258015504f0b0063b34019c355d73ce1cd03c50734a15bd8346deed9fbc23e59

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-04-2023 22:35

Target

LuSlower_Discord_Debloat (2) - copia.exe
Size

376KB
MD5

9a9b1b4b284d5b5d8d2083afbcda51df
SHA1

777217ce433c0133e71f995d5133dafa89e8cf79
SHA256

258015504f0b0063b34019c355d73ce1cd03c50734a15bd8346deed9fbc23e59
SHA512

c25a9917d59c9f6c51a101a957bd0b6f6eef1b7925960252d134cab86be5570932f9f3e7d6a43e609e71c3aad7fd8d5a26bbe251210f48122210d24a475583f1
SSDEEP

1536:M7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfywepp65rLvAL:C7DhdC6kzWypvaQ0FxyNTBfyPvSvvAL

Score

1^/10

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1728	1992	LuSlower_Discord_Debloat (2) - copia.exe	29
PID 1992 wrote to memory of 1728	1992	LuSlower_Discord_Debloat (2) - copia.exe	29
PID 1992 wrote to memory of 1728	1992	LuSlower_Discord_Debloat (2) - copia.exe	29
PID 1992 wrote to memory of 1728	1992	LuSlower_Discord_Debloat (2) - copia.exe	29
PID 1728 wrote to memory of 1952	1728	cmd.exe	30
PID 1728 wrote to memory of 1952	1728	cmd.exe	30
PID 1728 wrote to memory of 1952	1728	cmd.exe	30
PID 1952 wrote to memory of 1968	1952	cmd.exe	31
PID 1952 wrote to memory of 1968	1952	cmd.exe	31
PID 1952 wrote to memory of 1968	1952	cmd.exe	31
PID 1952 wrote to memory of 920	1952	cmd.exe	32
PID 1952 wrote to memory of 920	1952	cmd.exe	32
PID 1952 wrote to memory of 920	1952	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\LuSlower_Discord_Debloat (2) - copia.exe
"C:\Users\Admin\AppData\Local\Temp\LuSlower_Discord_Debloat (2) - copia.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FD34.tmp\FD35.tmp\FD36.bat "C:\Users\Admin\AppData\Local\Temp\LuSlower_Discord_Debloat (2) - copia.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Discord" /v "DisplayVersion"|findstr /v "HK"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Discord" /v "DisplayVersion"
      4⤵
      PID:1968
  - - C:\Windows\system32\findstr.exe
      findstr /v "HK"
      4⤵
      PID:920

C:\Users\Admin\AppData\Local\Temp\FD34.tmp\FD35.tmp\FD36.bat

Filesize
8KB

MD5
f991c0ec0b83348f7879f7648a7e1d6e

SHA1
008ee6b17ffb02a38b667bcde243a3b242864ec2

SHA256
7cadfac70d72d4be853344e20e868f535c0d53475f17e5de26e5d34bd5d72ef0

SHA512
14ad5eab923afd7257f2a41f81d088025630c01eaa7270a17dbad3a7b882886f25a16efc4c081f2801e527080d3ee3e5c33357e058bc4a5865bef4ac2b4b01be

Download Submit