phorphiex | hxxp://aefieiaehfiaehr[.]top/tdrpload[.]exe

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://aefieiaehfiaehr.top/tdrpload.exe

Score

10^/10

phorphiex xmrig evasion loader miner persistence trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

http://5.42.96.117/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv

rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw

bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3

bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3

Attributes

mutex
hh7788536a
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

tdrpload.exewinblrsnrcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	tdrpload.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	winblrsnrcs.exe

Phorphiex payload 1 IoCs

Processes:

resource	yara_rule
C:\Windows\sysblardsv.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

3887637993.exewupgrdsv.exe

description	pid	process	target process
PID 4484 created 3540	4484	3887637993.exe	Explorer.EXE
PID 4484 created 3540	4484	3887637993.exe	Explorer.EXE
PID 2708 created 3540	2708	wupgrdsv.exe	Explorer.EXE
PID 2708 created 3540	2708	wupgrdsv.exe	Explorer.EXE

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

winblrsnrcs.exetdrpload.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	tdrpload.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	tdrpload.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	tdrpload.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	tdrpload.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	tdrpload.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	tdrpload.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winblrsnrcs.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2708-77-0x00007FF68EE60000-0x00007FF68F3D6000-memory.dmp	xmrig
behavioral1/memory/2288-95-0x00007FF67E9F0000-0x00007FF67F1DF000-memory.dmp	xmrig
behavioral1/memory/2288-102-0x00007FF67E9F0000-0x00007FF67F1DF000-memory.dmp	xmrig
behavioral1/memory/2288-109-0x00007FF67E9F0000-0x00007FF67F1DF000-memory.dmp	xmrig
behavioral1/memory/2288-110-0x00007FF67E9F0000-0x00007FF67F1DF000-memory.dmp	xmrig
behavioral1/memory/2288-111-0x00007FF67E9F0000-0x00007FF67F1DF000-memory.dmp	xmrig
behavioral1/memory/2288-112-0x00007FF67E9F0000-0x00007FF67F1DF000-memory.dmp	xmrig
behavioral1/memory/2288-114-0x00007FF67E9F0000-0x00007FF67F1DF000-memory.dmp	xmrig
behavioral1/memory/2288-115-0x00007FF67E9F0000-0x00007FF67F1DF000-memory.dmp	xmrig

Downloads MZ/PE file

Executes dropped EXE 13 IoCs

Processes:

sysblardsv.exesysblardsv.exesysblardsv.exe442020686.exe2462411897.exe3887637993.exe228093112.exewupgrdsv.exe1838027143.exewinblrsnrcs.exe1678411850.exe2048933166.exe2158024530.exe

pid	process
2400	sysblardsv.exe
1692	sysblardsv.exe
1088	sysblardsv.exe
548	442020686.exe
1892	2462411897.exe
4484	3887637993.exe
852	228093112.exe
2708	wupgrdsv.exe
736	1838027143.exe
3784	winblrsnrcs.exe
4716	1678411850.exe
4284	2048933166.exe
4884	2158024530.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

winblrsnrcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winblrsnrcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winblrsnrcs.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1838027143.exetdrpload.exetdrpload.exetdrpload.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Windows\\winblrsnrcs.exe"	1838027143.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysblardsv.exe"	tdrpload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysblardsv.exe"	tdrpload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sysblardsv.exe"	tdrpload.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wupgrdsv.exe

description pid process target process

PID 2708 set thread context of 2288 2708 wupgrdsv.exe notepad.exe

description	pid	process	target process
PID 2708 set thread context of 2288	2708	wupgrdsv.exe	notepad.exe

Drops file in Windows directory 7 IoCs

Processes:

