da14f3a37747b1623c51a34e6c7ceaa224b1fb6fac199753055dbb68cc898f8b

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Client.exe
Size

167KB
MD5

08c8b0a5d89a76d82087ea85f9c8ba03
SHA1

7990fd4e83976009f0b5e3f78ada27405488c896
SHA256

da14f3a37747b1623c51a34e6c7ceaa224b1fb6fac199753055dbb68cc898f8b
SHA512

92ce62dd6a5ce72026b8eb51ee069dfcb7e477a9cf931863e430b124fb205dd5dce753d00b349e1a4f3b0f77a47c12f6b4bedd2fcd0f76cc468cd2d72b0e51f0
SSDEEP

3072:lAMADoN36tnQviFCtABnGfWl9zqaF9bYYvMJUJ8T2SXZyrgoBJtbN/3MCK2kevEz:lpW9zvvM1/JdSI5eb

Score

7^/10

discovery persistence

Malware Config

Signatures

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.exe	New Client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.exe	New Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.url	New Client.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .."	New Client.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\discord.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .."	New Client.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	pastebin.com
19	pastebin.com

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Kills process with taskkill 63 IoCs

evasion

pid	Process
2124	taskkill.exe
4988	taskkill.exe
3308	taskkill.exe
1660	taskkill.exe
1044	taskkill.exe
3652	taskkill.exe
2992	taskkill.exe
4496	taskkill.exe
5044	taskkill.exe
2136	taskkill.exe
3184	taskkill.exe
4444	taskkill.exe
2100	taskkill.exe
1060	taskkill.exe
2708	taskkill.exe
4928	taskkill.exe
2688	taskkill.exe
3388	taskkill.exe
2792	taskkill.exe
2388	taskkill.exe
4164	taskkill.exe
4108	taskkill.exe
1272	taskkill.exe
640	taskkill.exe
2676	taskkill.exe
4880	taskkill.exe
400	taskkill.exe
2556	taskkill.exe
3416	taskkill.exe
4128	taskkill.exe
3036	taskkill.exe
4536	taskkill.exe
2776	taskkill.exe
316	taskkill.exe
548	taskkill.exe
228	taskkill.exe
2940	taskkill.exe
5052	taskkill.exe
456	taskkill.exe
244	taskkill.exe
2172	taskkill.exe
3044	taskkill.exe
3268	taskkill.exe
976	taskkill.exe
4464	taskkill.exe
2084	taskkill.exe
1980	taskkill.exe
3088	taskkill.exe
1716	taskkill.exe
2548	taskkill.exe
1840	taskkill.exe
4856	taskkill.exe
1776	taskkill.exe
5108	taskkill.exe
1520	taskkill.exe
4512	taskkill.exe
3780	taskkill.exe
4208	taskkill.exe
4780	taskkill.exe
2148	taskkill.exe
812	taskkill.exe
4056	taskkill.exe
3580	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe
2780	New Client.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	New Client.exe
Token: SeDebugPrivilege	2276	taskmgr.exe
Token: SeSystemProfilePrivilege	2276	taskmgr.exe
Token: SeCreateGlobalPrivilege	2276	taskmgr.exe
Token: 33	2780	New Client.exe
Token: SeIncBasePriorityPrivilege	2780	New Client.exe
Token: 33	2780	New Client.exe
Token: SeIncBasePriorityPrivilege	2780	New Client.exe
Token: 33	2780	New Client.exe
Token: SeIncBasePriorityPrivilege	2780	New Client.exe
Token: 33	2780	New Client.exe
Token: SeIncBasePriorityPrivilege	2780	New Client.exe
Token: 33	2780	New Client.exe
Token: SeIncBasePriorityPrivilege	2780	New Client.exe
Token: 33	2780	New Client.exe
Token: SeIncBasePriorityPrivilege	2780	New Client.exe
Token: 33	2780	New Client.exe
Token: SeIncBasePriorityPrivilege	2780	New Client.exe
Token: 33	2780	New Client.exe
Token: SeIncBasePriorityPrivilege	2780	New Client.exe
Token: 33	2780	New Client.exe
Token: SeIncBasePriorityPrivilege	2780	New Client.exe
Token: 33	2780	New Client.exe
Token: SeIncBasePriorityPrivilege	2780	New Client.exe
Token: 33	2780	New Client.exe
Token: SeIncBasePriorityPrivilege	2780	New Client.exe
Token: 33	2780	New Client.exe
Token: SeIncBasePriorityPrivilege	2780	New Client.exe
Token: 33	2780	New Client.exe
Token: SeIncBasePriorityPrivilege	2780	New Client.exe
Token: 33	2780	New Client.exe
Token: SeIncBasePriorityPrivilege	2780	New Client.exe
Token: 33	2780	New Client.exe
Token: SeIncBasePriorityPrivilege	2780	New Client.exe
Token: 33	2780	New Client.exe
Token: SeIncBasePriorityPrivilege	2780	New Client.exe
