hxxps://drive[.]google[.]com/file/d/18YC3N9BLx9Dr7gS2E-nYbWih6B9a8kGc/view?pli=1

Analysis

max time kernel
174s
max time network
175s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10/11/2024, 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/18YC3N9BLx9Dr7gS2E-nYbWih6B9a8kGc/view?pli=1

Score

7^/10

discovery pyinstaller

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5452	Loader.exe
5984	Loader.exe

Loads dropped DLL 19 IoCs

pid	Process
5984	Loader.exe
5984	Loader.exe
5984	Loader.exe
5984	Loader.exe
5984	Loader.exe
5984	Loader.exe
5984	Loader.exe
5984	Loader.exe
5984	Loader.exe
5984	Loader.exe
5984	Loader.exe
5984	Loader.exe
5984	Loader.exe
5984	Loader.exe
5984	Loader.exe
5984	Loader.exe
5984	Loader.exe
5984	Loader.exe
5984	Loader.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
128	raw.githubusercontent.com
6	drive.google.com
8	drive.google.com
118	raw.githubusercontent.com
119	raw.githubusercontent.com
121	raw.githubusercontent.com
126	raw.githubusercontent.com
127	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\d0aadf05-7827-45ef-8e1e-eb6116936f37.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241110072350.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x002b0000000451e5-415.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2448	msedge.exe
2448	msedge.exe
4600	msedge.exe
4600	msedge.exe
4016	identity_helper.exe
4016	identity_helper.exe
5300	msedge.exe
5300	msedge.exe
1104	msedge.exe
1104	msedge.exe
1772	msedge.exe
1772	msedge.exe
4080	identity_helper.exe
4080	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	5344	7zG.exe
Token: 35	5344	7zG.exe
Token: SeSecurityPrivilege	5344	7zG.exe
Token: SeSecurityPrivilege	5344	7zG.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
5344	7zG.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 3608	4600	msedge.exe	81
PID 4600 wrote to memory of 3608	4600	msedge.exe	81
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 4128	4600	msedge.exe	82
PID 4600 wrote to memory of 2448	4600	msedge.exe	83
PID 4600 wrote to memory of 2448	4600	msedge.exe	83
PID 4600 wrote to memory of 2284	4600	msedge.exe	84
PID 4600 wrote to memory of 2284	4600	msedge.exe	84
PID 4600 wrote to memory of 2284	4600	msedge.exe	84
PID 4600 wrote to memory of 2284	4600	msedge.exe	84
PID 4600 wrote to memory of 2284	4600	msedge.exe	84
PID 4600 wrote to memory of 2284	4600	msedge.exe	84
PID 4600 wrote to memory of 2284	4600	msedge.exe	84
PID 4600 wrote to memory of 2284	4600	msedge.exe	84
PID 4600 wrote to memory of 2284	4600	msedge.exe	84
PID 4600 wrote to memory of 2284	4600	msedge.exe	84
PID 4600 wrote to memory of 2284	4600	msedge.exe	84
PID 4600 wrote to memory of 2284	4600	msedge.exe	84
PID 4600 wrote to memory of 2284	4600	msedge.exe	84
PID 4600 wrote to memory of 2284	4600	msedge.exe	84
PID 4600 wrote to memory of 2284	4600	msedge.exe	84
PID 4600 wrote to memory of 2284	4600	msedge.exe	84
PID 4600 wrote to memory of 2284	4600	msedge.exe	84
PID 4600 wrote to memory of 2284	4600	msedge.exe	84
PID 4600 wrote to memory of 2284	4600	msedge.exe	84
PID 4600 wrote to memory of 2284	4600	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
520	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/18YC3N9BLx9Dr7gS2E-nYbWih6B9a8kGc/view?pli=1
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x40,0x130,0x7ff827ea46f8,0x7ff827ea4708,0x7ff827ea4718
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,14386082923481401405,5785379508546476913,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,14386082923481401405,5785379508546476913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,14386082923481401405,5785379508546476913,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:8
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14386082923481401405,5785379508546476913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14386082923481401405,5785379508546476913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14386082923481401405,5785379508546476913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14386082923481401405,5785379508546476913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,14386082923481401405,5785379508546476913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6480 /prefetch:8
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4896
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6cafe5460,0x7ff6cafe5470,0x7ff6cafe5480
    3⤵
    PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,14386082923481401405,5785379508546476913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6480 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,14386082923481401405,5785379508546476913,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14386082923481401405,5785379508546476913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,14386082923481401405,5785379508546476913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5944 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14386082923481401405,5785379508546476913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:5480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1732

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4072

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Loader\" -spe -an -ai#7zMap24000:74:7zEvent5476
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5344

