phorphiex | 4fa85000e62565501a8bfa3ad994fc6b18036bdb13b0554707a7b895df10f9a2

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe
Size

16.1MB
MD5

f14371b96093c609b697479c4a1eaac5
SHA1

5274a947d3833d08fad808d5ce2deeffe2765fe1
SHA256

4fa85000e62565501a8bfa3ad994fc6b18036bdb13b0554707a7b895df10f9a2
SHA512

a36adfc3367ed597015de263c61a12a5e337e69e752383bed0f88bece43d1ab074bb0b6d6ca67bbf2a774540785bbace795b4afcbd8e0a0a02f37e5f67548e80
SSDEEP

393216:HaXeImCdLacjZ5kbCkXExEK5s0srK5rqNkEbDST7:MhmMlNWbCwKe0s1bD

Score

10^/10

phorphiex xmrig evasion loader miner persistence trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

http://91.202.233.141/

http://193.233.132.177/

http://5.42.96.117/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv

rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw

bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3

bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3

Attributes

mutex
ax765638x6xa
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36

Signatures

Modifies security service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

F82B.exesyslmgrsvc.exewinblpsrcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	F82B.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	winblpsrcs.exe

Phorphiex payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\F82B.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2829512683.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

1213623399.exewupgrdsv.exe

description	pid	process	target process
PID 2956 created 3364	2956	1213623399.exe	Explorer.EXE
PID 2956 created 3364	2956	1213623399.exe	Explorer.EXE
PID 3284 created 3364	3284	wupgrdsv.exe	Explorer.EXE
PID 3284 created 3364	3284	wupgrdsv.exe	Explorer.EXE

Windows security bypass 2 TTPs 18 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

F82B.exesyslmgrsvc.exewinblpsrcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	F82B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winblpsrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winblpsrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	F82B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winblpsrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winblpsrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winblpsrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	F82B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	F82B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	F82B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winblpsrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	F82B.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\562a5174-3745-4253-bd75-2112bea76b5d.exe	INDICATOR_SUSPICIOUS_Binary_References_Browsers

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3284-168-0x00007FF7F8E40000-0x00007FF7F93B6000-memory.dmp	xmrig
behavioral2/memory/4440-188-0x00007FF735840000-0x00007FF73602F000-memory.dmp	xmrig
behavioral2/memory/4440-195-0x00007FF735840000-0x00007FF73602F000-memory.dmp	xmrig
behavioral2/memory/4440-202-0x00007FF735840000-0x00007FF73602F000-memory.dmp	xmrig
behavioral2/memory/4440-209-0x00007FF735840000-0x00007FF73602F000-memory.dmp	xmrig
behavioral2/memory/4440-212-0x00007FF735840000-0x00007FF73602F000-memory.dmp	xmrig
behavioral2/memory/4440-213-0x00007FF735840000-0x00007FF73602F000-memory.dmp	xmrig
behavioral2/memory/4440-216-0x00007FF735840000-0x00007FF73602F000-memory.dmp	xmrig
behavioral2/memory/4440-221-0x00007FF735840000-0x00007FF73602F000-memory.dmp	xmrig

Downloads MZ/PE file

Executes dropped EXE 21 IoCs

Processes:

F82B.exe562a5174-3745-4253-bd75-2112bea76b5d.exeE53.exe2829512683.exesyslmgrsvc.exe131385785.exe1640427011.exe2497829921.exe2836919196.exe2868321237.exe1213623399.exe1586810815.exe1873312399.exewinblpsrcs.exewupgrdsv.exe222492490.exe3146129908.exe1782026521.exe1866821328.exe1167413715.exe3150223490.exe

pid	process
1900	F82B.exe
3376	562a5174-3745-4253-bd75-2112bea76b5d.exe
820	E53.exe
1348	2829512683.exe
4896	syslmgrsvc.exe
1004	131385785.exe
4176	1640427011.exe
2984	2497829921.exe
4356	2836919196.exe
1948	2868321237.exe
2956	1213623399.exe
3192	1586810815.exe
2516	1873312399.exe
5112	winblpsrcs.exe
3284	wupgrdsv.exe
1312	222492490.exe
4456	3146129908.exe
1680	1782026521.exe
1564	1866821328.exe
4380	1167413715.exe
4048	3150223490.exe

Loads dropped DLL 3 IoCs

Processes:

regsvr32.exe562a5174-3745-4253-bd75-2112bea76b5d.exeDllHost.exe

pid process

2984 regsvr32.exe
3376 562a5174-3745-4253-bd75-2112bea76b5d.exe
2348 DllHost.exe

pid	process
2984	regsvr32.exe
3376	562a5174-3745-4253-bd75-2112bea76b5d.exe
2348	DllHost.exe

Windows security modification 2 TTPs 21 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

winblpsrcs.exeF82B.exesyslmgrsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winblpsrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	F82B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winblpsrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	F82B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	F82B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winblpsrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	winblpsrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winblpsrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	F82B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	F82B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winblpsrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	F82B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	F82B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winblpsrcs.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

