.exe	114
PID 2408 wrote to memory of 4420	2408	$77SecurityHealthSystray.exe.exe	122
PID 2408 wrote to memory of 4420	2408	$77SecurityHealthSystray.exe.exe	122
PID 2408 wrote to memory of 4012	2408	$77SecurityHealthSystray.exe.exe	125
PID 2408 wrote to memory of 4012	2408	$77SecurityHealthSystray.exe.exe	125
PID 2408 wrote to memory of 1520	2408	$77SecurityHealthSystray.exe.exe	127
PID 2408 wrote to memory of 1520	2408	$77SecurityHealthSystray.exe.exe	127
PID 2408 wrote to memory of 2768	2408	$77SecurityHealthSystray.exe.exe	129
PID 2408 wrote to memory of 2768	2408	$77SecurityHealthSystray.exe.exe	129
PID 2408 wrote to memory of 4416	2408	$77SecurityHealthSystray.exe.exe	131
PID 2408 wrote to memory of 4416	2408	$77SecurityHealthSystray.exe.exe	131
PID 2408 wrote to memory of 232	2408	$77SecurityHealthSystray.exe.exe	133
PID 2408 wrote to memory of 232	2408	$77SecurityHealthSystray.exe.exe	133
PID 2408 wrote to memory of 532	2408	$77SecurityHealthSystray.exe.exe	135
PID 2408 wrote to memory of 532	2408	$77SecurityHealthSystray.exe.exe	135
PID 2408 wrote to memory of 116	2408	$77SecurityHealthSystray.exe.exe	137
PID 2408 wrote to memory of 116	2408	$77SecurityHealthSystray.exe.exe	137
PID 2408 wrote to memory of 3936	2408	$77SecurityHealthSystray.exe.exe	139
PID 2408 wrote to memory of 3936	2408	$77SecurityHealthSystray.exe.exe	139
PID 2408 wrote to memory of 4496	2408	$77SecurityHealthSystray.exe.exe	141
PID 2408 wrote to memory of 4496	2408	$77SecurityHealthSystray.exe.exe	141
PID 2408 wrote to memory of 5008	2408	$77SecurityHealthSystray.exe.exe	143
PID 2408 wrote to memory of 5008	2408	$77SecurityHealthSystray.exe.exe	143
PID 2408 wrote to memory of 3968	2408	$77SecurityHealthSystray.exe.exe	145
PID 2408 wrote to memory of 3968	2408	$77SecurityHealthSystray.exe.exe	145
PID 2408 wrote to memory of 4624	2408	$77SecurityHealthSystray.exe.exe	147
PID 2408 wrote to memory of 4624	2408	$77SecurityHealthSystray.exe.exe	147
PID 2408 wrote to memory of 4664	2408	$77SecurityHealthSystray.exe.exe	149
PID 2408 wrote to memory of 4664	2408	$77SecurityHealthSystray.exe.exe	149
PID 2408 wrote to memory of 1076	2408	$77SecurityHealthSystray.exe.exe	151
PID 2408 wrote to memory of 1076	2408	$77SecurityHealthSystray.exe.exe	151
PID 2408 wrote to memory of 2636	2408	$77SecurityHealthSystray.exe.exe	153
PID 2408 wrote to memory of 2636	2408	$77SecurityHealthSystray.exe.exe	153
PID 2408 wrote to memory of 412	2408	$77SecurityHealthSystray.exe.exe	155
PID 2408 wrote to memory of 412	2408	$77SecurityHealthSystray.exe.exe	155
PID 2408 wrote to memory of 4952	2408	$77SecurityHealthSystray.exe.exe	157
PID 2408 wrote to memory of 4952	2408	$77SecurityHealthSystray.exe.exe	157
PID 2408 wrote to memory of 1104	2408	$77SecurityHealthSystray.exe.exe	159
PID 2408 wrote to memory of 1104	2408	$77SecurityHealthSystray.exe.exe	159
PID 2408 wrote to memory of 2084	2408	$77SecurityHealthSystray.exe.exe	161
PID 2408 wrote to memory of 2084	2408	$77SecurityHealthSystray.exe.exe	161
PID 2408 wrote to memory of 4932	2408	$77SecurityHealthSystray.exe.exe	163
PID 2408 wrote to memory of 4932	2408	$77SecurityHealthSystray.exe.exe	163
PID 2408 wrote to memory of 2244	2408	$77SecurityHealthSystray.exe.exe	165
PID 2408 wrote to memory of 2244	2408	$77SecurityHealthSystray.exe.exe	165

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4288	attrib.exe
4332	attrib.exe

C:\Users\Admin\AppData\Local\Temp\SilverClient.exe
"C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\root"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:4288
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\root\$77SecurityHealthSystray.exe.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:4332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE86C.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2668
- - C:\Users\Admin\root\$77SecurityHealthSystray.exe.exe
    "C:\Users\Admin\root\$77SecurityHealthSystray.exe.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN $77SecurityHealthSystray.exe.exe
      4⤵
      PID:1188
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /Create /SC ONCE /TN "$77SecurityHealthSystray.exe.exe" /TR "C:\Users\Admin\root\$77SecurityHealthSystray.exe.exe \"\$77SecurityHealthSystray.exe.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2920
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN $77SecurityHealthSystray.exe.exe
      4⤵
      PID:1592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:400
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "SecurityHealthSystray.exe_Task-HOURLY-01" /tr "%MyFile%" /st 00:00
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2812
  - - C:\Windows\SYSTEM32\Cmd.exe
      "Cmd"
      4⤵
      PID:4420
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1520
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4416
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:532
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:116
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3936
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5008
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4624
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1076
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:412
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1104
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4932
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4780
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2248
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5144
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5312
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5476
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5836
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5976
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4300
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6076
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2712
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6312
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6416
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6672
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6828
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7096
    - - C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7096" "2456" "2056" "2460" "0" "0" "2464" "0" "0" "0" "0" "0"
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:9648
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6720
    - - C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6720" "2460" "2400" "2464" "0" "0" "2468" "0" "0" "0" "0" "0"
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:8900
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6356
    - - C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6356" "2536" "2508" "2540" "0" "0" "2544" "0" "0" "0" "0" "0"
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:9076
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7228
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7344
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7512
    - - C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7512" "2644" "2536" "2648" "0" "0" "2652" "0" "0" "0" "0" "0"
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:7712
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7620
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7748
    - - C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7748" "2668" "2596" "2672" "0" "0" "2676" "0" "0" "0" "0" "0"
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:9012
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7964
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8104
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7184
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6272
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8240
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8424
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8492
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8680
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8872
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:9128
    - - C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "9128" "2432" "2360" "2436" "0" "0" "2440" "0" "0" "0" "0" "0"
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:9480
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8264
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7276
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8636
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:9484
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:9676
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:9872
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:10148

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery