asyncrat | 1001e70668789e08f7979484610e5246fa3c760142bc3ca8a55ce3da2301907a

Analysis

max time kernel
136s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dropper.exe
Size

18.0MB
MD5

392b044ac8ee5751045a163b2d1a358f
SHA1

56429e69619c0e69128732051db6e0e9bc40c18c
SHA256

1001e70668789e08f7979484610e5246fa3c760142bc3ca8a55ce3da2301907a
SHA512

2d0fd9963373132fde1d442d742efc95e8510f61325518aead420eeffb70e2a7566d95d3015ad930c4beddd2aa3d5b937b5711d0b0d09ee795eb6136aa26409b
SSDEEP

393216:m9YidhKRmmb1TfHqO1UyXMCHWUjlVg74wdugWIPPVBFVVJo8W:m9Yidh0MyXMb8PDwduGPPVNV+8W

Score

10^/10

asyncrat xworm default collection defense_evasion discovery execution persistence privilege_escalation pyinstaller rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

192.168.1.222:6606

192.168.1.222:7707

192.168.1.222:8808

Mutex

mA2752pAY1JK

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

192.168.1.222:7000

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023b55-27.dat	family_xworm
behavioral2/memory/3120-43-0x00000000006D0000-0x00000000006E8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0008000000023ca3-6.dat	family_asyncrat

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3408	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	Dropper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	pile.exe

Clipboard Data 1 TTPs 1 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5400	powershell.exe

Executes dropped EXE 7 IoCs

pid	Process
1652	AsyncClient2.exe
2400	pile.exe
3120	XClient.exe
5080	trap1.exe
3548	0.exe
216	1.exe
1804	trap1.exe

