0146aca5c73ba4135d9605e8750e8cbd77a74bb5d607e7f3b304014df51de121

Analysis

max time kernel
146s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

discordapp.exe
Size

164.7MB
MD5

f2d0574cabbc53fa49a48ea393bc0e08
SHA1

559efe7cae86f5eeb78e6e49875d25a5caeedb3c
SHA256

f660ed4f629400fcea51c34686858c1268a4aad6dbc6c75485116bdf3ff734da
SHA512

8d1315d3bb1fb6faa54c292bd4b79d6835d73ed10c82330ba5f98a13b6f2ae9d33c5058bb30768f1cb187371ba76d989a8eac371463d79427bdbee63a4a15134
SSDEEP

1572864:htRb5j0Jo3k4uaSwrkaxMnHo/qVfZanrCfYbmLlEkwPT15+ztDTeNokbaGMZAHmM:hTlBaHTf7x+Un

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4732	discordapp.exe
4732	discordapp.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	ipinfo.io
33	ipinfo.io

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	discordapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	discordapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	discordapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	discordapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	discordapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	discordapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	discordapp.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
7136	WMIC.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
8060	tasklist.exe
8052	tasklist.exe
8428	tasklist.exe
8512	tasklist.exe
8592	tasklist.exe
8444	tasklist.exe
8272	tasklist.exe
8128	tasklist.exe
7680	tasklist.exe
7664	tasklist.exe
8412	tasklist.exe
8504	tasklist.exe
8328	tasklist.exe
8016	tasklist.exe
8296	tasklist.exe
7396	tasklist.exe
7716	tasklist.exe
7984	tasklist.exe
7948	tasklist.exe
7748	tasklist.exe
7740	tasklist.exe
7524	tasklist.exe
7924	tasklist.exe
7804	tasklist.exe
7604	tasklist.exe
8112	tasklist.exe
8104	tasklist.exe
7836	tasklist.exe
7956	tasklist.exe
7788	tasklist.exe
8568	tasklist.exe
8248	tasklist.exe
7772	tasklist.exe
7940	tasklist.exe
7696	tasklist.exe
7596	tasklist.exe
7516	tasklist.exe
8376	tasklist.exe
8496	tasklist.exe
8304	tasklist.exe
7532	tasklist.exe
7900	tasklist.exe
7884	tasklist.exe
7724	tasklist.exe
8400	tasklist.exe
8340	tasklist.exe
7652	tasklist.exe
7828	tasklist.exe
8000	tasklist.exe
8584	tasklist.exe
8488	tasklist.exe
8096	tasklist.exe
8068	tasklist.exe
7388	tasklist.exe
7612	tasklist.exe
8312	tasklist.exe
8288	tasklist.exe
8264	tasklist.exe
8184	tasklist.exe
8660	tasklist.exe
8280	tasklist.exe
7892	tasklist.exe
7820	tasklist.exe
7732	tasklist.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4732	discordapp.exe
4732	discordapp.exe
4732	discordapp.exe
4732	discordapp.exe
4732	discordapp.exe
4732	discordapp.exe
10984	powershell.exe
10984	powershell.exe
10984	powershell.exe
11144	powershell.exe
11144	powershell.exe
11144	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4988	tasklist.exe
Token: SeShutdownPrivilege	4732	discordapp.exe
Token: SeCreatePagefilePrivilege	4732	discordapp.exe
Token: SeIncreaseQuotaPrivilege	3472	WMIC.exe
Token: SeSecurityPrivilege	3472	WMIC.exe
Token: SeTakeOwnershipPrivilege	3472	WMIC.exe
Token: SeLoadDriverPrivilege	3472	WMIC.exe
Token: SeSystemProfilePrivilege	3472	WMIC.exe
Token: SeSystemtimePrivilege	3472	WMIC.exe
Token: SeProfSingleProcessPrivilege	3472	WMIC.exe
Token: SeIncBasePriorityPrivilege	3472	WMIC.exe
Token: SeCreatePagefilePrivilege	3472	WMIC.exe
Token: SeBackupPrivilege	3472	WMIC.exe
Token: SeRestorePrivilege	3472	WMIC.exe
Token: SeShutdownPrivilege	3472	WMIC.exe
Token: SeDebugPrivilege	3472	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3472	WMIC.exe
Token: SeRemoteShutdownPrivilege	3472	WMIC.exe
Token: SeUndockPrivilege	3472	WMIC.exe
Token: SeManageVolumePrivilege	3472	WMIC.exe
Token: 33	3472	WMIC.exe
Token: 34	3472	WMIC.exe
