phorphiex | fa6fcf2e154c0b18b12ab86267ccd38d79cc9c27e7e261a7e9201a0a9dd9d0bb

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2025, 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c52cf849be8954638925c242e0cc976.exe
Size

10KB
MD5

4c52cf849be8954638925c242e0cc976
SHA1

949ba0061ea9dbe3b9059bb2a7b20caa74861280
SHA256

fa6fcf2e154c0b18b12ab86267ccd38d79cc9c27e7e261a7e9201a0a9dd9d0bb
SHA512

c11572dcd274bdcb5e94cf38ec36aa65e4d5605df250ee8887cd5098b044e3e2e71be3b3292118b967e27bc752b5cf5d9c8da5ac2834b7c156302c307abe123b
SSDEEP

96:/L0paShFKPqYTdGLDad04DCcR+58DsrVJQsfuJxGEOaRh2qhRC7tCEMSI:/2hBMGtkR+iDswsWJxTOchthyMB

Score

10^/10

phorphiex defense_evasion discovery execution loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

http://91.202.233.141/

http://45.93.20.18/

Wallets

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

0xCa90599132C4D88907Bd8E046540284aa468a035

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

CSLKveRL2zqkbV2TqiFVuW6twtpqgFajoUZLAJQTTQk2

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

Attributes

mutex
k993947s89
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted

Family

phorphiex

http://91.202.233.141

Signatures

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral2/files/0x00060000000216b8-3.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Downloads MZ/PE file 12 IoCs

flow	pid	Process
35	2612	4c52cf849be8954638925c242e0cc976.exe
49	992	2268224696.exe
49	992	2268224696.exe
49	992	2268224696.exe
49	992	2268224696.exe
49	992	2268224696.exe
49	992	2268224696.exe
49	992	2268224696.exe
49	992	2268224696.exe
49	992	2268224696.exe
49	992	2268224696.exe
49	992	2268224696.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	1923515665.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	564818971.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	2258611357.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	600812264.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	325130124.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	588814500.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	1398431337.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	1919632450.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	82863348.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	2808327033.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	3068128195.exe