Loads dropped DLL 40 IoCs

pid	Process
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe
1804	trap1.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3772	powershell.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com
15	checkip.amazonaws.com
16	checkip.amazonaws.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	trap1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	trap1.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0007000000023ca7-45.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dropper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
1100	taskkill.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3772	powershell.exe
3772	powershell.exe
5400	powershell.exe
5400	powershell.exe
5400	powershell.exe
3772	powershell.exe
5508	powershell.exe
5508	powershell.exe
5508	powershell.exe
8	powershell.exe
8	powershell.exe
8	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3120	XClient.exe
Token: SeDebugPrivilege	216	1.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeIncreaseQuotaPrivilege	5416	wmic.exe
Token: SeSecurityPrivilege	5416	wmic.exe
Token: SeTakeOwnershipPrivilege	5416	wmic.exe
Token: SeLoadDriverPrivilege	5416	wmic.exe
Token: SeSystemProfilePrivilege	5416	wmic.exe
Token: SeSystemtimePrivilege	5416	wmic.exe
Token: SeProfSingleProcessPrivilege	5416	wmic.exe
Token: SeIncBasePriorityPrivilege	5416	wmic.exe
Token: SeCreatePagefilePrivilege	5416	wmic.exe
Token: SeBackupPrivilege	5416	wmic.exe
Token: SeRestorePrivilege	5416	wmic.exe
Token: SeShutdownPrivilege	5416	wmic.exe
Token: SeDebugPrivilege	5416	wmic.exe
Token: SeSystemEnvironmentPrivilege	5416	wmic.exe
Token: SeRemoteShutdownPrivilege	5416	wmic.exe
Token: SeUndockPrivilege	5416	wmic.exe
Token: SeManageVolumePrivilege	5416	wmic.exe
Token: 33	5416	wmic.exe
Token: 34	5416	wmic.exe
Token: 35	5416	wmic.exe
Token: 36	5416	wmic.exe
Token: SeDebugPrivilege	5400	powershell.exe
Token: SeDebugPrivilege	5508	powershell.exe
Token: SeIncreaseQuotaPrivilege	5416	wmic.exe
Token: SeSecurityPrivilege	5416	wmic.exe
Token: SeTakeOwnershipPrivilege	5416	wmic.exe
Token: SeLoadDriverPrivilege	5416	wmic.exe
Token: SeSystemProfilePrivilege	5416	wmic.exe
Token: SeSystemtimePrivilege	5416	wmic.exe
Token: SeProfSingleProcessPrivilege	5416	wmic.exe
Token: SeIncBasePriorityPrivilege	5416	wmic.exe
Token: SeCreatePagefilePrivilege	5416	wmic.exe
Token: SeBackupPrivilege	5416	wmic.exe
Token: SeRestorePrivilege	5416	wmic.exe
Token: SeShutdownPrivilege	5416	wmic.exe
Token: SeDebugPrivilege	5416	wmic.exe
Token: SeSystemEnvironmentPrivilege	5416	wmic.exe
Token: SeRemoteShutdownPrivilege	5416	wmic.exe
Token: SeUndockPrivilege	5416	wmic.exe
Token: SeManageVolumePrivilege	5416	wmic.exe
Token: 33	5416	wmic.exe
Token: 34	5416	wmic.exe
Token: 35	5416	wmic.exe
Token: 36	5416	wmic.exe
Token: SeIncreaseQuotaPrivilege	1196	wmic.exe
Token: SeSecurityPrivilege	1196	wmic.exe
Token: SeTakeOwnershipPrivilege	1196	wmic.exe
Token: SeLoadDriverPrivilege	1196	wmic.exe
Token: SeSystemProfilePrivilege	1196	wmic.exe
Token: SeSystemtimePrivilege	1196	wmic.exe
Token: SeProfSingleProcessPrivilege	1196	wmic.exe
Token: SeIncBasePriorityPrivilege	1196	wmic.exe
Token: SeCreatePagefilePrivilege	1196	wmic.exe
Token: SeBackupPrivilege	1196	wmic.exe
Token: SeRestorePrivilege	1196	wmic.exe
Token: SeShutdownPrivilege	1196	wmic.exe
Token: SeDebugPrivilege	1196	wmic.exe
Token: SeSystemEnvironmentPrivilege	1196	wmic.exe
Token: SeRemoteShutdownPrivilege	1196	wmic.exe
Token: SeUndockPrivilege	1196	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2268	Dropper.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 1652	2268	Dropper.exe	88
PID 2268 wrote to memory of 1652	2268	Dropper.exe	88
PID 2268 wrote to memory of 1652	2268	Dropper.exe	88
PID 2268 wrote to memory of 2400	2268	Dropper.exe	187
PID 2268 wrote to memory of 2400	2268	Dropper.exe	187
PID 2268 wrote to memory of 3120	2268	Dropper.exe	90
PID 2268 wrote to memory of 3120	2268	Dropper.exe	90
PID 2268 wrote to memory of 5080	2268	Dropper.exe	91
PID 2268 wrote to memory of 5080	2268	Dropper.exe	91
PID 2400 wrote to memory of 3548	2400	pile.exe	93
PID 2400 wrote to memory of 3548	2400	pile.exe	93
PID 2400 wrote to memory of 3548	2400	pile.exe	93
PID 2400 wrote to memory of 216	2400	pile.exe	94
PID 2400 wrote to memory of 216	2400	pile.exe	94
PID 5080 wrote to memory of 1804	5080	trap1.exe	96
PID 5080 wrote to memory of 1804	5080	trap1.exe	96
PID 1804 wrote to memory of 1684	1804	trap1.exe	97
PID 1804 wrote to memory of 1684	1804	trap1.exe	97
PID 1804 wrote to memory of 4104	1804	trap1.exe	98
PID 1804 wrote to memory of 4104	1804	trap1.exe	98
PID 1804 wrote to memory of 2832	1804	trap1.exe	100
PID 1804 wrote to memory of 2832	1804	trap1.exe	100
PID 1804 wrote to memory of 3552	1804	trap1.exe	101
PID 1804 wrote to memory of 3552	1804	trap1.exe	101
PID 1804 wrote to memory of 5072	1804	trap1.exe	102
PID 1804 wrote to memory of 5072	1804	trap1.exe	102
PID 1804 wrote to memory of 3200	1804	trap1.exe	103
PID 1804 wrote to memory of 3200	1804	trap1.exe	103
PID 1804 wrote to memory of 2116	1804	trap1.exe	104
PID 1804 wrote to memory of 2116	1804	trap1.exe	104
PID 1804 wrote to memory of 4084	1804	trap1.exe	256
PID 1804 wrote to memory of 4084	1804	trap1.exe	256
PID 1804 wrote to memory of 1100	1804	trap1.exe	252
PID 1804 wrote to memory of 1100	1804	trap1.exe	252
PID 1804 wrote to memory of 4808	1804	trap1.exe	166
PID 1804 wrote to memory of 4808	1804	trap1.exe	166
PID 1804 wrote to memory of 4684	1804	trap1.exe	109
PID 1804 wrote to memory of 4684	1804	trap1.exe	109
PID 1804 wrote to memory of 3228	1804	trap1.exe	110
PID 1804 wrote to memory of 3228	1804	trap1.exe	110
PID 1804 wrote to memory of 1604	1804	trap1.exe	112
PID 1804 wrote to memory of 1604	1804	trap1.exe	112
PID 4684 wrote to memory of 3824	4684	cmd.exe	111
PID 4684 wrote to memory of 3824	4684	cmd.exe	111
PID 1804 wrote to memory of 116	1804	trap1.exe	113
PID 1804 wrote to memory of 116	1804	trap1.exe	113
PID 4104 wrote to memory of 3772	4104	cmd.exe	114
PID 4104 wrote to memory of 3772	4104	cmd.exe	114
PID 1804 wrote to memory of 3908	1804	trap1.exe	176
PID 1804 wrote to memory of 3908	1804	trap1.exe	176
PID 1804 wrote to memory of 4644	1804	trap1.exe	177
PID 1804 wrote to memory of 4644	1804	trap1.exe	177
PID 1804 wrote to memory of 1404	1804	trap1.exe	179
PID 1804 wrote to memory of 1404	1804	trap1.exe	179
PID 1804 wrote to memory of 1464	1804	trap1.exe	118
PID 1804 wrote to memory of 1464	1804	trap1.exe	118
PID 1804 wrote to memory of 4696	1804	trap1.exe	119
PID 1804 wrote to memory of 4696	1804	trap1.exe	119
PID 1804 wrote to memory of 4248	1804	trap1.exe	120
PID 1804 wrote to memory of 4248	1804	trap1.exe	120
PID 1804 wrote to memory of 1276	1804	trap1.exe	121
PID 1804 wrote to memory of 1276	1804	trap1.exe	121
PID 1804 wrote to memory of 836	1804	trap1.exe	122
PID 1804 wrote to memory of 836	1804	trap1.exe	122

