asyncrat | hxxps://cdn[.]discordapp[.]com/attachments/1266251505078636646/1270898176705953873/Tools_Archive[.]rar?ex=66b60869&is=66b4b6e9&hm=91f0c35186cccbb2697ad7fd3d8e93ff0f9a749dc6d48cfb622a04117600b2c0&

Analysis

max time kernel
80s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2024 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1266251505078636646/1270898176705953873/Tools_Archive.rar?ex=66b60869&is=66b4b6e9&hm=91f0c35186cccbb2697ad7fd3d8e93ff0f9a749dc6d48cfb622a04117600b2c0&

Score

10^/10

asyncrat redline default diamotrix discovery infostealer persistence pyinstaller rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

176.111.174.140:6606

176.111.174.140:7707

176.111.174.140:8808

Mutex

QaF6X2cpj8fc

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

diamotrix

176.111.174.140:1912

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000235c7-473.dat	family_redline
behavioral1/memory/2468-480-0x0000000000D30000-0x0000000000D82000-memory.dmp	family_redline

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x00070000000235c3-450.dat	family_asyncrat

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	relog.exe

Executes dropped EXE 12 IoCs

pid	Process
5056	Bitcoin Miner Pro.exe
1988	BruteCrack -Cracked.exe
1592	svuiohst.exe
4488	BruteCrack.exe
664	svostwp.exe
4336	E6D1.tmp.schuste.exe
4272	E6D1.tmp.schuste.exe
4084	E878.tmp.nmi.exe
3812	EB19.tmp.Ice.exe
1648	Miner Pro.exe
3808	CourvixVPN.exe
2468	ED1D.tmp.uIZtAux.exe

Loads dropped DLL 3 IoCs

pid	Process
4272	E6D1.tmp.schuste.exe
4272	E6D1.tmp.schuste.exe
4272	E6D1.tmp.schuste.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{EE21D7AC35801019693163}\\{EE21D7AC35801019693163}.exe"	svuiohst.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Service_Adobe.exe"	relog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Service_Microsoft.exe"	relog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Mozilla = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Service_Mozilla.exe"	relog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Sun = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Service_Sun.exe"	relog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_{EE21D7AC35801019693163} = "C:\\Users\\Admin\\AppData\\Roaming\\{EE21D7AC35801019693163}\\Service_{EE21D7AC35801019693163}.exe"	relog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{EE21D7AC35801019693163}\\{EE21D7AC35801019693163}.exe"	svostwp.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1592 set thread context of 864	1592	svuiohst.exe	120
PID 664 set thread context of 2572	664	svostwp.exe	134

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000b000000023579-361.dat	pyinstaller