Executes dropped EXE 15 IoCs

pid	Process
3928	463128737.exe
1896	sysludpvs.exe
992	2268224696.exe
2208	171859021.exe
4932	2808327033.exe
3184	2258611357.exe
2060	3068128195.exe
3584	600812264.exe
1372	325130124.exe
2732	588814500.exe
2400	1398431337.exe
4820	1923515665.exe
484	1919632450.exe
4740	564818971.exe
4768	82863348.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysludpvs.exe"	463128737.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
1764	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sysludpvs.exe	463128737.exe
File opened for modification	C:\Windows\sysludpvs.exe	463128737.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4920	sc.exe
3384	sc.exe
4180	sc.exe
4104	sc.exe
4692	sc.exe
3772	sc.exe
960	sc.exe
3836	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	463128737.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysludpvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2268224696.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c52cf849be8954638925c242e0cc976.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82863348.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
2416	taskkill.exe
4616	taskkill.exe
2808	taskkill.exe
3776	taskkill.exe
3172	taskkill.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4748	conhost.exe
4932	2808327033.exe
3184	2258611357.exe
2060	3068128195.exe
2060	3068128195.exe
3584	600812264.exe
1372	325130124.exe
1372	325130124.exe
2732	588814500.exe
2400	1398431337.exe
2400	1398431337.exe
4820	1923515665.exe
484	1919632450.exe
4740	564818971.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	4748	conhost.exe
Token: SeDebugPrivilege	4932	2808327033.exe
Token: SeDebugPrivilege	3184	2258611357.exe
Token: SeDebugPrivilege	2060	3068128195.exe
Token: SeDebugPrivilege	3584	600812264.exe
Token: SeDebugPrivilege	1372	325130124.exe
Token: SeDebugPrivilege	2732	588814500.exe
Token: SeDebugPrivilege	2400	1398431337.exe
Token: SeDebugPrivilege	4820	1923515665.exe
Token: SeDebugPrivilege	484	1919632450.exe
Token: SeDebugPrivilege	4740	564818971.exe
Token: SeDebugPrivilege	3172	taskkill.exe
Token: SeDebugPrivilege	4616	taskkill.exe
Token: SeDebugPrivilege	2808	taskkill.exe
Token: SeDebugPrivilege	3776	taskkill.exe
Token: SeDebugPrivilege	2416	taskkill.exe
Token: SeCreateGlobalPrivilege	3712	dwm.exe
Token: SeChangeNotifyPrivilege	3712	dwm.exe
Token: 33	3712	dwm.exe
Token: SeIncBasePriorityPrivilege	3712	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 3928	2612	4c52cf849be8954638925c242e0cc976.exe	89
PID 2612 wrote to memory of 3928	2612	4c52cf849be8954638925c242e0cc976.exe	89
PID 2612 wrote to memory of 3928	2612	4c52cf849be8954638925c242e0cc976.exe	89
PID 3928 wrote to memory of 1896	3928	463128737.exe	94
PID 3928 wrote to memory of 1896	3928	463128737.exe	94
PID 3928 wrote to memory of 1896	3928	463128737.exe	94
PID 1896 wrote to memory of 992	1896	sysludpvs.exe	99
PID 1896 wrote to memory of 992	1896	sysludpvs.exe	99
PID 1896 wrote to memory of 992	1896	sysludpvs.exe	99
PID 992 wrote to memory of 2208	992	2268224696.exe	100
PID 992 wrote to memory of 2208	992	2268224696.exe	100
PID 2208 wrote to memory of 4748	2208	171859021.exe	101
PID 2208 wrote to memory of 4748	2208	171859021.exe	101
PID 2208 wrote to memory of 4748	2208	171859021.exe	101
PID 4748 wrote to memory of 1036	4748	conhost.exe	102
PID 4748 wrote to memory of 1036	4748	conhost.exe	102
PID 1036 wrote to memory of 4060	1036	cmd.exe	104
PID 1036 wrote to memory of 4060	1036	cmd.exe	104
PID 992 wrote to memory of 4932	992	2268224696.exe	105
PID 992 wrote to memory of 4932	992	2268224696.exe	105
PID 4932 wrote to memory of 1468	4932	2808327033.exe	106
PID 4932 wrote to memory of 1468	4932	2808327033.exe	106
PID 1468 wrote to memory of 3836	1468	cmd.exe	108
PID 1468 wrote to memory of 3836	1468	cmd.exe	108
PID 1468 wrote to memory of 1312	1468	cmd.exe	109
PID 1468 wrote to memory of 1312	1468	cmd.exe	109
PID 992 wrote to memory of 3184	992	2268224696.exe	110
PID 992 wrote to memory of 3184	992	2268224696.exe	110
PID 3184 wrote to memory of 2864	3184	2258611357.exe	111
PID 3184 wrote to memory of 2864	3184	2258611357.exe	111
PID 2864 wrote to memory of 4920	2864	cmd.exe	113
PID 2864 wrote to memory of 4920	2864	cmd.exe	113
PID 2864 wrote to memory of 3644	2864	cmd.exe	114
PID 2864 wrote to memory of 3644	2864	cmd.exe	114
PID 992 wrote to memory of 2060	992	2268224696.exe	122
PID 992 wrote to memory of 2060	992	2268224696.exe	122
PID 2060 wrote to memory of 4720	2060	3068128195.exe	123
PID 2060 wrote to memory of 4720	2060	3068128195.exe	123
PID 4720 wrote to memory of 3384	4720	cmd.exe	125
PID 4720 wrote to memory of 3384	4720	cmd.exe	125
PID 4720 wrote to memory of 1936	4720	cmd.exe	126
PID 4720 wrote to memory of 1936	4720	cmd.exe	126
PID 992 wrote to memory of 3584	992	2268224696.exe	132
PID 992 wrote to memory of 3584	992	2268224696.exe	132
PID 3584 wrote to memory of 1700	3584	600812264.exe	133
PID 3584 wrote to memory of 1700	3584	600812264.exe	133
PID 1700 wrote to memory of 4180	1700	cmd.exe	135
PID 1700 wrote to memory of 4180	1700	cmd.exe	135
PID 1700 wrote to memory of 3128	1700	cmd.exe	136
PID 1700 wrote to memory of 3128	1700	cmd.exe	136
PID 992 wrote to memory of 1372	992	2268224696.exe	137
PID 992 wrote to memory of 1372	992	2268224696.exe	137
PID 1372 wrote to memory of 3772	1372	325130124.exe	138
PID 1372 wrote to memory of 3772	1372	325130124.exe	138
PID 1372 wrote to memory of 1432	1372	325130124.exe	140
PID 1372 wrote to memory of 1432	1372	325130124.exe	140
PID 3772 wrote to memory of 4284	3772	cmd.exe	142
PID 3772 wrote to memory of 4284	3772	cmd.exe	142
PID 1432 wrote to memory of 1540	1432	cmd.exe	143
PID 1432 wrote to memory of 1540	1432	cmd.exe	143
PID 992 wrote to memory of 2732	992	2268224696.exe	144
PID 992 wrote to memory of 2732	992	2268224696.exe	144
PID 2732 wrote to memory of 4768	2732	588814500.exe	145
PID 2732 wrote to memory of 4768	2732	588814500.exe	145

