privateloader | hxxps://gofile[.]io/d/G8bbmP

Analysis

max time kernel
161s
max time network
162s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
07-01-2025 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/G8bbmP

Score

10^/10

privateloader risepro discovery evasion loader persistence privilege_escalation stealer

Malware Config

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Privateloader family
privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Risepro family
risepro

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5564	netsh.exe
5572	netsh.exe
2408	netsh.exe
3896	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
4980	RisePro_Server.exe
900	GoogleRestore.exe
2992	GoogleRestore.exe
5964	node.exe

Loads dropped DLL 50 IoCs

pid	Process
4980	RisePro_Server.exe
4980	RisePro_Server.exe
4980	RisePro_Server.exe
4980	RisePro_Server.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe
2992	GoogleRestore.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4980	RisePro_Server.exe
4980	RisePro_Server.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\debug.log	chrome.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RisePro_Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
5776	chrome.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133807332967425385"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c0031000000000057593179110050524f4752417e310000740009000400efbec5525961575931792e0000003f0000000000010000000000000000004a0000000000aba64e00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Key created	\Registry\User\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\NotificationData	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Applications\7zFM.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\""	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Applications\7zFM.exe\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5000310000000000575997731000372d5a6970003c0009000400efbe57599773575997732e000000f09e02000000040000000000000000000000000000009a43c10037002d005a0069007000000014000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Applications\7zFM.exe\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Applications\7zFM.exe	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Applications\7zFM.exe\shell\open	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Applications	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Win32.RisePro.b.7z:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
5568	NOTEPAD.EXE
4436	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4712	WINWORD.EXE
4712	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2100	msedge.exe
2100	msedge.exe
4848	msedge.exe
4848	msedge.exe
2228	msedge.exe
2228	msedge.exe
1912	identity_helper.exe
1912	identity_helper.exe
2660	msedge.exe
2660	msedge.exe
4980	RisePro_Server.exe
4980	RisePro_Server.exe
872	chrome.exe
872	chrome.exe
5128	msedge.exe
5128	msedge.exe
5128	msedge.exe
5128	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2008	OpenWith.exe
804	OpenWith.exe
2980	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2784	7zFM.exe
Token: 35	2784	7zFM.exe
Token: SeRestorePrivilege	2980	7zFM.exe
Token: 35	2980	7zFM.exe
Token: SeSecurityPrivilege	2980	7zFM.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
2784	7zFM.exe
2980	7zFM.exe
2980	7zFM.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
2008	OpenWith.exe
2008	OpenWith.exe
2008	OpenWith.exe
2008	OpenWith.exe
2008	OpenWith.exe
2008	OpenWith.exe
2008	OpenWith.exe
2008	OpenWith.exe
2008	OpenWith.exe
2008	OpenWith.exe
2008	OpenWith.exe
2008	OpenWith.exe
2008	OpenWith.exe
2008	OpenWith.exe
2008	OpenWith.exe
2008	OpenWith.exe
804	OpenWith.exe
804	OpenWith.exe
804	OpenWith.exe
804	OpenWith.exe
804	OpenWith.exe
804	OpenWith.exe
804	OpenWith.exe
4712	WINWORD.EXE
4712	WINWORD.EXE
4712	WINWORD.EXE
4712	WINWORD.EXE
4712	WINWORD.EXE
4712	WINWORD.EXE
4712	WINWORD.EXE
4712	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 4376	4848	msedge.exe	77
PID 4848 wrote to memory of 4376	4848	msedge.exe	77
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 4584	4848	msedge.exe	78
PID 4848 wrote to memory of 2100	4848	msedge.exe	79
PID 4848 wrote to memory of 2100	4848	msedge.exe	79
PID 4848 wrote to memory of 4284	4848	msedge.exe	80
PID 4848 wrote to memory of 4284	4848	msedge.exe	80
PID 4848 wrote to memory of 4284	4848	msedge.exe	80
PID 4848 wrote to memory of 4284	4848	msedge.exe	80
PID 4848 wrote to memory of 4284	4848	msedge.exe	80
PID 4848 wrote to memory of 4284	4848	msedge.exe	80
PID 4848 wrote to memory of 4284	4848	msedge.exe	80
PID 4848 wrote to memory of 4284	4848	msedge.exe	80
PID 4848 wrote to memory of 4284	4848	msedge.exe	80
PID 4848 wrote to memory of 4284	4848	msedge.exe	80
PID 4848 wrote to memory of 4284	4848	msedge.exe	80
PID 4848 wrote to memory of 4284	4848	msedge.exe	80
PID 4848 wrote to memory of 4284	4848	msedge.exe	80
PID 4848 wrote to memory of 4284	4848	msedge.exe	80
PID 4848 wrote to memory of 4284	4848	msedge.exe	80
PID 4848 wrote to memory of 4284	4848	msedge.exe	80
PID 4848 wrote to memory of 4284	4848	msedge.exe	80
PID 4848 wrote to memory of 4284	4848	msedge.exe	80
PID 4848 wrote to memory of 4284	4848	msedge.exe	80
PID 4848 wrote to memory of 4284	4848	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/G8bbmP
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff79e03cb8,0x7fff79e03cc8,0x7fff79e03cd8
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,18249890762128409122,13410920324116881069,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1976 /prefetch:2
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,18249890762128409122,13410920324116881069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,18249890762128409122,13410920324116881069,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,18249890762128409122,13410920324116881069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,18249890762128409122,13410920324116881069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,18249890762128409122,13410920324116881069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,18249890762128409122,13410920324116881069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,18249890762128409122,13410920324116881069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,18249890762128409122,13410920324116881069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,18249890762128409122,13410920324116881069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6304 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,18249890762128409122,13410920324116881069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,18249890762128409122,13410920324116881069,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
  2⤵
  PID:424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1936,18249890762128409122,13410920324116881069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,18249890762128409122,13410920324116881069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,18249890762128409122,13410920324116881069,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,18249890762128409122,13410920324116881069,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1196 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3528