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E878.tmp.nmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CourvixVPN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ED1D.tmp.uIZtAux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bitcoin Miner Pro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BruteCrack -Cracked.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2080	timeout.exe
4696	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\TypedURLs	BruteCrack.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de}\Instance\	Explorer.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 29 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2008	schtasks.exe
4936	schtasks.exe
5312	schtasks.exe
5844	schtasks.exe
4652	schtasks.exe
3480	schtasks.exe
5716	schtasks.exe
3116	schtasks.exe
4936	schtasks.exe
3536	schtasks.exe
3676	schtasks.exe
5364	schtasks.exe
2732	schtasks.exe
4084	schtasks.exe
4504	schtasks.exe
5900	schtasks.exe
3812	schtasks.exe
2768	schtasks.exe
4336	schtasks.exe
1988	schtasks.exe
1320	schtasks.exe
3700	schtasks.exe
3100	schtasks.exe
2924	schtasks.exe
2288	schtasks.exe
408	schtasks.exe
3128	schtasks.exe
6720	schtasks.exe
5808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5048	msedge.exe
5048	msedge.exe
628	msedge.exe
628	msedge.exe
2972	identity_helper.exe
2972	identity_helper.exe
2412	msedge.exe
2412	msedge.exe
1592	svuiohst.exe
1592	svuiohst.exe
1592	svuiohst.exe
1592	svuiohst.exe
1592	svuiohst.exe
1592	svuiohst.exe
1592	svuiohst.exe
1592	svuiohst.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
864	relog.exe
3432	Explorer.EXE
3432	Explorer.EXE
864	relog.exe
864	relog.exe
628	msedge.exe
628	msedge.exe
956	msedge.exe
5048	msedge.exe
5048	msedge.exe
864	relog.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4672	7zG.exe
Token: 35	4672	7zG.exe
Token: SeSecurityPrivilege	4672	7zG.exe
Token: SeSecurityPrivilege	4672	7zG.exe
Token: SeIncreaseQuotaPrivilege	1592	svuiohst.exe
Token: SeSecurityPrivilege	1592	svuiohst.exe
Token: SeTakeOwnershipPrivilege	1592	svuiohst.exe
Token: SeLoadDriverPrivilege	1592	svuiohst.exe
Token: SeSystemProfilePrivilege	1592	svuiohst.exe
Token: SeSystemtimePrivilege	1592	svuiohst.exe
Token: SeProfSingleProcessPrivilege	1592	svuiohst.exe
Token: SeIncBasePriorityPrivilege	1592	svuiohst.exe
Token: SeCreatePagefilePrivilege	1592	svuiohst.exe
Token: SeBackupPrivilege	1592	svuiohst.exe
Token: SeRestorePrivilege	1592	svuiohst.exe
Token: SeShutdownPrivilege	1592	svuiohst.exe
Token: SeDebugPrivilege	1592	svuiohst.exe
Token: SeSystemEnvironmentPrivilege	1592	svuiohst.exe
Token: SeRemoteShutdownPrivilege	1592	svuiohst.exe
Token: SeUndockPrivilege	1592	svuiohst.exe
Token: SeManageVolumePrivilege	1592	svuiohst.exe
Token: 33	1592	svuiohst.exe
Token: 34	1592	svuiohst.exe
Token: 35	1592	svuiohst.exe
Token: 36	1592	svuiohst.exe
Token: SeDebugPrivilege	864	relog.exe
Token: SeDebugPrivilege	864	relog.exe
Token: SeDebugPrivilege	864	relog.exe
Token: SeIncreaseQuotaPrivilege	664	svostwp.exe
Token: SeSecurityPrivilege	664	svostwp.exe
Token: SeTakeOwnershipPrivilege	664	svostwp.exe
Token: SeLoadDriverPrivilege	664	svostwp.exe
Token: SeSystemProfilePrivilege	664	svostwp.exe
Token: SeSystemtimePrivilege	664	svostwp.exe
Token: SeProfSingleProcessPrivilege	664	svostwp.exe
Token: SeIncBasePriorityPrivilege	664	svostwp.exe
Token: SeCreatePagefilePrivilege	664	svostwp.exe
Token: SeBackupPrivilege	664	svostwp.exe
Token: SeRestorePrivilege	664	svostwp.exe
Token: SeShutdownPrivilege	664	svostwp.exe
Token: SeDebugPrivilege	664	svostwp.exe
Token: SeSystemEnvironmentPrivilege	664	svostwp.exe
Token: SeRemoteShutdownPrivilege	664	svostwp.exe
Token: SeUndockPrivilege	664	svostwp.exe
Token: SeManageVolumePrivilege	664	svostwp.exe
Token: 33	664	svostwp.exe
Token: 34	664	svostwp.exe
Token: 35	664	svostwp.exe
Token: 36	664	svostwp.exe
Token: SeShutdownPrivilege	3432	Explorer.EXE
Token: SeCreatePagefilePrivilege	3432	Explorer.EXE
Token: SeDebugPrivilege	864	relog.exe
Token: SeDebugPrivilege	864	relog.exe
Token: SeShutdownPrivilege	3432	Explorer.EXE
Token: SeCreatePagefilePrivilege	3432	Explorer.EXE
Token: SeShutdownPrivilege	3432	Explorer.EXE
Token: SeCreatePagefilePrivilege	3432	Explorer.EXE
Token: SeDebugPrivilege	864	relog.exe
Token: SeDebugPrivilege	864	relog.exe
Token: SeDebugPrivilege	864	relog.exe
Token: SeDebugPrivilege	864	relog.exe
Token: SeDebugPrivilege	864	relog.exe
Token: SeDebugPrivilege	864	relog.exe
Token: SeDebugPrivilege	864	relog.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3432	Explorer.EXE
3432	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 3464	628	msedge.exe	83
PID 628 wrote to memory of 3464	628	msedge.exe	83
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 956	628	msedge.exe	84
PID 628 wrote to memory of 5048	628	msedge.exe	85
PID 628 wrote to memory of 5048	628	msedge.exe	85
PID 628 wrote to memory of 4784	628	msedge.exe	86
PID 628 wrote to memory of 4784	628	msedge.exe	86
PID 628 wrote to memory of 4784	628	msedge.exe	86
PID 628 wrote to memory of 4784	628	msedge.exe	86
PID 628 wrote to memory of 4784	628	msedge.exe	86
PID 628 wrote to memory of 4784	628	msedge.exe	86
PID 628 wrote to memory of 4784	628	msedge.exe	86
PID 628 wrote to memory of 4784	628	msedge.exe	86
PID 628 wrote to memory of 4784	628	msedge.exe	86
PID 628 wrote to memory of 4784	628	msedge.exe	86
PID 628 wrote to memory of 4784	628	msedge.exe	86
PID 628 wrote to memory of 4784	628	msedge.exe	86
PID 628 wrote to memory of 4784	628	msedge.exe	86
PID 628 wrote to memory of 4784	628	msedge.exe	86
PID 628 wrote to memory of 4784	628	msedge.exe	86
PID 628 wrote to memory of 4784	628	msedge.exe	86
PID 628 wrote to memory of 4784	628	msedge.exe	86
PID 628 wrote to memory of 4784	628	msedge.exe	86
PID 628 wrote to memory of 4784	628	msedge.exe	86
PID 628 wrote to memory of 4784	628	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1266251505078636646/1270898176705953873/Tools_Archive.rar?ex=66b60869&is=66b4b6e9&hm=91f0c35186cccbb2697ad7fd3d8e93ff0f9a749dc6d48cfb622a04117600b2c0&
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b8ed46f8,0x7ff9b8ed4708,0x7ff9b8ed4718
    3⤵
    PID:3464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2264,14384222487870819788,6088620539491468986,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2316 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2264,14384222487870819788,6088620539491468986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2264,14384222487870819788,6088620539491468986,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
    3⤵
    PID:4784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,14384222487870819788,6088620539491468986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
    3⤵
    PID:1464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,14384222487870819788,6088620539491468986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    3⤵
    PID:2680
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2264,14384222487870819788,6088620539491468986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
    3⤵
    PID:388
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2264,14384222487870819788,6088620539491468986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2264,14384222487870819788,6088620539491468986,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4764 /prefetch:8
    3⤵
    PID:4716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,14384222487870819788,6088620539491468986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
    3⤵
    PID:4564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,14384222487870819788,6088620539491468986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
    3⤵
    PID:864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,14384222487870819788,6088620539491468986,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
    3⤵
    PID:4500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,14384222487870819788,6088620539491468986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
    3⤵
    PID:388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,14384222487870819788,6088620539491468986,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
    3⤵
