hxxps://filecr[.]com/windows/withdata-data-file-converter/?id=104814207000

Analysis

max time kernel
338s
max time network
343s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
08-05-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://filecr.com/windows/withdata-data-file-converter/?id=104814207000

Score

9^/10

discovery evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DataFileConverter.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DataFileConverter.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DataFileConverter.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DataFileConverter.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DataFileConverter.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DataFileConverter.exe

Executes dropped EXE 9 IoCs

pid	Process
4900	DataFileConverter_Win64_5.3.4.exe
3536	DataFileConverter_Win64_5.3.4.tmp
4108	DataFileConverter.exe
1752	DataFileConverter_Win64_5.3.4.exe
3820	DataFileConverter_Win64_5.3.4.tmp
3124	DataFileConverter_Win64_5.3.4.exe
2068	DataFileConverter_Win64_5.3.4.tmp
2156	DataFileConverter.exe
4752	DataFileConverter.exe

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x004e00000002abfc-603.dat	themida
behavioral1/memory/2156-961-0x0000000100000000-0x0000000101C61000-memory.dmp	themida
behavioral1/memory/2156-965-0x0000000100000000-0x0000000101C61000-memory.dmp	themida
behavioral1/memory/2156-966-0x0000000100000000-0x0000000101C61000-memory.dmp	themida
behavioral1/memory/2156-967-0x0000000100000000-0x0000000101C61000-memory.dmp	themida
behavioral1/memory/2156-972-0x0000000100000000-0x0000000101C61000-memory.dmp	themida
behavioral1/memory/4752-974-0x0000000100000000-0x0000000101C61000-memory.dmp	themida
behavioral1/memory/4752-975-0x0000000100000000-0x0000000101C61000-memory.dmp	themida
behavioral1/memory/4752-976-0x0000000100000000-0x0000000101C61000-memory.dmp	themida
behavioral1/memory/4752-977-0x0000000100000000-0x0000000101C61000-memory.dmp	themida
behavioral1/memory/4752-982-0x0000000100000000-0x0000000101C61000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DataFileConverter.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DataFileConverter.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2156	DataFileConverter.exe
4752	DataFileConverter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1474490143-3221292397-4168103503-1000\{7FB31D4A-7C7C-4E74-84A6-F5BE3EC3A186}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Withdata Data File Converter 5.3.4 (x64) [FileCR].zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3368	msedge.exe
3368	msedge.exe
2956	msedge.exe
2956	msedge.exe
1856	msedge.exe
1856	msedge.exe
2952	identity_helper.exe
2952	identity_helper.exe
4036	msedge.exe
4036	msedge.exe
3536	DataFileConverter_Win64_5.3.4.tmp
3536	DataFileConverter_Win64_5.3.4.tmp
5052	msedge.exe
5052	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2068	7zG.exe
Token: 35	2068	7zG.exe
Token: SeSecurityPrivilege	2068	7zG.exe
Token: SeSecurityPrivilege	2068	7zG.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2068	7zG.exe
3536	DataFileConverter_Win64_5.3.4.tmp
2956	msedge.exe
2956	msedge.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe
2956	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
480	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 3776	2956	msedge.exe	79
PID 2956 wrote to memory of 3776	2956	msedge.exe	79
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3596	2956	msedge.exe	80
PID 2956 wrote to memory of 3368	2956	msedge.exe	81
PID 2956 wrote to memory of 3368	2956	msedge.exe	81
PID 2956 wrote to memory of 1844	2956	msedge.exe	82
PID 2956 wrote to memory of 1844	2956	msedge.exe	82
PID 2956 wrote to memory of 1844	2956	msedge.exe	82
PID 2956 wrote to memory of 1844	2956	msedge.exe	82
PID 2956 wrote to memory of 1844	2956	msedge.exe	82
PID 2956 wrote to memory of 1844	2956	msedge.exe	82
PID 2956 wrote to memory of 1844	2956	msedge.exe	82
PID 2956 wrote to memory of 1844	2956	msedge.exe	82
PID 2956 wrote to memory of 1844	2956	msedge.exe	82
PID 2956 wrote to memory of 1844	2956	msedge.exe	82
PID 2956 wrote to memory of 1844	2956	msedge.exe	82
PID 2956 wrote to memory of 1844	2956	msedge.exe	82
PID 2956 wrote to memory of 1844	2956	msedge.exe	82
PID 2956 wrote to memory of 1844	2956	msedge.exe	82
PID 2956 wrote to memory of 1844	2956	msedge.exe	82
PID 2956 wrote to memory of 1844	2956	msedge.exe	82
PID 2956 wrote to memory of 1844	2956	msedge.exe	82
PID 2956 wrote to memory of 1844	2956	msedge.exe	82
PID 2956 wrote to memory of 1844	2956	msedge.exe	82
PID 2956 wrote to memory of 1844	2956	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://filecr.com/windows/withdata-data-file-converter/?id=104814207000
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff25083cb8,0x7fff25083cc8,0x7fff25083cd8
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1820 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7132 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1744 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2508 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2516 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7532 /prefetch:1
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7184 /prefetch:8
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=7332 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7992 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7368 /prefetch:8
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7964 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8276 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7856 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8288 /prefetch:1
  2⤵
  PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,18241612300474832894,16055051388323129597,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7612 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2148