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4c52cf849be8954638925c242e0cc976.exe
"C:\Users\Admin\AppData\Local\Temp\4c52cf849be8954638925c242e0cc976.exe"
1⤵
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Users\Admin\AppData\Local\Temp\463128737.exe
  C:\Users\Admin\AppData\Local\Temp\463128737.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\sysludpvs.exe
    C:\Windows\sysludpvs.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\2268224696.exe
      C:\Users\Admin\AppData\Local\Temp\2268224696.exe
      4⤵
      Downloads MZ/PE file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:992
    - - C:\Users\Admin\AppData\Local\Temp\171859021.exe
        
        C:\Users\Admin\AppData\Local\Temp\171859021.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2208
      - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" ""
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "winsrvcs" & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "winsrvcs"
        8⤵
        
        PID:4060
    - - C:\Users\Admin\AppData\Local\Temp\2808327033.exe
        
        C:\Users\Admin\AppData\Local\Temp\2808327033.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4932
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc delete "Windows Services" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Windows Services" /f
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\system32\sc.exe
        
        sc delete "Windows Services"
        7⤵
        Launches sc.exe
        
        PID:3836
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Windows Services" /f
        7⤵
        
        PID:1312
    - - C:\Users\Admin\AppData\Local\Temp\2258611357.exe
        
        C:\Users\Admin\AppData\Local\Temp\2258611357.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3184
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc delete "WinSrvcsDrv" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSrvcsDrv" /f
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinSrvcsDrv"
        7⤵
        Launches sc.exe
        
        PID:4920
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSrvcsDrv" /f
        7⤵
        
        PID:3644
    - - C:\Users\Admin\AppData\Local\Temp\3068128195.exe
        
        C:\Users\Admin\AppData\Local\Temp\3068128195.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2060
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc delete "WinUpla" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinUpla" /f
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinUpla"
        7⤵
        Launches sc.exe
        
        PID:3384
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinUpla" /f
        7⤵
        
        PID:1936
    - - C:\Users\Admin\AppData\Local\Temp\600812264.exe
        
        C:\Users\Admin\AppData\Local\Temp\600812264.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3584
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc delete "WinSrvcsDrv" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSrvcsDrv" /f
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinSrvcsDrv"
        7⤵
        Launches sc.exe
        