F82B.exe2829512683.exe1873312399.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysvratrel.exe"	F82B.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysvratrel.exe"	F82B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syslmgrsvc.exe"	2829512683.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Windows\\winblpsrcs.exe"	1873312399.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wupgrdsv.exe

description pid process target process

PID 3284 set thread context of 4440 3284 wupgrdsv.exe notepad.exe

description	pid	process	target process
PID 3284 set thread context of 4440	3284	wupgrdsv.exe	notepad.exe

Drops file in Windows directory 6 IoCs

Processes:

2829512683.exe1873312399.exeF82B.exe

description	ioc	process
File created	C:\Windows\syslmgrsvc.exe	2829512683.exe
File opened for modification	C:\Windows\syslmgrsvc.exe	2829512683.exe
File created	C:\Windows\winblpsrcs.exe	1873312399.exe
File opened for modification	C:\Windows\winblpsrcs.exe	1873312399.exe
File created	C:\Windows\sysvratrel.exe	F82B.exe
File opened for modification	C:\Windows\sysvratrel.exe	F82B.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe562a5174-3745-4253-bd75-2112bea76b5d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54443D5A-BDB6-412F-BA96-89D201C48B58}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3749B415-C395-4119-A5D6-879ED1862936}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77CBCC35-1A76-49BA-A6C6-89CFC04A380E}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1CA50EA7-257C-431A-B135-3557D340775A}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	562a5174-3745-4253-bd75-2112bea76b5d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6EDC0D9F-1736-43A3-A4DA-4B4FD239227A}\ = "GeoIpStruct Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0EA5836-36DB-483D-9925-5B5E13830387}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{604C0BAB-BF6F-414D-BFB7-CD901BB2F1A9}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3749B415-C395-4119-A5D6-879ED1862936}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EB98134F-EADE-4ADC-95BF-587A5568918C}\TypeLib\ = "{C20E9433-7988-4F4D-83DC-DD01AFEA709F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0EA5836-36DB-483D-9925-5B5E13830387}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4806C689-4A64-443B-A0F3-D2607868FE31}\TypeLib\ = "{C20E9433-7988-4F4D-83DC-DD01AFEA709F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2860C0AD-EBCF-4D84-AB22-E6D16FB6DBA3}\ = "IOptionItemInfo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0EA5836-36DB-483D-9925-5B5E13830387}\InprocServer32\ = "C:\\ProgramData\\PDF Architect 8\\Installation\\Statistics.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E5F3B540-7B68-4A85-941F-D49F6428ABA8}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C20E9433-7988-4F4D-83DC-DD01AFEA709F}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44634B83-6440-460A-AA50-BA46D2E613F1}\ = "ICancelDataStruct"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B5F37043-6297-4DDD-9497-89510F7AC0F1}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5172A176-4A3B-488D-BEEF-7261637B49D0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6EDC0D9F-1736-43A3-A4DA-4B4FD239227A}\InprocServer32\ = "C:\\ProgramData\\PDF Architect 8\\Installation\\Statistics.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E5F3B540-7B68-4A85-941F-D49F6428ABA8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E5F3B540-7B68-4A85-941F-D49F6428ABA8}\InprocServer32\ = "C:\\ProgramData\\PDF Architect 8\\Installation\\Statistics.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{92049030-622C-4EC6-80C7-47A9A14775CA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A66DEC6-E2EF-4538-89B6-9BC6CB07DE47}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E77B33F9-61B9-4913-8BFE-12136791E21F}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4806C689-4A64-443B-A0F3-D2607868FE31}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4806C689-4A64-443B-A0F3-D2607868FE31}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CEFB9717-3FCB-49F1-B860-10A71F87A9B4}\TypeLib\ = "{C20E9433-7988-4F4D-83DC-DD01AFEA709F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B8A4468-88E2-45F1-AE44-E35B1B96AAB6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74077FEA-4703-46DE-8D11-DF02C8522F45}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D9FFF48-E815-46BA-9F83-9FC5D7E0ECAA}\TypeLib\ = "{C20E9433-7988-4F4D-83DC-DD01AFEA709F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B8A4468-88E2-45F1-AE44-E35B1B96AAB6}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A2B73845-2567-41E1-A349-36F902256EC8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AEFAF143-E08F-47B0-B3ED-569C0C0A42EB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DCC1187-5D8C-490A-8A26-E093D15009F1}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F83A792A-DFF2-4B37-9C94-3CD05AD921E2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3749B415-C395-4119-A5D6-879ED1862936}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C6B70917-D6C3-4C8C-9333-4F81C867D8CD}\ = "DownloadItemModule3_1 Class"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E5F3B540-7B68-4A85-941F-D49F6428ABA8}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{03F30963-27B0-4532-930E-82E999BE4FCA}\TypeLib\ = "{C20E9433-7988-4F4D-83DC-DD01AFEA709F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9D083AA-9230-4B30-854D-00A70A31E1CC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54443D5A-BDB6-412F-BA96-89D201C48B58}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AEFAF143-E08F-47B0-B3ED-569C0C0A42EB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92049030-622C-4EC6-80C7-47A9A14775CA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE5FBD85-3B41-4370-B4B4-67E49F455F2D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5172A176-4A3B-488D-BEEF-7261637B49D0}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E58DC2E-EF79-4EED-AD03-D7C0C6DD8F08}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DCC1187-5D8C-490A-8A26-E093D15009F1}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E876DC39-B292-4A7C-ADB7-A8A35C31DBCC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{715AC9D5-1BE4-4C6C-928E-4E5C21CF8D1C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E6F6EB8-BE33-44D8-8C4F-59E4BF7245A8}\InprocServer32\ = "C:\\ProgramData\\PDF Architect 8\\Installation\\Statistics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{03F30963-27B0-4532-930E-82E999BE4FCA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5071D282-CA64-4C10-A768-D65487224202}\TypeLib\ = "{C20E9433-7988-4F4D-83DC-DD01AFEA709F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9C33BF73-F324-4875-A394-C6408D67C6EA}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{604C0BAB-BF6F-414D-BFB7-CD901BB2F1A9}\InprocServer32\ = "C:\\ProgramData\\PDF Architect 8\\Installation\\Statistics.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44634B83-6440-460A-AA50-BA46D2E613F1}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE554E4A-F654-40D3-8D51-FED3B58803BE}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54443D5A-BDB6-412F-BA96-89D201C48B58}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AEFAF143-E08F-47B0-B3ED-569C0C0A42EB}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EB98134F-EADE-4ADC-95BF-587A5568918C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E77B33F9-61B9-4913-8BFE-12136791E21F}\TypeLib\ = "{C20E9433-7988-4F4D-83DC-DD01AFEA709F}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2832BE8A-B2B3-4C6E-BAD6-2064ADDCCC13}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{03F30963-27B0-4532-930E-82E999BE4FCA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2860C0AD-EBCF-4D84-AB22-E6D16FB6DBA3}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F83A792A-DFF2-4B37-9C94-3CD05AD921E2}\TypeLib\ = "{C20E9433-7988-4F4D-83DC-DD01AFEA709F}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

