Malware Analysis Report

2024-11-30 06:44

Sample ID 240604-bz4qvsgg3v
Target 3f1414acc122559e44c9760949639fa6.bin
SHA256 d6eed977741825badacec5402690aab5ee64622e405102d7e88a38c5b615fdf1
Tags
execution persistence spyware stealer
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

d6eed977741825badacec5402690aab5ee64622e405102d7e88a38c5b615fdf1

Threat Level: Known bad

The file 3f1414acc122559e44c9760949639fa6.bin was found to be: Known bad.

Malicious Activity Summary

execution persistence spyware stealer

Modifies WinLogon for persistence

Process spawned unexpected child process

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 01:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 01:35

Reported

2024-06-04 01:39

Platform

win7-20240220-en

Max time kernel

122s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2f115298e7e2a6641f1af6447139aae7a272396e05255cf3f46aad126095168.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\cmd.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\System.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\dwm.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\cmd.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\System.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\dwm.exe\", \"C:\\Windows\\PLA\\System\\Idle.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\cmd.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\System.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\dwm.exe\", \"C:\\Windows\\PLA\\System\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Discord\\Updater.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\cmd.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\cmd.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\System.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\cmd.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\System.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Windows\PLA\System\Idle.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "\"C:\\Users\\Admin\\AppData\\Roaming\\Discord\\Updater.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\cmd.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\cmd.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\PLA\\System\\Idle.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\PLA\\System\\Idle.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "\"C:\\Users\\Admin\\AppData\\Roaming\\Discord\\Updater.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Uninstall Information\\System.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Uninstall Information\\System.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\dwm.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\dwm.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSC546E58EF9FE748CFA913A7BFB5C246.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\u7e72d.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Photo Viewer\en-US\cmd.exe C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\en-US\ebf1f9fa8afd6d C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\dwm.exe C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\6cb0b6c459d5d3 C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
File created C:\Program Files (x86)\Uninstall Information\System.exe C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
File created C:\Program Files (x86)\Uninstall Information\27d1bcfc3c54e0 C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\PLA\System\Idle.exe C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
File created C:\Windows\PLA\System\6ccacd8608530f C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
File created C:\Windows\PLA\System\Idle.exe C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\PLA\System\Idle.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\PLA\System\Idle.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\a2f115298e7e2a6641f1af6447139aae7a272396e05255cf3f46aad126095168.exe C:\Windows\SysWOW64\WScript.exe
PID 3056 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\a2f115298e7e2a6641f1af6447139aae7a272396e05255cf3f46aad126095168.exe C:\Windows\SysWOW64\WScript.exe
PID 3056 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\a2f115298e7e2a6641f1af6447139aae7a272396e05255cf3f46aad126095168.exe C:\Windows\SysWOW64\WScript.exe
PID 3056 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\a2f115298e7e2a6641f1af6447139aae7a272396e05255cf3f46aad126095168.exe C:\Windows\SysWOW64\WScript.exe
PID 2924 wrote to memory of 2624 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2624 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2624 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2624 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Discord\Updater.exe
PID 2624 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Discord\Updater.exe
PID 2624 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Discord\Updater.exe
PID 2624 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Discord\Updater.exe
PID 2648 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2648 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2648 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2656 wrote to memory of 2752 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2656 wrote to memory of 2752 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2656 wrote to memory of 2752 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2648 wrote to memory of 488 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 488 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 488 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 744 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 744 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 744 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 588 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 588 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 588 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 616 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 616 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 616 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\cmd.exe
PID 2648 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\cmd.exe
PID 2648 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\cmd.exe
PID 2100 wrote to memory of 1540 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2100 wrote to memory of 1540 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2100 wrote to memory of 1540 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2100 wrote to memory of 2128 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2100 wrote to memory of 2128 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2100 wrote to memory of 2128 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2100 wrote to memory of 2176 N/A C:\Windows\System32\cmd.exe C:\Windows\PLA\System\Idle.exe
PID 2100 wrote to memory of 2176 N/A C:\Windows\System32\cmd.exe C:\Windows\PLA\System\Idle.exe
PID 2100 wrote to memory of 2176 N/A C:\Windows\System32\cmd.exe C:\Windows\PLA\System\Idle.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a2f115298e7e2a6641f1af6447139aae7a272396e05255cf3f46aad126095168.exe

"C:\Users\Admin\AppData\Local\Temp\a2f115298e7e2a6641f1af6447139aae7a272396e05255cf3f46aad126095168.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Discord\9tSGBPS8pWt1OE8agSDDS3cSF0YOLizU75DcXK0Ue9E3Zn.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Discord\gLyE3U6eAnmR1VUbYVGQU6SNbmGDptj5w0rMd8Qkc1gQF.bat" "

C:\Users\Admin\AppData\Roaming\Discord\Updater.exe

"C:\Users\Admin\AppData\Roaming\Discord/Updater.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\cmd.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zteisswt\zteisswt.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1323.tmp" "c:\Windows\System32\CSC546E58EF9FE748CFA913A7BFB5C246.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\System\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\PLA\System\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\System\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "UpdaterU" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Roaming\Discord\Updater.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Updater" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Discord\Updater.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "UpdaterU" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Roaming\Discord\Updater.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\System\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Discord\Updater.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k0JXvbX1ZX.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\PLA\System\Idle.exe

"C:\Windows\PLA\System\Idle.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 333376cm.n9shteam1.top udp
US 104.21.22.205:80 333376cm.n9shteam1.top tcp
US 104.21.22.205:80 333376cm.n9shteam1.top tcp

Files

C:\Users\Admin\AppData\Roaming\Discord\9tSGBPS8pWt1OE8agSDDS3cSF0YOLizU75DcXK0Ue9E3Zn.vbe

MD5 a3efcfccea29fadeac3e1939b9d86e09
SHA1 bcca91cdc90c1f1b092c63d93f3fc0513ec4d5c8
SHA256 da6753778123b5e236261193f3c2ead026f6d1ea90798340e5c1014cc7de393e
SHA512 f4c347d6f34f369ed5628ac21102a391bf5a657bf5179497469e00ed695d71194d10532337f4a6ff1b6c4e0d17ec43fc28af59804cfd8ca6020d48547b7c3470

C:\Users\Admin\AppData\Roaming\Discord\gLyE3U6eAnmR1VUbYVGQU6SNbmGDptj5w0rMd8Qkc1gQF.bat

MD5 da082c1722499065454aa616e631bd1f
SHA1 1926813a10570b3430e886610932697fd3a1be1d
SHA256 c9dabf9ea5db5c85219b896ca6045613ec95b64374f2dc0d132da1be1aa67915
SHA512 21e1e8f817f28a84b8c1b8e4180fcf4a2230cc6e22a80555677addefc4b8f4b7557e6774732de7f675475c6485dde5e150aa206b896a69a1506d518bc06c6ed5

C:\Users\Admin\AppData\Roaming\Discord\Updater.exe

MD5 e9b6a10f75763366fb2ca9d1d570d148
SHA1 bed46215af229c6b60efd96eb06e4fad259fa85d
SHA256 02f925d7e27fd7660e781f8ea1ca09d52ce6e1f6d8abe6b3c6e120fbb1b5faa3
SHA512 7be614b25b7d35910cb9931ef96731ed6ec1bcd3c0bdf1b66580c72b6e92981320dc572ed63537ba79f2a5baca700f7c7d3abe03090b90031ceb9bb4db8690cc

memory/2648-13-0x00000000001F0000-0x00000000003CA000-memory.dmp

memory/2648-15-0x0000000000460000-0x000000000046E000-memory.dmp

memory/2648-19-0x00000000008C0000-0x00000000008D8000-memory.dmp

memory/2648-21-0x0000000000470000-0x000000000047C000-memory.dmp

memory/2648-17-0x0000000000490000-0x00000000004AC000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\zteisswt\zteisswt.cmdline

MD5 d3a9b2c44f907a0a5786b2f76ca4b71e
SHA1 f59dcd8ac9501bac9f4130b0bab44835a70f8637
SHA256 01228254674e728c5ec64e7ba9777dbecc306df03b928cecf95bdf847c5be5b5
SHA512 618357122b6b7069143e2633e5ddd152ae729b1528c01090b9e29e275487e547e2c03da02505815b1a484fae3dda3c5da73b14470169a499f8401553cc3eb1f6

\??\c:\Users\Admin\AppData\Local\Temp\zteisswt\zteisswt.0.cs

MD5 98af596e0d06441c0e1016a4526a92d7
SHA1 fd9893e89a1abbb22472eca66364b9b3e117116c
SHA256 1fcb717d195d47cf28cdde9f6de4f5c22b065c65820cbc67ed69efabd1a06cdf
SHA512 608743154377b5861a7e23e60631feae20a6ab57669c4f9e9bcaffc352aacf38a4bc29913073b5a0e311c515151649267df73f5f4507f72d0ae915619e4fa4aa

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 762a5fbb149eeae952d056399d9794aa
SHA1 0cee0c1d763a60972b0285f9863a2a2848a4e652
SHA256 9e1488d927a250484d84bba1edf57b078a7a03846b8401a6890bcabeec6bb1b5
SHA512 711be3e1fa7c873ae19084bb74d56ba06926536d8d8d62712d1c62efc14b983588ca72762c623087aa9c3a4d5a4957f27d9ef46243e008332c6c4d42b4e4adae

memory/488-64-0x000000001B6A0000-0x000000001B982000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\k0JXvbX1ZX.bat

MD5 ea23d93ae26c4452991f9503b84e4f03
SHA1 cac9e62cfeddedf92c82f16c7363a88827eac911
SHA256 fbbb911716ea6d7aecf00a778c7e4104cfbe01486d44785286cec0bb612b10c9
SHA512 91e6daf0aedc2181aa7c31831f0d0462d91416b43b46c71acb94b53285f453d4496fdeaa1fee64b603df652e3adf12f20ddf912a3aaaaf9593ad4d605233caed

memory/1408-65-0x0000000002240000-0x0000000002248000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RES1323.tmp

MD5 71d1ccd678a69a2de0557c52d1213aae
SHA1 9977eb7a0410caffb5952ccaca8320d5f8b477e4
SHA256 11f7e83b4ee84475bd2880f08d6c324307b9efc28ecd4c6a9d1905ea1f7126d4
SHA512 471b092a4686e3765317165af26e1e0439b9791c921d8ca3e3bbe26a38d1fa3b8d5c143144712f9007c7359d3017dea4f4d01c05883181388d8f506e27f71637

\??\c:\Windows\System32\CSC546E58EF9FE748CFA913A7BFB5C246.TMP

MD5 984924caf6574026769de34f35c2358e
SHA1 6dd41e492235d812252231912aa025f47fa7a9e7
SHA256 2bf5f65c8161575847113a1b4194625204c6ddce042f9b3432011c31348bb986
SHA512 5918fdc8d27ff5421dea1455df93c6cf85738e94c5079701ba7fded59b01bda482b70e2a500ba2c2aebedb6d2b0815d094d9bb271133de738f9e630167f6be46

memory/2176-83-0x00000000003D0000-0x00000000005AA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 01:35

Reported

2024-06-04 01:39

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2f115298e7e2a6641f1af6447139aae7a272396e05255cf3f46aad126095168.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\Updater.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\Updater.exe\", \"C:\\Users\\Default User\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\Updater.exe\", \"C:\\Users\\Default User\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.151\\sppsvc.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\Updater.exe\", \"C:\\Users\\Default User\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.151\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\upfc.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\Updater.exe\", \"C:\\Users\\Default User\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.151\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\sppsvc.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\Updater.exe\", \"C:\\Users\\Default User\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.151\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\sppsvc.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Discord\\Updater.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a2f115298e7e2a6641f1af6447139aae7a272396e05255cf3f46aad126095168.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.151\\sppsvc.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "\"C:\\Users\\Admin\\AppData\\Roaming\\Discord\\Updater.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "\"C:\\Users\\Admin\\AppData\\Roaming\\Discord\\Updater.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "\"C:\\Program Files (x86)\\Internet Explorer\\en-US\\Updater.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.151\\sppsvc.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Default User\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\upfc.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\upfc.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\sppsvc.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\sppsvc.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "\"C:\\Program Files (x86)\\Internet Explorer\\en-US\\Updater.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Default User\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSCEA3722EF16D74F7BAE49D12D948984.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\ovp_du.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\en-US\68c7e5829acfa3 C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
File created C:\Program Files (x86)\Windows Defender\es-ES\sppsvc.exe C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
File created C:\Program Files (x86)\Windows Defender\es-ES\0a1fd5f707cd16 C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.151\sppsvc.exe C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.151\0a1fd5f707cd16 C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
File created C:\Program Files (x86)\Internet Explorer\en-US\Updater.exe C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\sppsvc.exe C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\upfc.exe C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\ea1d8f6d871115 C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a2f115298e7e2a6641f1af6447139aae7a272396e05255cf3f46aad126095168.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4688 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\a2f115298e7e2a6641f1af6447139aae7a272396e05255cf3f46aad126095168.exe C:\Windows\SysWOW64\WScript.exe
PID 4688 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\a2f115298e7e2a6641f1af6447139aae7a272396e05255cf3f46aad126095168.exe C:\Windows\SysWOW64\WScript.exe
PID 4688 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\a2f115298e7e2a6641f1af6447139aae7a272396e05255cf3f46aad126095168.exe C:\Windows\SysWOW64\WScript.exe
PID 1912 wrote to memory of 4372 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 4372 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 4372 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 4904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Discord\Updater.exe
PID 4372 wrote to memory of 4904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Discord\Updater.exe
PID 4904 wrote to memory of 8 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4904 wrote to memory of 8 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 8 wrote to memory of 3940 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 8 wrote to memory of 3940 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4904 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\cmd.exe
PID 4904 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Roaming\Discord\Updater.exe C:\Windows\System32\cmd.exe
PID 4296 wrote to memory of 4768 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4296 wrote to memory of 4768 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4296 wrote to memory of 4700 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4296 wrote to memory of 4700 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4296 wrote to memory of 3096 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\Discord\Updater.exe
PID 4296 wrote to memory of 3096 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\Discord\Updater.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a2f115298e7e2a6641f1af6447139aae7a272396e05255cf3f46aad126095168.exe

"C:\Users\Admin\AppData\Local\Temp\a2f115298e7e2a6641f1af6447139aae7a272396e05255cf3f46aad126095168.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Discord\9tSGBPS8pWt1OE8agSDDS3cSF0YOLizU75DcXK0Ue9E3Zn.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Discord\gLyE3U6eAnmR1VUbYVGQU6SNbmGDptj5w0rMd8Qkc1gQF.bat" "

C:\Users\Admin\AppData\Roaming\Discord\Updater.exe

"C:\Users\Admin\AppData\Roaming\Discord/Updater.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "UpdaterU" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Updater.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Updater" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Updater.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "UpdaterU" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Updater.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0o2tpiht\0o2tpiht.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES52E3.tmp" "c:\Windows\System32\CSCEA3722EF16D74F7BAE49D12D948984.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.151\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.151\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.151\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "UpdaterU" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\Discord\Updater.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Updater" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Discord\Updater.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "UpdaterU" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\Discord\Updater.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\en-US\Updater.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\StartMenuExperienceHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\1.3.36.151\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\upfc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\es-ES\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Discord\Updater.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gnkt59pwrR.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Roaming\Discord\Updater.exe

"C:\Users\Admin\AppData\Roaming\Discord\Updater.exe"
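
The process list above records four persistence layers for each dropped copy: a Winlogon\Shell entry, a Run value under HKLM and the user SID, a pair of scheduled tasks (ONLOGON plus a MINUTE repeat, /rl HIGHEST) and a Defender ExclusionPath for the same file. Note also that every schtasks.exe instance has wmiprvse.exe as its parent rather than Updater.exe, which is what process creation through WMI (Win32_Process.Create) looks like; a parent/child rule keyed on Updater.exe spawning schtasks.exe would not fire on this chain, so a host check should inspect the resulting state instead of process lineage. The following PowerShell is an added hunt script, not part of the sandbox report or of the sample; it assumes the drop layout from behavioral2 (the paths listed in the report, with the per-user Discord\Updater.exe expanded for every profile under C:\Users) and an elevated session, and it only reports, it removes nothing.

```powershell
# Added hunt script; it is not part of the sandbox report or of the sample.
# Read-only: it reports what it finds and removes nothing. Run from an elevated
# PowerShell (5.1 or 7) on the host under suspicion.

# Drop locations recorded in behavioral2 (assumption: same layout on the host).
# The per-user Discord\Updater.exe path is expanded for every profile under C:\Users.
$ReportPayloads = @(
    'C:\Program Files (x86)\Internet Explorer\en-US\Updater.exe',
    'C:\Users\Default User\StartMenuExperienceHost.exe',
    'C:\Program Files (x86)\Google\Update\1.3.36.151\sppsvc.exe',
    'C:\Program Files (x86)\Windows NT\TableTextService\en-US\upfc.exe',
    'C:\Program Files (x86)\Windows Defender\es-ES\sppsvc.exe'
)

function Get-PayloadPaths {
    $perUser = Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Discord\Updater.exe' }
    @($ReportPayloads) + @($perUser)
}

function New-Finding {
    param([string]$Source, [string]$Where, [string]$Target, [string]$RunLevel = '')
    [pscustomobject]@{ Source = $Source; Where = $Where; Target = $Target; RunLevel = $RunLevel }
}

function Get-WinlogonShellExtras {
    # Winlogon\Shell is a comma-separated list; a clean host has exactly "explorer.exe".
    # Returns every other entry with its surrounding double quotes stripped.
    param([string]$ShellValue)
    $ShellValue -split ',' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -and $_ -ne 'explorer.exe' }
}

function Find-RunKeyHits {
    param([string[]]$Payloads)
    # HKLM plus every loaded user hive, so a value under another user's SID is not missed.
    $runKeys = @('Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') +
        @(Get-ChildItem Registry::HKEY_USERS | ForEach-Object {
            "$($_.PSPath)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" })
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            $target = ([string]$prop.Value).Trim().Trim('"')
            if ($Payloads -contains $target) { New-Finding 'RunKey' "$key\$($prop.Name)" $target }
        }
    }
}

function Find-TaskHits {
    param([string[]]$Payloads)
    # The report's tasks wrap the target in single quotes (/tr "'C:\...\Updater.exe'"),
    # so quotes of either kind are stripped before comparing.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe = ([string]$action.Execute).Trim() -replace '^["'']+|["'']+$', ''
            if ($Payloads -contains $exe) {
                New-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $exe "$($task.Principal.RunLevel)"
            }
        }
    }
}

function Find-ExclusionHits {
    param([string[]]$Payloads)
    # Add-MpPreference -ExclusionPath lands here. Recent builds hide the list from
    # non-elevated sessions, one more reason to run this elevated.
    $excl = @()
    try { $excl = @((Get-MpPreference).ExclusionPath) } catch { }
    foreach ($e in $excl) {
        if ($Payloads -contains $e) { New-Finding 'DefenderExclusion' 'Get-MpPreference' $e }
    }
}

$payloads = Get-PayloadPaths
$shell    = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Shell).Shell
$findings = @()
$findings += Get-WinlogonShellExtras $shell |
    ForEach-Object { New-Finding 'WinlogonShell' 'HKLM\...\Winlogon\Shell' $_ }
$findings += Find-RunKeyHits $payloads
$findings += Find-TaskHits $payloads
$findings += Find-ExclusionHits $payloads
$findings += $payloads | Where-Object { Test-Path $_ } | ForEach-Object { New-Finding 'FileOnDisk' $_ $_ }

if ($findings.Count -eq 0) { 'Nothing matching this report found.' }
else { $findings | Sort-Object Source | Format-Table -AutoSize }
```

Each finding carries the location it came from, so a cleanup can be driven from the same list; remove all four layers for a given path at once, since the MINUTE-repeat tasks recreate the Run and Shell entries as soon as one copy runs again. Treat a Winlogon\Shell value that is anything other than "explorer.exe" as a finding on its own, whether or not the path matches this report.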

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 333376cm.n9shteam1.top udp
US 104.21.22.205:80 333376cm.n9shteam1.top tcp
US 104.21.22.205:80 333376cm.n9shteam1.top tcp
US 8.8.8.8:53 205.22.21.104.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Discord\9tSGBPS8pWt1OE8agSDDS3cSF0YOLizU75DcXK0Ue9E3Zn.vbe

MD5 a3efcfccea29fadeac3e1939b9d86e09
SHA1 bcca91cdc90c1f1b092c63d93f3fc0513ec4d5c8
SHA256 da6753778123b5e236261193f3c2ead026f6d1ea90798340e5c1014cc7de393e
SHA512 f4c347d6f34f369ed5628ac21102a391bf5a657bf5179497469e00ed695d71194d10532337f4a6ff1b6c4e0d17ec43fc28af59804cfd8ca6020d48547b7c3470

C:\Users\Admin\AppData\Roaming\Discord\gLyE3U6eAnmR1VUbYVGQU6SNbmGDptj5w0rMd8Qkc1gQF.bat

MD5 da082c1722499065454aa616e631bd1f
SHA1 1926813a10570b3430e886610932697fd3a1be1d
SHA256 c9dabf9ea5db5c85219b896ca6045613ec95b64374f2dc0d132da1be1aa67915
SHA512 21e1e8f817f28a84b8c1b8e4180fcf4a2230cc6e22a80555677addefc4b8f4b7557e6774732de7f675475c6485dde5e150aa206b896a69a1506d518bc06c6ed5

C:\Users\Admin\AppData\Roaming\Discord\Updater.exe

MD5 e9b6a10f75763366fb2ca9d1d570d148
SHA1 bed46215af229c6b60efd96eb06e4fad259fa85d
SHA256 02f925d7e27fd7660e781f8ea1ca09d52ce6e1f6d8abe6b3c6e120fbb1b5faa3
SHA512 7be614b25b7d35910cb9931ef96731ed6ec1bcd3c0bdf1b66580c72b6e92981320dc572ed63537ba79f2a5baca700f7c7d3abe03090b90031ceb9bb4db8690cc

memory/4904-12-0x00007FFA8EB63000-0x00007FFA8EB65000-memory.dmp

memory/4904-13-0x0000000000030000-0x000000000020A000-memory.dmp

memory/4904-15-0x0000000000A20000-0x0000000000A2E000-memory.dmp

memory/4904-20-0x0000000000AC0000-0x0000000000AD8000-memory.dmp

memory/4904-22-0x0000000000A30000-0x0000000000A3C000-memory.dmp

memory/4904-18-0x000000001B010000-0x000000001B060000-memory.dmp

memory/4904-17-0x0000000000AA0000-0x0000000000ABC000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\0o2tpiht\0o2tpiht.cmdline

MD5 eed49e1c8d5215a226f7d973301ed5b7
SHA1 d65e9888281db928b57125fd5aee496707066960
SHA256 3d26e406d6da6b4da43e3482921520cb7d2651eb1707bf89bc81fcc15e96ef76
SHA512 f277ecf9e63ab1357bea59856b1197a75ef999170d2bdd8a09972ec2f95cd0afb01b67e9ac8bd7a596ffe68fb251afa0726b9e9f44630ab7ee6a389120461e62

\??\c:\Users\Admin\AppData\Local\Temp\0o2tpiht\0o2tpiht.0.cs

MD5 4750d72a1695ede2763d38e217ac91f0
SHA1 4017a45e6cf082ffe5f4313194f4d4c707a2be1b
SHA256 851fcb1f7c0134b7f9a70f8ca98f22d476e1593ec49f233894a69ef378095e41
SHA512 85713c9b1e0d58772ec7f365bdf8d075037b79d5d32878d894a749c9d6c542a6d792e4aa31b98583d9d701c836196efbb4546925637cc5a88b36a15120ba15be

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1xmmc1sj.lri.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1964-60-0x000001D7F41B0000-0x000001D7F41D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Gnkt59pwrR.bat

MD5 51bc873410643536fa56bfbef2ea7522
SHA1 18d910f143074fe0c195098abb2f78ab4f565775
SHA256 5a6de5a2b687726be48d0b26de5cf04f8aff7f31406c3ce4e764e1f33597f739
SHA512 ec9f67087214c6e78fe48c29ef8cd1ed5338f7d47c27725209afee002ec20d239c8b7eade09f15b4f18d17147e2d9ce2679425a5748547493e1fb0147ba3dd97

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0a8eae4356acd258dbc1d39462ee0d7a
SHA1 b420df23a4c5cafcc321fe31ad9334d815c45c3f
SHA256 6c3d9c8da7fc4f7c3a1750b7619e5f8f08dd7965739edf22b5d1faa83d6b2855
SHA512 57dd3ac069d0c858f0ce964b5fec49056d96d888dde3e477baf8c380fa7cdbc776bb867096eb9464956a0ab2d2c2442d2cf83d9fd1dcc9d62d339a6e1f6ddd04

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 62623d22bd9e037191765d5083ce16a3
SHA1 4a07da6872672f715a4780513d95ed8ddeefd259
SHA256 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Temp\RES52E3.tmp

MD5 c9d57e49a667a69ec253b5e239f8bf09
SHA1 a68f1aa8c0fa793ff2beca21e1a41ccca580542f
SHA256 15e5504ebf6ccaf617e5928d6c085749bef5d645365224004bca83b8d96f6c04
SHA512 34d1a69413e8cf24f157bdea4e49f09e8b88bc3a2e00920d65879c0200f5cfbca3bfbee42eb84ad218f29c24e6a1e98bd3ba0024de55784bd067a93e62955e33

\??\c:\Windows\System32\CSCEA3722EF16D74F7BAE49D12D948984.TMP

MD5 88c5195a3b5509621a4a4acbc50a503f
SHA1 a72db1c734707bfe2b7febb9e3372fc2a28de953
SHA256 2c703a6c00c75d082e9af0787e595edd826632148141fdafb6265fe7b4fb2ee5
SHA512 f54f5745518dd20cda117b23086583d6fa366f848ad1081b72051e91ea77a38fb6740af2b961dba30e53fae043575130c0a6e9aee46095b0b72e60adb9914fd4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Updater.exe.log

MD5 af6acd95d59de87c04642509c30e81c1
SHA1 f9549ae93fdb0a5861a79a08f60aa81c4b32377b
SHA256 7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6
SHA512 93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a