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2008
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Win32.RisePro.b.7z"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2784

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2316

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:804
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Win32.RisePro.b.7z"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2980

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\Win32.RisePro.b\[ENG] FAQ.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4712

C:\Users\Admin\Desktop\Win32.RisePro.b\Panel\RisePro_Server.exe
"C:\Users\Admin\Desktop\Win32.RisePro.b\Panel\RisePro_Server.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1788
- C:\Users\Admin\Desktop\Win32.RisePro.b\Panel\tmp\GoogleRestore.exe
  .\tmp\GoogleRestore.exe
  2⤵
  - Executes dropped EXE
  PID:900
- - C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\GoogleRestore.exe
    .\tmp\GoogleRestore.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\playwright\driver\playwright.cmd run-driver
      4⤵
      PID:5716
    - - C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\playwright\driver\node.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\playwright\driver\node.exe" "C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\playwright\driver\package\lib\cli\cli.js" run-driver
        5⤵
        Executes dropped EXE
        
        PID:5964
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-field-trial-config --disable-background-networking --enable-features=NetworkService,NetworkServiceInProcess --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=ImprovedCookieControls,LazyFrameLoading,GlobalMediaControls,DestroyProfileOnBrowserClose,MediaRouter,DialMediaRouteProvider,AcceptCHFrame,AutoExpandDetailsElement,CertificateTransparencyComponentUpdater,AvoidUnnecessaryBeforeUnloadCheckSync,Translate,HttpsUpgrades --allow-pre-commit-input --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --force-color-profile=srgb --metrics-recording-only --no-first-run --enable-automation --password-store=basic --use-mock-keychain --no-service-autorun --export-tagged-pdf --disable-search-engine-choice-screen --headless --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --user-data-dir=C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Chromium --remote-debugging-pipe about:blank
        6⤵
        Drops file in Windows directory
        System Time Discovery
        
        PID:5776
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Chromium /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Chromium\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Chromium --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff5cc5cc40,0x7fff5cc5cc4c,0x7fff5cc5cc58
        7⤵
        
        PID:5948
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --disable-breakpad --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --field-trial-handle=1448,i,3852285652493565953,14709546190092821044,262144 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=AcceptCHFrame,AutoExpandDetailsElement,AvoidUnnecessaryBeforeUnloadCheckSync,CertificateTransparencyComponentUpdater,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,ImprovedCookieControls,LazyFrameLoading,MediaRouter,PaintHolding,Translate --variations-seed-version --mojo-platform-channel-handle=1432 /prefetch:2
        7⤵
        