1838027143.exetdrpload.exetdrpload.exetdrpload.exetdrpload.exe

description	ioc	process
File created	C:\Windows\winblrsnrcs.exe	1838027143.exe
File opened for modification	C:\Windows\winblrsnrcs.exe	1838027143.exe
File created	C:\Windows\sysblardsv.exe	tdrpload.exe
File opened for modification	C:\Windows\sysblardsv.exe	tdrpload.exe
File created	C:\Windows\sysblardsv.exe	tdrpload.exe
File created	C:\Windows\sysblardsv.exe	tdrpload.exe
File created	C:\Windows\sysblardsv.exe	tdrpload.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

3887637993.exepowershell.exewupgrdsv.exepowershell.exe

pid	process
4484	3887637993.exe
4484	3887637993.exe
2652	powershell.exe
2652	powershell.exe
2652	powershell.exe
4484	3887637993.exe
4484	3887637993.exe
2708	wupgrdsv.exe
2708	wupgrdsv.exe
3392	powershell.exe
3392	powershell.exe
3392	powershell.exe
2708	wupgrdsv.exe
2708	wupgrdsv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeIncreaseQuotaPrivilege	2652	powershell.exe
Token: SeSecurityPrivilege	2652	powershell.exe
Token: SeTakeOwnershipPrivilege	2652	powershell.exe
Token: SeLoadDriverPrivilege	2652	powershell.exe
Token: SeSystemProfilePrivilege	2652	powershell.exe
Token: SeSystemtimePrivilege	2652	powershell.exe
Token: SeProfSingleProcessPrivilege	2652	powershell.exe
Token: SeIncBasePriorityPrivilege	2652	powershell.exe
Token: SeCreatePagefilePrivilege	2652	powershell.exe
Token: SeBackupPrivilege	2652	powershell.exe
Token: SeRestorePrivilege	2652	powershell.exe
Token: SeShutdownPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeSystemEnvironmentPrivilege	2652	powershell.exe
Token: SeRemoteShutdownPrivilege	2652	powershell.exe
Token: SeUndockPrivilege	2652	powershell.exe
Token: SeManageVolumePrivilege	2652	powershell.exe
Token: 33	2652	powershell.exe
Token: 34	2652	powershell.exe
Token: 35	2652	powershell.exe
Token: 36	2652	powershell.exe
Token: SeIncreaseQuotaPrivilege	2652	powershell.exe
Token: SeSecurityPrivilege	2652	powershell.exe
Token: SeTakeOwnershipPrivilege	2652	powershell.exe
Token: SeLoadDriverPrivilege	2652	powershell.exe
Token: SeSystemProfilePrivilege	2652	powershell.exe
Token: SeSystemtimePrivilege	2652	powershell.exe
Token: SeProfSingleProcessPrivilege	2652	powershell.exe
Token: SeIncBasePriorityPrivilege	2652	powershell.exe
Token: SeCreatePagefilePrivilege	2652	powershell.exe
Token: SeBackupPrivilege	2652	powershell.exe
Token: SeRestorePrivilege	2652	powershell.exe
Token: SeShutdownPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeSystemEnvironmentPrivilege	2652	powershell.exe
Token: SeRemoteShutdownPrivilege	2652	powershell.exe
Token: SeUndockPrivilege	2652	powershell.exe
Token: SeManageVolumePrivilege	2652	powershell.exe
Token: 33	2652	powershell.exe
Token: 34	2652	powershell.exe
Token: 35	2652	powershell.exe
Token: 36	2652	powershell.exe
Token: SeIncreaseQuotaPrivilege	2652	powershell.exe
Token: SeSecurityPrivilege	2652	powershell.exe
Token: SeTakeOwnershipPrivilege	2652	powershell.exe
Token: SeLoadDriverPrivilege	2652	powershell.exe
Token: SeSystemProfilePrivilege	2652	powershell.exe
Token: SeSystemtimePrivilege	2652	powershell.exe
Token: SeProfSingleProcessPrivilege	2652	powershell.exe
Token: SeIncBasePriorityPrivilege	2652	powershell.exe
Token: SeCreatePagefilePrivilege	2652	powershell.exe
Token: SeBackupPrivilege	2652	powershell.exe
Token: SeRestorePrivilege	2652	powershell.exe
Token: SeShutdownPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeSystemEnvironmentPrivilege	2652	powershell.exe
Token: SeRemoteShutdownPrivilege	2652	powershell.exe
Token: SeUndockPrivilege	2652	powershell.exe
Token: SeManageVolumePrivilege	2652	powershell.exe
Token: 33	2652	powershell.exe
Token: 34	2652	powershell.exe
Token: 35	2652	powershell.exe
Token: 36	2652	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