562a5174-3745-4253-bd75-2112bea76b5d.exe1213623399.exepowershell.exewupgrdsv.exepowershell.exe

pid	process
3376	562a5174-3745-4253-bd75-2112bea76b5d.exe
3376	562a5174-3745-4253-bd75-2112bea76b5d.exe
3376	562a5174-3745-4253-bd75-2112bea76b5d.exe
3376	562a5174-3745-4253-bd75-2112bea76b5d.exe
2956	1213623399.exe
2956	1213623399.exe
2340	powershell.exe
2340	powershell.exe
2340	powershell.exe
2956	1213623399.exe
2956	1213623399.exe
3284	wupgrdsv.exe
3284	wupgrdsv.exe
4252	powershell.exe
4252	powershell.exe
4252	powershell.exe
3284	wupgrdsv.exe
3284	wupgrdsv.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

syslmgrsvc.exe

pid process

4896 syslmgrsvc.exe

pid	process
656

pid	process
4896	syslmgrsvc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeIncreaseQuotaPrivilege	2340	powershell.exe
Token: SeSecurityPrivilege	2340	powershell.exe
Token: SeTakeOwnershipPrivilege	2340	powershell.exe
Token: SeLoadDriverPrivilege	2340	powershell.exe
Token: SeSystemProfilePrivilege	2340	powershell.exe
Token: SeSystemtimePrivilege	2340	powershell.exe
Token: SeProfSingleProcessPrivilege	2340	powershell.exe
Token: SeIncBasePriorityPrivilege	2340	powershell.exe
Token: SeCreatePagefilePrivilege	2340	powershell.exe
Token: SeBackupPrivilege	2340	powershell.exe
Token: SeRestorePrivilege	2340	powershell.exe
Token: SeShutdownPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeSystemEnvironmentPrivilege	2340	powershell.exe
Token: SeRemoteShutdownPrivilege	2340	powershell.exe
Token: SeUndockPrivilege	2340	powershell.exe
Token: SeManageVolumePrivilege	2340	powershell.exe
Token: 33	2340	powershell.exe
Token: 34	2340	powershell.exe
Token: 35	2340	powershell.exe
Token: 36	2340	powershell.exe
Token: SeIncreaseQuotaPrivilege	2340	powershell.exe
Token: SeSecurityPrivilege	2340	powershell.exe
Token: SeTakeOwnershipPrivilege	2340	powershell.exe
Token: SeLoadDriverPrivilege	2340	powershell.exe
Token: SeSystemProfilePrivilege	2340	powershell.exe
Token: SeSystemtimePrivilege	2340	powershell.exe
Token: SeProfSingleProcessPrivilege	2340	powershell.exe
Token: SeIncBasePriorityPrivilege	2340	powershell.exe
Token: SeCreatePagefilePrivilege	2340	powershell.exe
Token: SeBackupPrivilege	2340	powershell.exe
Token: SeRestorePrivilege	2340	powershell.exe
Token: SeShutdownPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeSystemEnvironmentPrivilege	2340	powershell.exe
Token: SeRemoteShutdownPrivilege	2340	powershell.exe
Token: SeUndockPrivilege	2340	powershell.exe
Token: SeManageVolumePrivilege	2340	powershell.exe
Token: 33	2340	powershell.exe
Token: 34	2340	powershell.exe
Token: 35	2340	powershell.exe
Token: 36	2340	powershell.exe
Token: SeIncreaseQuotaPrivilege	2340	powershell.exe
Token: SeSecurityPrivilege	2340	powershell.exe
Token: SeTakeOwnershipPrivilege	2340	powershell.exe
Token: SeLoadDriverPrivilege	2340	powershell.exe
Token: SeSystemProfilePrivilege	2340	powershell.exe
Token: SeSystemtimePrivilege	2340	powershell.exe
Token: SeProfSingleProcessPrivilege	2340	powershell.exe
Token: SeIncBasePriorityPrivilege	2340	powershell.exe
Token: SeCreatePagefilePrivilege	2340	powershell.exe
Token: SeBackupPrivilege	2340	powershell.exe
Token: SeRestorePrivilege	2340	powershell.exe
Token: SeShutdownPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeSystemEnvironmentPrivilege	2340	powershell.exe
Token: SeRemoteShutdownPrivilege	2340	powershell.exe
Token: SeUndockPrivilege	2340	powershell.exe
Token: SeManageVolumePrivilege	2340	powershell.exe
Token: 33	2340	powershell.exe
Token: 34	2340	powershell.exe
Token: 35	2340	powershell.exe
Token: 36	2340	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