Token: 35	3472	WMIC.exe
Token: 36	3472	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3472	WMIC.exe
Token: SeSecurityPrivilege	3472	WMIC.exe
Token: SeTakeOwnershipPrivilege	3472	WMIC.exe
Token: SeLoadDriverPrivilege	3472	WMIC.exe
Token: SeSystemProfilePrivilege	3472	WMIC.exe
Token: SeSystemtimePrivilege	3472	WMIC.exe
Token: SeProfSingleProcessPrivilege	3472	WMIC.exe
Token: SeIncBasePriorityPrivilege	3472	WMIC.exe
Token: SeCreatePagefilePrivilege	3472	WMIC.exe
Token: SeBackupPrivilege	3472	WMIC.exe
Token: SeRestorePrivilege	3472	WMIC.exe
Token: SeShutdownPrivilege	3472	WMIC.exe
Token: SeDebugPrivilege	3472	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3472	WMIC.exe
Token: SeRemoteShutdownPrivilege	3472	WMIC.exe
Token: SeUndockPrivilege	3472	WMIC.exe
Token: SeManageVolumePrivilege	3472	WMIC.exe
Token: 33	3472	WMIC.exe
Token: 34	3472	WMIC.exe
Token: 35	3472	WMIC.exe
Token: 36	3472	WMIC.exe
Token: SeShutdownPrivilege	4732	discordapp.exe
Token: SeCreatePagefilePrivilege	4732	discordapp.exe
Token: SeShutdownPrivilege	4732	discordapp.exe
Token: SeCreatePagefilePrivilege	4732	discordapp.exe
Token: SeDebugPrivilege	7176	tasklist.exe
Token: SeDebugPrivilege	7396	tasklist.exe
Token: SeDebugPrivilege	7388	tasklist.exe
Token: SeDebugPrivilege	7516	tasklist.exe
Token: SeDebugPrivilege	7604	tasklist.exe
Token: SeDebugPrivilege	7772	tasklist.exe
Token: SeDebugPrivilege	7636	tasklist.exe
Token: SeDebugPrivilege	7680	tasklist.exe
Token: SeDebugPrivilege	7644	tasklist.exe
Token: SeDebugPrivilege	7704	tasklist.exe
Token: SeDebugPrivilege	7652	tasklist.exe
Token: SeDebugPrivilege	7764	tasklist.exe
Token: SeDebugPrivilege	7628	tasklist.exe
Token: SeDebugPrivilege	7696	tasklist.exe
Token: SeDebugPrivilege	7524	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 1720	4732	discordapp.exe	89
PID 4732 wrote to memory of 1720	4732	discordapp.exe	89
PID 1720 wrote to memory of 4988	1720	cmd.exe	91
PID 1720 wrote to memory of 4988	1720	cmd.exe	91
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 428	4732	discordapp.exe	92
PID 4732 wrote to memory of 4328	4732	discordapp.exe	93
PID 4732 wrote to memory of 4328	4732	discordapp.exe	93
PID 4732 wrote to memory of 5020	4732	discordapp.exe	95
PID 4732 wrote to memory of 5020	4732	discordapp.exe	95
PID 5020 wrote to memory of 3472	5020	cmd.exe	97
PID 5020 wrote to memory of 3472	5020	cmd.exe	97
PID 4732 wrote to memory of 5072	4732	discordapp.exe	98
PID 4732 wrote to memory of 5072	4732	discordapp.exe	98
PID 4732 wrote to memory of 4036	4732	discordapp.exe	99
PID 4732 wrote to memory of 4036	4732	discordapp.exe	99
PID 4732 wrote to memory of 2860	4732	discordapp.exe	100
PID 4732 wrote to memory of 2860	4732	discordapp.exe	100
PID 4732 wrote to memory of 3988	4732	discordapp.exe	102
PID 4732 wrote to memory of 3988	4732	discordapp.exe	102
PID 4732 wrote to memory of 4312	4732	discordapp.exe	103
PID 4732 wrote to memory of 4312	4732	discordapp.exe	103
PID 4732 wrote to memory of 4588	4732	discordapp.exe	105
PID 4732 wrote to memory of 4588	4732	discordapp.exe	105
PID 4732 wrote to memory of 2744	4732	discordapp.exe	106
PID 4732 wrote to memory of 2744	4732	discordapp.exe	106
PID 4732 wrote to memory of 860	4732	discordapp.exe	107
PID 4732 wrote to memory of 860	4732	discordapp.exe	107
PID 4732 wrote to memory of 1076	4732	discordapp.exe	108
PID 4732 wrote to memory of 1076	4732	discordapp.exe	108
PID 4732 wrote to memory of 4052	4732	discordapp.exe	109
PID 4732 wrote to memory of 4052	4732	discordapp.exe	109
PID 4732 wrote to memory of 1016	4732	discordapp.exe	110
PID 4732 wrote to memory of 1016	4732	discordapp.exe	110
PID 4732 wrote to memory of 516	4732	discordapp.exe	111
PID 4732 wrote to memory of 516	4732	discordapp.exe	111