tdrpload.exetdrpload.exetdrpload.exetdrpload.exe2462411897.exewupgrdsv.exe1838027143.exewinblrsnrcs.exe

description	pid	process	target process
PID 4164 wrote to memory of 2400	4164	tdrpload.exe	sysblardsv.exe
PID 4164 wrote to memory of 2400	4164	tdrpload.exe	sysblardsv.exe
PID 4164 wrote to memory of 2400	4164	tdrpload.exe	sysblardsv.exe
PID 2588 wrote to memory of 1692	2588	tdrpload.exe	sysblardsv.exe
PID 2588 wrote to memory of 1692	2588	tdrpload.exe	sysblardsv.exe
PID 2588 wrote to memory of 1692	2588	tdrpload.exe	sysblardsv.exe
PID 2336 wrote to memory of 1088	2336	tdrpload.exe	sysblardsv.exe
PID 2336 wrote to memory of 1088	2336	tdrpload.exe	sysblardsv.exe
PID 2336 wrote to memory of 1088	2336	tdrpload.exe	sysblardsv.exe
PID 2972 wrote to memory of 548	2972	tdrpload.exe	442020686.exe
PID 2972 wrote to memory of 548	2972	tdrpload.exe	442020686.exe
PID 2972 wrote to memory of 548	2972	tdrpload.exe	442020686.exe
PID 2972 wrote to memory of 1892	2972	tdrpload.exe	2462411897.exe
PID 2972 wrote to memory of 1892	2972	tdrpload.exe	2462411897.exe
PID 2972 wrote to memory of 1892	2972	tdrpload.exe	2462411897.exe
PID 1892 wrote to memory of 4484	1892	2462411897.exe	3887637993.exe
PID 1892 wrote to memory of 4484	1892	2462411897.exe	3887637993.exe
PID 2972 wrote to memory of 852	2972	tdrpload.exe	228093112.exe
PID 2972 wrote to memory of 852	2972	tdrpload.exe	228093112.exe
PID 2972 wrote to memory of 852	2972	tdrpload.exe	228093112.exe
PID 2972 wrote to memory of 736	2972	tdrpload.exe	1838027143.exe
PID 2972 wrote to memory of 736	2972	tdrpload.exe	1838027143.exe
PID 2972 wrote to memory of 736	2972	tdrpload.exe	1838027143.exe
PID 2708 wrote to memory of 2288	2708	wupgrdsv.exe	notepad.exe
PID 736 wrote to memory of 3784	736	1838027143.exe	winblrsnrcs.exe
PID 736 wrote to memory of 3784	736	1838027143.exe	winblrsnrcs.exe
PID 736 wrote to memory of 3784	736	1838027143.exe	winblrsnrcs.exe
PID 3784 wrote to memory of 4716	3784	winblrsnrcs.exe	1678411850.exe
PID 3784 wrote to memory of 4716	3784	winblrsnrcs.exe	1678411850.exe
PID 3784 wrote to memory of 4716	3784	winblrsnrcs.exe	1678411850.exe
PID 3784 wrote to memory of 4284	3784	winblrsnrcs.exe	2048933166.exe
PID 3784 wrote to memory of 4284	3784	winblrsnrcs.exe	2048933166.exe
PID 3784 wrote to memory of 4284	3784	winblrsnrcs.exe	2048933166.exe
PID 3784 wrote to memory of 4884	3784	winblrsnrcs.exe	2158024530.exe
PID 3784 wrote to memory of 4884	3784	winblrsnrcs.exe	2158024530.exe
PID 3784 wrote to memory of 4884	3784	winblrsnrcs.exe	2158024530.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://aefieiaehfiaehr.top/tdrpload.exe
  2⤵
  PID:2892
- C:\Users\Admin\Downloads\tdrpload.exe
  "C:\Users\Admin\Downloads\tdrpload.exe"
  2⤵
  PID:3268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
  2⤵
  PID:536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3392
- C:\Windows\System32\notepad.exe
  C:\Windows\System32\notepad.exe
  2⤵
  PID:2288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4984,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=4148 /prefetch:1
1⤵
PID:228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4668,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=5040 /prefetch:1
1⤵
PID:3588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=2736,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=5332 /prefetch:1
1⤵
PID:4324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5468,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=5480 /prefetch:8
1⤵
PID:3100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5488,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=5564 /prefetch:8
1⤵
PID:2612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5980,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=3848 /prefetch:1
1⤵
PID:4112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=4268,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=6348 /prefetch:8
1⤵
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=4728,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=6392 /prefetch:1
1⤵
PID:1588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5244,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=5232 /prefetch:8
1⤵
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=4376,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=5224 /prefetch:8
1⤵
PID:1828