C:\Users\Admin\Downloads\Loader\Loader.exe
"C:\Users\Admin\Downloads\Loader\Loader.exe"
1⤵
- Executes dropped EXE
PID:5452
- C:\Users\Admin\Downloads\Loader\Loader.exe
  "C:\Users\Admin\Downloads\Loader\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:1700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:2800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title MCC Loader 1.0.8
    3⤵
    PID:1872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:32
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title MCC Loader 1.0.8
    3⤵
    PID:3192
- - C:\Windows\SYSTEM32\attrib.exe
    attrib +H TOSVDOIAHWOIHSAKLFHWA.txt
    3⤵
    - Views/modifies file attributes
    PID:520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:6040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:6056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:6068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:6132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:6092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:6140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:6112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:6024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:6008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/v22nyjjsg38355w/vape_v4.10_source_%2B_compiled.zip/file
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ff827ea46f8,0x7ff827ea4708,0x7ff827ea4718
      4⤵
      PID:1432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,7510771249120425469,587498850184284427,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
      4⤵
      PID:4376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,7510771249120425469,587498850184284427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,7510771249120425469,587498850184284427,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
      4⤵
      PID:3292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7510771249120425469,587498850184284427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
      4⤵
      PID:5136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7510771249120425469,587498850184284427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
      4⤵
      PID:1040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7510771249120425469,587498850184284427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
      4⤵
      PID:6088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7510771249120425469,587498850184284427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4356 /prefetch:1
      4⤵
      PID:780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7510771249120425469,587498850184284427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
      4⤵
      PID:1900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7510771249120425469,587498850184284427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
      4⤵
      PID:2016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7510771249120425469,587498850184284427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
      4⤵
      PID:3644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7510771249120425469,587498850184284427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
      4⤵
      PID:5116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,7510771249120425469,587498850184284427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6880 /prefetch:8
      4⤵
      PID:1136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,7510771249120425469,587498850184284427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6880 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3a64c98dc7daad5ad686b126bc41fc2b

SHA1
63ac1632e77c36bec84bdb0155f299040a409119

SHA256
d485dae02e838f24b027b13ea300898a64b8773c27cc95f9e3bfb49beebe694b

SHA512
3f2d5146750452c323e87296384e8492e2d43fcfc89d570f5a091973a05bb9593390014480258115ce784e586c17fa3a30ef19668006d75b4675b9f469d9dea9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b023edf136bda542c14a1d1adddb7ff

SHA1
f1d2a566f720e492c03ca494169c73e664c09cc8

SHA256
2a3d0668c938fbe916c2a8084659876992769257a43b882708562f8afb4a2f20

SHA512
97adc49a1ba8c621f787cbcb41d0ddc79a933cc18ec7c42d61cec1d1ebdceeee8ff1f9d6cea17681d4904a0e05ce08dee00aa0905bf57a1b813ea2516f6c1f85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5d9c9a841c4d3c390d06a3cc8d508ae6

SHA1
052145bf6c75ab8d907fc83b33ef0af2173a313f

SHA256
915ea0e3e872d2b2e7d0e0ca30f282675139c787fec8043a6e92b9ef68b4f67d

SHA512
8243684857e1c359872b8e795a0e5f2ee56b0c0c1e1c7e5d264c2c28476e9830981bb95244f44c3b2ed334c3e1228f3d6245cce2f3d1f34cdbce8e2af55b4c85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e87625b4a77de67df5a963bf1f1b9f24

SHA1
727c79941debbd77b12d0a016164bae1dd3f127c

SHA256
07ecc7bd328990f44b189112a1a738861b0f4528097d4371e1ab0c46d8819f4e

SHA512
000d74220ba78628b727441c1b3f8813eec7fc97ff9aa6963eb2ab08d09525fa03935b32e86458c42e573b828a22b0b229af02b47eee511dc83de4ed3b5e726b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
71ebceec54720bc79c2cd70cad76014e

SHA1
c8c31f58f4f9859623794437ee968b0c1cd97f94

SHA256
3bd865779d5b960b46b9a342837f01e245c5206e958153349b8502e8070a07fb

SHA512
09f0de1913298959feba73a6b25c3599716ae66d0aa610ea59a3b93d7d103fccc63cea6097d8c5abd737c1f628d428d348b96225f57d5f1759761c126b7628d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57c44a.TMP

Filesize
48B

MD5
9ad29618fc92230731713b90bfa8335b

SHA1
e67cfda62b2f73a382f425ecea3dccdd6d0c2011

SHA256
9056634fb6eeb4e43747a71cd7a4e9e38c3a965b8a363494a47116ab5e1c8ee8

SHA512
c88a3e1bd08255d47ecb3010e3bd8288adc055f1a6c7662fb1263e255f7beb459f2ef0e90923251282542652ededa89ad8e4611fe42ecfaac00d86c897b70a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
4d45b74f010e1defc13d87d62b30918e

SHA1
7a385228cdff24c7090f7b9a7f364439b28ddcd6

SHA256
d59cf61b5a499152c91fba9835903f8b0749d7a247fcef3a7778d937d1179319

SHA512
988d232a3c9701ee095f98b9607b3730f3f609bf4c2fcf8c70cc4322d1702cd88c35860daaa79b83f338482fa86609630880d8ab152f03b75ef20d28c8b9eb74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f8c4fff4b44acfef9c1feefefa0513ab