C:\Users\Admin\AppData\Local\Temp\Dropper.exe
"C:\Users\Admin\AppData\Local\Temp\Dropper.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\AsyncClient2.exe
  "C:\Users\Admin\AppData\Local\Temp\AsyncClient2.exe" 0
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1652
- C:\Users\Admin\AppData\Local\Temp\pile.exe
  "C:\Users\Admin\AppData\Local\Temp\pile.exe" 0
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Roaming\0.exe
    "C:\Users\Admin\AppData\Roaming\0.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3548
- - C:\Users\Admin\AppData\Roaming\1.exe
    "C:\Users\Admin\AppData\Roaming\1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:216
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe" 0
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3120
- C:\Users\Admin\AppData\Local\Temp\trap1.exe
  "C:\Users\Admin\AppData\Local\Temp\trap1.exe" 0
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Users\Admin\AppData\Local\Temp\trap1.exe
    "C:\Users\Admin\AppData\Local\Temp\trap1.exe" 0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe -RemoveDefinitions -All"
      4⤵
      PID:1684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell "netsh advfirewall set allprofiles state off" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "netsh advfirewall set allprofiles state off"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3772
      - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im opera.exe /t /f >nul 2>&1"
      4⤵
      PID:2832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im opera.exe /t /f >nul 2>&1"
      4⤵
      PID:3552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im opera.exe /t /f >nul 2>&1"
      4⤵
      PID:5072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im Chrome.exe /t /f >nul 2>&1"
      4⤵
      PID:3200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im Chrome.exe /t /f >nul 2>&1"
      4⤵
      PID:2116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im brave.exe /t /f >nul 2>&1"
      4⤵
      PID:4084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im yandex.exe /t /f >nul 2>&1"
      4⤵
      PID:1100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im edge.exe /t /f >nul 2>&1"
      4⤵
      PID:4808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4684
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
        5⤵
        