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2880

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:480

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Withdata Data File Converter 5.3.4 (x64) [FileCR]\" -spe -an -ai#7zMap31542:160:7zEvent6172
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2068

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Withdata Data File Converter 5.3.4 (x64) [FileCR]\Withdata Data File Converter 5.3.4 (x64)\Readme.txt
1⤵
PID:4188

C:\Users\Admin\Downloads\Withdata Data File Converter 5.3.4 (x64) [FileCR]\Withdata Data File Converter 5.3.4 (x64)\DataFileConverter_Win64_5.3.4.exe
"C:\Users\Admin\Downloads\Withdata Data File Converter 5.3.4 (x64) [FileCR]\Withdata Data File Converter 5.3.4 (x64)\DataFileConverter_Win64_5.3.4.exe"
1⤵
- Executes dropped EXE
PID:4900
- C:\Users\Admin\AppData\Local\Temp\is-2T58C.tmp\DataFileConverter_Win64_5.3.4.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-2T58C.tmp\DataFileConverter_Win64_5.3.4.tmp" /SL5="$70308,6551497,936960,C:\Users\Admin\Downloads\Withdata Data File Converter 5.3.4 (x64) [FileCR]\Withdata Data File Converter 5.3.4 (x64)\DataFileConverter_Win64_5.3.4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:3536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.withdata.com/install_new.php?product=DataFileConverter 5.3&os_version=22000.1.amd64fre.co_release.210604-1628&arch=Win64
    3⤵
    PID:2312
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff25083cb8,0x7fff25083cc8,0x7fff25083cd8
      4⤵
      PID:8
- - C:\Users\Admin\AppData\Local\Programs\DataFileConverter\DataFileConverter.exe
    "C:\Users\Admin\AppData\Local\Programs\DataFileConverter\DataFileConverter.exe"
    3⤵
    - Executes dropped EXE
    PID:4108

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Withdata Data File Converter 5.3.4 (x64) [FileCR]\Withdata Data File Converter 5.3.4 (x64)\Readme.txt
1⤵
PID:1244

C:\Users\Admin\Downloads\Withdata Data File Converter 5.3.4 (x64) [FileCR]\Withdata Data File Converter 5.3.4 (x64)\DataFileConverter_Win64_5.3.4.exe
"C:\Users\Admin\Downloads\Withdata Data File Converter 5.3.4 (x64) [FileCR]\Withdata Data File Converter 5.3.4 (x64)\DataFileConverter_Win64_5.3.4.exe"
1⤵
- Executes dropped EXE
PID:1752
- C:\Users\Admin\AppData\Local\Temp\is-HK6O2.tmp\DataFileConverter_Win64_5.3.4.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HK6O2.tmp\DataFileConverter_Win64_5.3.4.tmp" /SL5="$A02F2,6551497,936960,C:\Users\Admin\Downloads\Withdata Data File Converter 5.3.4 (x64) [FileCR]\Withdata Data File Converter 5.3.4 (x64)\DataFileConverter_Win64_5.3.4.exe"
  2⤵
  - Executes dropped EXE
  PID:3820