SHA1
12ac6dc5c3f98fe9355fe926f1c2c48c415c09cd

SHA256
ed2087909b07de43b12240d8ee8eaa81f8b6722ceb1df2017389e7e1d9ad91b4

SHA512
c94c80eaa95fe826674288e73bc030598a05d7bba79f050caf1167dbcb2d4ae9694a6a013f32de6a0aa52a4e7e05c34d52bb0dd94b14178e4e0ff637037effb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5c8cb590e616a48e1889f6fe055a1b39

SHA1
a1a95f305db43cdbb9035c9b1de2886352c86c5f

SHA256
e5f8707c3c54a2c283505ce10624ee670176f31e8827236fd541eba365ed9679

SHA512
e2ef5fd9e954dc413aee26fe2ec5562254ee6521833ec7fccb553e3e7e9c619172d4a9ca5385d47e39cd0aab927cd88f8728ae74a8992f46d5cf2820d880177d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ea2951cc8ff23fcca0faa2ffbb895b40

SHA1
9ab54b2a2bd377a25cf0c0e8525060fa08c7b7dd

SHA256
5ce5c44e076a3e411fca7ef5cca9f46e96310f091175a0c5aa019bacfba71818

SHA512
cda41db2caa9ea889e6a2b1eceef07f5175cefc400755fe309f2aac428e8ab0d1c95b41f563b5ec398abd331a28457d4287554a2deb2d1957b541b117a30b6ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a6c03d52884651e821ec36bb0a45a748

SHA1
86026a4b2f7b38fbeffb75f1ca7b4dd0d3cc867c

SHA256
760f4561d59827e3aaa55aaf8bf779bffc7ceea0753728a12ebb1978775c1439

SHA512
19cc814ab2e7223cc5a8f961c922fcd07cfaffc6b99eb5b04a97468c546c9f38ed13b472499a45d69feadfb3155aac8f9c9e50074c8509421409e5723d97ce41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
888f8eaec89dc0bbdc1289ebdb8d65e8

SHA1
3ee305b92b3f78875b0fd1c80b1330fe9d30bbf6

SHA256
0cd829e23ec29e76db196e60aa361b63ce012de26ca3919e9135d404c15b1219

SHA512
b353309ab6c5e0e33a7a9fe3f0fe53eeca70b4c5468bb41f76920a0ba8961d67611032772aec19d065ffb6ea628425b5f443a5f60ba8cbc31b603ce3a17a2b1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
d6398eb7090dba5d8332b9d77ce4ca0b

SHA1
60bb90deb0587547056b5f5c11507a0d60ddab0e

SHA256
874a825166dca406e3fad60b9712ab6fe6859195dd2c647c12a689e060fc33eb

SHA512
549afe263b633de0ef70c7928aa5739b7eff85ab6e0ffc14152e1eb1effdd2ebca305e02cbed1b0350b0940a89ebb7d76d4c2763a5eee68ccce558ffc95d3612

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
137094a3453899bc0bc86df52edd9186

SHA1
66bc2c2b45b63826bb233156bab8ce31c593ba99

SHA256
72d823cac2d49660cdd20ebf4d3ac222c4dd15aae6e5ac4a64f993ef5c4fdd44

SHA512
f8f149c9eab06e8d7e1aa62145f0fc588dc36fc521ef4dceceb80a191b72d79586d920feb5f3b1d19595109cc6d608c143e32f521a4da1068c708a2538899ada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
364592d2cc18adf665987584bf528cba

SHA1
d1225b2b8ee4038b0c42229833acc543deeab0f6

SHA256
bd97dd6797bb763681cfb1fc3cc21a44a273aab1d9a4f4f9332675c662d2136c

SHA512
0e852db825e451464cbcfda95eae2dfe780874bd20e7b467604962428007d1735ece752aa5901d468708a68d66d029271d5567b39c530d2d44b875abbff9aa40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
638b9b21567af7d80ff934281984167c

SHA1
134b9baa768f2c0859ab28a30427cb3fb906f735

SHA256
8a899d58d0a899421af64da24a7da24227e60e0b8df666e308e7b1ae100a35fc

SHA512
b017f3b732245198bf2d52dfa4c799daa5da918090e45938714751ebae1bdd65842b8af3c1f37e3644f82b7079934a99e60b97f3cd6c9214e4c0b73f04cdf805

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ea5c3875d6bc4deb42a381f79d877021

SHA1
fc794d3eddfbff23895ce42a3b6b59479e4ee546

SHA256
3be40f0e29dce09c64f01de6ee33f08f2df1c39059aa4e006740af4d62bfd9d9

SHA512
2345571d151d4cfd5473d30f6a8c1138c26598805f7dc831324bf100b0242a52df583fa647bd48c606de81dead46540c3d7d8a7f7ac9ed86bd65b0da49b704a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0f3eeb12c78f9dff20300da722f20c95

SHA1
d0aa46b59750fb3f4856bb2669784d920e84aad4

SHA256
f5d46ed31769dbd961fbccce7486cde20abc8400ce9cd24d30d80bde394b863f

SHA512
aeafbb25ee64b3e87ca1ea32467efdea99d38ae4852bd127e4304852367295cbc12bf1205d2ebda783d8f01cd8f2dda095fe4a394b870be040022a90032cceb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
93911d76f4eedbac3739f890a0f10b1b