562a5174-3745-4253-bd75-2112bea76b5d.exe

pid process

3376 562a5174-3745-4253-bd75-2112bea76b5d.exe
3376 562a5174-3745-4253-bd75-2112bea76b5d.exe
3376 562a5174-3745-4253-bd75-2112bea76b5d.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe562a5174-3745-4253-bd75-2112bea76b5d.exeF82B.exe2829512683.exesyslmgrsvc.exe2497829921.exe1873312399.exewupgrdsv.exewinblpsrcs.exe

description	pid	process	target process
PID 4292 wrote to memory of 1900	4292	2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe	F82B.exe
PID 4292 wrote to memory of 1900	4292	2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe	F82B.exe
PID 4292 wrote to memory of 1900	4292	2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe	F82B.exe
PID 4292 wrote to memory of 3376	4292	2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe	562a5174-3745-4253-bd75-2112bea76b5d.exe
PID 4292 wrote to memory of 3376	4292	2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe	562a5174-3745-4253-bd75-2112bea76b5d.exe
PID 4292 wrote to memory of 3376	4292	2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe	562a5174-3745-4253-bd75-2112bea76b5d.exe
PID 3376 wrote to memory of 820	3376	562a5174-3745-4253-bd75-2112bea76b5d.exe	E53.exe
PID 3376 wrote to memory of 820	3376	562a5174-3745-4253-bd75-2112bea76b5d.exe	E53.exe
PID 3376 wrote to memory of 820	3376	562a5174-3745-4253-bd75-2112bea76b5d.exe	E53.exe
PID 3376 wrote to memory of 2984	3376	562a5174-3745-4253-bd75-2112bea76b5d.exe	regsvr32.exe
PID 3376 wrote to memory of 2984	3376	562a5174-3745-4253-bd75-2112bea76b5d.exe	regsvr32.exe
PID 3376 wrote to memory of 2984	3376	562a5174-3745-4253-bd75-2112bea76b5d.exe	regsvr32.exe
PID 1900 wrote to memory of 1348	1900	F82B.exe	2829512683.exe
PID 1900 wrote to memory of 1348	1900	F82B.exe	2829512683.exe
PID 1900 wrote to memory of 1348	1900	F82B.exe	2829512683.exe
PID 1348 wrote to memory of 4896	1348	2829512683.exe	syslmgrsvc.exe
PID 1348 wrote to memory of 4896	1348	2829512683.exe	syslmgrsvc.exe
PID 1348 wrote to memory of 4896	1348	2829512683.exe	syslmgrsvc.exe
PID 1900 wrote to memory of 1004	1900	F82B.exe	131385785.exe
PID 1900 wrote to memory of 1004	1900	F82B.exe	131385785.exe
PID 1900 wrote to memory of 1004	1900	F82B.exe	131385785.exe
PID 4896 wrote to memory of 4176	4896	syslmgrsvc.exe	1640427011.exe
PID 4896 wrote to memory of 4176	4896	syslmgrsvc.exe	1640427011.exe
PID 4896 wrote to memory of 4176	4896	syslmgrsvc.exe	1640427011.exe
PID 1900 wrote to memory of 2984	1900	F82B.exe	2497829921.exe
PID 1900 wrote to memory of 2984	1900	F82B.exe	2497829921.exe
PID 1900 wrote to memory of 2984	1900	F82B.exe	2497829921.exe
PID 4896 wrote to memory of 4356	4896	syslmgrsvc.exe	2836919196.exe
PID 4896 wrote to memory of 4356	4896	syslmgrsvc.exe	2836919196.exe
PID 4896 wrote to memory of 4356	4896	syslmgrsvc.exe	2836919196.exe
PID 1900 wrote to memory of 1948	1900	F82B.exe	2868321237.exe
PID 1900 wrote to memory of 1948	1900	F82B.exe	2868321237.exe
PID 1900 wrote to memory of 1948	1900	F82B.exe	2868321237.exe
PID 2984 wrote to memory of 2956	2984	2497829921.exe	1213623399.exe
PID 2984 wrote to memory of 2956	2984	2497829921.exe	1213623399.exe
PID 4896 wrote to memory of 3192	4896	syslmgrsvc.exe	1586810815.exe
PID 4896 wrote to memory of 3192	4896	syslmgrsvc.exe	1586810815.exe
PID 4896 wrote to memory of 3192	4896	syslmgrsvc.exe	1586810815.exe