C:\Users\Admin\AppData\Local\Temp\discordapp.exe
"C:\Users\Admin\AppData\Local\Temp\discordapp.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4988
- C:\Users\Admin\AppData\Local\Temp\discordapp.exe
  "C:\Users\Admin\AppData\Local\Temp\discordapp.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\fay" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1724 --field-trial-handle=1728,i,6413009300765206949,17867974471073257244,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:428
- C:\Users\Admin\AppData\Local\Temp\discordapp.exe
  "C:\Users\Admin\AppData\Local\Temp\discordapp.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\fay" --mojo-platform-channel-handle=1900 --field-trial-handle=1728,i,6413009300765206949,17867974471073257244,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:4328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4732 get ExecutablePath"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=4732 get ExecutablePath
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5072
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4036
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2860
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3988
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4312
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4588
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2744
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:860
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1076
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4052
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1016
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:516
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:836
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1548
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1956
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2176
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4684
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:916
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4980
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4620
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3484
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4064
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1068
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:628
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3292
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3656
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2852
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4160
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1900
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4932
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1680
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3712
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1652
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2236
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2620
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1484
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4928
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3940
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4112
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2028
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:832
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3936
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1432
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1872
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4760
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1860
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4536
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1760
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3500
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3728
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3224
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2944
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4480
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3552
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3724
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2564
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4452
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2928
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4068
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4428
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:212
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4496
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4608
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1800
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4888
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4792
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5044
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3748
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2720
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2844
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2600
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:468
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:748
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2084
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2032
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1368
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4748
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4672
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2280
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2184
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5124
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5144
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5176
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5184
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5200
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5216
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5244
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5256
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5280
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5300
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5316
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5340
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "net session"
  2⤵
  PID:5356
- - C:\Windows\system32\net.exe
    net session
    3⤵
    PID:8436
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:9564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\bind\main.exe"
  2⤵
  PID:5376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:5408
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:8084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
  2⤵
  PID:5424
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic OS get caption, osarchitecture
    3⤵
    PID:8392
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:8608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
  2⤵
  PID:11132
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:11172
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:11180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
  2⤵
  PID:11228
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:7136
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:5356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  PID:3276
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:10984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
  2⤵
  PID:5428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:11144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:10892
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:9632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\90ca23d5-261a-475b-8e6b-e640f8e5c53d.tmp.node

Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0c1ebdbo.kmo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec872bff-e483-4e95-b76b-6ba8d41cabe3.tmp.node

Filesize
151KB

MD5
0c2337c54bb3970114f6caa6dd53c103

SHA1
7de94811f6a6fbe372e586503c6872dfeeb1068f

SHA256
500982b9fd29d69f0bb6ce1234ee5ca3fa52896e5ac8ec84df6223ea93041a80

SHA512
1feebb1f57f163a13c69f15cec37c3bb27c9e428c3f828548f336ea256a0c6aa4aa343f86b59cd5aa921a7620aa85df63e1446f62fd5e04fd607b19caddfbf2e

Download Submit
memory/10984-26-0x000002A632560000-0x000002A632582000-memory.dmp

Filesize
136KB

Download