SHA1
69fa868dbe3acf184d5a52c56ecf3e85055f4514

SHA256
36275a0a48eccaa977c87918e3ee1dfafbd6e94d67b5a4b03fe70aee50d74bc7

SHA512
cfc5d753706e8bedf222dac8bb8f928dba758b536a407f4cc5d36487a0948ad90abb114409c69f04d0de292062f6e098ba9aaaffaa3cf21e5722545da709c838

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\_ctypes.pyd

Filesize
120KB

MD5
bd36f7d64660d120c6fb98c8f536d369

SHA1
6829c9ce6091cb2b085eb3d5469337ac4782f927

SHA256
ee543453ac1a2b9b52e80dc66207d3767012ca24ce2b44206804767f37443902

SHA512
bd15f6d4492ddbc89fcbadba07fc10aa6698b13030dd301340b5f1b02b74191faf9b3dcf66b72ecf96084656084b531034ea5cadc1dd333ef64afb69a1d1fd56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-core-console-l1-1-0.dll

Filesize
22KB

MD5
09b2a90adc73421c3b7a70bfeff0baac

SHA1
4c9874195e917efb5077887be2f1677e58410861

SHA256
b2093752af55d7708dd9e0540c66a621c128870dee43efdb2a36d5128db463c0

SHA512
fc4b852127a34678d7dc735bef85494847a16a4a6505b8a12722672faf0169f234652ee24278c51ad681187760e41a27fe46348252cf29fbfd2c9a9e561aaecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-core-datetime-l1-1-0.dll

Filesize
22KB

MD5
8dc8a35c4e043348eceda2657c263e5e

SHA1
d7572375b2ade6a4cdd0910f601340a39da6aba4

SHA256
f1ded4bbe9ac8fe71a3e0b1e72aa15d6fa699f986a6183681b36b38990df9037

SHA512
6275043f611001debad6efbe8b402f9d4a7ee405e6e1306b253ab26616a399400d845cf89355756e3d81dac245c367a5df42dc2880a728560f97ae43d1df4926

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-core-debug-l1-1-0.dll

Filesize
22KB

MD5
d646d8ea7d6c3271337a827551618e14

SHA1
63deaa4158f99509d88e39406cce3b9c57947de7

SHA256
41ff412526664f93fc6997dace8ccf56c709b34bf745e97091eb5e1a7c7e491f

SHA512
af9151905265a89164ed20301961c250271f8804ee087b05a575a15d2cc27084a258bb41eab1bc6376d858fe3f1871ddd32f9f79155624fdd89080037f6ac865

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
22KB

MD5
2b408cfb2c072c30f6c9007623932d25

SHA1
2835982048a9bf3528a532ee766651653f36de8f

SHA256
48435a9a3b4206b595741c34be6198a759569917cecd3c526f0d63ec0a55b0de

SHA512
3a9d593652a5e9a92881120448772d847901b4eeba1a2ce0161a66cf82e94c1dc2ce3acc17a95e595942b3e0854ffc466efb15023b37aad0925ebd0e0bd44771

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-core-fibers-l1-1-0.dll

Filesize
22KB

MD5
f5fca0b8661f1d2a8e72d3dbc95abe77

SHA1
9c45d68e7c64c39bd6296157fc812d765999be36

SHA256
55fb31da2909865d9b3b980afa37bff007fdb624524dcc337594118641953784

SHA512
6599eceaecda56ed2dada54aa01a8dae8a1c4dce09ab3c54d0b77885b9b5cc24f67bda6f5285a52a08b69d9e759a52781a829cf130d9224955397c41acaae468

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-core-file-l1-1-0.dll

Filesize
26KB

MD5
a5335665d8992582f89958087b60d3a9

SHA1
97fb0a21234fd243d46d21992e6016bf0af2f3d8

SHA256
9f8d03558282ec8afa80282d0736625db4c28ba2e1d358734fd9c4a29fe4ed1e

SHA512
b286004cc38d2873b1579b097785cbce24fc9d69989a0dedf05ca338981c6a13678bd71903a6a99f38013e1cf43729e48a3e50827f2dddce3695b9192264c477

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-core-file-l1-2-0.dll

Filesize
22KB

MD5
8d1531275b769c1bd485440214bfaf82

SHA1
c8bb901b148522595cd78f1e12f61730bfa3d9df

SHA256
0b7a730b6b10c9d2e2fe1b9b4419b1fc60db9074a0c6f830e1b2da4d0f65fe88

SHA512
55914f424c400208b0d2c4d6cafa355aecf4697d3a6bf4032fe298214ed3565013c969b1e23d91cdf995dad46760c80e3a0a3abc062b3084b2bb4bc83a90995f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-core-file-l2-1-0.dll