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:4456

C:\Users\Admin\Downloads\Withdata Data File Converter 5.3.4 (x64) [FileCR]\Withdata Data File Converter 5.3.4 (x64)\DataFileConverter_Win64_5.3.4.exe
"C:\Users\Admin\Downloads\Withdata Data File Converter 5.3.4 (x64) [FileCR]\Withdata Data File Converter 5.3.4 (x64)\DataFileConverter_Win64_5.3.4.exe"
1⤵
- Executes dropped EXE
PID:3124
- C:\Users\Admin\AppData\Local\Temp\is-4T6DH.tmp\DataFileConverter_Win64_5.3.4.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-4T6DH.tmp\DataFileConverter_Win64_5.3.4.tmp" /SL5="$30420,6551497,936960,C:\Users\Admin\Downloads\Withdata Data File Converter 5.3.4 (x64) [FileCR]\Withdata Data File Converter 5.3.4 (x64)\DataFileConverter_Win64_5.3.4.exe"
  2⤵
  - Executes dropped EXE
  PID:2068

C:\Users\Admin\AppData\Local\Programs\DataFileConverter\DataFileConverter.exe
"C:\Users\Admin\AppData\Local\Programs\DataFileConverter\DataFileConverter.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2156

C:\Users\Admin\AppData\Local\Programs\DataFileConverter\DataFileConverter.exe
"C:\Users\Admin\AppData\Local\Programs\DataFileConverter\DataFileConverter.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DataFileConverter\conf.ini

Filesize
78B

MD5
21ed0c9b9528be07f354df297ec8006f

SHA1
b866ce0d2aa991cdaa0f34e74dda60382577fc7c

SHA256
fbaa848d30da9a5aeed69a1cb232542fb87d08b0bc4c285e05dee01f4b8d85a8

SHA512
e87f16df04e3fb7754bf164e0e13901db777ab28b082a23dc6fe0095e3902f4321bb1c057a71246e8508a3330704bfa9b1e59b452af4766bb529ad359cbcafb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ade01a8cdbbf61f66497f88012a684d1

SHA1
9ff2e8985d9a101a77c85b37c4ac9d4df2525a1f

SHA256
f49e20af78caf0d737f6dbcfc5cc32701a35eb092b3f0ab24cf339604cb049b5

SHA512
fa024bd58e63402b06503679a396b8b4b1bc67dc041d473785957f56f7d972317ec8560827c8008989d2754b90e23fc984a85ed7496f05cb4edc2d8000ae622b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d0f84c55517d34a91f12cccf1d3af583

SHA1
52bd01e6ab1037d31106f8bf6e2552617c201cea

SHA256
9a24c67c3ec89f5cf8810eba1fdefc7775044c71ed78a8eb51c8d2225ad1bc4c

SHA512
94764fe7f6d8c182beec398fa8c3a1948d706ab63121b8c9f933eef50172c506a1fd015172b7b6bac898ecbfd33e00a4a0758b1c8f2f4534794c39f076cd6171

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000034

Filesize
200KB

MD5
a484f2f3418f65b8214cbcd3e4a31057

SHA1
5c002c51b67db40f88b6895a5d5caa67608a65ce

SHA256
79cbe928773386d07f0127f256f383debed5ccea5ff230465bf46ec7c87319d6

SHA512
0be1bb8db08f6e6041a85cfee90cd36a5b595afbca34d52a125465454fc806b4bb7ae569eaf4c882922fb1b962b6060534e597791cd0ad23483be5981d9be85c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a87807f5549ab8ff446a093d80b66c0a

SHA1
13b62098518849ebf81889552950c4b3386bb131

SHA256
8eaebeb520dbb76480b2333da6037dfeb4f87d0e547263c4b25a4617e0b3f5d6

SHA512
44d1f5306d8a81d2138edc71754fd85e65b3e925f763ec559f25409a0305f06d90bb882fa9ae86000a928f379c3fe71e08e9e0d571d240a77ace75f104f6a48e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
f9c1331ce555ad792e29c41898f9ea87