Token: 33	2780	New Client.exe
Token: SeIncBasePriorityPrivilege	2780	New Client.exe
Token: 33	2780	New Client.exe
Token: SeIncBasePriorityPrivilege	2780	New Client.exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe
2276	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 3388	2780	New Client.exe	90
PID 2780 wrote to memory of 3388	2780	New Client.exe	90
PID 2780 wrote to memory of 3388	2780	New Client.exe	90
PID 2780 wrote to memory of 1716	2780	New Client.exe	92
PID 2780 wrote to memory of 1716	2780	New Client.exe	92
PID 2780 wrote to memory of 1716	2780	New Client.exe	92
PID 2780 wrote to memory of 5108	2780	New Client.exe	95
PID 2780 wrote to memory of 5108	2780	New Client.exe	95
PID 2780 wrote to memory of 5108	2780	New Client.exe	95
PID 2780 wrote to memory of 3268	2780	New Client.exe	99
PID 2780 wrote to memory of 3268	2780	New Client.exe	99
PID 2780 wrote to memory of 3268	2780	New Client.exe	99
PID 2780 wrote to memory of 4780	2780	New Client.exe	101
PID 2780 wrote to memory of 4780	2780	New Client.exe	101
PID 2780 wrote to memory of 4780	2780	New Client.exe	101
PID 2780 wrote to memory of 1660	2780	New Client.exe	103
PID 2780 wrote to memory of 1660	2780	New Client.exe	103
PID 2780 wrote to memory of 1660	2780	New Client.exe	103
PID 2780 wrote to memory of 2100	2780	New Client.exe	105
PID 2780 wrote to memory of 2100	2780	New Client.exe	105
PID 2780 wrote to memory of 2100	2780	New Client.exe	105
PID 2780 wrote to memory of 2940	2780	New Client.exe	107
PID 2780 wrote to memory of 2940	2780	New Client.exe	107
PID 2780 wrote to memory of 2940	2780	New Client.exe	107
PID 2780 wrote to memory of 2148	2780	New Client.exe	109
PID 2780 wrote to memory of 2148	2780	New Client.exe	109
PID 2780 wrote to memory of 2148	2780	New Client.exe	109
PID 2780 wrote to memory of 812	2780	New Client.exe	111
PID 2780 wrote to memory of 812	2780	New Client.exe	111
PID 2780 wrote to memory of 812	2780	New Client.exe	111
PID 2780 wrote to memory of 2792	2780	New Client.exe	114
PID 2780 wrote to memory of 2792	2780	New Client.exe	114
PID 2780 wrote to memory of 2792	2780	New Client.exe	114
PID 2780 wrote to memory of 2136	2780	New Client.exe	117
PID 2780 wrote to memory of 2136	2780	New Client.exe	117
PID 2780 wrote to memory of 2136	2780	New Client.exe	117
PID 2780 wrote to memory of 4928	2780	New Client.exe	119
PID 2780 wrote to memory of 4928	2780	New Client.exe	119
PID 2780 wrote to memory of 4928	2780	New Client.exe	119
PID 2780 wrote to memory of 1520	2780	New Client.exe	121
PID 2780 wrote to memory of 1520	2780	New Client.exe	121
PID 2780 wrote to memory of 1520	2780	New Client.exe	121
PID 2780 wrote to memory of 2776	2780	New Client.exe	123
PID 2780 wrote to memory of 2776	2780	New Client.exe	123
PID 2780 wrote to memory of 2776	2780	New Client.exe	123
PID 2780 wrote to memory of 4056	2780	New Client.exe	125
PID 2780 wrote to memory of 4056	2780	New Client.exe	125
PID 2780 wrote to memory of 4056	2780	New Client.exe	125
PID 2780 wrote to memory of 2124	2780	New Client.exe	127
PID 2780 wrote to memory of 2124	2780	New Client.exe	127
PID 2780 wrote to memory of 2124	2780	New Client.exe	127
PID 2780 wrote to memory of 2548	2780	New Client.exe	129
PID 2780 wrote to memory of 2548	2780	New Client.exe	129
PID 2780 wrote to memory of 2548	2780	New Client.exe	129
PID 2780 wrote to memory of 1060	2780	New Client.exe	131
PID 2780 wrote to memory of 1060	2780	New Client.exe	131
PID 2780 wrote to memory of 1060	2780	New Client.exe	131
PID 2780 wrote to memory of 3416	2780	New Client.exe	133
PID 2780 wrote to memory of 3416	2780	New Client.exe	133
PID 2780 wrote to memory of 3416	2780	New Client.exe	133
PID 2780 wrote to memory of 316	2780	New Client.exe	135
PID 2780 wrote to memory of 316	2780	New Client.exe	135
PID 2780 wrote to memory of 316	2780	New Client.exe	135
PID 2780 wrote to memory of 2388	2780	New Client.exe	137