Filesize
22KB

MD5
50d07886dd9136e8da57bfde8fa1f69c

SHA1
17526cd01e870d4087c5aa423e4971c72882e173

SHA256
67fd0522cacfc3f5fb90373dd5fb388b6f63035d9a380cac4a3dd3d7801724ed

SHA512
7d1b12529f35e1bcd7a858fef4001a4a5e0ff15506789fb3ce56b58427d16c32a9c1768b87b2f66a1b37456a05f8e05ae0b0eddfb4335ae0cb8eda00550175c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-core-handle-l1-1-0.dll

Filesize
22KB

MD5
32dda59c16c53eda2027347b5e741e9d

SHA1
e9ad7505f468b62144a8a8551c2d6dc9f2f82a5e

SHA256
595ebe2feac7f57035b0ce803412bb4470d0366637a191cf4e48d5f5fd8bbffb

SHA512
d7c06ce6ebf509b90592d6262ad9950cd8916f715add79a384f688869de596c8e0546d1597380eadc954a9e5dd2a9dbb818899372ab51104e865644269cdec95

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-core-heap-l1-1-0.dll

Filesize
22KB

MD5
5ce4e2adef8fc502db7155483584338f

SHA1
9d7aabb46f1cb7cffbc04b324bb4a10c17c45e97

SHA256
23e4d57c2a94c8412308218a091cde0f4aaf3af360449e31fe524b153a08082f

SHA512
0b160aa88aad8e06d157cb4468cc1479ed31e01064cb8cd0900d34e3a708dd0d77dd239e357fa7618eb75325502f5f8fcb90fd9fc6ed2a9c1d7557cdf1876353

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
22KB

MD5
6455ba4882ce135f21239aedf014acf5

SHA1
2db779414b30759d8394184e1f7254818df62ed9

SHA256
57dcbe7343ac4427af6a82ef24dd7afac04bce59b82fe05aa506fde656f513bc

SHA512
81764d46251bcd76f8c127af3f00ecf13f673b46624beb3a5eab5cdc6d69a0dabba91327e30e976a3fbb0dc6280b0fb4e8e7f237615b27c484b8ac5fc084d056

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
22KB

MD5
7dc3a99fa667f8a00e9689133e4e38c8

SHA1
c37c13d833d6a11212dfae32fa19277baf5000f1

SHA256
d8ac0559b5cfbb8414b39d509bf96999567166ff63f4994c5af07cafa3ec4b08

SHA512
e772c4ba5181c2f543029aa3929f0b3ffecc2e25e350a900f798ae58543938c61e45a233593caf6c45ecc21877ed79e0ff2bd5cd2f61e7a3cd16d2e4e9520212

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-core-localization-l1-2-0.dll

Filesize
22KB

MD5
ab169047e1a0fcf3c98be20b451cb13e

SHA1
a286836c85ae43ed5c79b9875f97abdadf57b560

SHA256
3cbc6f8cc2a014c9c6e87ca05dd0e9e0884da58afdc53b589b3d7172c4403ed7

SHA512
c8e27ebd9335f7f34919e841f9834fa687f822d4289b47c20283e37f4a499008668bafd12e1f742597a6c8623312fc41881c18a56b9062a2a609dbb55f0cd17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-core-memory-l1-1-0.dll

Filesize
22KB

MD5
87b17a424c4e5eed9d5794ba33317dd8

SHA1
7862d1b492dea9e6fe9c6e1e1706137825853947

SHA256
706bb10d0517bae082df6c955c3915d1104ec128bb62059f70cf9564541cfc01

SHA512
75f6dff05a6e06cd103b3b65a40149dde45abdefca67e352ee1ad4202da28efe9dfc530ed2a51995fd1ce019512339fd908f1762244ad7449a5d571ebee41e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
22KB

MD5
360557f082d00dfa55bed5bdcb7d9593

SHA1
f00534612643f0093a689d64cfc61e084e942e12

SHA256
6e2b713382e574f24b17e8a1c911e8256d50b82dc044ace459b6e0c679a3dc32

SHA512
41bc1078e1fda3527ae0cd48051a0ec91d8efe4de1b6ff0903779d7c7ec47b5327aaefbd8b5e9c7543aa786521406b15dfe1bcc65fde6fb3d4eae51cc06ec889

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
22KB

MD5
4887dd9dbaa261a8b8ba0c5bf5da03b8

SHA1
19b72460ba53f5d8d95edb83f28d8df2e714d344

SHA256
a41e6074348ca71f102eb9207ab8844c6c470f1260003dd453907f77d14a668f

SHA512
aec187be29253306cbb0d4b0d535b1f9a967ba5f9e868e38fc23de931bdc363119094999d143cb19b2231ad7e97907d1de92f8300ec80afd038079ce7dac5a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
22KB

MD5
6442313028b28d89f68b8e637a7c6510

SHA1
9d010e45f4faaa65a155d13211750517391a21a7

SHA256
bf1fb2e33c4fa6dfa0a50e2ccf1a1976a02d636e4e45406d2587c271b333da14

SHA512
7397599d60b7b1999e739454fbc1f23c511a20370a22aeb272f007778b2e67b9bcf05638a72985be7c9d133af1ea8744c14c0c8a55ad1451251ee35947f9da24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
22KB