        PID:3824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im opera.exe /t /f >nul 2>&1"
      4⤵
      PID:3228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im opera.exe /t /f >nul 2>&1"
      4⤵
      PID:1604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im opera.exe /t /f >nul 2>&1"
      4⤵
      PID:116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im Chrome.exe /t /f >nul 2>&1"
      4⤵
      PID:3908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im Chrome.exe /t /f >nul 2>&1"
      4⤵
      PID:4644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im brave.exe /t /f >nul 2>&1"
      4⤵
      PID:1404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im yandex.exe /t /f >nul 2>&1"
      4⤵
      PID:1464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im edge.exe /t /f >nul 2>&1"
      4⤵
      PID:4696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:3720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:3496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:3264
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:3476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:3320
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4216
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:3180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:3168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:3240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:3660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1196
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1912
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /im firefox.exe /t /f >nul 2>&1"
      4⤵
      PID:4664
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im firefox.exe /t /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:3228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:3140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:3908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2> nul
      4⤵
      PID:2452
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName
        5⤵
        
        PID:2108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:3580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:3832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:3596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:8
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:3240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2892
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:3424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:3832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:3140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:3476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:3880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:3228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
      4⤵
      PID:5036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:2780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4764
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:3344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:1612
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:3876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:4792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5172
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5196
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5236
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5252
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Get-Clipboard -TextFormatType Text"
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5408
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic os get csname, description, installdate, organization, registereduser, numberofprocesses
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5724
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ta"sk"ki"ll /im d /t /f >nul 2>&1"
      4⤵
      PID:5752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefaul"
      4⤵
      PID:2888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefaul
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:8
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic os get lastbootuptime, localdatetime, oslanguage, version
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1196
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1416

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AsyncClient2.exe

Filesize
47KB

MD5
552ffc8c5f01477794e54ca98130f2d3

SHA1
3232ea63d8a89ecf9d188b84c2090ed0aa5740ed

SHA256
a161c7118b90a154291649f3c135d3d4e5f100e8017b01ea912a46e90ad28b87

SHA512
55da0b761f87f1d0328bc606c9ae49277d7e455d40e394b839a7e4d1a5ade6b3069db5209b29caa4dce02c5b2f5f33840ac788d8bee075a6fff0dbb6530fa2d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
72KB

MD5
b98d6315ae637e71ff52fc89ee293606

SHA1
005064d052b5404c63323684482beb3be33799c8

SHA256
23c49a66fad823d47a1cb2e742ac4c12f51d6597f35f31635ab26337e59b410b

SHA512
2c7a22ac894ee34d00f8f334bb26fb0a9da32162e5d0d000a9bdeb6d2b63dee9768aaaf6fb68d2d229b29576b71af7cda5758f503252187a3d6030da9088ec74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\VCRUNTIME140_1.dll

Filesize
48KB

MD5
68156f41ae9a04d89bb6625a5cd222d4

SHA1
3be29d5c53808186eba3a024be377ee6f267c983

SHA256
82a2f9ae1e6146ae3cb0f4bc5a62b7227e0384209d9b1aef86bbcc105912f7cd

SHA512
f7bf8ad7cd8b450050310952c56f6a20b378a972c822ccc253ef3d7381b56ffb3ca6ce3323bea9872674ed1c02017f78ab31e9eb9927fc6b3cba957c247e5d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_asyncio.pyd

Filesize
70KB

MD5
70dec3ce00e5caf45246736b53ea3ad0

SHA1
3cd7037d211ebf9bd023c248ec6420f193ad7ed2

SHA256
8cef0cd8333f88a9f9e52fa0d151b5f661d452efbcfc507dc28a46259b82596c

SHA512
eddbeb527c01167fb69d9c743495c868073b5cacae3652d777b6a635c4feb0344f085bdc2aeb6a775ffef8056394ddb4df5cd47e622ccbf974d11c30857fd536

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_bz2.pyd

Filesize
84KB

MD5
057325e89b4db46e6b18a52d1a691caa

SHA1
8eab0897d679e223aa0d753f6d3d2119f4d72230

SHA256
5ba872caa7fcee0f4fb81c6e0201ceed9bd92a3624f16828dd316144d292a869

SHA512
6bc7606869ca871b7ee5f2d43ec52ed295fa5c3a7df31dbd7e955ddb98c0748aff58d67f09d82edcde9d727e662d1550c6a9cf82f9cb7be021159d4b410e7cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_cffi_backend.cp313-win_amd64.pyd

Filesize
175KB

MD5
5cba92e7c00d09a55f5cbadc8d16cd26

SHA1
0300c6b62cd9db98562fdd3de32096ab194da4c8

SHA256
0e3d149b91fc7dc3367ab94620a5e13af6e419f423b31d4800c381468cb8ad85

SHA512
7ab432c8774a10f04ddd061b57d07eba96481b5bb8c663c6ade500d224c6061bc15d17c74da20a7c3cec8bbf6453404d553ebab22d37d67f9b163d7a15cf1ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_ctypes.pyd