SHA1
1ad59225cc8566bc8ed9e9b6ac37bf41c7099dd3

SHA256
b0c37ad045f33a471bc1047106f22e7c86f58a928e83665004a0f603a33109fc

SHA512
7c30105d3dee96b9eff73f106d040e41fec041b5912a863ef56961ca285d07e2bfcfeae34d057bf9d2a4eed10edc6f4d1deed9fc995783f1fc40921850a42541

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
5a15ede7d20e22fa207881af44063e0d

SHA1
ca7a59cc410f957f9659a32cf38eaf0e2eb2fcf7

SHA256
22ac033bc22aecae2bb487b219e749c1168fff7c2fb744b1f776461d5d56efad

SHA512
fba99aba6c061877ba4491a031fa56c71a183e2f138c73f956db3af013b76fa0cb81d724fb1c49448c60eaff86a395f74eaff8043a98cf7a0eb7007a2d6878c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
cae2da06f1550a7d566c6a348b3eaba3

SHA1
8479b0d312506531993c173d53fc857b6fa79cd9

SHA256
32a60e1fa7c23d06b17b1f4100f989960fe76d3b1a14e96d5b281a8edaaf748d

SHA512
90aeba3cb63414093703cab3e9ac4a2f07544c541726c794dd4da4aebb0e36efeeb572be65ec41279c8e3cbd3e8b6c5b67dcb0ade3a3a106a42bfb9b519bf24b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
49b3a7b24123dff91b13966d03492edd

SHA1
a7fb4865ae52f8fb5a8f4b976c51fbcda22c5c16

SHA256
5647e1cf79adc2fe59b85470a16b1ca78560f82b12e86d0dea402eee94b5da83

SHA512
e39cf1b062ad467f8548046610657347b2a5e097f78993311831f05c1e3b3589e6c36e10d9fbb98fb8dd0791ef41f369413fa00a395ab63de667687a374dfe31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cff2e9a400064b7aadd22b6e7a4049b1

SHA1
287ddd7a7693ac41c0430243c5826bdda6423386

SHA256
f0607d5c15299bb7a478ecb4de8feeb4a00f115f18e758348b3df5d830312d16

SHA512
162410b4f92a6634f7a16711ae13b1a9cb0983e051c0c30a480b49b23720a3abdabbb59c66b292694ac24d67c48445abd0035f3191e64bba75e2b768ab08bd4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
aa26652d45fe4d885c4fc9d7fbe9f1e0

SHA1
c00db0f6f4a610275db14aa092103fb2d8e24a5a

SHA256
285c519102320fd83d6a5950c2787ae46e9e0ebb56a1caf20c6eaad698c69fe4

SHA512
17cf90fcdd0f7ce5a2ada2fbbb11e5c762261bf5393b952c275494677f6c51b40a41f08a84039a37903280affa5a7c269ffe485107e0d8819539881404699f9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
72fc8aac9de3c1ed7951f9345bea6b19

SHA1
d72bc50c93dee4733f1e3a6b5fca6514c9b45618

SHA256
4eda65b266e59d7e2f587de52344b405e6bf6cd414f1ca2869326d49f07b54bc

SHA512
f0b063c76b664317d74e12025c058af3fe0f4e580ca0151e8a7a908ea2d122ef0567f31bc4fdbedd9c7830f61c0ec0dce3dec0f5b020af3ca20514ebb1709b4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2b28b69e597a9e747bb108ca757ffacc

SHA1
7099a5da604c103d87cb671e7dce920e6a020761

SHA256
f3444c23d0d306c8791d387c715f2537f84b27b0b25641fa1eadfd85bca69f44

SHA512
46a3edffd5146d6762c5ce3beead94774295cace75569a0cb8730337e73d286d80342d7a53037987d69eb9feda4e887280e6815680dd6a50ca1aa29481b578cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
06e7fe4ca9bce3cd96e28a7817587139