    PID:3132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2264,14384222487870819788,6088620539491468986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3320 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2264,14384222487870819788,6088620539491468986,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3412 /prefetch:8
    3⤵
    PID:372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,14384222487870819788,6088620539491468986,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
    3⤵
    PID:1784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,14384222487870819788,6088620539491468986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
    3⤵
    PID:2560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,14384222487870819788,6088620539491468986,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
    3⤵
    PID:5072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,14384222487870819788,6088620539491468986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
    3⤵
    PID:1820
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Tools Archive\" -spe -an -ai#7zMap24480:88:7zEvent20673
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4672
- C:\Users\Admin\Downloads\Tools Archive\Bitcoin Miner Pro.exe
  "C:\Users\Admin\Downloads\Tools Archive\Bitcoin Miner Pro.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5056
- - C:\Users\Admin\AppData\Roaming\svostwp.exe
    "C:\Users\Admin\AppData\Roaming\svostwp.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:664
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{EE21D7AC35801019693163}\{EE21D7AC35801019693163}.exe" /sc onstart /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3128
  - - C:\Windows\system32\relog.exe
      C:\Windows\system32\relog.exe
      4⤵
      PID:2572
- - C:\Users\Admin\AppData\Roaming\Miner Pro.exe
    "C:\Users\Admin\AppData\Roaming\Miner Pro.exe"
    3⤵
    - Executes dropped EXE
    PID:1648
- C:\Users\Admin\Downloads\Tools Archive\BruteCrack -Cracked.exe
  "C:\Users\Admin\Downloads\Tools Archive\BruteCrack -Cracked.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1988
- - C:\Users\Admin\AppData\Roaming\svuiohst.exe
    "C:\Users\Admin\AppData\Roaming\svuiohst.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1592
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{EE21D7AC35801019693163}\{EE21D7AC35801019693163}.exe" /sc onstart /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2924
  - - C:\Windows\system32\relog.exe
      C:\Windows\system32\relog.exe
      4⤵
      Drops file in Drivers directory
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:864
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "OKEGZb3lGe" /tr "C:\Users\Admin\AppData\Roaming\Adobe\Service_Adobe.exe" /sc onstart /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3812
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "OKEGZb3lGe" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Service_Microsoft.exe" /sc onstart /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4652
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "OKEGZb3lGe" /tr "C:\Users\Admin\AppData\Roaming\Mozilla\Service_Mozilla.exe" /sc onstart /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1320
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "OKEGZb3lGe" /tr "C:\Users\Admin\AppData\Roaming\Sun\Service_Sun.exe" /sc onstart /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3700
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "OKEGZb3lGe" /tr "C:\Users\Admin\AppData\Roaming\{EE21D7AC35801019693163}\Service_{EE21D7AC35801019693163}.exe" /sc onstart /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2008
- - C:\Users\Admin\Downloads\Tools Archive\BruteCrack.exe
    "BruteCrack.exe"
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    PID:4488
- C:\Users\Admin\AppData\Local\Temp\E6D1.tmp.schuste.exe
  "C:\Users\Admin\AppData\Local\Temp\E6D1.tmp.schuste.exe"
  2⤵
  - Executes dropped EXE
  PID:4336
- - C:\Users\Admin\AppData\Local\Temp\E6D1.tmp.schuste.exe
    "C:\Users\Admin\AppData\Local\Temp\E6D1.tmp.schuste.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4272
- C:\Users\Admin\AppData\Local\Temp\E878.tmp.nmi.exe
  "C:\Users\Admin\AppData\Local\Temp\E878.tmp.nmi.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4084
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    3⤵
    PID:4344
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFB24.tmp.bat""
    3⤵
    PID:1008
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:4696
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      PID:4588
- C:\Users\Admin\AppData\Local\Temp\EB19.tmp.Ice.exe
  "C:\Users\Admin\AppData\Local\Temp\EB19.tmp.Ice.exe"
  2⤵
  - Executes dropped EXE
  PID:3812
- - C:\Windows\system32\schtasks.exe
    "schtasks.exe" /create /tn System_Tools /tr "C:\ProgramData\Appxetry\svchost.exe" /st 13:01 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2288
- - C:\ProgramData\Appxetry\svchost.exe
    "C:\ProgramData\Appxetry\svchost.exe"
    3⤵
    PID:5012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFAA7.tmp.bat""
    3⤵
    PID:2008
  - - C:\Windows\system32\timeout.exe
      timeout 7
      4⤵
      Delays execution with timeout.exe
      PID:2080
- C:\Users\Admin\Downloads\Tools Archive\CourvixVPN.exe
  "C:\Users\Admin\Downloads\Tools Archive\CourvixVPN.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3808
- - C:\Users\Admin\AppData\Roaming\svostwp.exe
    "C:\Users\Admin\AppData\Roaming\svostwp.exe"
    3⤵
    PID:4756
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{EE21D7AC35801019693163}\{EE21D7AC35801019693163}.exe" /sc onstart /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2732
  - - C:\Windows\system32\relog.exe
      C:\Windows\system32\relog.exe
      4⤵
      PID:620
- - C:\Users\Admin\AppData\Roaming\VPN.exe
    "C:\Users\Admin\AppData\Roaming\VPN.exe"
    3⤵
    PID:1708
- C:\Users\Admin\AppData\Local\Temp\ED1D.tmp.uIZtAux.exe
  "C:\Users\Admin\AppData\Local\Temp\ED1D.tmp.uIZtAux.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2468
- C:\Users\Admin\Downloads\Tools Archive\EXTRACTOR V3.exe
  "C:\Users\Admin\Downloads\Tools Archive\EXTRACTOR V3.exe"
  2⤵
  PID:3020
- - C:\Users\Admin\AppData\Roaming\svostwp.exe
    "C:\Users\Admin\AppData\Roaming\svostwp.exe"
    3⤵
    PID:4548
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{EE21D7AC35801019693163}\{EE21D7AC35801019693163}.exe" /sc onstart /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4084
  - - C:\Windows\system32\relog.exe
      C:\Windows\system32\relog.exe
      4⤵
      PID:4500
- - C:\Users\Admin\AppData\Roaming\extractor.exe
    "C:\Users\Admin\AppData\Roaming\extractor.exe"
    3⤵
    PID:6052
- C:\Users\Admin\Downloads\Tools Archive\DISCORD DESTROYER.exe
  "C:\Users\Admin\Downloads\Tools Archive\DISCORD DESTROYER.exe"
  2⤵
  PID:3416
- - C:\Users\Admin\AppData\Roaming\svostwp.exe
    "C:\Users\Admin\AppData\Roaming\svostwp.exe"
    3⤵
    PID:6112
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{EE21D7AC35801019693163}\{EE21D7AC35801019693163}.exe" /sc onstart /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5716
- - C:\Users\Admin\AppData\Roaming\Discord.exe
    "C:\Users\Admin\AppData\Roaming\Discord.exe"
    3⤵
    PID:5388
- C:\Users\Admin\Downloads\Tools Archive\LOGEXT.exe
  "C:\Users\Admin\Downloads\Tools Archive\LOGEXT.exe"
  2⤵
  PID:2612
- - C:\Users\Admin\AppData\Roaming\svchostwit.exe
    "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
    3⤵
    PID:1480
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{EE21D7AC35801019693163}\{EE21D7AC35801019693163}.exe" /sc onstart /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2768
  - - C:\Windows\system32\relog.exe
      C:\Windows\system32\relog.exe
      4⤵
      PID:6344
- - C:\Users\Admin\Downloads\Tools Archive\LOGEXT.exe
    "LOGEXT.exe"
    3⤵
    PID:4228
  - - C:\Users\Admin\AppData\Roaming\svchostwit.exe
      "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
      4⤵
      PID:1968
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{EE21D7AC35801019693163}\{EE21D7AC35801019693163}.exe" /sc onstart /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3480
    - - C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        5⤵
        