C:\Users\Admin\AppData\Local\Temp\New Client.exe
"C:\Users\Admin\AppData\Local\Temp\New Client.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:3388
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1716
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:5108
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:3268
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4780
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1660
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2100
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2940
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2148
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:812
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2792
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2136
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4928
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1520
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2776
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4056
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2124
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2548
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1060
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:3416
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:316
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2388
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1840
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4988
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4164
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4128
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:3580
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4464
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:3652
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:5052
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:640
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:456
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2084
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2992
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2708
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2676
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:976
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4880
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1044
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:244
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4512
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:3780
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:3308
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2172
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4856
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:3044
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1776
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1980
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4108
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4496
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:3036
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4536
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:3184
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:400
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2556
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4444
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:5044
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:228
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:548
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:3088
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4208
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1272
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im discord.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2688

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2276-16-0x000001ABF41D0000-0x000001ABF41D1000-memory.dmp

Filesize
4KB

Download
memory/2276-14-0x000001ABF41D0000-0x000001ABF41D1000-memory.dmp

Filesize
4KB

Download
memory/2276-12-0x000001ABF41D0000-0x000001ABF41D1000-memory.dmp

Filesize
4KB

Download
memory/2276-6-0x000001ABF41D0000-0x000001ABF41D1000-memory.dmp

Filesize
4KB

Download
memory/2276-13-0x000001ABF41D0000-0x000001ABF41D1000-memory.dmp

Filesize
4KB

Download
memory/2276-7-0x000001ABF41D0000-0x000001ABF41D1000-memory.dmp

Filesize
4KB

Download
memory/2276-17-0x000001ABF41D0000-0x000001ABF41D1000-memory.dmp

Filesize
4KB

Download
memory/2276-18-0x000001ABF41D0000-0x000001ABF41D1000-memory.dmp

Filesize
4KB

Download
memory/2276-8-0x000001ABF41D0000-0x000001ABF41D1000-memory.dmp

Filesize
4KB

Download
memory/2276-15-0x000001ABF41D0000-0x000001ABF41D1000-memory.dmp

Filesize
4KB

Download
memory/2780-1-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/2780-0-0x0000000074812000-0x0000000074813000-memory.dmp

Filesize
4KB

Download
memory/2780-2-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/2780-19-0x0000000074812000-0x0000000074813000-memory.dmp

Filesize
4KB

Download
memory/2780-20-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/2780-21-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download