SHA1
582b3b175c9a046c0335dec0dd20b356ec392b5a

SHA256
113a48bb9cd6086e5a33e447943c608946d27a47375fa3c712bb57c74d1193ea

SHA512
453d7ca5e7caa648e57696fdd848047b898b59c8114a009a8e0a9fe621c58a69dca46b7a8f03f219a447654f5174ad8bdc6c741b388a6863ac3e1671ba49ccf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
9a2e8100253914f81ea0c08324e55de0

SHA1
18601e1e1b191c3cb7d873916f95b541fa9ded65

SHA256
d372044eb86c152b44a1c8708dbb32d4e908e0ad8ac7072a24f786a4888a32c2

SHA512
50121e3adef56c2ac286b8265c6ae702bf1f755e2d45f0000f3585527c0037978e298d14e6957eb6ddc7a2ec25618a62dbe224e723f3a4f43b78ddf87bd04aa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
bf863229bb2b4fcf0113e76dddbc2360

SHA1
61951b9417becaaf7addb4007d8ab0d1a0353aba

SHA256
1006be1af375f292bea53b9a1346a51334c5921a1bc09a18138b1aaf61b9ee03

SHA512
300c855695ea228d56f3ab79dcd9cd8820114b452e4508d8d45e5925238686f982c40669adba84ba63b0e8d88cceadf1314b195eca3415940285d2bd00c78790

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5914c6.TMP

Filesize
48B

MD5
14cfb1394d8a0cf8446383051a4f9467

SHA1
b168a3422616f5629b315e72b3dcd28a1d0f4294

SHA256
d25ce3f9a293eafde35b8d8c13f9f773d9682074fee685d2eb92f4b7e8577347

SHA512
e0b0e11a6e7bc05abd50771685ab4467db7e5ee924dd18347493a87917a026b3dd584e5c07acb38a197c6b199a9d2f49cc9c70a228967e82adfdc0f1a833b41f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c73a2d46c36140b7aaf54c932e932dcc

SHA1
551bd837125f68bf59812dd672650cc72b4b61c3

SHA256
f61487333e266dfc8f33902a5316b3f762433b4faf2356f6d097f2ad533219da

SHA512
2b2acac819f2b95f5c1edd63a593e34bb12ed050b10680bce59cf70941363fbd9f5d00517f59aca2565fc5cae9af92a70e59342e54b2af758b04867970ba5b04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58dd5b.TMP

Filesize
536B

MD5
9fc2cef3f6f46f72dd91a087e796f702

SHA1
35018a525dcd812691257c8f618306f485aa67aa

SHA256
bd2c19c8e17b79f268ca479a3a20f3d5c360ce7fd3081ae04996a8627e28d3ae

SHA512
16b2a98c790b5a61d18fb4bf9047e354d184966814cc1dc903ab44fb142d9afaefb8649c477436066eddc890f7b4ca39a54216da2c84d78e5101fb8755f8354a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000003

Filesize
26KB

MD5
8235f98068f731038d8520df4727c625

SHA1
6ef1e3ca36d59de490e593ec195b632e8e09565d

SHA256
98280dcf81e7ed7a29b2d383c12027481bf771aa6358012ee5ffcc8b3af21e38

SHA512
d75d4b688898ee9c9ee07f7be6e9dafd0154518ac54042270666969dd15dbc3b7c8cf92997c510f42f20a5ad8270d5324dd8f2ef91666a9d6d0450d60bacfd83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cd9c1792ed8568826194fad71425161d

SHA1
8a53575a035f0bf06dbffa370f635dee9b10d00e

SHA256
c68b89556ec752624e45fa433969e13e8f637c47ba58dad256d25515440a38d1

SHA512
f05e2d65318cfe42064c47501f815d42af52b1d43be9cc5c3799d0a238eaabe3c1e318e8b9ccbe638b6fc7f6f0304e023c50c2b193fbc9909a926cc3d8caaa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9be30cd0bb913de9ee2a6ec460cda111