PID 1900 wrote to memory of 2516	1900	F82B.exe	1873312399.exe
PID 1900 wrote to memory of 2516	1900	F82B.exe	1873312399.exe
PID 1900 wrote to memory of 2516	1900	F82B.exe	1873312399.exe
PID 2516 wrote to memory of 5112	2516	1873312399.exe	winblpsrcs.exe
PID 2516 wrote to memory of 5112	2516	1873312399.exe	winblpsrcs.exe
PID 2516 wrote to memory of 5112	2516	1873312399.exe	winblpsrcs.exe
PID 4896 wrote to memory of 1312	4896	syslmgrsvc.exe	222492490.exe
PID 4896 wrote to memory of 1312	4896	syslmgrsvc.exe	222492490.exe
PID 4896 wrote to memory of 1312	4896	syslmgrsvc.exe	222492490.exe
PID 3284 wrote to memory of 4440	3284	wupgrdsv.exe	notepad.exe
PID 5112 wrote to memory of 4456	5112	winblpsrcs.exe	3146129908.exe
PID 5112 wrote to memory of 4456	5112	winblpsrcs.exe	3146129908.exe
PID 5112 wrote to memory of 4456	5112	winblpsrcs.exe	3146129908.exe
PID 4896 wrote to memory of 1680	4896	syslmgrsvc.exe	1782026521.exe
PID 4896 wrote to memory of 1680	4896	syslmgrsvc.exe	1782026521.exe
PID 4896 wrote to memory of 1680	4896	syslmgrsvc.exe	1782026521.exe
PID 5112 wrote to memory of 1564	5112	winblpsrcs.exe	1866821328.exe
PID 5112 wrote to memory of 1564	5112	winblpsrcs.exe	1866821328.exe
PID 5112 wrote to memory of 1564	5112	winblpsrcs.exe	1866821328.exe
PID 5112 wrote to memory of 4380	5112	winblpsrcs.exe	1167413715.exe
PID 5112 wrote to memory of 4380	5112	winblpsrcs.exe	1167413715.exe
PID 5112 wrote to memory of 4380	5112	winblpsrcs.exe	1167413715.exe
PID 5112 wrote to memory of 4048	5112	winblpsrcs.exe	3150223490.exe
PID 5112 wrote to memory of 4048	5112	winblpsrcs.exe	3150223490.exe
PID 5112 wrote to memory of 4048	5112	winblpsrcs.exe	3150223490.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3364
- C:\Users\Admin\AppData\Local\Temp\2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-06-10_f14371b96093c609b697479c4a1eaac5_avoslocker_magniber_revil.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4292
- - C:\Users\Admin\AppData\Local\Temp\F82B.exe
    "C:\Users\Admin\AppData\Local\Temp\F82B.exe"
    3⤵
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\2829512683.exe
      C:\Users\Admin\AppData\Local\Temp\2829512683.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:1348
    - - C:\Windows\syslmgrsvc.exe
        
        C:\Windows\syslmgrsvc.exe
        5⤵
        Modifies security service
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: SetClipboardViewer
        Suspicious use of WriteProcessMemory
        
        PID:4896
      - C:\Users\Admin\AppData\Local\Temp\1640427011.exe
        
        C:\Users\Admin\AppData\Local\Temp\1640427011.exe
        6⤵
        Executes dropped EXE
        
        PID:4176
      - C:\Users\Admin\AppData\Local\Temp\2836919196.exe
        
        C:\Users\Admin\AppData\Local\Temp\2836919196.exe
        6⤵
        Executes dropped EXE
        
        PID:4356
      - C:\Users\Admin\AppData\Local\Temp\1586810815.exe
        
        C:\Users\Admin\AppData\Local\Temp\1586810815.exe
        6⤵
        Executes dropped EXE
        
        PID:3192
      - C:\Users\Admin\AppData\Local\Temp\222492490.exe
        
        C:\Users\Admin\AppData\Local\Temp\222492490.exe
        6⤵
        Executes dropped EXE
        
        PID:1312
      - C:\Users\Admin\AppData\Local\Temp\1782026521.exe
        
        C:\Users\Admin\AppData\Local\Temp\1782026521.exe
        6⤵
        Executes dropped EXE
        
        PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\131385785.exe
      C:\Users\Admin\AppData\Local\Temp\131385785.exe
      4⤵
      Executes dropped EXE
      PID:1004
  - - C:\Users\Admin\AppData\Local\Temp\2497829921.exe
      C:\Users\Admin\AppData\Local\Temp\2497829921.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2984
    - - C:\Users\Admin\AppData\Local\Temp\1213623399.exe
        
        C:\Users\Admin\AppData\Local\Temp\1213623399.exe
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\2868321237.exe
      C:\Users\Admin\AppData\Local\Temp\2868321237.exe
      4⤵
      Executes dropped EXE
      PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\1873312399.exe
      C:\Users\Admin\AppData\Local\Temp\1873312399.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Windows\winblpsrcs.exe
        
        C:\Windows\winblpsrcs.exe
        5⤵
        Modifies security service
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Suspicious use of WriteProcessMemory
        
        PID:5112
      - C:\Users\Admin\AppData\Local\Temp\3146129908.exe
        
        C:\Users\Admin\AppData\Local\Temp\3146129908.exe
        6⤵
        Executes dropped EXE
        
        PID:4456
      - C:\Users\Admin\AppData\Local\Temp\1866821328.exe
        
        C:\Users\Admin\AppData\Local\Temp\1866821328.exe
        6⤵
        Executes dropped EXE
        
        PID:1564
      - C:\Users\Admin\AppData\Local\Temp\1167413715.exe
        
        C:\Users\Admin\AppData\Local\Temp\1167413715.exe
        6⤵
        Executes dropped EXE
        
        PID:4380
      - C:\Users\Admin\AppData\Local\Temp\3150223490.exe
        
        C:\Users\Admin\AppData\Local\Temp\3150223490.exe
        6⤵
        Executes dropped EXE
        
        PID:4048
- - C:\Users\Admin\AppData\Local\Temp\562a5174-3745-4253-bd75-2112bea76b5d.exe
    C:\Users\Admin\AppData\Local\Temp\562a5174-3745-4253-bd75-2112bea76b5d.exe /update=start
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3376
  - - C:\Users\Admin\AppData\Local\Temp\E53.exe
      "C:\Users\Admin\AppData\Local\Temp\E53.exe"
      4⤵
      Executes dropped EXE
      PID:820
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\ProgramData\PDF Architect 8\Installation\Statistics.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:2984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
  2⤵
  PID:4308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4252
- C:\Windows\System32\notepad.exe
  C:\Windows\System32\notepad.exe
  2⤵
  PID:4440

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{43AA5A41-DF5E-43C1-96E9-82917AF857D6}
1⤵
- Loads dropped DLL
PID:2348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4484 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:5004

C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
"C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\PDF Architect 8\Installation\Statistics.dll

Filesize
2.7MB

MD5
5ba200ea982b2e3e58eaf4099e35dfc4

SHA1
88101e0db52a4b9164ecf2d8689f3ab2a148f8a8

SHA256
7173f4282531a73991171ce00cb411f7eac7c123acc4814c7a08cd35a4016649

SHA512
d20ab79c0e5453ac919912308cb94ad9c6ed67a827c3038494bba2c3f02985d59f01c6586c5c19918ff78a4f46528bd99502f54db8ecdf722b331eccd6e37f3c

Download Submit
C:\ProgramData\PDF Architect 8\Installation\common-data.dat

Filesize
631B

MD5
77d79d68a6c3f63241e322ba3ca38bc5

SHA1
4f15553e0fe7bff7913c353bf77f0c60ad339f0e

SHA256
bee57ab741bbf4fdf4529df006db42a862c8f1f4cf3069c77661f41f3a4b6e21

SHA512
e46af8c2d48c97940e6767d744b6d8cbee3ce16e4e26ba8fb54341311aedd4ceb72d4ee3aead8e43f235181feb3f59befb2f133300858bb3655df0b5a40de436

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
5563b3a80c29851fdc23ac15a51f4465

SHA1
c396ab4b7021d35191755a236058bea7eca8dc6b

SHA256
da725244df230f451bb9e10e719b618a618245474a9fd9907303c6a1b4306283

SHA512
61893b080c2f677ac700eb4a1ae8d4200a413ef57045261a4192ad1908bff8d4ec6d7cd6e3faeca0e7bf1fe28c9348081653b56d2d31bc8aa747bdea9d4ddf18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
a6cf9d156c0a6bcb6c4245b2f4036a84

SHA1
97c9930c07731d393d446ab9feac65db817ca97f

SHA256
9698d2dbb1fa3149f97809cf88d8cb8d4f33aa4edd38aaad55cade6dcdd1d275

SHA512
2f8dde688853905cdcd2f94336187811319775a1b783d4e7d78575db9827cb596b68fbf50f53f812810f1ed097e97c01b2b52f08d684b1ae1ea80184b836d899

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
399048daec09a38e58edfb910412e5fc

SHA1
768c7ca65451efccceba002894c8b6aaffd955a6

SHA256
b8256c5117a65b6c4fbdb55008b287d3697e58a1077032eb1400d59db66dfc7f

SHA512
74b939801f561b282455b91f5323146d24fbb92177eec1d0d10ef321530604114aabe74501e2673bf8e26bc38381376efcdb6cdd7a79bc68b4578c808402a8d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
fee026663fcb662152188784794028ee