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x378 0x448
1⤵
PID:4148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=6992,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=7088 /prefetch:8
1⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=7004,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=7084 /prefetch:8
1⤵
PID:3560

C:\Users\Admin\Downloads\tdrpload.exe
"C:\Users\Admin\Downloads\tdrpload.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Windows\sysblardsv.exe
  C:\Windows\sysblardsv.exe
  2⤵
  - Executes dropped EXE
  PID:2400

C:\Users\Admin\Downloads\tdrpload.exe
"C:\Users\Admin\Downloads\tdrpload.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\sysblardsv.exe
  C:\Users\Admin\sysblardsv.exe
  2⤵
  - Executes dropped EXE
  PID:1692

C:\Users\Admin\Downloads\tdrpload.exe
"C:\Users\Admin\Downloads\tdrpload.exe"
1⤵
PID:4912

C:\Users\Admin\Downloads\tdrpload.exe
"C:\Users\Admin\Downloads\tdrpload.exe"
1⤵
PID:1188

C:\Users\Admin\Downloads\tdrpload.exe
"C:\Users\Admin\Downloads\tdrpload.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\sysblardsv.exe
  C:\Users\Admin\AppData\Local\Temp\sysblardsv.exe
  2⤵
  - Executes dropped EXE
  PID:1088

C:\Users\Admin\Downloads\tdrpload.exe
"C:\Users\Admin\Downloads\tdrpload.exe"
1⤵
PID:2580

C:\Users\Admin\Downloads\tdrpload.exe
"C:\Users\Admin\Downloads\tdrpload.exe"
1⤵
- Modifies security service
- Windows security bypass
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\442020686.exe
  C:\Users\Admin\AppData\Local\Temp\442020686.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Users\Admin\AppData\Local\Temp\2462411897.exe
  C:\Users\Admin\AppData\Local\Temp\2462411897.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Users\Admin\AppData\Local\Temp\3887637993.exe
    C:\Users\Admin\AppData\Local\Temp\3887637993.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4484
- C:\Users\Admin\AppData\Local\Temp\228093112.exe
  C:\Users\Admin\AppData\Local\Temp\228093112.exe
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Users\Admin\AppData\Local\Temp\1838027143.exe
  C:\Users\Admin\AppData\Local\Temp\1838027143.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Windows\winblrsnrcs.exe
    C:\Windows\winblrsnrcs.exe
    3⤵
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of WriteProcessMemory
    PID:3784
  - - C:\Users\Admin\AppData\Local\Temp\1678411850.exe
      C:\Users\Admin\AppData\Local\Temp\1678411850.exe
      4⤵
      Executes dropped EXE
      PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\2048933166.exe
      C:\Users\Admin\AppData\Local\Temp\2048933166.exe
      4⤵
      Executes dropped EXE
      PID:4284
  - - C:\Users\Admin\AppData\Local\Temp\2158024530.exe
      C:\Users\Admin\AppData\Local\Temp\2158024530.exe
      4⤵
      Executes dropped EXE
      PID:4884