        PID:4180
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSrvcsDrv" /f
        7⤵
        
        PID:3128
    - - C:\Users\Admin\AppData\Local\Temp\325130124.exe
        
        C:\Users\Admin\AppData\Local\Temp\325130124.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1372
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Service" /f
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Service" /f
        7⤵
        
        PID:4284
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Service"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Service"
        7⤵
        
        PID:1540
    - - C:\Users\Admin\AppData\Local\Temp\588814500.exe
        
        C:\Users\Admin\AppData\Local\Temp\588814500.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc delete "WinDrvUpd" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinDrvUpd" /f
        6⤵
        
        PID:4768
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDrvUpd"
        7⤵
        Launches sc.exe
        
        PID:4104
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinDrvUpd" /f
        7⤵
        
        PID:3964
    - - C:\Users\Admin\AppData\Local\Temp\1398431337.exe
        
        C:\Users\Admin\AppData\Local\Temp\1398431337.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:3928
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:4396
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:1604
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:2572
    - - C:\Users\Admin\AppData\Local\Temp\1923515665.exe
        
        C:\Users\Admin\AppData\Local\Temp\1923515665.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4820
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc delete "WinUpdt" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinUpdt" /f
        6⤵
        
        PID:232
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinUpdt"
        7⤵
        Launches sc.exe
        
        PID:4692
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinUpdt" /f
        7⤵
        
        PID:2124
    - - C:\Users\Admin\AppData\Local\Temp\1919632450.exe
        
        C:\Users\Admin\AppData\Local\Temp\1919632450.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:484
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc delete "WinMngr" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinMngr" /f
        6⤵
        
        PID:4844
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinMngr"
        7⤵
        Launches sc.exe
        
        PID:3772
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinMngr" /f
        7⤵
        
        PID:4520
    - - C:\Users\Admin\AppData\Local\Temp\564818971.exe
        
        C:\Users\Admin\AppData\Local\Temp\564818971.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc delete "WinSvcs" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSvcs" /f
        6⤵
        
        PID:3008
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinSvcs"
        7⤵
        Launches sc.exe
        
        PID:960
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSvcs" /f
        7⤵
        
        PID:2524
    - - C:\Users\Admin\AppData\Local\Temp\82863348.exe
        
        C:\Users\Admin\AppData\Local\Temp\82863348.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4768
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /Delete /TN "Microsoft Windows Security" /F
        6⤵
        Indicator Removal: Clear Persistence
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /TN "Microsoft Windows Security" /F
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4388
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /F /IM dwm.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM dwm.exe
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4616
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM conhost.exe
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM conhost.exe
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM conhost.exe
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3172
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM conhost.exe
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Persistence

T1070.009

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\325130124.exe.log

Filesize
425B

MD5
fff5cbccb6b31b40f834b8f4778a779a

SHA1
899ed0377e89f1ed434cfeecc5bc0163ebdf0454

SHA256
b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76

SHA512
1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1398431337.exe

Filesize
28KB

MD5
02320b5a9ffb3aa91fc2fe0f0906c575

SHA1
5209092f99ed5f1e2fd50e8d57b639160440b76d

SHA256
03349521a6994d528817f755d1d6c4ee74cda6cc6036525b911a06f8cc7707c9

SHA512
7addb20d4edb8678c6bc02654d841a5401408e8dc07cb5e3df9eee96feb9d480fcf343578ef3c1774724e3ec29e947a4191bbe5af5c4cebc076b92b427c68353

Download Submit
C:\Users\Admin\AppData\Local\Temp\171859021.exe

Filesize
50KB

MD5
64d97ceac5d0fbb39f316eb8707c5af4

SHA1
3114d530f716e3dc9e07d78703e0ad34256b8e1c

SHA256
3cef6251ea6a26aaf56f933a3ef27b6b1b20d591a3cac9816ac5d850cd3a51c9

SHA512
19a0468aee08521640a5934e57411f91492c6287a07bf9aa331ef5855c16f7e54ae13c678b2cf86ae363987205925e2c7c9e0cab233f6341a602b78391b3c2bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1919632450.exe