        PID:5424
  - - C:\Users\Admin\Downloads\Tools Archive\LOGEXT.exe
      "LOGEXT.exe"
      4⤵
      PID:212
    - - C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        5⤵
        
        PID:2836
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{EE21D7AC35801019693163}\{EE21D7AC35801019693163}.exe" /sc onstart /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4336
      - C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        6⤵
        
        PID:6592
    - - C:\Users\Admin\Downloads\Tools Archive\LOGEXT.exe
        
        "LOGEXT.exe"
        5⤵
        
        PID:400
      - C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        6⤵
        
        PID:2288
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{EE21D7AC35801019693163}\{EE21D7AC35801019693163}.exe" /sc onstart /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3116
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        7⤵
        
        PID:5860
      - C:\Users\Admin\Downloads\Tools Archive\LOGEXT.exe
        
        "LOGEXT.exe"
        6⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        7⤵
        
        PID:4248
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{EE21D7AC35801019693163}\{EE21D7AC35801019693163}.exe" /sc onstart /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4504
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        8⤵
        
        PID:408
        
        C:\Users\Admin\Downloads\Tools Archive\LOGEXT.exe
        
        "LOGEXT.exe"
        7⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        8⤵
        
        PID:224
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{EE21D7AC35801019693163}\{EE21D7AC35801019693163}.exe" /sc onstart /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4936
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        9⤵
        
        PID:3852
        
        C:\Users\Admin\Downloads\Tools Archive\LOGEXT.exe
        
        "LOGEXT.exe"
        8⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        9⤵
        
        PID:448
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{EE21D7AC35801019693163}\{EE21D7AC35801019693163}.exe" /sc onstart /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3676
        
        C:\Users\Admin\Downloads\Tools Archive\LOGEXT.exe
        
        "LOGEXT.exe"
        9⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        10⤵
        
        PID:2624
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{EE21D7AC35801019693163}\{EE21D7AC35801019693163}.exe" /sc onstart /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3100
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        11⤵
        
        PID:5660
        
        C:\Users\Admin\Downloads\Tools Archive\LOGEXT.exe
        
        "LOGEXT.exe"
        10⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        11⤵
        
        PID:4256
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{EE21D7AC35801019693163}\{EE21D7AC35801019693163}.exe" /sc onstart /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:408
        
        C:\Windows\system32\relog.exe
        
        C:\Windows\system32\relog.exe
        12⤵
        
        PID:4528
        
        C:\Users\Admin\Downloads\Tools Archive\LOGEXT.exe
        
        "LOGEXT.exe"
        11⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        12⤵
        
        PID:5080
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{EE21D7AC35801019693163}\{EE21D7AC35801019693163}.exe" /sc onstart /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3536
        
        C:\Users\Admin\Downloads\Tools Archive\LOGEXT.exe
        
        "LOGEXT.exe"
        12⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        13⤵
        