SHA1
0cb0799371e63639d480cd107e503a1ecbb78cde

SHA256
f074cd101901e03097047b9d75df1015c648f86db3038951ffa822053ac1d4d0

SHA512
3e4d9eb55aafc26a1968f3ef49819191eb09db82faca402290b52072719fc8a5f347dfc12bf458ab5711d63b452f9a915260becf4689ef02876eefabe3036233

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2d5ab647def0e98ccd695b84ca1c8e5c

SHA1
229bbcdec1a072f2c21f99a8d55541af17114cdf

SHA256
3864b9080aca058a7f5d8c0d8b76a9ce0526a766e4eae860c79a499c9061c93c

SHA512
76bec06b59f2a9002d329986adb28e7ebc3bbb458d9a6f3eae25fb9cbd6a73fcea038ab1d8f83f86c03c331bdf6097de5cabcfef3b025a7178fc54e557b30990

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d2f7e74ac4b28c98b3062f0258c88a1b

SHA1
dd9e43a42473f82ed76571bc22aec93fdd98c598

SHA256
7ccdbdef6d011d8bc2187b3b9f6d8b6587afbba5659d406eece9f41e2499b18e

SHA512
dda7239a4f48951bf97e7fa023432aae2e1a6511f1797416b5a7bb799ef1fe4939a934e03e02ccb9c9cacd377265ec7394a7abaec441cef61abf10299aee0d8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
0c15c74ae49817883a585bb7009f6fff

SHA1
21279f9e1e947a17df770750714fc384ce828945

SHA256
eb17ff380dc6bda6670a79ce3bc1dce5b86b32d3d78bd7596db40d0eed82587d

SHA512
c7a79ce02e9b3bd0f4915728f180a874b92c2cf3e16dc9c8a99b05d46c0f9fd69b9a598c313e2afe21c85000c6717432101eaa71ad9d91bde3364bee7f2d79eb

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
18951ad4190ed728ba23e932e0c6e0db

SHA1
fa2d16fcbc3defd07cb8f21d8ea4793a21f261f0

SHA256
66607b009c345a8e70fc1e58ab8a13bbea0e370c8d75f16d2cce5b876a748915

SHA512
a67237089efa8615747bdc6cfe0afc977dc54cfd624a8d2e5124a441c204f1ec58ee7cfbbc105ddc2c18d4f254b9e124d71630bcdba0253d41a96890104f2fff

Download Submit
C:\Users\Admin\AppData\Local\Programs\DataFileConverter\DataFileConverter.exe

Filesize
16.6MB

MD5
6b5ce59560911550ea40d17aad4f6466

SHA1
90feb55093cb3b48d24e95134160933ec629d8eb

SHA256
d8e10c13b895635b0a6ffb08e17f32b52679eedbb6476806fb1cad791b6eb31c

SHA512
804b8f272ddf8dd547bf07a4cfd1936331ca087fdf7415312825fdf0e9e28784b9fffe6a19d80c5569c6f2ae70cdd7f6040cd449fe373a89ff4bda9bd6bede04

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2T58C.tmp\DataFileConverter_Win64_5.3.4.tmp

Filesize
3.1MB

MD5
09cecc6c5ecbf25e9bcdc67a5198f7e2

SHA1
112d90fad4e24b1fb7081436e2064611b0de7cec

SHA256
c1ffbab9d965bdb92f29d9fb7ea8696c66a1315f45e22a66012eb39797956edd

SHA512
c58f33d76300ca148af1b8a2e086df03b53f82442d060de965575bb02595afae5dedac33555ac554cef7c6c27ca76b24c829f578d5a4f6bef742aaea5d52034c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 733981.crdownload

Filesize
15.7MB

MD5
6c16dcf8e448127982097644763b2df0

SHA1
95007036f0ecc2bd7b7ff201f6195e83fba310ac

SHA256
c8acf27b1b59dad2efd96d0fc3978c5dde61ba995a132b351004eedc65bab157

SHA512
2c5a02900717a19b3c6ea7ba320a8daae9ad05aff59f12ca6f51175d46c2b41dd366f0c69d229ed2ffe06b02392f38da9085d0c9f2e3175c28ac1e100cfd1031