MD5
5132f7fe729791081561426904d45e76

SHA1
56fba2baed4123bf4be7be1c5344f95e6bd9db9c

SHA256
a5aa6755860602c58c0edb1353c965e6f0ba58e7276ba6fb5a0b961fb274d125

SHA512
b12e981ddb608049456dbfc0bb77350819f42caf0da457ad778bb9ded3979503ce6713d366547ac3f949ebdc01d0775da1d726fd367b11b8680a472017f59cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-core-profile-l1-1-0.dll

Filesize
22KB

MD5
2cf91da8fcbbb1f9edbd457196cd2b6e

SHA1
3b2ad932dc29a4fbbea664bcfd64050d2f2be037

SHA256
8a1e68d655fb05b18cfaf8f4bdcfbfc53cfaa7cd941e5aadbc1769c461dd1fb9

SHA512
63a12b7f220be481dd5240f44b6cf3a8c2d734dd460c2db551ac1a985e95702ca0c0caf99a0f4d767afb730b5105f9f41be03e491090893d5a16fd871364622f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
22KB

MD5
fe4c5f591405fb55676180a29c079f43

SHA1
4ca10f86a7a27b86c74205af7dfb8a4d05789e33

SHA256
78dffd464d72e82674647840c3361d860244d010f0402d87a7998d8afbf8cce0

SHA512
b3bb7911c33dfde7e04335eae357a8c9481eebbf7a74b341e37bfa54be400905ce1ad951cff21896f9460922290201242b071014925a4de0343a940f9c6a71da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-core-string-l1-1-0.dll

Filesize
22KB

MD5
0519e2e84483ce47c37a160eb4d4232b

SHA1
dc986257568e666f2b84a3d1fc137f55c95426ae

SHA256
3a76a88faa313726977c44656c3004664c6dd171ff58cd935e9a5ca282a04cab

SHA512
931a7c98e72e56217b3ca10bb1c8da59f1a2d797bf1623345386023f42772ebb58e87e61eb142aae272641ee4f0976ed7e9e0b6ee4d8ce18fd6c745e848cf988

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-core-synch-l1-1-0.dll

Filesize
22KB

MD5
f77da542def06fbb430198b37506a09d

SHA1
d5a86f3e051d8f5647861fc6d0b66f9be2a41980

SHA256
0ecddd0a18b9759f79bc014b121f4fb97cc2299b15fb00bb54117d1f5decde74

SHA512
aa88dab30faebfb2de590c2ca5d4e64507bac1e09693aac38249eaba24d8a41e0d510e7a24cf1709e6bfe32cacb9a9ca8b210fed28868e2efc02e37abe570c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-core-synch-l1-2-0.dll

Filesize
22KB

MD5
a9e2fc6fadadca47a3d67174d054cf1f

SHA1
2bfd066deb3cc84fd0cc0b6b13c1266c68bb33dc

SHA256
abd80237d43ce594f6ca781571085b25db7325cf7549c8d95302e302408a9954

SHA512
fa7e9d43c0e7f924f219c1b478a280cb53f3625d4479c92dd6ea1e9ca403d30d854068bfb7310b3fd44f1effae91d88087ef61b4649160516e9264b1e92dde76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
22KB

MD5
d8ad62c97e8fd8c00959a8812a763f1d

SHA1
a32c26b69d2a7d900a0de544203aa0f0e225a51a

SHA256
52049f5431f10856708fd7c6ed42beadaae65ae3092c0aa56f79704f6d5ef963

SHA512
87ea1a72a271faae38444969d7e9995c3cd926e5d85562eb33c7d8186274b2df663dd5e31af8c6731d678ae463843f8797b8e586830bb45c1b6b7ef7a1de4b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-core-timezone-l1-1-0.dll

Filesize
22KB

MD5
1ee744ceca8da8dba0dc27f25125242c

SHA1
4c168b8673cfabbbbcf00195cf0db7b640a0289f

SHA256
c67dd8ed74c0a207c980caa6bb453e62180a71af175feeb42c2c926ecb911e0a

SHA512
d17b8f1419e3f77729c686d4fe79feb08368953e0997ef67217e829456e1c13dde5d9e7a0c35d117d1ae4d40f37e160cb6390b45242c0308d809dfdadb3155f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-core-util-l1-1-0.dll

Filesize
22KB

MD5
ab75ac7acd7344fb84904f78f7eaf8fb

SHA1
48fddb6e311e8041f15cef98538a8e5bf4ee1eef

SHA256
e5f86dc2e31f3d8133a9bb22ccc57ed93d2154aa28251c1c26a989e4624237d6

SHA512
2cdb373117ae71ee56ba51c45998926cc125311098fbafd467556c40ca4d594f953e01b4d6b4e006eabbf966dfc82bafee4d4c14cd84009fd5e4029a289464bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-crt-conio-l1-1-0.dll