        PID:5300
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{EE21D7AC35801019693163}\{EE21D7AC35801019693163}.exe" /sc onstart /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5364
        
        C:\Users\Admin\Downloads\Tools Archive\LOGEXT.exe
        
        "LOGEXT.exe"
        13⤵
        
        PID:5308
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        14⤵
        
        PID:5468
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{EE21D7AC35801019693163}\{EE21D7AC35801019693163}.exe" /sc onstart /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5808
        
        C:\Users\Admin\Downloads\Tools Archive\LOGEXT.exe
        
        "LOGEXT.exe"
        14⤵
        
        PID:5476
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        15⤵
        
        PID:5608
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{EE21D7AC35801019693163}\{EE21D7AC35801019693163}.exe" /sc onstart /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5844
        
        C:\Users\Admin\Downloads\Tools Archive\LOGEXT.exe
        
        "LOGEXT.exe"
        15⤵
        
        PID:5616
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        16⤵
        
        PID:5824
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{EE21D7AC35801019693163}\{EE21D7AC35801019693163}.exe" /sc onstart /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1988
        
        C:\Users\Admin\Downloads\Tools Archive\LOGEXT.exe
        
        "LOGEXT.exe"
        16⤵
        
        PID:5832
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        17⤵
        
        PID:5684
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{EE21D7AC35801019693163}\{EE21D7AC35801019693163}.exe" /sc onstart /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5312
        
        C:\Users\Admin\Downloads\Tools Archive\LOGEXT.exe
        
        "LOGEXT.exe"
        17⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Roaming\svchostwit.exe
        
        "C:\Users\Admin\AppData\Roaming\svchostwit.exe"
        18⤵
        
        PID:5152
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{EE21D7AC35801019693163}\{EE21D7AC35801019693163}.exe" /sc onstart /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6720
        
        C:\Users\Admin\Downloads\Tools Archive\LOGEXT.exe
        
        "LOGEXT.exe"
        18⤵
        
        PID:6212
- C:\Users\Admin\Downloads\Tools Archive\Mailer.exe
  "C:\Users\Admin\Downloads\Tools Archive\Mailer.exe"
  2⤵
  PID:4500
- - C:\Users\Admin\AppData\Roaming\svostwp.exe
    "C:\Users\Admin\AppData\Roaming\svostwp.exe"
    3⤵
    PID:5680
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{EE21D7AC35801019693163}\{EE21D7AC35801019693163}.exe" /sc onstart /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4280

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cb6c7ea2f76fb71f31a71a9bc63153f6

SHA1
88e4edf5ffc4c93e37ef46d39355960522d071af

SHA256
bcd84bc55dc087c8cc668a68a00046112f3fd5072b3cd85ac096b9a8bd822bd4

SHA512
5a0173e9d0a487558693f6ab4bf5facca2d68582cd4dd4786a58652cee2ef880d3cba2b6dcdb9228d2f5160d0e9bc67c1c0619aebdee7c455cc6feb77a2dee48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
78d846f9374f2601dd952950d13f5e62

SHA1
daa6984e550f0adaf2b7d91eb4d9544607afda9e

SHA256
d6aff4d1cc75431731243f48be773cf41b5baf27b4dfbec6b5564ca1e0f5b996

SHA512
d2ff7bc81e0d7625c0f1cf553a5aa93afaa20cfe80c281205826855066b225a6e5ea15bf4947b8a79c69c00461f98f5cc4e46c84621b8e003ece3afa8dd26a39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
395ec349dc06abf6a601f8e84dababae

SHA1
2030881b648e476b164195a9ebae21d98845fc59

SHA256
e6428c6788d6dabe05e797f7411e7691fb0df24727e75edd7e726274a7cdeed8

SHA512
33b5b20dc5794383b814943d49ec2d06d07289162774ee9ff73a1dc399ffd4ef5a72a533f1cd7e9a785c5bee22eecec05968c08bc70b4191f2be87c127f44977

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c7dd1a66c9dd06ec46eb9415bcc2c13a

SHA1
8b45976eb683a7994dc2c8927467884f2abcaa68

SHA256
3f4c191ec330743cef4855a6311ab246ec642d02cadb23108f9e9ddb3494610d

SHA512
8aa66563b51b4421b835f0b42513ba6d4f18185eab51f127e502d60a124cfb0b6881ef00f5757fc184f9cfc0c1bfd53a348baddb3be6db461b086fb96c1ffa35

Download Submit
C:\Users\Admin\AppData\Local\Temp\E6D1.tmp.schuste.exe

Filesize
5.5MB

MD5
115988cec15bcf0adc3b6a4f100b1b24

SHA1
fad2f118c730f012592ff6e81c9474e90c8eaccc

SHA256
14ace92094ef406bb2b9b8b49d63453896789a2eeb355d4eda0fd747577b60f2

SHA512
3474742c32a2d9e53cf179a229f2c67189049b49fcccb8778e26b9dccf8ff4e96567a28907ab171b5e7bacf51412ea07bca6850c5e3ebda87ad7bcef94025138

Download Submit
C:\Users\Admin\AppData\Local\Temp\E878.tmp.nmi.exe

Filesize
47KB

MD5
67e32a73f545f56e1292d6b318f8e3c4

SHA1
96ca16f9a5b6e359f0dccfa0d6c7532ff047da09

SHA256
07d35c2c242d2c2a7bbf3d70315f7679c90b3f5a32b2ff542fdfca8a0b9cb4c8

SHA512
5ab019270b836231ba7f8b9a5c60bececc02a461f8978424708c7d8460c09347a5a8a1a3ee3b2b54f87a4faf0a4216c9d5e9ccf06dddd932fb93195a4c0df644