Download Submit
C:\Users\Admin\Downloads\Withdata Data File Converter 5.3.4 (x64) [FileCR].zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Withdata Data File Converter 5.3.4 (x64) [FileCR]\Withdata Data File Converter 5.3.4 (x64)\DataFileConverter_Win64_5.3.4.exe

Filesize
7.1MB

MD5
f8edae434edfe8f62efb4e58816e4202

SHA1
cf7e64ae0fa60b53816fadd2d1e0de4c0272fbfb

SHA256
b22fb7eef4279e7f758a6c7be363142f6ec5062044bfc4e6df511f94c7b14522

SHA512
0ea50253756b7e8c5666884aadf96422ca379dc274435cab9436d5df660d1d612f6bc3802ac3d808070f9d078c83ce30f4fd0fc6dc48ce6c59a20dbba168739b

Download Submit
C:\Users\Admin\Downloads\Withdata Data File Converter 5.3.4 (x64) [FileCR]\Withdata Data File Converter 5.3.4 (x64)\Readme.txt

Filesize
75B

MD5
f121d37ad9ab85bf7174771d61702362

SHA1
ca2e82f667e5d3bf7fea0c6a1d80371ad30df5a7

SHA256
410d442472de0b39328fd30be0b770947ecf2cc38e7bb01f231c8685079b0ed7

SHA512
aee37c1f6f5748da59cc8a6d5336c71ed81ed856be3c4cabb54e37eba7d757a753de2c9155c8f5a53d0462c9c3b2ffa955775902f87341e6e6cf3fd449d3ae04

Download Submit
C:\Users\Admin\Downloads\Withdata Data File Converter 5.3.4 (x64) [FileCR]\Withdata Data File Converter 5.3.4 (x64)\crack\DataFileConverter.exe

Filesize
9.4MB

MD5
d7e5a8d2810e5bf41747899499becb2e

SHA1
7d79e8ad2d85d2a9542d2f1229ac484879ed3bce

SHA256
9a31d1f28b02aab70e05c5dfe264ea0e9c282728a38a58143e57428070e36ff9

SHA512
3221b7e1bb0178a466f48d9295b6c0f7179f2da2850624276e97f62c0952df331f2ca51da9f40327917e2166a0809911de9f198186c7a01e43085294af4602cf

Download Submit
memory/1752-831-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1752-819-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2068-879-0x0000000000400000-0x000000000072D000-memory.dmp

Filesize
3.2MB

Download
memory/2156-967-0x0000000100000000-0x0000000101C61000-memory.dmp

Filesize
28.4MB

Download
memory/2156-972-0x0000000100000000-0x0000000101C61000-memory.dmp

Filesize
28.4MB

Download
memory/2156-961-0x0000000100000000-0x0000000101C61000-memory.dmp

Filesize
28.4MB

Download
memory/2156-965-0x0000000100000000-0x0000000101C61000-memory.dmp

Filesize
28.4MB

Download
memory/2156-966-0x0000000100000000-0x0000000101C61000-memory.dmp

Filesize
28.4MB

Download
memory/3124-866-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/3124-881-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/3536-375-0x0000000000400000-0x000000000072D000-memory.dmp

Filesize
3.2MB

Download
memory/3536-780-0x0000000000400000-0x000000000072D000-memory.dmp

Filesize
3.2MB

Download
memory/3820-829-0x0000000000400000-0x000000000072D000-memory.dmp

Filesize
3.2MB

Download
memory/4752-974-0x0000000100000000-0x0000000101C61000-memory.dmp

Filesize
28.4MB

Download
memory/4752-975-0x0000000100000000-0x0000000101C61000-memory.dmp

Filesize
28.4MB

Download
memory/4752-976-0x0000000100000000-0x0000000101C61000-memory.dmp

Filesize
28.4MB

Download
memory/4752-977-0x0000000100000000-0x0000000101C61000-memory.dmp

Filesize
28.4MB

Download
memory/4752-982-0x0000000100000000-0x0000000101C61000-memory.dmp

Filesize
28.4MB

Download
memory/4900-374-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/4900-319-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/4900-781-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download