Filesize
28KB

MD5
8f1f692c2e839e6f821e42057f8b1c01

SHA1
54ab2dec09e3b76114aaab1cc32c6ba5b4c2f7c8

SHA256
8f3c4a66f4c66b34d7d79fbcccb03b81d0139a279789981c16de5e66e6678cb5

SHA512
1296065ba17657e3ad1fe88c58b9d36f3def89e8bd44893d10d42a5ba5d0c8a2e5a0da23d46ca2d0b5a88dc2b4b9716d38b6e926c1f7f66a66808310c80fcf4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1923515665.exe

Filesize
8KB

MD5
9f3b28cd269f23eb326c849cb6d8ed3d

SHA1
db2cab47fffa3770f19c7f16b1c7807da17ac9fd

SHA256
90164053f4c19004a051638a1a47ea3fe7cb9f004b5dd623de928f0bc2b06a81

SHA512
ba18b44914469be2696a8e5b61b88844aa6a8c8dd5f1942c48918734a699045b143b555c4e274f4cf3d040e115340dc5a74c4eda639e6669fca1b2c2b383ca8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2258611357.exe

Filesize
8KB

MD5
38c5ce383f70dc49175cc5843f017ff9

SHA1
4c3ae746f22a1de56b4e1a6d26b7353f39f1cdfd

SHA256
c69a0f757d1ac585078fe3fecb4a4a925b55f412904f581cdbcfcfa72292ada3

SHA512
3f418ac147d4d3acfd5830cd1085b6e87afaf02497332780eb9126bb71d35eedc6ca695ef534bcba3a220f6a3960b80d3b778787e8506bad029fb41bdbc99688

Download Submit
C:\Users\Admin\AppData\Local\Temp\2268224696.exe

Filesize
10KB

MD5
c87843a4c7972d85f0d739e0e32f61ad

SHA1
20a4925cdd2da59ed77ee2c5b063761ac6f5001d

SHA256
503ed0e7fd3fccbc90ac11dbaf199df03c238cb58c5c4e8358d0c69e90582378

SHA512
024d18e841ed1c1d169c34e8bf9ea9379f4ea521c2fed9f77aeacfd3ba80c0d99ea3d0fc2a1a8b6bf7ddf69ecfae30ff045de442a9a3502df3a5a2868017d13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2808327033.exe

Filesize
28KB

MD5
b1c1d77e69753d822893438b35b2e7cc

SHA1
1573a0dc3dd72af4e6b1215591e81b3d2fb7d2d0

SHA256
f4a5fa872a3df6d3092c68259d2f071e34c1f5420c97a72c2eaeed3a7f5d3fc8

SHA512
dc6214203bbedee6cf5e6e28d68f9345cb687b8e38bea183827b14e51bdf9898bd1f2cb606ba2047a9e8f826d6a8fbf0596989b202097454da6afcde9082cfca

Download Submit
C:\Users\Admin\AppData\Local\Temp\3068128195.exe

Filesize
8KB

MD5
9e1aafb6d1c75d75f7e1a8e135f9c508

SHA1
745cd643e657281c0c198d895d1daf53dcba29ba

SHA256
41307ffc2c8273962750cec20533c2c043d8456379885e82151c843af3d31615

SHA512
b97b10881ab4ec24bf5d615169932ed6cd09661c21f1ba631cbbef146ff81bdf9ee61ed1b85f76fdb602ccc553a0a98c8189967a515d729c42b4ac04e44cdefd