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB19.tmp.Ice.exe

Filesize
498KB

MD5
601c25496c92e86210fc4351e46b9f5c

SHA1
8ab9bf21aa3e8257a1fcf0341f5f9362f8ca0466

SHA256
ff8f55d4715752aec71f60d00612e36b172708d3fa61c5e131f96966f0dd5017

SHA512
09c1c466bb89e3873fd7e51e7cb1b36c18a916143f1ebd93a22070d9115eb6d6fa137987205adb09928260f097d57dfba405e70d9422bc0bbb925905f827102e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED1D.tmp.uIZtAux.exe

Filesize
300KB

MD5
8d14c4ba7260c61ecde30d97fd3c124a

SHA1
f60a7243a5160ff0dd60c37e1de43b81cead3549

SHA256
6985ec7f67fabd26633c991be04ce5f899224a56bb078ba186b4be21f9e4714d

SHA512
b068decea7ec68d2b4347493d9e4b8cc4fb0c3c5f5ecc2a52be6eb35d28e75d3de1636efe0b67cce825e8d08d3fb82d137b1d6eb1225662fb8c3dff9616dcc4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
e8b9d74bfd1f6d1cc1d99b24f44da796

SHA1
a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452

SHA256
b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59

SHA512
b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
cfe0c1dfde224ea5fed9bd5ff778a6e0

SHA1
5150e7edd1293e29d2e4d6bb68067374b8a07ce6

SHA256
0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e

SHA512
b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
33bbece432f8da57f17bf2e396ebaa58

SHA1
890df2dddfdf3eeccc698312d32407f3e2ec7eb1

SHA256
7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e

SHA512
619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
eb0978a9213e7f6fdd63b2967f02d999

SHA1
9833f4134f7ac4766991c918aece900acfbf969f

SHA256
ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e

SHA512
6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
efad0ee0136532e8e8402770a64c71f9

SHA1
cda3774fe9781400792d8605869f4e6b08153e55

SHA256
3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed

SHA512
69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
e89cdcd4d95cda04e4abba8193a5b492

SHA1
5c0aee81f32d7f9ec9f0650239ee58880c9b0337

SHA256
1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238

SHA512
55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
accc640d1b06fb8552fe02f823126ff5

SHA1
82ccc763d62660bfa8b8a09e566120d469f6ab67

SHA256
332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f

SHA512
6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
c6024cc04201312f7688a021d25b056d

SHA1
48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd

SHA256
8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500

SHA512
d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
1f2a00e72bc8fa2bd887bdb651ed6de5

SHA1
04d92e41ce002251cc09c297cf2b38c4263709ea

SHA256
9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142

SHA512
8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
3c38aac78b7ce7f94f4916372800e242

SHA1
c793186bcf8fdb55a1b74568102b4e073f6971d6

SHA256
3f81a149ba3862776af307d5c7feef978f258196f0a1bf909da2d3f440ff954d

SHA512
c2746aa4342c6afffbd174819440e1bbf4371a7fed29738801c75b49e2f4f94fd6d013e002bad2aadafbc477171b8332c8c5579d624684ef1afbfde9384b8588

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
321a3ca50e80795018d55a19bf799197

SHA1
df2d3c95fb4cbb298d255d342f204121d9d7ef7f

SHA256
5476db3a4fecf532f96d48f9802c966fdef98ec8d89978a79540cb4db352c15f

SHA512
3ec20e1ac39a98cb5f726d8390c2ee3cd4cd0bf118fdda7271f7604a4946d78778713b675d19dd3e1ec1d6d4d097abe9cd6d0f76b3a7dff53ce8d6dbc146870a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
0462e22f779295446cd0b63e61142ca5

SHA1
616a325cd5b0971821571b880907ce1b181126ae

SHA256
0b6b598ec28a9e3d646f2bb37e1a57a3dda069a55fba86333727719585b1886e

SHA512
07b34dca6b3078f7d1e8ede5c639f697c71210dcf9f05212fd16eb181ab4ac62286bc4a7ce0d84832c17f5916d0224d1e8aab210ceeff811fc6724c8845a74fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
c3632083b312c184cbdd96551fed5519

SHA1
a93e8e0af42a144009727d2decb337f963a9312e

SHA256
be8d78978d81555554786e08ce474f6af1de96fcb7fa2f1ce4052bc80c6b2125

SHA512
8807c2444a044a3c02ef98cf56013285f07c4a1f7014200a21e20fcb995178ba835c30ac3889311e66bc61641d6226b1ff96331b019c83b6fcc7c87870cce8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
f3ff2d544f5cd9e66bfb8d170b661673

SHA1
9e18107cfcd89f1bbb7fdaf65234c1dc8e614add

SHA256
e1c5d8984a674925fa4afbfe58228be5323fe5123abcd17ec4160295875a625f

SHA512
184b09c77d079127580ef80eb34bded0f5e874cefbe1c5f851d86861e38967b995d859e8491fcc87508930dc06c6bbf02b649b3b489a1b138c51a7d4b4e7aaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
a0c2dbe0f5e18d1add0d1ba22580893b

SHA1
29624df37151905467a223486500ed75617a1dfd

SHA256
3c29730df2b28985a30d9c82092a1faa0ceb7ffc1bd857d1ef6324cf5524802f

SHA512
3e627f111196009380d1687e024e6ffb1c0dcf4dcb27f8940f17fec7efdd8152ff365b43cb7fdb31de300955d6c15e40a2c8fb6650a91706d7ea1c5d89319b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
2666581584ba60d48716420a6080abda