C:\Users\Admin\Downloads\tdrpload.exe
"C:\Users\Admin\Downloads\tdrpload.exe"
1⤵
PID:2708

C:\Users\Admin\Downloads\tdrpload.exe
"C:\Users\Admin\Downloads\tdrpload.exe"
1⤵
PID:3288

C:\Users\Admin\Downloads\tdrpload.exe
"C:\Users\Admin\Downloads\tdrpload.exe"
1⤵
PID:4404

C:\Users\Admin\Downloads\tdrpload.exe
"C:\Users\Admin\Downloads\tdrpload.exe"
1⤵
PID:1268

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=6900,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=6284 /prefetch:8
1⤵
PID:4404

C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
"C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5356,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=5936 /prefetch:8
1⤵
PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
fee026663fcb662152188784794028ee

SHA1
3c02a26a9cb16648fad85c6477b68ced3cb0cb45

SHA256
dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b

SHA512
7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fc35bf2367ee5c6feb084ab39f5c26eb

SHA1
cd9742c05391a92780a81fe836797a5909c7f9c1

SHA256
7ad08f1c2e7df4102eb3a6d213f4a0c245300c275fd53e463655a8ab9fa3ec64

SHA512
0b6662ea93907902c9f5db98bed4e9d322a69e7b8df921f6b8bd8026fdbfa556b0afe29013e3ecc8982a6339c48b4fe371ba587f02c39de72cb3840ed0e6747b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1678411850.exe

Filesize
8KB

MD5
87b22e975994246dc5b7c2a3adbf85a5

SHA1
1e6528987190f0f5188240cdac553388c39e8590

SHA256
17399263a05a9144c1571e8ef88175fd08c61a38e3fcb3a955279d4a2bb9a919

SHA512
58c33379879fc75679902d1fe3db0bf1c854151cb6e4bf10496a1d657a8778699be70976bd8bba1ddd3949b24b6ae44cbc0421dd0a8cea13ef5e00179d6599db

Download Submit
C:\Users\Admin\AppData\Local\Temp\1838027143.exe

Filesize
18KB

MD5
30dca8b68825d5b3db7a685aa3da0a13

SHA1
07320822d14d6caf8825dd6d806c0cde398584f3

SHA256
f2dc635cb5fe8b8815ea98d909b67016975ca8e5a43cb39e47595ecd01038a96

SHA512
b5f3be086d3f7c751028d8d8a025069743b2472cec10252627f5583492383a5a865e88ad5839d83bf3a3c31b5b630753e77a2c02433d7fbe90aa11acd0f35f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2158024530.exe

Filesize
8KB

MD5
9b8a3fb66b93c24c52e9c68633b00f37

SHA1
2a9290e32d1582217eac32b977961ada243ada9a

SHA256
8a169cf165f635ecb6c55cacecb2c202c5fc6ef5fa82ec9cdb7d4b0300f35293

SHA512
117da1ec9850212e4cafce6669c2cfffc8078627f5c3ccdfd6a1bf3bee2d351290071087a4c206578d23852fa5e69c2ebefd71905c85b1eaed4220932bb71a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\228093112.exe

Filesize
11KB

MD5
cafd277c4132f5d0f202e7ea07a27d5c

SHA1
72c8c16a94cce56a3e01d91bc1276dafc65b351d

SHA256
e5162fa594811f0f01fc76f4acbd9fe99b2265df9cfcbc346023f28775c19f1e

SHA512
7c87d1dec61b78e0f223e8f9fec019d96509813fa6d96129289aab00b2d6f05bf91fe1fafd680b7d9e746f4c2c8cbe48a3028bcaad479048d00d79a19f71b196