        PID:6136
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --headless --field-trial-handle=1704,i,3852285652493565953,14709546190092821044,262144 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=AcceptCHFrame,AutoExpandDetailsElement,AvoidUnnecessaryBeforeUnloadCheckSync,CertificateTransparencyComponentUpdater,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,ImprovedCookieControls,LazyFrameLoading,MediaRouter,PaintHolding,Translate --variations-seed-version --mojo-platform-channel-handle=1700 /prefetch:3
        7⤵
        
        PID:6016
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --no-sandbox --disable-back-forward-cache --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-pipe --allow-pre-commit-input --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=1716,i,3852285652493565953,14709546190092821044,262144 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=AcceptCHFrame,AutoExpandDetailsElement,AvoidUnnecessaryBeforeUnloadCheckSync,CertificateTransparencyComponentUpdater,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,ImprovedCookieControls,LazyFrameLoading,MediaRouter,PaintHolding,Translate --variations-seed-version --mojo-platform-channel-handle=1640 /prefetch:1
        7⤵
        Drops file in Program Files directory
        
        PID:6004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall show rule name="RisePro External - 50500" > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3016
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall show rule name="RisePro External - 50500"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall show rule name="RisePro External - 1080" > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3972
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall show rule name="RisePro External - 1080"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="RisePro External - 50500" dir=in action=allow protocol=TCP localport=50500
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5500
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="RisePro External - 50500" dir=in action=allow protocol=TCP localport=50500
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="RisePro External - 1080" dir=in action=allow protocol=TCP localport=1080
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5532
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="RisePro External - 1080" dir=in action=allow protocol=TCP localport=1080
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5572

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Win32.RisePro.b\[RUS] Readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff5cc5cc40,0x7fff5cc5cc4c,0x7fff5cc5cc58
  2⤵
  PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1800,i,4805227435663432089,7012761111726719717,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1796 /prefetch:2
  2⤵
  PID:5588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2040,i,4805227435663432089,7012761111726719717,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:5636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,4805227435663432089,7012761111726719717,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2160 /prefetch:8
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,4805227435663432089,7012761111726719717,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,4805227435663432089,7012761111726719717,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:6048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4440,i,4805227435663432089,7012761111726719717,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3080 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3124,i,4805227435663432089,7012761111726719717,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3200,i,4805227435663432089,7012761111726719717,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3192 /prefetch:8
  2⤵
  PID:5752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3780,i,4805227435663432089,7012761111726719717,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3204 /prefetch:8
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4836,i,4805227435663432089,7012761111726719717,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3196 /prefetch:8
  2⤵
  PID:1308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3208,i,4805227435663432089,7012761111726719717,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,4805227435663432089,7012761111726719717,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3416 /prefetch:8
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3268,i,4805227435663432089,7012761111726719717,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3220 /prefetch:8
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4920,i,4805227435663432089,7012761111726719717,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4760 /prefetch:2
  2⤵
  PID:6128

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5472

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Win32.RisePro.b\[ENG] Readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
55b0f47ae2cdb787f8ecde9a24540f06

SHA1
0689aec324771fc8aa333e06ba3ad343d4f92f15

SHA256
79d78265948dca52aa83a2ab2088c1d1f779863f64b9a6790924536463683693

SHA512
4fde219ce7096a38855f08ba5e65e5407f20ad795629294d3f433561e13c66bb6834c93ebc3ee941d17afe56a54df7b61e8bb9f9730f3563aaaf4c95b98a69f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
be9a449da6d1995860210f3e334ab12c

SHA1
876a46628f6c9d944c3de9d18ff007b6e4bcc705

SHA256
47b91d605ab1e8ee1587f6eb4de7b11c21b05251b8f92816e4ee9a10d5c2c56b

SHA512
7c838e961b2832d030a9ad25e19a2db775e264d9269ea2fa29499ae24f2e43cbc95acf2a84fd0c8b27224921b3c1fdb041402935074a6a2f5604b380b3798666

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9a481d1bb6e91e24046e1e557ef69d88

SHA1
35279bb6525087f26d5935d4182d25a6f3450e40

SHA256
2b23853f3195acc01c3055a01612d15af4544d2963f4d1873fecf3acd5788bf5

SHA512
4f253b6d831f42339f2ee1faa9fca7c9f971daea1d0ede0a549e66b8db9b5d1e78bc35896cafe1d66d084fda6aebb365fef20fb177eae44a557119ebf3536392