Filesize
22KB

MD5
4e9dd52db3106bd2c7d79c9d29e78f86

SHA1
88b0295fdda5b307be33853572d65d123a8dd8ea

SHA256
312415ce3f3333f09fc207a69768133253c50b3e167ba303923fb357905591b5

SHA512
138dc82cbd5575d41c361a6a1fbf021386f4302ae1d936ac247a86be2bb1249099abc36c0945cdfd91010110c0f367d88d51bdce721e44229446a4e705340f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-crt-convert-l1-1-0.dll

Filesize
26KB

MD5
c8ffbe7204e1fe53a396ad8c9c99e9bf

SHA1
8f08f205ca5003b79ce238d257a7a6ea2513b206

SHA256
32d3fbe9d4cd6c7f3adac383d5ca67b36d3c9b2e569b204d54ce0a27b317296d

SHA512
58bcfc777f39f54b141a8474a8e08692e53e41783aa9f168cc3858d5137cca601661bfdefb846618c7c8299c31078c8c7ef508b25bbac88d84898e36dd5d426c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-crt-environment-l1-1-0.dll

Filesize
22KB

MD5
97d2bdc7b5daf5568f4333513b536adc

SHA1
c16ef9c9a40c4b4d79c019869e8838cc6db897c4

SHA256
cfb7bc2a80acbcc697e3e5d1f7ae43e069554b33ca944b0dffb8f631232cb05c

SHA512
86aea6582762002e3f19fcb4074de18c1f7a0fc9045b647dcde9a996c80085fdb12a47901a6c1cb6571077b32870ddd615425ad3eb6e5424863757743211bd87

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
22KB

MD5
d9e64b48ec7135200f1396e017d1351d

SHA1
65d0e077bb80da2a71c1d2aa5986f4233ab2f04f

SHA256
f66c1e092b1a96333245b18dbd7267d3e712b5cb7bb6c9fbe9de44d304582631

SHA512
51adfecc9ec6c03af264f73645a2f83614ac8b5c453d1fb64e2f32ba8ddb492189762a302ee317eba844776ba49acc27afb760469734672730cd1670251b1fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-crt-heap-l1-1-0.dll

Filesize
22KB

MD5
1a70583c28fcae749bd262a34ee968c8

SHA1
5e4555f4f4250a7e8b336d25145795e597dd53e0

SHA256
be91f29c0def06c532d900c397ac7b79213f466e3c30cdb2231c7e08a9ee2baa

SHA512
7ddf949b913e2a4e079e303995aaa6b26d06ecb66499270fac3cc6578dc37e03671d8a069c8657f20ecea26e8dc106eaa8b13e045d2b5bceadf4f7bb899d0d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-crt-locale-l1-1-0.dll

Filesize
22KB

MD5
4cee8303c0994cc97c0b426c719032bd

SHA1
d60d2a4efd2d1db5d3c9f64761ad6bd1802874cd

SHA256
7478756d70840c9bdfc3c38fec5667f309a70970e6d5af058a25e6d9efb2aef1

SHA512
eb13ecd1517e66f0d787d2fd6a88abc6d89d2d3392839d6cd5b277a52fb45dbc2fa4b849a0ee6c6d884d074ad2cdebd9f63511b08f8a746b5eb10978b8fbd646

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-crt-math-l1-1-0.dll

Filesize
30KB

MD5
33d4c8d4f8598d32f25c4c78b681c3dc

SHA1
4f9b6b99640472531d1f6c11f030e043916cc6f7

SHA256
bef4d133abe009f50ce9d67f31acd963a1a77f41b0ba71b4707be8f45d974289

SHA512
b163e8d20e99288cc823a649396549671bd9be4dba323966f3567f10e357d90d9318f589c1f45995c332b8a491fd09655caad3a25676e0fda3bcd20e64a11a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-crt-process-l1-1-0.dll

Filesize
22KB

MD5
9fdb0d60d5bc511c84f47d84da43a3ca

SHA1
806137977ad4b16b86e333c1453f01f8c3e49690

SHA256
d18f92bcb20f14c8888491e8c38246d97b5f138951dc8e4056c80c6ba5e0c5f2

SHA512
af00d5cee6e3c3ae70d0c35837222f74ab030da72899997cea71c9c1ff9fb3d611e6e6b2a8ca75d59ab4b7ce12382e1e11ffc7cfb1c4cff2eaa2ad7c81fbf5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
26KB

MD5
b4076e1e955e3b9c33f03edb77b67b04

SHA1
fdc44cee07598ab865f8a7ba1e96ed32b87f6525

SHA256
009a2fbcd43b701177c02c779fa01ce7b7e8e9d8ed5db3e305880e086bbf2aa4

SHA512
85766b23f3e95f010734933eb45c61491b268efb0f13e86ddf9fc361a558588968c7884cda5865b717738044bca4f1f9c9295149f70b58b3809dfcd58ea43907

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
26KB

MD5
0c513371fb7e1345f2c7a8c737bdb938

SHA1
30a40972e250080b68614e4fe2a721a3cae177c1

SHA256
bf28630e9a216e6f29ef9df48689d8ed364684638c0aa54f09ab53e9367c4cc0

SHA512
43fc864273d0f29a4c0bf7439022dd776a52b721ad74d1f0ddd1f02e87556eb93821f04d72d353fc40a54ef51b19c8b42c41af17240809deb3c2e72121e6678c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\api-ms-win-crt-string-l1-1-0.dll