SHA1
c103f0ea32ebbc50f4c494bce7595f2b721cb5ad

SHA256
27e9d3e7c8756e4512932d674a738bf4c2969f834d65b2b79c342a22f662f328

SHA512
befed15f11a0550d2859094cc15526b791dadea12c2e7ceb35916983fb7a100d89d638fb1704975464302fae1e1a37f36e01e4bef5bc4924ab8f3fd41e60bd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
225d9f80f669ce452ca35e47af94893f

SHA1
37bd0ffc8e820247bd4db1c36c3b9f9f686bbd50

SHA256
61c0ebe60ce6ebabcb927ddff837a9bf17e14cd4b4c762ab709e630576ec7232

SHA512
2f71a3471a9868f4d026c01e4258aff7192872590f5e5c66aabd3c088644d28629ba8835f3a4a23825631004b1afd440efe7161bb9fc7d7c69e0ee204813ca7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
1281e9d1750431d2fe3b480a8175d45c

SHA1
bc982d1c750b88dcb4410739e057a86ff02d07ef

SHA256
433bd8ddc4f79aee65ca94a54286d75e7d92b019853a883e51c2b938d2469baa

SHA512
a954e6ce76f1375a8beac51d751b575bbc0b0b8ba6aa793402b26404e45718165199c2c00ccbcba3783c16bdd96f0b2c17addcc619c39c8031becebef428ce77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
21KB

MD5
fd46c3f6361e79b8616f56b22d935a53

SHA1
107f488ad966633579d8ec5eb1919541f07532ce

SHA256
0dc92e8830bc84337dcae19ef03a84ef5279cf7d4fdc2442c1bc25320369f9df

SHA512
3360b2e2a25d545ccd969f305c4668c6cda443bbdbd8a8356ffe9fbc2f70d90cf4540f2f28c9ed3eea6c9074f94e69746e7705e6254827e6a4f158a75d81065b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\base_library.zip

Filesize
821KB

MD5
f4981249047e4b7709801a388e2965af

SHA1
42847b581e714a407a0b73e5dab019b104ec9af2

SHA256
b191e669b1c715026d0732cbf8415f1ff5cfba5ed9d818444719d03e72d14233

SHA512
e8ef3fb3c9d5ef8ae9065838b124ba4920a3a1ba2d4174269cad05c1f318bc9ff80b1c6a6c0f3493e998f0587ef59be0305bc92e009e67b82836755470bc1b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\python38.dll

Filesize
4.0MB

MD5
d2a8a5e7380d5f4716016777818a32c5

SHA1
fb12f31d1d0758fe3e056875461186056121ed0c

SHA256
59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9

SHA512
ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43362\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dbdfcf49-303a-4429-87e2-b8e85b04d334\GunaUIDotNetRT64.dll

Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
C:\Users\Admin\AppData\Roaming\svostwp.exe

Filesize
322KB

MD5
61c5a8e414a47b8cc2c69e1ac4370a35

SHA1
d6d66b31e7ebe3bd032a33fbe35fed2720fae964

SHA256
4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b

SHA512
b1d732a280ea6f9e0eca5802016292e9c373a6e6d2c48404bbe00eb67a791427945ec3d1998ffdd8bda603adb9ee6c9312cf2976ed3567ab0a2c7f8494079c92

Download Submit
C:\Users\Admin\AppData\Roaming\svuiohst.exe

Filesize
322KB

MD5
328b3cd833cb83faee5922244a1e7db6

SHA1
d7ab82401a0a02563d80ca2a417043c2917095d5

SHA256
30423fad469c19c4fa41f1028dcb5f393931125f000e50e20cbaa8301fa3e973

SHA512
8e90f4473e54134b459341b177a2c0116424de816f2791899f2d7e7c03fb4db9c761040c0442dab00e4cd20e02c613172c6de8610a1e718fdab69181bfbd2382

Download Submit
C:\Users\Admin\AppData\Roaming\{EE21D7AC35801019693163}\{EE21D7AC35801019693163}.exe

Filesize
322KB

MD5
2a9ca96a774697399b7b112be1a2ec3c

SHA1
da98d372a0c138805d947a436a9b41781e61fd20

SHA256
773b7430b45b6c8d03ff3ca60ba642c62626cc570daf86cd5dcd40cd0678eaf1

SHA512
820164990929710ae93309f39309e9614fb198d3b7335b8fde4c52d84640abd9c73b8e69601c6714fec9471dff1653387204401e6841cb42965266d49d6aff38

Download Submit
C:\Users\Admin\Downloads\Tools Archive\Bitcoin Miner Pro.exe

Filesize
14.6MB

MD5
4dce1da5c3ba4325075cf1433911d76a

SHA1
8e68be5fdf37d2b87e0c4036c4131a22145a0ce2

SHA256
ab1f367c452b77fe01adba3048275a5597355a881410fd5101c030cfe4419c3f

SHA512
d3cde35e8cfdd8fad54a88e8519a68a03b669fbf5967d330e7a41140c965f7f814dc5529a8a58ed28b120c0d682e1279f503ec63117c6653ab9aff33f4600d2d

Download Submit
C:\Users\Admin\Downloads\Tools Archive\BruteCrack -Cracked.exe

Filesize
1.7MB

MD5
988472afd02ee8e165c3d4ed5aea3ffc

SHA1
1926d346d3f061fbe92c166a56ef2a94492bd67d

SHA256
3c3bc6b7bca65947ba821c3ab48ebc1f94dfd8941b96ed142936297b30dc9c1e

SHA512
5bcb4e79bd2794342999ced9afcb111e9584d18c8a86026b74bf70231d393eba7650b15330403daaea4fa7d6ad245bea1669cc457a257134d8ae9aebc864f308