Filesize
131KB

MD5
2185849bc0423f6641ee30804f475478

SHA1
d37ca3e68f4b2111fc0c0cead9695d598795c780

SHA256
199cd8d7db743c316771ef7bbf414ba9a9cdae1f974e90da6103563b2023538d

SHA512
ba89db9f265a546b331482d779ab30131814e42ad3711a837a3450f375d2910bd41b3b3258db90b29cd5afccdc695318fc8ad8cd921a57ce25f69aea539b26ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_decimal.pyd

Filesize
273KB

MD5
f465c15e7baceac920dc58a5fb922c1c

SHA1
3a5a0156f5288f14938494609d377ede0b67d993

SHA256
f4a486a0ca6a53659159a404614c7e7edccb6bfbcdeb844f6cee544436a826cb

SHA512
22902c1bcca7f80ed064e1e822c253bc8242b4e15e34a878a623e0a562a11203b45d5ff43904268322a7ef5cebb8e80e5fe1f1f1bcaa972e219348f84a1daf5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_hashlib.pyd

Filesize
63KB

MD5
cf4120bad9a7f77993dd7a95568d83d7

SHA1
ac477c046d14c5306aa09bb65015330701ef0f89

SHA256
14765e83996fe6d50aedc11bb41d7c427a3e846a6a6293a4a46f7ea7e3f14148

SHA512
f905f9d203f86a7b1fc81be3aba51a82174411878c53fd7a62d17f8e26f5010d195f9371fa7400e2e2dc35fda0db0cbe68367fcaf834dd157542e9ee7a9742b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_lzma.pyd

Filesize
155KB

MD5
3e73bc69efb418e76d38be5857a77027

SHA1
7bee01096669caa7bec81cdc77d6bb2f2346608c

SHA256
6f48e7eba363cb67f3465a6c91b5872454b44fc30b82710dfa4a4489270ce95c

SHA512
b6850e764c8849058488f7051dcabff096709b002d2f427a49e83455838d62a9d3fc7b65285702de2b995858ed433e35a0c4da93c2d5ae34684bf624eb59fa6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_multiprocessing.pyd

Filesize
36KB

MD5
24aee7d83525cb43ad02fd3116b28274

SHA1
68a2870bd5496c959ee7e499f4472d0614fdfd87

SHA256
3262ec7496d397c0b6bfb2f745516e9e225bd9246f78518852c61d559aa89485

SHA512
6ef5082e83f9400e8ffdbb2f945b080085fd48c0e89e2283bcedd193a4e6a9f533f8da78c643dad95db138ec265099110a3a6dc8bc68563dbef5ca08d5e0d029

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_overlapped.pyd

Filesize
56KB

MD5
51e4c701e4efa92a56adaf5bdc9cf49b

SHA1
1adbc8b57e5ec0a90b9ec629323833daead8c3b4

SHA256
9ef177db14cfa3aa66193078c431a96b6ae70858e9dd774b3d3e3cb6e39d10a3

SHA512
35b2d4114aa12843cb767b7d7a2c82b00144fe8fea04b41601b790d8b4026e271148b5186308f461f2ed70d75df7c0ac56c4e023ed069f4f0f6f23f5ea11a2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_queue.pyd

Filesize
33KB

MD5
59c05030e47bde800ad937ccb98802d8

SHA1
f7b830029a9371b4e500c1548597beb8fbc1864f

SHA256
e4956834df819c1758d17c1c42a152306f7c0ea7b457ca24ce2f6466a6cb1caa

SHA512
4f5e7ef0948155db6712e1bd7f4f31cb81602b325ba4e6e199f67693913b4bb70bb2c983393646c0ac0d86ef81071907d04bceb8ab0d506b7c5ac7c389fe692d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_socket.pyd

Filesize
82KB

MD5
69c4a9a654cf6d1684b73a431949b333

SHA1
3c8886dac45bb21a6b11d25893c83a273ff19e0b

SHA256
8daefaff53e6956f5aea5279a7c71f17d8c63e2b0d54031c3b9e82fcb0fb84db

SHA512
cadcec9a6688b54b36dbd125210d1a742047167dad308907a3c4e976b68483a8c6144e02d5cf26f887744dc41af63b7731551287bb3ef8bd947c38c277783c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_sqlite3.pyd

