OP 02 March, 2023 - 11:11 PM
Any time you see this in a config, it is executing a stealer. I had this happen to me, and when we sat there and looked at what it did, we came back to this:
https://github.com/w4sp-book/w4sp-lab
This is what it led back to.
It will look like this:
Or very similar.
I'm not even gonna lie, this is a genius way to do this, but once you run the config it (somehow) spreads to all your other configs. When you send them to anyone, the process starts again. As it is a stealer, it will steal your information. And this is one of the many reasons I suggest running configs on an RDP.
This is similar to the malicious API thing, but smarter, as most people won't recognize it as anything.