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
7c4797dca933bd1ff2ce43ce4a440329

SHA1
b56cff9835020a118dcd5b1ed439d89f05d1d3b3

SHA256
135aa016fcc08a5e1ad22597d6335260236653bb216b181c5d6685263f4bcbe3

SHA512
76f046ddd1f20995268985c1b97d971ed445d4d2a298fa00ef02e616450b6a56f99672b2bd308581c129dbd247986fbbbe0a5613800ed58ed98935a3da083405

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
c74aa7bc7646193fdafb1c58815c86ae

SHA1
86f348c1dfa26543131baedd5a5c9721bf81a560

SHA256
eb7966dd6c763b3a33136a79133d60fd8bf8367daa91edf48b37882ccfa68bc3

SHA512
48d7376959c547a41c80b1603650a9492cdd14f8eb6b330e0efc517f4003669f3e63565e524716f12c8c5e120879766df4192b58b568a6179e283be3282336d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8224ef1bda3753b0e735199e238f614a

SHA1
3b472c8d6d67e6c577498925dbd4d907110205d0

SHA256
671cbd12ca2e988cb80d7b47a204bce2c0ba5a1ba0d17a614e4947874abbb3fe

SHA512
cd4da2b97587ba6cda8c6050bffe64d1328b6092fc026237245153e3fff80200a53db41a05d572a432e9a06641fa531442da91e2708eb6edc4d3f10539a47a17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8fa97ce0bfd7d71265081648b5083f67

SHA1
b5b176de9c399df61550aadc9eaeb96224ff886e

SHA256
1f9885bbf587650fcc494a3b854cdb2f740e41f179cb850375f3d0c607778ba1

SHA512
ddd41c2cd05afdd8f16b6b1490d9f1beb855a56481cefd5b8bfa9c1bf7e7f7fb4f7d1f29f1f80762783a28cc3e293cc5bbf35c782acc367eee08aea0db500aad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
46f3f2c60cd979ac6319d534d38ee12c

SHA1
98dffd40f636fb334ff051c2df410f9566421952

SHA256
dd42e642cb2afb363e7bdec2f074ad80b275af44980d98ba4029ad6301e1b88d

SHA512
f86ca99ae70c6eef19e93819a3dff7b84c546e01c1fad70440087e990a1bc866221904cb682686a0238643b53c9a3fae22f7e8d370d9bdbaa49d09913130b6d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
32c658aec51ab31f043d081135e13ba4

SHA1
74176365221f46b864d83092d59e03849c7cc8d4

SHA256
4e4411eae7fafab9abf91c422a08232aba4a57109fe8433a7eb5e46996a0f9fd

SHA512
99d76b93a4e8934bcc4f90b5d7753d52e3a4214c5e061834b3615e2b0ecc1fa63f309335b64d2e60de91b5523cb66b495f4299ecd60cc1d616f668ae7cea0026

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
dfaebf16a55326e3b6c6b92f51124808

SHA1
8b986927b5449178c997e29e039bc9375ced12a8

SHA256
4af009ed0308fe2e121ee66f432f7265dfb85384fcd3bab2b7eccdfdd66c7929

SHA512
ccaeeba5f5d668a86314933de2cd0124f523376ae3ebdb4bcbab1f1e5f23bec007c84a1ac84075a37cdf47297835d4b0f378f4ea72aaf1e8f38de5ae5aa9f8b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
6acc86f763bce594e65f654fb0fe095e

SHA1
c2d319ff4a6c371606fa0729280eac7fe8ee2066

SHA256
6cc3e7545be1891773a973a1200ae675561b46d21e3ca862cac5c9b85293f83b

SHA512
075a77d28dfee7fa5535a8025a975b601334fa777deb2d421aa9b32eca801cfe184de1bf8d32c0bf924b3ad7160a45d04ffc70cb52b089fb3accd7bf1b20b53d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5431d6602455a6db6e087223dd47f600

SHA1
27255756dfecd4e0afe4f1185e7708a3d07dea6e

SHA256
7502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763

SHA512
868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7bed1eca5620a49f52232fd55246d09a

SHA1
e429d9d401099a1917a6fb31ab2cf65fcee22030

SHA256
49c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e

SHA512
afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
459631d56168050c608ff0bf80a62d08