Download Submit
C:\Users\Admin\Downloads\Tools Archive\BruteCrack.exe

Filesize
950KB

MD5
bedf36dbec30d968292c0eecd20dae82

SHA1
1c2a805344b23aef80a5fa63a5af9c61f03a4828

SHA256
07250389758ec5fe07f0e6281d1796258f954221292350780a83236318324d06

SHA512
ef2c872da797b38eb412def238f105503511c8576ea4f0acad1eb680f6ec60ee5daac81a475eb5c14e0ff278082dbebb5d4e9d9dcb1fa88c8928a634ea8e42e2

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
1530b50aac226cd50815c69326517e51

SHA1
e97855298b61d8a5b6cf2450a990d5cbc40c6aa4

SHA256
1c1eab02470f70f1067cc91ae1506955f2cd92eac3afac8eb3592cc718c2cab3

SHA512
c66ee426b16c2ab3439617774b914dd279351b4c3dc14e16d6e7cdb11cd0cf0d3346df87a315f5a0de885522e3bfdcc2513e73f2d01cf0e5f13f77f7facdb432

Download Submit
memory/620-556-0x00007FF7BE0C0000-0x00007FF7BE116000-memory.dmp

Filesize
344KB

Download
memory/864-506-0x00007FF69F4A0000-0x00007FF69F4F7000-memory.dmp

Filesize
348KB

Download
memory/1648-478-0x000000001BDC0000-0x000000001BE66000-memory.dmp

Filesize
664KB

Download
memory/1648-486-0x000000001CC30000-0x000000001CC7C000-memory.dmp

Filesize
304KB

Download
memory/1648-481-0x000000001C980000-0x000000001CA1C000-memory.dmp

Filesize
624KB

Download
memory/1648-485-0x000000001BE70000-0x000000001BE78000-memory.dmp

Filesize
32KB

Download
memory/1648-479-0x000000001C350000-0x000000001C81E000-memory.dmp

Filesize
4.8MB

Download
memory/1708-627-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/1708-644-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/1708-650-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/1708-599-0x00007FF9A6DE0000-0x00007FF9A6F2E000-memory.dmp

Filesize
1.3MB

Download
memory/1708-648-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/1708-601-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/1708-605-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/1708-613-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/1708-590-0x000001E438390000-0x000001E438568000-memory.dmp

Filesize
1.8MB

Download
memory/1708-600-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/1708-603-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/1708-607-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/1708-609-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/1708-611-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/1708-620-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/1708-636-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/1708-622-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/1708-624-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/1708-628-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/1708-588-0x000001E41DA70000-0x000001E41DBBE000-memory.dmp

Filesize
1.3MB

Download
memory/1708-615-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/1708-617-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/1708-638-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/1708-652-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/1708-630-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/1708-632-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/1708-634-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/1708-640-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/1708-646-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/1708-642-0x000001E438390000-0x000001E438563000-memory.dmp

Filesize
1.8MB

Download
memory/2468-487-0x0000000005610000-0x000000000561A000-memory.dmp

Filesize
40KB

Download
memory/2468-493-0x00000000058F0000-0x000000000592C000-memory.dmp

Filesize
240KB

Download
memory/2468-482-0x0000000005B60000-0x0000000006104000-memory.dmp

Filesize
5.6MB

Download
memory/2468-483-0x0000000005650000-0x00000000056E2000-memory.dmp

Filesize
584KB

Download
memory/2468-489-0x0000000006730000-0x0000000006D48000-memory.dmp

Filesize
6.1MB

Download
memory/2468-557-0x00000000062A0000-0x0000000006306000-memory.dmp

Filesize
408KB

Download
memory/2468-480-0x0000000000D30000-0x0000000000D82000-memory.dmp

Filesize
328KB

Download
memory/2468-559-0x00000000070A0000-0x00000000070F0000-memory.dmp

Filesize
320KB

Download
memory/2468-492-0x0000000005880000-0x0000000005892000-memory.dmp

Filesize
72KB

Download
memory/2468-491-0x00000000059C0000-0x0000000005ACA000-memory.dmp

Filesize
1.0MB

Download
memory/2468-494-0x0000000005940000-0x000000000598C000-memory.dmp

Filesize
304KB

Download
memory/2572-316-0x00007FF6F5E30000-0x00007FF6F5E86000-memory.dmp

Filesize
344KB

Download
memory/3432-302-0x000000000DDA0000-0x000000000DDB6000-memory.dmp

Filesize
88KB

Download
memory/3432-304-0x000000000E7E0000-0x000000000E837000-memory.dmp

Filesize
348KB

Download
memory/3432-300-0x000000000E790000-0x000000000E7D3000-memory.dmp

Filesize
268KB

Download
memory/3812-468-0x0000000000580000-0x0000000000602000-memory.dmp

Filesize
520KB

Download
memory/4084-455-0x0000000000900000-0x0000000000912000-memory.dmp

Filesize
72KB

Download
memory/4084-507-0x00000000051C0000-0x000000000525C000-memory.dmp

Filesize
624KB

Download
memory/4488-233-0x0000000000100000-0x00000000001F4000-memory.dmp

Filesize
976KB

Download
memory/4500-564-0x00007FF76A660000-0x00007FF76A6B6000-memory.dmp

Filesize
344KB

Download