Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-01-2025 05:57
Behavioral task: behavioral1
Sample: discordupdate.exe
Resource: win7-20240903-en
General
Target: discordupdate.exe
Size: 3.1MB
MD5: 25befffc195ce47401f74afbe942f3ff
SHA1: 287aacd0350f05308e08c6b4b8b88baf56f56160
SHA256: b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f
SHA512: a28796538d64edaf7d4ba4d19e705211c779230a58b462793dab86ed5f51408feab998cf78ffe808819b4dc27cbaa981cd107887e0d5c7b0fb0f2bbca630973e
SSDEEP: 49152:rv+I22SsaNYfdPBldt698dBcjH0gR04RoGdNdTHHB72eh2NT:rvz22SsaNYfdPBldt6+dBcjH0gR0k
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: bot
C2: wexos47815-61484.portmap.host:61484
Mutex: 06e2bb33-968c-4ca7-97dc-f23fbd5c3092
Attributes
encryption_key: 8924CB3C9515DA437A37F5AE598376261E5528FC
install_name: msinfo32.exe
log_directory: Update
reconnect_delay: 3000
startup_key: Discordupdate
subdirectory: dll32
Notes: the C2 is a portmap.host hostname, i.e. a portmap.io port-forwarding endpoint, so any IP it resolves to belongs to the forwarding service rather than to the operator; alert on the hostname and port. install_name, subdirectory and startup_key predict the host artifacts seen in the run below: the implant copy at C:\Windows\system32\dll32\msinfo32.exe and the scheduled task named "Discordupdate".
Signatures
Quasar family
Quasar payload 2 IoCs
resource  yara_rule
behavioral2/memory/4312-1-0x0000000000500000-0x0000000000824000-memory.dmp  family_quasar
behavioral2/files/0x000a000000023b67-6.dat  family_quasar
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation
process: msinfo32.exe (15 identical entries, one per msinfo32.exe instance listed under "Executes dropped EXE")
Executes dropped EXE 15 IoCs
process: msinfo32.exe
pids: 1112, 1800, 1448, 1612, 3256, 3788, 1760, 1116, 5092, 2024, 4312, 3204, 3508, 452, 1912
Drops file in System32 directory 33 IoCs
description  ioc  process  count
File created  C:\Windows\system32\dll32\msinfo32.exe  discordupdate.exe  1
File opened for modification  C:\Windows\system32\dll32\msinfo32.exe  discordupdate.exe  1
File opened for modification  C:\Windows\system32\dll32  discordupdate.exe  1
File opened for modification  C:\Windows\system32\dll32\msinfo32.exe  msinfo32.exe  15
File opened for modification  C:\Windows\system32\dll32  msinfo32.exe  15
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs
Adversaries may check for Internet connectivity on compromised systems.
process: PING.EXE
pids: 2032, 3932, 4236, 1416, 2892, 4456, 4036, 4100, 452, 4748, 684, 1992, 4208, 2560, 1164
Runs ping.exe 1 TTPs 15 IoCs
process: PING.EXE (the same 15 pids as above)
Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
process: schtasks.exe
pids: 1564, 3092, 4068, 2960, 4576, 4440, 3768, 1164, 4064, 4144, 1532, 4388, 5080, 4420, 2688, 3508
Suspicious use of AdjustPrivilegeToken 16 IoCs
Token: SeDebugPrivilege
pid 4312 discordupdate.exe; msinfo32.exe pids 1112, 1800, 1448, 1612, 3256, 3788, 1760, 1116, 5092, 2024, 4312, 3204, 3508, 452, 1912
Suspicious use of WriteProcessMemory 64 IoCs
32 parent -> child pairs, each logged twice in the raw output. Columns: pid process -> target pid (procid_target).
4312 discordupdate.exe -> 2688 (82)
4312 discordupdate.exe -> 1112 (84)
1112 msinfo32.exe -> 3092 (85)
1112 msinfo32.exe -> 4404 (87)
4404 cmd.exe -> 3928 (89)
4404 cmd.exe -> 1992 (90)
4404 cmd.exe -> 1800 (96)
1800 msinfo32.exe -> 3508 (97)
1800 msinfo32.exe -> 3816 (99)
3816 cmd.exe -> 900 (101)
3816 cmd.exe -> 4456 (102)
3816 cmd.exe -> 1448 (105)
1448 msinfo32.exe -> 1164 (106)
1448 msinfo32.exe -> 4716 (108)
4716 cmd.exe -> 2700 (110)
4716 cmd.exe -> 2032 (111)
4716 cmd.exe -> 1612 (113)
1612 msinfo32.exe -> 4144 (115)
1612 msinfo32.exe -> 392 (117)
392 cmd.exe -> 4540 (119)
392 cmd.exe -> 4036 (120)
392 cmd.exe -> 3256 (121)
3256 msinfo32.exe -> 4068 (122)
3256 msinfo32.exe -> 4876 (124)
4876 cmd.exe -> 3928 (126)
4876 cmd.exe -> 2560 (127)
4876 cmd.exe -> 3788 (128)
3788 msinfo32.exe -> 2960 (129)
3788 msinfo32.exe -> 3344 (131)
3344 cmd.exe -> 4544 (133)
3344 cmd.exe -> 4100 (134)
3344 cmd.exe -> 1760 (135)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
One line per process: [depth] PID, image path, command line, and the signature flags raised on that process. Flags: loc = Checks computer location settings; drop = Executes dropped EXE; sys32 = Drops file in System32 directory; priv = Suspicious use of AdjustPrivilegeToken; wpm = Suspicious use of WriteProcessMemory; task = Scheduled Task/Job: Scheduled Task; ping = System Network Configuration Discovery: Internet Connection Discovery and Runs ping.exe. A process at depth N is a child of the nearest preceding process at depth N-1.
Reading the tree: the drop into C:\Windows\system32\dll32 and the /rl HIGHEST task both need an elevated token, so this is an elevated run. Each msinfo32.exe instance re-registers the same "Discordupdate" logon task, then runs cmd.exe on a freshly written .bat in the user's Temp directory; the script sets the console code page (chcp 65001), sleeps roughly nine seconds with ping -n 10 localhost and relaunches msinfo32.exe, which starts the cycle again, 15 times within the 149 s run. PIDs are reused during the run (3928, 3816, 1164, 452, 3508, 4036, 5108 and 4312 each appear twice), so correlate on parent/child relationships rather than on PID alone.

[1]  PID 4312  C:\Users\Admin\AppData\Local\Temp\discordupdate.exe  "C:\Users\Admin\AppData\Local\Temp\discordupdate.exe"  {sys32, priv, wpm}
[2]  PID 2688  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f  {task}
[2]  PID 1112  C:\Windows\system32\dll32\msinfo32.exe  "C:\Windows\system32\dll32\msinfo32.exe"  {loc, drop, sys32, priv, wpm}
[3]  PID 3092  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f  {task}
[3]  PID 4404  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gFO2PHgnthRH.bat" "  {wpm}
[4]  PID 3928  C:\Windows\system32\chcp.com  chcp 65001
[4]  PID 1992  C:\Windows\system32\PING.EXE  ping -n 10 localhost  {ping}
[4]  PID 1800  C:\Windows\system32\dll32\msinfo32.exe  "C:\Windows\system32\dll32\msinfo32.exe"  {loc, drop, sys32, priv, wpm}
[5]  PID 3508  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f  {task}
[5]  PID 3816  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O5INo1X1PHAF.bat" "  {wpm}
[6]  PID 900   C:\Windows\system32\chcp.com  chcp 65001
[6]  PID 4456  C:\Windows\system32\PING.EXE  ping -n 10 localhost  {ping}
[6]  PID 1448  C:\Windows\system32\dll32\msinfo32.exe  "C:\Windows\system32\dll32\msinfo32.exe"  {loc, drop, sys32, priv, wpm}
[7]  PID 1164  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f  {task}
[7]  PID 4716  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGUJG4miU135.bat" "  {wpm}
[8]  PID 2700  C:\Windows\system32\chcp.com  chcp 65001
[8]  PID 2032  C:\Windows\system32\PING.EXE  ping -n 10 localhost  {ping}
[8]  PID 1612  C:\Windows\system32\dll32\msinfo32.exe  "C:\Windows\system32\dll32\msinfo32.exe"  {loc, drop, sys32, priv, wpm}
[9]  PID 4144  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f  {task}
[9]  PID 392   C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l4KMd0ooNfnB.bat" "  {wpm}
[10] PID 4540  C:\Windows\system32\chcp.com  chcp 65001
[10] PID 4036  C:\Windows\system32\PING.EXE  ping -n 10 localhost  {ping}
[10] PID 3256  C:\Windows\system32\dll32\msinfo32.exe  "C:\Windows\system32\dll32\msinfo32.exe"  {loc, drop, sys32, priv, wpm}
[11] PID 4068  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f  {task}
[11] PID 4876  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vfhPJ4TWeaoF.bat" "  {wpm}
[12] PID 3928  C:\Windows\system32\chcp.com  chcp 65001
[12] PID 2560  C:\Windows\system32\PING.EXE  ping -n 10 localhost  {ping}
[12] PID 3788  C:\Windows\system32\dll32\msinfo32.exe  "C:\Windows\system32\dll32\msinfo32.exe"  {loc, drop, sys32, priv, wpm}
[13] PID 2960  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f  {task}
[13] PID 3344  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2TJhPrBIKbCr.bat" "  {wpm}
[14] PID 4544  C:\Windows\system32\chcp.com  chcp 65001
[14] PID 4100  C:\Windows\system32\PING.EXE  ping -n 10 localhost  {ping}
[14] PID 1760  C:\Windows\system32\dll32\msinfo32.exe  "C:\Windows\system32\dll32\msinfo32.exe"  {loc, drop, sys32, priv}
[15] PID 1532  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f  {task}
[15] PID 3608  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7r7jEpNYI6VD.bat" "
[16] PID 5108  C:\Windows\system32\chcp.com  chcp 65001
[16] PID 452   C:\Windows\system32\PING.EXE  ping -n 10 localhost  {ping}
[16] PID 1116  C:\Windows\system32\dll32\msinfo32.exe  "C:\Windows\system32\dll32\msinfo32.exe"  {loc, drop, sys32, priv}
[17] PID 4576  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f  {task}
[17] PID 3816  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4WSBULneLEuc.bat" "
[18] PID 1692  C:\Windows\system32\chcp.com  chcp 65001
[18] PID 1164  C:\Windows\system32\PING.EXE  ping -n 10 localhost  {ping}
[18] PID 5092  C:\Windows\system32\dll32\msinfo32.exe  "C:\Windows\system32\dll32\msinfo32.exe"  {loc, drop, sys32, priv}
[19] PID 4440  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f  {task}
[19] PID 388   C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GxfYdSbECzJy.bat" "
[20] PID 4572  C:\Windows\system32\chcp.com  chcp 65001
[20] PID 3932  C:\Windows\system32\PING.EXE  ping -n 10 localhost  {ping}
[20] PID 2024  C:\Windows\system32\dll32\msinfo32.exe  "C:\Windows\system32\dll32\msinfo32.exe"  {loc, drop, sys32, priv}
[21] PID 4388  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f  {task}
[21] PID 4036  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hHM7UQiwOGVS.bat" "
[22] PID 2324  C:\Windows\system32\chcp.com  chcp 65001
[22] PID 4748  C:\Windows\system32\PING.EXE  ping -n 10 localhost  {ping}
[22] PID 4312  C:\Windows\system32\dll32\msinfo32.exe  "C:\Windows\system32\dll32\msinfo32.exe"  {loc, drop, sys32, priv}
[23] PID 3768  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f  {task}
[23] PID 4280  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dVBoHjsvnIge.bat" "
[24] PID 2952  C:\Windows\system32\chcp.com  chcp 65001
[24] PID 684   C:\Windows\system32\PING.EXE  ping -n 10 localhost  {ping}
[24] PID 3204  C:\Windows\system32\dll32\msinfo32.exe  "C:\Windows\system32\dll32\msinfo32.exe"  {loc, drop, sys32, priv}
[25] PID 4064  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f  {task}
[25] PID 884   C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gHx6um8nYzic.bat" "
[26] PID 3692  C:\Windows\system32\chcp.com  chcp 65001
[26] PID 4236  C:\Windows\system32\PING.EXE  ping -n 10 localhost  {ping}
[26] PID 3508  C:\Windows\system32\dll32\msinfo32.exe  "C:\Windows\system32\dll32\msinfo32.exe"  {loc, drop, sys32, priv}
[27] PID 5080  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f  {task}
[27] PID 5108  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b91ZNEbs7EiT.bat" "
[28] PID 3824  C:\Windows\system32\chcp.com  chcp 65001
[28] PID 4208  C:\Windows\system32\PING.EXE  ping -n 10 localhost  {ping}
[28] PID 452   C:\Windows\system32\dll32\msinfo32.exe  "C:\Windows\system32\dll32\msinfo32.exe"  {loc, drop, sys32, priv}
[29] PID 4420  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f  {task}
[29] PID 2304  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hFhVu1GH2xup.bat" "
[30] PID 4704  C:\Windows\system32\chcp.com  chcp 65001
[30] PID 1416  C:\Windows\system32\PING.EXE  ping -n 10 localhost  {ping}
[30] PID 1912  C:\Windows\system32\dll32\msinfo32.exe  "C:\Windows\system32\dll32\msinfo32.exe"  {loc, drop, sys32, priv}
[31] PID 1564  C:\Windows\SYSTEM32\schtasks.exe  "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f  {task}
[31] PID 2588  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KH2OZhrTeXiP.bat" "
[32] PID 2980  C:\Windows\system32\chcp.com  chcp 65001
[32] PID 2892  C:\Windows\system32\PING.EXE  ping -n 10 localhost  {ping}
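The three behaviours that recur through the tree above (an OS binary name running from a fresh subdirectory of System32, a logon task created with /rl HIGHEST pointing at that file, and the cmd.exe/.bat/ping/relaunch restart chain) can be expressed as process-creation detections. The block below is an added example written for this page; it is not code from the sandbox report or from the Quasar project. The events it scans are constructed to mirror the tree (plus two benign controls), and the record shape (pid, ppid, image, cmdline) is a generic process-creation event, not any particular product's schema.

```python
"""Detections for the Quasar persistence/restart chain in the process tree above.

Added example, not part of the sandbox report or of the Quasar project. The
events are constructed to mirror the report's tree plus two benign controls;
the field names (pid, ppid, image, cmdline) are a generic process-creation
record, not any particular product's schema.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str   # command line as logged


SCHTASKS_CMD = (r'"schtasks" /create /tn "Discordupdate" /sc ONLOGON '
                r'/tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f')
IMPLANT = r"C:\Windows\system32\dll32\msinfo32.exe"

# Constructed telemetry modelled on the tree above (not a real log export).
EVENTS = [
    ProcEvent(4312, 900, r"C:\Users\Admin\AppData\Local\Temp\discordupdate.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\discordupdate.exe"'),
    ProcEvent(2688, 4312, r"C:\Windows\SYSTEM32\schtasks.exe", SCHTASKS_CMD),
    ProcEvent(1112, 4312, IMPLANT, f'"{IMPLANT}"'),
    ProcEvent(4404, 1112, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gFO2PHgnthRH.bat" "'),
    ProcEvent(3928, 4404, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(1992, 4404, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    ProcEvent(1800, 4404, IMPLANT, f'"{IMPLANT}"'),
    # Benign controls: the genuine msinfo32.exe and an ordinary daily task.
    ProcEvent(5000, 900, r"C:\Windows\System32\msinfo32.exe", "msinfo32.exe"),
    ProcEvent(5001, 900, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "NightlyBackup" /sc DAILY /tr "C:\Program Files\Backup\run.exe"'),
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
OS_BINARY_NAMES = {"msinfo32.exe", "svchost.exe", "rundll32.exe", "conhost.exe"}  # extend as needed
# schtasks "/opt value" pairs; a value never starts with "/", so bare switches (/create, /f) are skipped.
OPT = re.compile(r'/(\w+)\s+(?:"([^"]*)"|([^\s/"]\S*))', re.I)


def parent_dir(path: str) -> str:
    return ntpath.dirname(path).lower().rstrip("\\")


def parse_schtasks(cmdline: str) -> dict:
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in OPT.finditer(cmdline)}


def masquerading_os_binary(ev: ProcEvent):
    """An OS binary name executing from somewhere other than System32/SysWOW64."""
    name = ntpath.basename(ev.image).lower()
    if name in OS_BINARY_NAMES and parent_dir(ev.image) not in SYSTEM_DIRS:
        return ("masquerade", ev.pid, ev.image)
    return None


def risky_scheduled_task(ev: ProcEvent):
    """schtasks /create with a logon/boot trigger, /rl HIGHEST and a target outside trusted dirs."""
    if ntpath.basename(ev.image).lower() != "schtasks.exe" or not re.search(r"/create\b", ev.cmdline, re.I):
        return None
    o = parse_schtasks(ev.cmdline)
    tdir = parent_dir(o.get("tr", ""))
    trusted = tdir in SYSTEM_DIRS or tdir.startswith(r"c:\program files")
    if o.get("sc", "").upper() in {"ONLOGON", "ONSTART"} and o.get("rl", "").upper() == "HIGHEST" and not trusted:
        return ("risky_task", ev.pid, f"{o.get('tn')} -> {o.get('tr')}")
    return None


def ping_sleep_relaunch(events):
    """cmd.exe running a Temp .bat whose children include a 'ping -n N localhost' sleep
    and a relaunch of the very image that started cmd.exe (its parent)."""
    by_pid = {e.pid: e for e in events}   # production: key on a process GUID, PIDs get reused
    kids = defaultdict(list)
    for e in events:
        kids[e.ppid].append(e)
    hits = []
    for e in events:
        if ntpath.basename(e.image).lower() != "cmd.exe" or not re.search(r'\\temp\\[^"\\]+\.bat', e.cmdline, re.I):
            continue
        parent = by_pid.get(e.ppid)
        sleeps = any(ntpath.basename(k.image).lower() == "ping.exe"
                     and re.search(r"-n\s+\d+\s+(localhost|127\.0\.0\.1)", k.cmdline, re.I)
                     for k in kids[e.pid])
        relaunch = parent is not None and any(k.image.lower() == parent.image.lower() for k in kids[e.pid])
        if sleeps and relaunch:
            hits.append(("restart_chain", e.pid, parent.image))
    return hits


def scan(events):
    """Run all three detections; returns (kind, pid, detail) tuples."""
    findings = [f for e in events for f in (masquerading_os_binary(e), risky_scheduled_task(e)) if f]
    findings.extend(ping_sleep_relaunch(events))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in scan(EVENTS):
        print(f"{kind:14} pid={pid:<5} {detail}")
```

Run against the constructed events this reports the task created by PID 2688, the two implant instances (1112 and 1800) and the restart chain under cmd.exe 4404, and stays silent on the real msinfo32.exe and the daily backup task. The restart-chain rule deliberately matches on the parent's image being relaunched rather than on a fixed file name, so it also fires when the install_name in the config changes; because the sandbox tree shows PID reuse within a single run, a production version should key the parent lookup on a process GUID instead of the bare PID.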
Network
MITRE ATT&CK Enterprise v15
Downloads
Files written during the run; the report lists sizes and hashes only, no file names. There are one 2KB file, fifteen 197-byte files (consistent with the fifteen .bat scripts launched from Temp in the process tree, each with its own hash) and one 3.1MB file whose hashes match the submitted sample, i.e. the self-copy to C:\Windows\system32\dll32\msinfo32.exe.

Filesize 2KB
MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Filesize 197B
MD5 512663341e021470cb45d1c80078046e
SHA1 4df2423d3c6d5c1b291fbf2512b0b4b21bb7c67f
SHA256 6e3389893bb54cfef925caccc30ac64c220ddb39d74b6cba85b230b112f07eed
SHA512 41784220f01436b321812bcd578b8f8c7a9b6ff3218542af6885b53687921f6bf29af73fa82241761f68e1152fcb6560df22eca19dabf6b866534434377cbc6d

Filesize 197B
MD5 e3b1bcb4af7fabf0ba89d1af763ec32a
SHA1 5331a516542833e2a154e6bb23dc506a0df73aca
SHA256 57c2bb56421e52a631686856a29ebe02577f78f47d42975358b41fb461d9a926
SHA512 b4304923f19fc0e3a06f445db934ad859e22f1d15da09aec1096081593d06fd9408063079445424bad8b8533300a71cf004c3936e05a46d843eb2da877592f5f

Filesize 197B
MD5 33509d576cce42ae2ee273f8daa560f0
SHA1 27d6869d08d74201300e611cba0ba4032b843cdd
SHA256 4dc0ee973b74e67e27d47dc970d32cbb93f58a37205e1d3d9c8338247ae65314
SHA512 f0db98da2473ae5b753cd96b66a4d0263ca0e1d6bba673d8ff5bdb323ed1f0f530cb510b8ad736007af52fbf3f1523fde9b0def723fd4ce50601aba2ba4dd3e2

Filesize 197B
MD5 4d25d5f00f7b73b8525a00599dca0562
SHA1 c0da8dca026d294b4410d93e57c81c30d3852fda
SHA256 c0c9d8f3d37e97edda28bae7f1278faeaceac5e3e6c755d7f1fd200dc155119b
SHA512 bdcfde499efcf519827bbcf9f506857fd3557ccfc90c0369fec3510e0361347b6507d83617e7cfe1cc88e6c31b11f8e423b240b8f18ecafa3be6a04e23fea540

Filesize 197B
MD5 9ab07f47bae0826a7365706871dcbe96
SHA1 3381ee78f40f2c7fb7eabbee31a61e8da62b047e
SHA256 1886e9ed45876dd1f6f3b95c52240d6f1274f5edb0825dcfcab7bd2ae3251d1a
SHA512 09e9811d421b48c28e32701b29ff246b426b44413422dbe3df0b3a2f623ac46f7a73ded22cccc1ff8869d1750027f148361b11deff2c24588ad57c94c9b1e1e7

Filesize 197B
MD5 953c8ec0bc2fec89283c1840959e8478
SHA1 8dc0108961606eb89177df27a6de356fe7e6aded
SHA256 68e284a54b55de3084d4cfac8f9ec1ec3032397f459cebd6bd83f2f3734265a8
SHA512 28376016b9a8242c29cfd76a915a825d604a21e69a347b0bebaddeb97cc94cf6537fa581dee2f3afa2eadb03231752aa6651a017d3074f7d3dcceec6ef6350f9

Filesize 197B
MD5 fc208520ceec9c33b0903bbfa7143041
SHA1 6a8c1fc603bdd3af528d376723e2f482de8fa91f
SHA256 3d11ce8ca21adcf8ddfe0f9aef16f4e1ee2b37a9f1f745437983d5eeef45aece
SHA512 53aeb3dbbca97f923e1c35a7d45bd703c06a9581490982ba70d26d5099844cbfdbd236264e9c8cf36bef5766ace4e42c875d821136c35b419fafb628db52624b

Filesize 197B
MD5 da45a3b9ce06a8348df210830b45b205
SHA1 0e59efc41e88ee1ca61bbacc30c69749ef1df304
SHA256 7ccd8cd7a97f2e309b486a13eba002130b19d80f99871a822631ab3330bcd4c1
SHA512 d9b230368e56d48e537f3611e47c031b5fdd15545020ea129c049e627df902041a1851d3c28b630e8884834dedba24f5180f9ac06789cb6c92c150026464b025

Filesize 197B
MD5 3d060bfcd828132a922f3193bdba864b
SHA1 561f83326ef5b11d2248ebc135affd7eccc27222
SHA256 f3370b736bb627d9748def49d5d5d97af103eef01e76df81db437df24b1af2ce
SHA512 e0bab746a1c8fe6158cc6c848208b43a630ac5dcd2a8760f534f4d6287f1ef9c98b65da333e676e53f5c0da92b6a3a803bf07193ccf6487b4feeee7f7a6e01d5

Filesize 197B
MD5 247c91ee93d54de58345e4c207444d83
SHA1 c55e98f6e17eea19b0e014e411644cbf1be863ca
SHA256 c1b2481dc6119ceea72a10836284f468d3c55fcefc702ede1c62714f4095c5e6
SHA512 7fc2ada45eb9e69f4626188c27d577fe4c6cb1b96e330180088814188dbf88652c32331d44cc3806b70e93cde2317ff9674fe8f1895156e345cb26c27f803d1c

Filesize 197B
MD5 fc58f40db57aeaed5d4c04d3646a1b50
SHA1 c7cc9626c1b616cb8820a0f9e5e38e97744b8685
SHA256 35639144941b281cb2dc373eed4efb0e2dbef88bc8cb538b172d24edde41c63a
SHA512 07f07ff2fe1e8db8ce6cacfd8d2f88da6ebc2b15a88b4506be9708edf51dd9f108da6139fc4ac9015f85c6e8d437a36045b4ead726415d95dadbf84e6c0b7f8d

Filesize 197B
MD5 98848180d68b36f7b0661e5f52f5ba0b
SHA1 c30632c450392917b59ac138b6a342549c2f0592
SHA256 375201a5c63f189784b93ae135b1ab5d5edf4712b9f88f72ea9eec45e44131d8
SHA512 a8febafe2aad38381264e41d6699eef57c65b79716c70a9ee1360af3beda2329a0a6195dab3b6cb32c0677c457874f4f26262484274edae793c654bd56fef881

Filesize 197B
MD5 2dd12240eed1d0002c039e58cd2f093f
SHA1 3ccb32cae0b7848857129be535dac0234ee0099f
SHA256 f4f595a66313a39175910bdecf38982d4ba4baba8f923f0cd467c39298226d5e
SHA512 12af52de3078397803dbb8960490d65a863a81adb86f715d75610e1f0e33576c021b2a0688a8992509ae3a1299371ca0602a2a49e9ba129e24bcf102b8925104

Filesize 197B
MD5 2c638daae1b8b3d0f153b9730ced8be7
SHA1 3d767d5fe2e67fe3c054ccc641b1a2430be7a0a8
SHA256 79c144c177d7b58b257cbb5a80af18ed97fcb19c3abe50f512ba621638082b55
SHA512 018e1ec125c0bb9cd795d18e8c767af1ec1f7b30ded7add9936728c2b1f87c00ef5d72524975baa2ef29d5c94968924d9aaeb878dfaf08da29861261df79ef90

Filesize 197B
MD5 0bac50f9961e7c44dfb6ec0aaed7a2c4
SHA1 11a7ec7b873d330b53a09321c97040d36a20fd39
SHA256 7fad0cf05fe7e862947fbdb4b618572915c3f21baadc23d140efc25fecaf0a1d
SHA512 030f478c57937c88624eb1cfcdb8d78cc9e335aff40e72d15df5d028d2edf5f975f1b585493d807687cf57e095e26c70b114731c1e06ebb35af281a520f4d641

Filesize 3.1MB (same hashes as the submitted sample)
MD5 25befffc195ce47401f74afbe942f3ff
SHA1 287aacd0350f05308e08c6b4b8b88baf56f56160
SHA256 b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f
SHA512 a28796538d64edaf7d4ba4d19e705211c779230a58b462793dab86ed5f51408feab998cf78ffe808819b4dc27cbaa981cd107887e0d5c7b0fb0f2bbca630973e