Download Submit
C:\Users\Admin\AppData\Local\Temp\325130124.exe

Filesize
28KB

MD5
11bfaecfb780b663434e2ccc81873c64

SHA1
f2242e55e331bbea0ea24906af36bf214a5c7f01

SHA256
609d535d5720b26a7214d9d2d68ab2a3e7f607bf7a89441c03943565031abc0e

SHA512
95dea7f4429eff5f28eb46dc79268cae7d1516661dac11d09a296c85faed0bd7b3c91d9f1a8eaf540ed4e580edeaae5905b2ac9a13ab01bec8f8a949fef4049b

Download Submit
C:\Users\Admin\AppData\Local\Temp\463128737.exe

Filesize
87KB

MD5
87dce6b601da9e68982ef5bc7628468c

SHA1
48b0e84e5749bd48b282ae1b7597094aa2a5cdf9

SHA256
2246262e2df5b143d4bff663aceb85d7633ebcb91f2f641c2ab7936c942a8eb2

SHA512
94cb5e917716db718e3c912e52976f321afa15aa8a533f6930585f5cc878d7edc434ebdea0eb1ec26ec3d79797304bdcb9cfaec62e472872036fc9320e047ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\564818971.exe

Filesize
28KB

MD5
354b172c63f7693310212e3eba68e4ba

SHA1
843cec7cf78015f5b226d439f046c9a42064cfe2

SHA256
f68c61db632448996936440c7d7ea0e1f46007fb157ab59d48028765875ded00

SHA512
e7e35a4791a73629b92a07a17ca3278f73a788ac8563b05fa37d47f0be9af8f952886ccc02a7478d292a2deccc1bf9f42fa40e7b824a5d976f4b229a85c1a460

Download Submit
C:\Users\Admin\AppData\Local\Temp\588814500.exe

Filesize
8KB

MD5
5e24b9457135b737012cde5e30cf124b

SHA1
58575839926a1e6ae798867bbba0ed4db088d85e

SHA256
d3a4c4f0557019d5fe04b57486e9ed0b9c823e9d1d137138feab200e96dd9abf

SHA512
7192d902a9f1a51ea34291bdcb2fc09e802148f7cc415e498c67414ef2377c796b93f11dcd6b08968ea9fa6a99b7516c9bdd297ee4cab906949d41d3cebce1ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\82863348.exe

Filesize
9KB

MD5
b2538637e195d5c118c483e990ab3582

SHA1
bdccd15c2f3905f54e2ba20eb7382c84152d71a1

SHA256
07e5897c7e1d54ea431ec39d9f2b86a17a6dcde61c6d3d2dfb472f12c1cc3009

SHA512
e86b3d4d4a098acbd56765b5cd0f279b254fb7c8ec2377bd15798b80fada87d53e9e1af236e026a7909e4878fb10f25fc664cd9a258027759a9bd0c2ae0aad6e

Download Submit
memory/484-87-0x00000000006D0000-0x00000000006D6000-memory.dmp

Filesize
24KB

Download
memory/1372-58-0x0000000000A40000-0x0000000000A46000-memory.dmp

Filesize
24KB

Download
memory/2060-45-0x0000000000C80000-0x0000000000C86000-memory.dmp

Filesize
24KB

Download
memory/2400-73-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/2732-65-0x0000000000A50000-0x0000000000A56000-memory.dmp

Filesize
24KB

Download
memory/3184-38-0x0000000000F20000-0x0000000000F26000-memory.dmp

Filesize
24KB

Download
memory/4740-94-0x00000000000C0000-0x00000000000C6000-memory.dmp

Filesize
24KB

Download
memory/4748-23-0x00000226006D0000-0x00000226006D6000-memory.dmp

Filesize
24KB

Download
memory/4748-22-0x00000226660F0000-0x00000226660F6000-memory.dmp

Filesize
24KB

Download
memory/4820-80-0x0000000000FF0000-0x0000000000FF6000-memory.dmp

Filesize
24KB

Download
memory/4932-29-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download