SHA1
f3719b1e6ea987a26ab49f31f7ac130640987a99

SHA256
58dc4aa186ea04b9e4441677cd6f7fed1977dfdd836a0c9bbb4898ff79a91d55

SHA512
b2b4d2e25d202e2f3a6d566c36c1aab9f95be509b120d1792aeb757f014351c24fac68e1f24df69b2842fd9eb98931c04b6c11411a9b494468f58c9bec212fd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
f228cb093f1dcfadd7c599e668ccac30

SHA1
0897ece1f7c86dbfdd5b072e640219d5ca4d4853

SHA256
2b451f55152846c044ef6fa0f5889940692c56fb12dc950ca97a493d4a23f55c

SHA512
819e6a00273274f5b265869e64d51f4e7b0d5bdd3cd5bd39b2fdbb58108c9ef1e712d2bab17f9cac7d6101c49e9ec9d090ba64634887b43ba0f5cc5e14ab34b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bb91d3c368ea1e8aa55a73b728fd2794

SHA1
c240b111b26553116cb00d95ea224296118ac3c9

SHA256
9f4afa28cc0140c9b7ad65d69f08dfdeb78135a2b177a6d76bb2ef71907ee1f1

SHA512
26ac4b92e5606ffaf98ed94334bf2eb0b516e69dad7050995308602738ac315b201873f59c00665a0517b6581f208819ba49411e24c839d1752419204dc42576

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
39f6c8ac02d724be6cd244bc1ff15481

SHA1
3dcc187f73e4da5b24101676aebac50dee8c97a7

SHA256
2ef88c670c2781ca28dcd251491575bfa7c3fd120b52a79335f7320d658d6174

SHA512
8b8dc4caef0aaefa6428805b9b10dd4bb8a5cb3d39bbacba41d0e51fc19475fb1ae08f5e2745222d84ab7005f7fad04f5bdf39c51576276fc205c8746f30ebe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fd17dc3d570c6c19db54cce8f5e5a610

SHA1
9ea5fa89dcbc5b3b6e6fda796286aff7e729f4c9

SHA256
24f59bd49b129e96ef5b91a2b80518779fd51878e58237274c5a13ddcbc98b13

SHA512
05d7008a87a8c8aa7d58827d137aa3fa7f4dcd95c74701d080036c7d6ce3d9917e9bef1b72d21d981efe2a2a8d3ea74d68e5e31798bb291a62cfe0ef9cc0a890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2868ea78602496d3c3d9f444021a2539

SHA1
90b8324c58fd7bc121dd21d1ba25d8365c7b5589

SHA256
4de0e8faf447d704d02c83c95278c34862267b9609bb90a4cf31eb83da46cc03

SHA512
5e9339a66c4e213249e5b58a19367198a5b276ef423ef6830d42e243e56c9f9a3773cf7b5013f8bec9377f4402f521963571a7af1a2d26364bb1db1884320a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b0967f78ddbb83d0d1334c93b22da5de

SHA1
61c990513bb45405e103061213a289c5934c03cc

SHA256
6490e000d9f94edd1eedd04bab2e18e8cbd13c69a333e9dd54ebe34f09c6b098

SHA512
026d2e8bdc59aab84e98fb106e5ed47417084fb6dcb0cd813aa07819c4c1035ee9a15f5f889cfd5a254c13b73813c481a600878c82585cb8781025823feaa356

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5431bfb1728d9f051c63f09a4658bcfe

SHA1
2e2d554c3e0d02134cc28687968c57098f8bf1f0

SHA256
4924df10bcc64661ede0366a44fa7df78e5cb773c1de1ee53646a37afcb48509

SHA512
3eca9948731e20b1f21b67943309dc5ab9638f8f3799c1b93805ad7e7ef183fa3c69cb56c50a9f7e73cffe5cdbf45a7f8261943207efa4f43292ef11c4696e58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
bbc122fa000785a01803f27f57d81503

SHA1
004dde37f6b3b8685aab6118a02e182485e8ab71

SHA256
302ba8f47be6f867e09a9073979c8467ba9f853efc6a779841e5e2966d6f8ed1

SHA512
2049fa2725e4b9c2720f8c6eda1fdb17eb870e5a9baf90959e6e871ce7dbb2b8c0932bce8273513b9894b0abd28a492af4e36e1e5a0e32a08970a70a6d9aa56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\97ab73f0-7c9f-4a13-bff1-5a68ae59455a.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Chromium\Default\DawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Chromium\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Chromium\Default\DawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Chromium\Default\DawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Chromium\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_queue.pyd