Filesize
26KB

MD5
e5341ed2725f0076968f08976d7cc32f

SHA1
88e2bf83e6f282b9d96cae288eb3a61d9a22694e

SHA256
5e8e44dc9d9166dd68ddc71af62714daa4106eac603638f83bfaeb316f8bc711

SHA512
d724add4cfa1189789d06f0cf036351d4d05763716dd6cdfa0a3f952cb1b1436c3cbdab1c8800ba06f98f5bbf0b90a3e0d93de6cac0052e15b86295320ff07e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\base_library.zip

Filesize
1.4MB

MD5
2f6d57bccf7f7735acb884a980410f6a

SHA1
93a6926887a08dc09cd92864cd82b2bec7b24ec5

SHA256
1b7d326bad406e96a4c83b5a49714819467e3174ed0a74f81c9ebd96d1dd40b3

SHA512
95bcfc66dbe7b6ad324bd2dc2258a3366a3594bfc50118ab37a2a204906109e42192fb10a91172b340cc28c12640513db268c854947fb9ed8426f214ff8889b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\faker\providers\job\es_MX\__init__.py

Filesize
83B

MD5
eeaa6ca5cb7f4bb1d7e75797f9b5af37

SHA1
0ac3743facacbc2090930b41cf38bcfe2951eb37

SHA256
ce99db30f577944104a7365372ea8363cd9d0087a6e9d88f7b835a1926da336c

SHA512
b492e6fa3eb607683a6c6f5696835aeae5e4c12fd2d44346bfd954d25c0bcf5bda808c175b0b17e26a0d5daf4f91d8588de119f5b747a80b3cfe53f68bbecd7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\python311.dll

Filesize
5.5MB

MD5
5a5dd7cad8028097842b0afef45bfbcf

SHA1
e247a2e460687c607253949c52ae2801ff35dc4a

SHA256
a811c7516f531f1515d10743ae78004dd627eba0dc2d3bc0d2e033b2722043ce

SHA512
e6268e4fad2ce3ef16b68298a57498e16f0262bf3531539ad013a66f72df471569f94c6fcc48154b7c3049a3ad15cbfcbb6345dacb4f4ed7d528c74d589c9858

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54522\ucrtbase.dll

Filesize
1.1MB

MD5
28146c66076a266e93956111981cad4e

SHA1
44797bab4d3d3a8ccdb9df3a519cd3dbef838c31

SHA256
ed570898508c9d9186052157106b6dd9722bed47a27ecfeb424386c8970d81da

SHA512
078c8d6595b0afcee215a44ef9caa82f990ef2bf5dadb8fd84d83ac89839abeee1f9ce250e80b77cbbdde5d13688ed345da1f4bf22958490e645c074d2453f85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
19bee948cb23d01df51db6921aacfd78

SHA1
9380e528f45cf5ebba857d4c88834d52f89dcd42

SHA256
a053b98ecb0e50ea37b5216ebc06d9da140f65d72e5ba007b8d52a6ba96b8ea9

SHA512
28e76a9324afeb2cdda09ce9bad15406fae5c519a79c28ff01a9f908e0a3f54d4f62a4f0d68d00ede389efd11f88bb8ba3b46e28b2e2d63114050ec3601eb636

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
f4993d6d7f82c5bf9b0b1cd9da45bf24

SHA1
727eac0d9c4c61a02e239e3ff7d6d500c724a796

SHA256
d957cbe9d95577c6cca7999de28eefae2a41ea33ddb430822c4fa69b0c51d5f5

SHA512
164a3d274925da3331914cf0f2fba6c2dd9314a3bc16b3b58f53c088799ad67ef71d48b82edd361a4ad82a416d1609e0baf3f9fd48f0bea4a57c7239b44dede3

Download Submit
C:\Users\Admin\Downloads\Loader\Loader.exe

Filesize
12.1MB

MD5
be541590b256e77780bbad1e932accde

SHA1
e9bc9cab5fce4c5840c840b0296cff2bcbca41cf

SHA256
7a217c82459cd9a3d6e190410f511e1c534a6fd19d32f3c5f47baf6c02d807dc

SHA512
70c14058e21a9599892afe0054ae302d362e55d0b78ba2d7b68426dc22567d4c6288c4f446aa4fce18c811c7e12ee357c02f3a0f7581588f5bdde5efd8bbf852

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 276738.crdownload

Filesize
11.8MB

MD5
5c12c277f20d7052d238170c0379de04

SHA1
fed7a3721abbcc987506a2b8b0057ab263e69877

SHA256
a267f536dccc5a1c4bceccdf6e25d9c363539e37de1f4d4f897df85cb83b6366

SHA512
bb606621a2ace658b6e7d2dfea4dc08a1ab80ff942f26312ccc04829fb5c72c6d46a2be732ee3688a826e93d6a0a908538026023aa6ce121b606d1a06f9ac0c4

Download Submit