SHA1
3c02a26a9cb16648fad85c6477b68ced3cb0cb45

SHA256
dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b

SHA512
7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b07006e57b8aec31047596deb0dd0883

SHA1
34f0cb0205478c43560e3aa59808318b7189b938

SHA256
fd43235729e0374afdc358a5f9d55d344ee094dd09f0d7db0e73cf7bdf99345c

SHA512
0619dd0eb492405257071cafd6c4cc1dd60a1250f49b255fc88cf64a6c5f87533f709b9c3b4b1fa1b9a2b38ff3071a32a608c34c35c7d9b5e9bb5e5ee5002bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1167413715.exe

Filesize
8KB

MD5
9b8a3fb66b93c24c52e9c68633b00f37

SHA1
2a9290e32d1582217eac32b977961ada243ada9a

SHA256
8a169cf165f635ecb6c55cacecb2c202c5fc6ef5fa82ec9cdb7d4b0300f35293

SHA512
117da1ec9850212e4cafce6669c2cfffc8078627f5c3ccdfd6a1bf3bee2d351290071087a4c206578d23852fa5e69c2ebefd71905c85b1eaed4220932bb71a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\1213623399.exe

Filesize
5.4MB

MD5
41ab08c1955fce44bfd0c76a64d1945a

SHA1
2b9cb05f4de5d98c541d15175d7f0199cbdd0eea

SHA256
dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493

SHA512
38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116

Download Submit
C:\Users\Admin\AppData\Local\Temp\131385785.exe

Filesize
7KB

MD5
77eed2bbe1769686fbfaba7c0fca9f79

SHA1
d70bbf046b40f09420aa8938dcb49890db48f976

SHA256
94084872fe25303309a1a35fadae3b75ae99c9ffb94926e1c7640f8d3469d0e2

SHA512
e3e0d1d4f25553c13343bd80e59fcdfc690c20605f8ade8e86ba0eef9a6d20249f9f8f46b5fde494e781b2dcc28cc00c7143f8e425d8edcf2dfa6a2a03b89ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1873312399.exe

Filesize
18KB

MD5
0aed3b7eae97833e810814ba810efce0

SHA1
b9de8d683d2b7193928c38bd7b92312d22d1968e

SHA256
a5b313b71318ae8e71ee73810fc385e7f73e64fd0109d450fa88b1775ca8d462

SHA512
f7fd73beecac1f4ee4d4af813b32088933770154814c4dd40b1c413fd135ff9c7be5e0d9a2e1c99d8bfcf51c764cb4265bfaa0bc370bd3b3ef4e06a7b06b5a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\2158818245.exe

Filesize
86KB

MD5
fe1e93f12cca3f7c0c897ef2084e1778

SHA1
fb588491ddad8b24ea555a6a2727e76cec1fade3

SHA256
2ebc4a92f4fdc27d4ab56e57058575a8b18adb076cbd30feea2ecdc8b7fcd41f

SHA512
36e0524c465187ae9ad207c724aee45bcd61cfd3fa66a79f9434d24fcbadc0a743834d5e808e6041f3bd88e75deb5afd34193574f005ed97e4b17c6b0388cb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\222492490.exe

Filesize
11KB

MD5
5c2f49dd60a69e1d1aaa39f872551585

SHA1
bdd4b2cafa1779cf61c7badfb7833ee4c953efad

SHA256
babf2231a52bfe5c7dbd026f80ce2494811ec706637d13c24eeca071e23f35d2

SHA512
46f3845c05d710ae5084fd6aabce9be7c2c8b0dd7a0b65472a5a736f7bbeb1f4904093ff29d03463008f8d77905ec4c940a7e3a3b124c937ebf3251c332164c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2497829921.exe

Filesize
10KB

MD5
c8cf446ead193a3807472fbd294c5f23

SHA1
2162f28c919222f75ce5f52e4bb1155255ae5368

SHA256
e5d12658a690c62af7d4fc7b26735affc7210e3bfb6b2241de1bf90aebdc0717

SHA512
fc94014fabf204ecd57990db4b05b81cbda0a314b621cbfa755296ddf5493ec55fb129d12eff5f92863d9f1d7fea679dc2aeb62baf898791448cb4fe34b595c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2829512683.exe

Filesize
93KB

MD5
a318cc45e79498b93e40d5e5b9b76be4

SHA1
4ebc9969cc3c330741c377e22a5fb0cdb8ce5fd5

SHA256
4b4e596641d0dd9eece8a24556fd1246056cbc315a79675a7400927858bbd7c2

SHA512
3131d627837a3cafdf532173ccadd4beff933ee3d5e050366153434b1394c4d57056b4d273ddb826a1a0478caa83e1f6e095e83366102ae1d3705ab2d3ec0e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2836919196.exe