Filesize
31KB

MD5
e0cc8c12f0b289ea87c436403bc357c1

SHA1
e342a4a600ef9358b3072041e66f66096fae4da4

SHA256
9517689d7d97816dee9e6c01ffd35844a3af6cde3ff98f3a709d52157b1abe03

SHA512
4d93f23db10e8640cd33e860241e7ea6a533daf64c36c4184844e6cca7b9f4bd41db007164a549e30f5aa9f983345318ff02d72815d51271f38c2e8750df4d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_sqlite3.pyd

Filesize
117KB

MD5
562fecc2467778f1179d36af8554849f

SHA1
097c28814722c651f5af59967427f4beb64bf2d1

SHA256
88b541d570afa0542135cc33e891650346997d5c99ae170ef724fa46c87d545a

SHA512
e106ccdd100d0ce42e909d9a21b1ad3b12aee8350033f249ed4c69b195b00adaf441aa199d9885c9d16488db963c751746ce98786246d96568bade4c707d362a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\orjson\orjson.pyd

Filesize
222KB

MD5
99c8f7860edb42728f208c87e22188e5

SHA1
be90fa5b7e0987403cce4492b51b4dd4cffe5221

SHA256
c7aa4f83c1ef47326c3353dcdce3eb5bcc320f1e519b9aa4f0d36d36fcaad07c

SHA512
986e94c8b2ab0467b60f2695fdea5af310e71aadfcf421a326e5e9a9f7669942cabd37ca23a220502833cd791a59ccc8c06c9c56916e4253da6b25f79183955c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD8F0A.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\GoogleRestore.exe

Filesize
42.0MB

MD5
e87468059f0dbf9db59dc5e4383a00f5

SHA1
4ef6b9ee98070a0893f68d824f5b125bd0c97b53

SHA256
f66a3a553aad6ae0f90179837a98f55a5a9fb0f21c102d0a054deb1de747b392

SHA512
d5f0a359e975e1a7dbea1b742a5e6f599bf83ba7d97775be97f55629ca48b67e091f1f79a9e3dcce4f1dbfa2ff7ea37e81ce8939cceb72b0160b67957f9d7de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\_asyncio.pyd

Filesize
63KB

MD5
42b1b82a77f4179b66262475ba5a8332

SHA1
9f6c979e2c59e27cc1e7494fc1cc1b0536aa3c22

SHA256
8ec1af6be27a49e3dc70075d0b5ef9255fad52cbbdab6a5072080085b4e45e89

SHA512
2ee9fc9079714cb2ae2226c87c9c790b6f52b110667dbe0f1677eedb27335949b41df200daf7f67aa5c90db63e369b4904aac986c040706f8a3f542c44daf1d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\_bz2.pyd

Filesize
82KB

MD5
a8a37ba5e81d967433809bf14d34e81d

SHA1
e4d9265449950b5c5a665e8163f7dda2badd5c41

SHA256
50e21ce62f8d9bab92f6a7e9b39a86406c32d2df18408bb52ffb3d245c644c7b

SHA512
b50f4334acb54a6fba776fc77ca07de4940810da4378468b3ca6f35d69c45121ff17e1f9c236752686d2e269bd0b7bce31d16506d3896b9328671049857ed979

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\_lzma.pyd

Filesize
155KB

MD5
bc07d7ac5fdc92db1e23395fde3420f2

SHA1
e89479381beeba40992d8eb306850977d3b95806

SHA256
ab822f7e846d4388b6f435d788a028942096ba1344297e0b7005c9d50814981b

SHA512
b6105333bb15e65afea3cf976b3c2a8a4c0ebb09ce9a7898a94c41669e666ccfa7dc14106992502abf62f1deb057e926e1fd3368f2a2817bbf6845eada80803d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\_overlapped.pyd