Filesize
126KB

MD5
42f32a4f1913823e034a948a7031ff03

SHA1
a675a6bdeced07cf668ffcc9c7bef2eb9cf3d7df

SHA256
1decb0ff369a1c314908e0933da663de8aa7732d8bd1472383906d18029cac67

SHA512
80b84a774369d1a5d0efbbd12bf41746de502b726ecc3d84baed054f1650eda12ede4c00e919abffb49538d43eb43b77cb8e4094950a4aa2ca507e43a165976f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_ssl.pyd

Filesize
178KB

MD5
ce19076f6b62292ed66fd06e5ba67bba

SHA1
231f6236bdbbe95c662e860d46e56e42c4e3fe28

SHA256
21ca71b2c1766fc68734cb3d1e7c2c0439b86bcfb95e00b367c5fd48c59e617c

SHA512
7357598bc63195c2fd2ddde0376b3ecf5bd0211a286f4a5c1e72e8c68b6e881e7e617f561e7a859c800fe67bec8f4c376e7a6943cab8dacfeda0056b8e864143

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\_wmi.pyd

Filesize
39KB

MD5
e3213cf44340d7b4cb65f7231a65e3a4

SHA1
815e5809a01905ecaa463f6827f657c11b95d243

SHA256
ab87fe4b0cf5b2b17901905ea86367b9756c44845eb463e77435648f0f719354

SHA512
d32b6cb1c5a286b2ce9837051d099fea98f9e5ad00c15b14ccce02b4556d74c4b703b1c94a59670599bf6a9bfbf84c7c22dac25653af9b455999a5e42cf38b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\base_library.zip

Filesize
1.3MB

MD5
056ccd0f3420786d9bbec40bbd0a83f8

SHA1
a80b08eadb997af429ad376a71f9484a487d86b1

SHA256
4f0ef677c9a08aa3936e57a5c5b462432082c4d72499a7f8714ea2204558fc65

SHA512
a52411b0e8059dafbca5b2236579f195e642aeadec776ab2726d1cd28d75bfd70d667e9371a88a96a8ce256a5f046a9c40d5ca903dc92b99d82bab619cc6c559

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\charset_normalizer\md.cp313-win_amd64.pyd

Filesize
10KB

MD5
480b5eb45af69a315bd2c3b1b34459d1

SHA1
e056c3e8b3c4d46163e105e6095703d092676b5b

SHA256
1f8a5173d8bfe6c569e81c738b830800307ed4586d2ae9ac5cc13a468c6e1892

SHA512
2aefd6356cf6f9ab773e0c19d828c065b41447b0da24c98d0fa2e14b9580e5e7e8f5d3b707e73f682cad85a199f134c42b103740caf3173e8f29e75dadda6623

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\charset_normalizer\md__mypyc.cp313-win_amd64.pyd

Filesize
122KB

MD5
501b867c424a8e3a41a9be4ab22dbeed

SHA1
97bf5d2c9fa5bb833e739b183a01ce53d19f4a6c

SHA256
437ceb75e7bc7c72c9090558397ef3598b0bc7bc499434af5827028083d300ca

SHA512
38b2d7f2587d73d2edf9cb685ef920ea4c511b88ae9cc25f7fc65d04a87e07ac03024228b9119adfd6914441089cf13ad9d67ff144cf86576cb37d97946677ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\libssl-3.dll

Filesize
774KB

MD5
4ff168aaa6a1d68e7957175c8513f3a2

SHA1
782f886709febc8c7cebcec4d92c66c4d5dbcf57

SHA256
2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950

SHA512
c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\pyexpat.pyd

Filesize
197KB

MD5
0351dc34c06a7e74e977c142a8784da8

SHA1
1096bc9b3ae3a57dc7f684d53191df5365889164

SHA256
b93e6083eb06137cc9191dac0d9cf4483e47192113d3ac2228b4549f737bac85

SHA512
92caee00cc0588d30659d4b0bde38bf229beab0fc07d9aac362b84814b6ea541c39c03aba936124cbfd5d60c219d01cb09eba8005dd2236774503094cbdc609b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\python3.DLL