Download Submit
C:\Users\Admin\AppData\Local\Temp\2462411897.exe

Filesize
10KB

MD5
6567b839ec69322ba1aa41b15fbd1e64

SHA1
0a2a0770afe094765a5eb88f6201847bf642bea9

SHA256
8a4b87ed94fc50767d0bc91291a8b8a436b941b273b29ab0d442ba1cc10b76fb

SHA512
2e4798244bf3891beea64ee0b0d106c6f47b7c7d6daf222af6192874dc0ef67491c82e93821c1ff9fbd25cf9ec50178e959adb466b210ff9754dd4e8387a30cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\3887637993.exe

Filesize
5.4MB

MD5
41ab08c1955fce44bfd0c76a64d1945a

SHA1
2b9cb05f4de5d98c541d15175d7f0199cbdd0eea

SHA256
dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493

SHA512
38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116

Download Submit
C:\Users\Admin\AppData\Local\Temp\442020686.exe

Filesize
7KB

MD5
77eed2bbe1769686fbfaba7c0fca9f79

SHA1
d70bbf046b40f09420aa8938dcb49890db48f976

SHA256
94084872fe25303309a1a35fadae3b75ae99c9ffb94926e1c7640f8d3469d0e2

SHA512
e3e0d1d4f25553c13343bd80e59fcdfc690c20605f8ade8e86ba0eef9a6d20249f9f8f46b5fde494e781b2dcc28cc00c7143f8e425d8edcf2dfa6a2a03b89ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vg1shqbz.mp5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\sysblardsv.exe

Filesize
104KB

MD5
9a24a00438a4d06d64fe4820061a1b45

SHA1
6e59989652dff276a6dfa0f287b6c468a2f04842

SHA256
66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54

SHA512
80e97c8c389554ba0512b7f496dd03e82f2a627568eca631a6393033d540a70779fc7eae2485d1b9ca3657beb8ae9a86fd08ecd5dba678407bf8e63bef9a4629

Download Submit
memory/2288-110-0x00007FF67E9F0000-0x00007FF67F1DF000-memory.dmp

Filesize
7.9MB

Download
memory/2288-78-0x000001911CF00000-0x000001911CF20000-memory.dmp

Filesize
128KB

Download
memory/2288-95-0x00007FF67E9F0000-0x00007FF67F1DF000-memory.dmp

Filesize
7.9MB

Download
memory/2288-102-0x00007FF67E9F0000-0x00007FF67F1DF000-memory.dmp

Filesize
7.9MB

Download
memory/2288-109-0x00007FF67E9F0000-0x00007FF67F1DF000-memory.dmp

Filesize
7.9MB

Download
memory/2288-111-0x00007FF67E9F0000-0x00007FF67F1DF000-memory.dmp

Filesize
7.9MB

Download
memory/2288-112-0x00007FF67E9F0000-0x00007FF67F1DF000-memory.dmp

Filesize
7.9MB

Download
memory/2288-114-0x00007FF67E9F0000-0x00007FF67F1DF000-memory.dmp

Filesize
7.9MB

Download
memory/2288-115-0x00007FF67E9F0000-0x00007FF67F1DF000-memory.dmp

Filesize
7.9MB

Download
memory/2288-116-0x00007FF67E9F0000-0x00007FF67F1DF000-memory.dmp

Filesize
7.9MB

Download
memory/2652-42-0x000001C36D3D0000-0x000001C36D3F2000-memory.dmp

Filesize
136KB

Download
memory/2708-77-0x00007FF68EE60000-0x00007FF68F3D6000-memory.dmp

Filesize
5.5MB

Download
memory/4484-54-0x00007FF6E3660000-0x00007FF6E3BD6000-memory.dmp

Filesize
5.5MB

Download