Filesize
49KB

MD5
8b3d764024c447853b2f362a4e06cfc6

SHA1
a8fd99268cea18647bfa6592180186731bff6051

SHA256
ca131fc4a8c77daff8cff1b7e743b564745f6d2b4f9bb371b1286eb383c0692e

SHA512
720d58c3db8febd66e3bc372b7b0a409185e9722402ee49e038ade2141a70ec209b79cde7c4d67a90e5b3b35ed545b3400c8dbe73124299a266be2b036934e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\_socket.pyd

Filesize
77KB

MD5
290dbf92268aebde8b9507b157bef602

SHA1
bea7221d7abbbc48840b46a19049217b27d3d13a

SHA256
e05c5342d55cb452e88e041061faba492d6dd9268a7f67614a8143540aca2bfe

SHA512
9ae02b75e722a736b2d76cec9c456d20f341327f55245fa6c5f78200be47cc5885cb73dc3e42e302c6f251922ba7b997c6d032b12a4a988f39bc03719f21d1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\_ssl.pyd

Filesize
157KB

MD5
0a7eb5d67b14b983a38f82909472f380

SHA1
596f94c4659a055d8c629bc21a719ce441d8b924

SHA256
3bac94d8713a143095ef8e2f5d2b4a3765ebc530c8ca051080d415198cecf380

SHA512
3b78fd4c03ee1b670e46822a7646e668fbaf1ef0f2d4cd53ccfcc4abc2399fcc74822f94e60af13b3cdcb522783c008096b0b265dc9588000b7a46c0ed5973e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\_uuid.pyd

Filesize
24KB

MD5
a16b1acfdaadc7bb4f6ddf17659a8d12

SHA1
482982d623d88627c447f96703e4d166f9e51db4

SHA256
8af17a746533844b0f1b8f15f612e1cf0df76ac8f073388e80cfc60759e94de0

SHA512
03d65f37efc6aba325109b5a982be71380210d41dbf8c068d6a994228888d805adac1264851cc6f378e61c3aff1485cc6c059e83218b239397eda0cec87bd533

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\_zoneinfo.pyd

Filesize
43KB

MD5
f7679dc17a0b3d87c531003d5c87b8af

SHA1
b9a54caa6250bd75bbac0e677c573bebf53703bc

SHA256
91859a46309e7abf3ea21270e299a46d3dcc50ccd49989258abb2bcaf20c3d51

SHA512
2b1749b7c8537317291bf069de1ae309d4dd5023c0d21b4f6c799d89befebcea792ff271c7020b05de0d2666c23ff9e0350805c96b0dcb53f257b4ce2c426e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\libcrypto-1_1.dll

Filesize
3.3MB

MD5
80b72c24c74d59ae32ba2b0ea5e7dad2

SHA1
75f892e361619e51578b312605201571bfb67ff8

SHA256
eb975c94e5f4292edd9a8207e356fe4ea0c66e802c1e9305323d37185f85ad6d

SHA512
08014ee480b5646362c433b82393160edf9602e4654e12cd9b6d3c24e98c56b46add9bf447c2301a2b2e782f49c444cb8e37ee544f38330c944c87397bdd152a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\libssl-1_1.dll

Filesize
686KB

MD5
86f2d9cc8cc54bbb005b15cabf715e5d

SHA1
396833cba6802cb83367f6313c6e3c67521c51ad

SHA256
d98dd943517963fd0e790fde00965822aa4e4a48e8a479afad74abf14a300771

SHA512
0013d487173b42e669a13752dc8a85b838c93524f976864d16ec0d9d7070d981d129577eda497d4fcf66fc6087366bd320cff92ead92ab79cfcaa946489ac6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\python311.dll

Filesize
5.5MB

MD5
1fe47c83669491bf38a949253d7d960f

SHA1
de5cc181c0e26cbcb31309fe00d9f2f5264d2b25

SHA256
0a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae

SHA512
05cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\select.pyd

Filesize
29KB

MD5
4ac28414a1d101e94198ae0ac3bd1eb8

SHA1
718fbf58ab92a2be2efdb84d26e4d37eb50ef825

SHA256
b5d4d5b6da675376bd3b2824d9cda957b55fe3d8596d5675381922ef0e64a0f5

SHA512
2ac15e6a178c69115065be9d52c60f8ad63c2a8749af0b43634fc56c20220afb9d2e71ebed76305d7b0dcf86895ed5cdfb7d744c3be49122286b63b5ebce20c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\sqlite3.dll