Filesize
70KB

MD5
98b008be9834bfc362b4c2eef4e8cdb9

SHA1
a4a50ced1329c3986e3c1576f089b25aff5ffdf2

SHA256
4f93342b59addedbe45ebd973e6449ab85b11c0aab6ad7962124e293c5d03638

SHA512
d594ffd7d44d4d862475711973df87b08fb63a900ddfd87c7771ad27f0cc71e5fbdce92da4d4ad5856fe3cfb803257ce0b71cd8dc24ca5c421ddb1b9b44c7881

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\python313.dll

Filesize
5.8MB

MD5
501080884bed38cb8801a307c9d7b7b4

SHA1
881b250cc8f4fa4f75111ac557a4fde8e1e217af

SHA256
bf68cf819a1e865170430c10e91c18b427aef88db1da1742020443864aa2b749

SHA512
63d74a4871d1c72c2a79ae8a5d380070f9d2128c16949c3ad36c9862fcc4dab738137ed3d51caf0bc46b36655f8bd8a2d425d68200123415ee8d4de0e1cbebc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\select.pyd

Filesize
31KB

MD5
2663e22900ab5791c6687a264473ae1e

SHA1
d8db587b6c632200ae13be880cc824cdc8390df9

SHA256
baee284995b22d495fd12fa8378077e470978db1522c61bfb9af37fb827f33d1

SHA512
5f29ff4288b9db33976f5f79b9fd07c4900a560bb41fe98c93a33da7a36c0981ffd71f460e81e13e4f6a2debafa6d9284bc1a728734752ba5ad5fbd766659e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

Filesize
1KB

MD5
4ce7501f6608f6ce4011d627979e1ae4

SHA1
78363672264d9cd3f72d5c1d3665e1657b1a5071

SHA256
37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b

SHA512
a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\sqlite3.dll

Filesize
1.5MB

MD5
08db2deaee0e45043461325310e1cd0f

SHA1
e557691bca88edc4a1ec664b4a4b052eda76c7c5

SHA256
aba94c2a103e9ab331466823c28217c6fa00f4280ed7f3502c11f5aae71c5814

SHA512
794979ce457c8eaa946a2034d06eaeef22aed264bd3a684927b30065448b1e49d5cbaf06e9fd7ef2da31ec808bd310bff0e143fa41988fa45de6713cbb6bae7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50802\unicodedata.pyd

Filesize
694KB

MD5
c0b4c55ce3711af914b2015f707e4452

SHA1
f1c1e9f8a461cfee1199d2100f5c0796733518b6

SHA256
a67eec238162fde20ac24ca7df931792734aad0611be22d1b3a71bc15acf72f3

SHA512
fa6bd9223898ef0c54ca9a67b10207bfce152eadbaec4c91d4e951d0790f455066f5095ed739fa2452aea1420d154beb00bfa9e6e10b46bed687c5d0d7484900

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ssd03gly.1px.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pile.exe

Filesize
431KB

MD5
6fecf711df62b628669d1027d14a4bf5

SHA1
6062a129555a89ee968c84aabb45ae7a59b0b44b

SHA256
0a83e74cc52104c71010d4d66703ff34d5a9245a9d46f7926fc667ad4201550c

SHA512
e2fa8590ec04bbf1db51dc692684e00d6e6fe5ae77da398900348dda5859cffc3455138ec0ab9434e624b394b68a6d8750a41514f34108b40121231eb19f88b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\trap1.exe

Filesize
17.4MB

MD5
f99bcfad4d7e5b4034a208231ab52a68

SHA1
ca2cae0d8b7d656e355c3b9dcda0aed3b3de9534

SHA256
2971c12fa4af39c67f2f59e391f118e350f9824d198c54b0634de9f4cdc963b9

SHA512
78d327c84f6a69a09257057250a1db7ee21725d0fee4a75f5d07389f986fb5ceb6015a74a9d0b5d3ecd7ba77c0d473c4bd17a2dd62a5895221c019af1a173587

Download Submit
memory/1652-32-0x000000007367E000-0x000000007367F000-memory.dmp

Filesize
4KB

Download
memory/1652-36-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/2400-33-0x00007FFCD1923000-0x00007FFCD1925000-memory.dmp

Filesize
8KB

Download
memory/2400-35-0x00000000003A0000-0x0000000000412000-memory.dmp

Filesize
456KB

Download
memory/3120-43-0x00000000006D0000-0x00000000006E8000-memory.dmp

Filesize
96KB

Download
memory/3772-282-0x00000168E2040000-0x00000168E2062000-memory.dmp

Filesize
136KB

Download