Analysis
-
max time kernel
141s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
20-06-2024 01:21
Behavioral task
behavioral1
Sample
3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
Resource
win10v2004-20240508-en
General
-
Target
3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
-
Size
144KB
-
MD5
319218e4eb0d6637a76668a228e32de3
-
SHA1
20523303d722a7747deb6154a5d4401e1b932d56
-
SHA256
3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358
-
SHA512
db3d1637c178bdf3c8c5b754fe72c388a3da176b2d0a7727e89f2c257bcb93b1574eda1de7f6ea25e493949f47157c07637fbe1169fe6c9481cc42d925293fe6
-
SSDEEP
3072:HGNhvhNC38S7gzQ/cmD4ULz82nyLOLt/w/HOWJbG5vcX+skwEKEAm31D5:EzQ/2my2w/uWJbGFsREKQ1
Malware Config
Signatures
-
Phemedrone
An information and wallet stealer written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 5088 powershell.exe 3904 powershell.exe 4496 powershell.exe 1352 powershell.exe 3824 powershell.exe 3832 powershell.exe 3000 powershell.exe 4576 powershell.exe 1104 powershell.exe 1844 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe" 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 10 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 5 IoCs
Processes:
3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open\command\ 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open\command 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 1352 powershell.exe 1352 powershell.exe 4496 powershell.exe 4496 powershell.exe 1352 powershell.exe 4496 powershell.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe 3824 powershell.exe 3824 powershell.exe 3832 powershell.exe 3832 powershell.exe 3000 powershell.exe 3000 powershell.exe 5088 powershell.exe 5088 powershell.exe 3904 powershell.exe 4576 powershell.exe 3904 powershell.exe 3904 powershell.exe 4576 powershell.exe 1104 powershell.exe 1844 powershell.exe 1104 powershell.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
Processes:
3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe Token: SeDebugPrivilege 1352 powershell.exe Token: SeDebugPrivilege 4496 powershell.exe Token: SeDebugPrivilege 3824 powershell.exe Token: SeDebugPrivilege 3832 powershell.exe Token: SeDebugPrivilege 3000 powershell.exe Token: SeDebugPrivilege 5088 powershell.exe Token: SeDebugPrivilege 3904 powershell.exe Token: SeDebugPrivilege 4576 powershell.exe Token: SeDebugPrivilege 1104 powershell.exe Token: SeDebugPrivilege 1844 powershell.exe -
Suspicious use of WriteProcessMemory 40 IoCs
Processes:
3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 3340 wrote to memory of 1196 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe cmd.exe PID 3340 wrote to memory of 1196 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe cmd.exe PID 3340 wrote to memory of 4892 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe cmd.exe PID 3340 wrote to memory of 4892 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe cmd.exe PID 1196 wrote to memory of 4496 1196 cmd.exe powershell.exe PID 1196 wrote to memory of 4496 1196 cmd.exe powershell.exe PID 4892 wrote to memory of 1352 4892 cmd.exe powershell.exe PID 4892 wrote to memory of 1352 4892 cmd.exe powershell.exe PID 3340 wrote to memory of 2920 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe cmd.exe PID 3340 wrote to memory of 2920 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe cmd.exe PID 3340 wrote to memory of 2512 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe cmd.exe PID 3340 wrote to memory of 2512 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe cmd.exe PID 2920 wrote to memory of 3824 2920 cmd.exe powershell.exe PID 2920 wrote to memory of 3824 2920 cmd.exe powershell.exe PID 2512 wrote to memory of 3832 2512 cmd.exe powershell.exe PID 2512 wrote to memory of 3832 2512 cmd.exe powershell.exe PID 3340 wrote to memory of 1104 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe cmd.exe PID 3340 wrote to memory of 1104 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe cmd.exe PID 3340 wrote to memory of 4948 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe cmd.exe PID 3340 wrote to memory of 4948 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe cmd.exe PID 1104 wrote to memory of 3000 1104 cmd.exe powershell.exe PID 1104 wrote to memory of 3000 1104 cmd.exe powershell.exe PID 4948 wrote to memory of 5088 4948 cmd.exe powershell.exe PID 4948 wrote to memory of 5088 4948 cmd.exe powershell.exe PID 3340 wrote to memory of 5056 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe cmd.exe PID 3340 wrote to memory of 5056 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe cmd.exe PID 3340 wrote to memory of 4924 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe cmd.exe PID 3340 wrote to memory of 4924 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe cmd.exe PID 5056 wrote to memory of 3904 5056 cmd.exe powershell.exe PID 5056 wrote to memory of 3904 5056 cmd.exe powershell.exe PID 4924 wrote to memory of 4576 4924 cmd.exe powershell.exe PID 4924 wrote to memory of 4576 4924 cmd.exe powershell.exe PID 3340 wrote to memory of 3972 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe cmd.exe PID 3340 wrote to memory of 3972 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe cmd.exe PID 3340 wrote to memory of 3656 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe cmd.exe PID 3340 wrote to memory of 3656 3340 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe cmd.exe PID 3972 wrote to memory of 1104 3972 cmd.exe powershell.exe PID 3972 wrote to memory of 1104 3972 cmd.exe powershell.exe PID 3656 wrote to memory of 1844 3656 cmd.exe powershell.exe PID 3656 wrote to memory of 1844 3656 cmd.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe"C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3340 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit2⤵
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4496 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit2⤵
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1352 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit2⤵
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3824 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit2⤵
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3832 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit2⤵
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit2⤵
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5088 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit2⤵
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3904 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit2⤵
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4576 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit2⤵
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1104 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit2⤵
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3988,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=3748 /prefetch:81⤵PID:3684
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:2212
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD55caad758326454b5788ec35315c4c304
SHA13aef8dba8042662a7fcf97e51047dc636b4d4724
SHA25683e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA5124e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eixq010l.v1a.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/1352-4-0x0000020E64FA0000-0x0000020E64FC2000-memory.dmpFilesize
136KB
-
memory/3340-0-0x0000027ADBDF0000-0x0000027ADBE1A000-memory.dmpFilesize
168KB
-
memory/3340-1-0x00007FFF43283000-0x00007FFF43285000-memory.dmpFilesize
8KB
-
memory/3340-2-0x00007FFF43280000-0x00007FFF43D41000-memory.dmpFilesize
10.8MB
-
memory/3340-27-0x00007FFF43283000-0x00007FFF43285000-memory.dmpFilesize
8KB
-
memory/3340-28-0x00007FFF43280000-0x00007FFF43D41000-memory.dmpFilesize
10.8MB