Filesize
7KB

MD5
6d6a422ab4089b5ec720116896855ce0

SHA1
50135863b6aa807a29c03d8dd82348f937614b21

SHA256
368927939220e40d7df53e1727616f59c0853c50f86fd692359b1a840375e525

SHA512
46fff8cd702e9afa35ff0c5c50adb13da1e69d81511293b4973664c2fd166c27b86bf8513e1781da73064a9aa59518ea905fd844ec5fe863adffc2181a5f9337

Download Submit
C:\Users\Admin\AppData\Local\Temp\2868321237.exe

Filesize
11KB

MD5
cafd277c4132f5d0f202e7ea07a27d5c

SHA1
72c8c16a94cce56a3e01d91bc1276dafc65b351d

SHA256
e5162fa594811f0f01fc76f4acbd9fe99b2265df9cfcbc346023f28775c19f1e

SHA512
7c87d1dec61b78e0f223e8f9fec019d96509813fa6d96129289aab00b2d6f05bf91fe1fafd680b7d9e746f4c2c8cbe48a3028bcaad479048d00d79a19f71b196

Download Submit
C:\Users\Admin\AppData\Local\Temp\3146129908.exe

Filesize
8KB

MD5
87b22e975994246dc5b7c2a3adbf85a5

SHA1
1e6528987190f0f5188240cdac553388c39e8590

SHA256
17399263a05a9144c1571e8ef88175fd08c61a38e3fcb3a955279d4a2bb9a919

SHA512
58c33379879fc75679902d1fe3db0bf1c854151cb6e4bf10496a1d657a8778699be70976bd8bba1ddd3949b24b6ae44cbc0421dd0a8cea13ef5e00179d6599db

Download Submit
C:\Users\Admin\AppData\Local\Temp\562a5174-3745-4253-bd75-2112bea76b5d.exe

Filesize
16.1MB

MD5
f14371b96093c609b697479c4a1eaac5

SHA1
5274a947d3833d08fad808d5ce2deeffe2765fe1

SHA256
4fa85000e62565501a8bfa3ad994fc6b18036bdb13b0554707a7b895df10f9a2

SHA512
a36adfc3367ed597015de263c61a12a5e337e69e752383bed0f88bece43d1ab074bb0b6d6ca67bbf2a774540785bbace795b4afcbd8e0a0a02f37e5f67548e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\F82B.exe

Filesize
84KB

MD5
36010b83bccfcd1032971df9fc5082a1

SHA1
9967b83065e3ad82cd6c0c3b02cf08ab707fde3e

SHA256
99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98

SHA512
c8008923315d86c06b57e47d9bf81cec47cda0dec6d9f8aa57d7b4c57c7138997486a6f60eb0015bc99755afeb3d943bc8d9ba83dbb8c9219fa4990296de1def

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sb4rndwi.xq2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
d73cf76255ed3e90e72d98d28e8eddd3

SHA1
d58abac9bb8e4bb30cea4ef3ba7aa19186189fb5

SHA256
bfcb5f4589729deeeb57b92842933b144322a672cfe3ce11586f1aec83472781

SHA512
20ef064050ba23e5163435c595bc9c81422ca3b8ac82338ff965961a954bd9c0da9b13f489997015565908d1105784b712ccc2b3a478fe990e4b99e071bfa9b2

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
2beb5c1669fafb1f2d5f792335b8d9e7

SHA1
9769f22c73625c76061e01bf8eb9115ec9dce7c3

SHA256
ce0bc19d5f837e9f525339babc65a2db9771c10149e9533d9213a3e714925c0f

SHA512
44e73d48e2f82225d33ec5c5ffb179bee3056335ff7c6955e27db4e1bc47c8f9650afcf2a644b361a4c0bf3acc23e99f98d7f29a3b1ab39326b4b929c40dc584

Download Submit
memory/2340-117-0x00000219B45F0000-0x00000219B4612000-memory.dmp

Filesize
136KB

Download
memory/2956-129-0x00007FF7C6A40000-0x00007FF7C6FB6000-memory.dmp

Filesize
5.5MB

Download
memory/3284-168-0x00007FF7F8E40000-0x00007FF7F93B6000-memory.dmp

Filesize
5.5MB

Download
memory/4440-169-0x0000012359610000-0x0000012359630000-memory.dmp

Filesize
128KB

Download
memory/4440-195-0x00007FF735840000-0x00007FF73602F000-memory.dmp

Filesize
7.9MB

Download
memory/4440-202-0x00007FF735840000-0x00007FF73602F000-memory.dmp

Filesize
7.9MB

Download
memory/4440-209-0x00007FF735840000-0x00007FF73602F000-memory.dmp

Filesize
7.9MB

Download
memory/4440-212-0x00007FF735840000-0x00007FF73602F000-memory.dmp

Filesize
7.9MB

Download
memory/4440-213-0x00007FF735840000-0x00007FF73602F000-memory.dmp

Filesize
7.9MB

Download
memory/4440-188-0x00007FF735840000-0x00007FF73602F000-memory.dmp

Filesize
7.9MB

Download
memory/4440-216-0x00007FF735840000-0x00007FF73602F000-memory.dmp

Filesize
7.9MB

Download
memory/4440-221-0x00007FF735840000-0x00007FF73602F000-memory.dmp

Filesize
7.9MB

Download