Filesize
1.4MB

MD5
a98bb13828f662c599f2721ca4116480

SHA1
ea993a7ae76688d6d384a0d21605ef7fb70625ee

SHA256
6217e0d1334439f1ee9e1093777e9aa2e2b0925a3f8596d22a16f3f155262bf7

SHA512
5f1d8c2f52cc976287ab9d952a46f1772c6cf1f2df734e10bbe30ce312f5076ef558df84dce662a108a146a63f7c6b0b5dc7230f96fa7241947645207a6420f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Africa\Banjul

Filesize
130B

MD5
796a57137d718e4fa3db8ef611f18e61

SHA1
23f0868c618aee82234605f5a0002356042e9349

SHA256
f3e7fcaa0e9840ff4169d3567d8fb5926644848f4963d7acf92320843c5d486e

SHA512
64a8de7d9e2e612a6e9438f2de598b11fecc5252052d92278c96dd6019abe7465e11c995e009dfbc76362080217e9df9091114bdbd1431828842348390cb997b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Africa\Djibouti

Filesize
191B

MD5
fe54394a3dcf951bad3c293980109dd2

SHA1
4650b524081009959e8487ed97c07a331c13fd2d

SHA256
0783854f52c33ada6b6d2a5d867662f0ae8e15238d2fce7b9ada4f4d319eb466

SHA512
fe4cf1dd66ae0739f1051be91d729efebde5459967bbe41adbdd3330d84d167a7f8db6d4974225cb75e3b2d207480dfb3862f2b1dda717f33b9c11d33dcac418

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Africa\Kigali

Filesize
131B

MD5
a87061b72790e27d9f155644521d8cce

SHA1
78de9718a513568db02a07447958b30ed9bae879

SHA256
fd4a97368230a89676c987779510a9920fe8d911fa065481536d1048cd0f529e

SHA512
3f071fd343d4e0f5678859c4f7f48c292f8b9a3d62d1075938c160142defd4f0423d8f031c95c48119ac71f160c9b6a02975841d49422b61b542418b8a63e441

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Africa\Lagos

Filesize
180B

MD5
89de77d185e9a76612bd5f9fb043a9c2

SHA1
0c58600cb28c94c8642dedb01ac1c3ce84ee9acf

SHA256
e5ef1288571cc56c5276ca966e1c8a675c6747726d758ecafe7effce6eca7be4

SHA512
e2fb974fa770639d56edc5f267306be7ee9b00b9b214a06739c0dad0403903d8432e1c7b9d4322a8c9c31bd1faa8083e262f9d851c29562883ca3933e01d018c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Africa\Maseru

Filesize
190B

MD5
a46a56e63a69fd5c5373a33203250d39

SHA1
da4256239fbc544037f0d198cd407e6a202d1925

SHA256
d19aebe2435c4e84bf7ae65533d23a9d440f98162e5b4d69c73f783e02299ec8

SHA512
fc9c48be574219047f00bf2ba91e085076aec96db89f5e44741596b10b8766d4f80da3676d421a6a929b48a7eb85e4eafa4cc4673fc40d8f45aa96569c48e12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\America\Argentina\Catamarca

Filesize
708B

MD5
e3467a68822f3d1365e3494970219b03

SHA1
3b37cd19a0ecda386ce185f888f4830d4767ac35

SHA256
502d1fc71ed93e68cfc370f404afb9bdaa7e735701cdb811dbddcc76611f3b1d

SHA512
4ae79f4a57134ebae1776c259af4236fb75827e4feadf952eafcd33a15f1cae49a68855eb67b1a129dfb2cfe44ade4bba274051c972434517e179fd36e4b6534

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\America\Atikokan

Filesize
149B

MD5
595e67b4c97fda031a90e5ef80813e7d

SHA1
7194eb1a70c1acc1749c19617601595d910b9744

SHA256
a78d73067ba3cbd94f8a23dfdd6aa8b68cb33b18484bc17b4e20ea1aec2f0a81

SHA512
27925a87379552403a0960c2ec191994610bc05b2d67fb1fbbeeb6086a16091bdc69449bce3426b31a2775f3845ed8cc07d1882f8b3b4e63f437775a2eea5d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\America\Atka

Filesize
969B

MD5
1df7e605c33529940c76c1c145c52fc5

SHA1
09c48d350827083bd4579e0cabf5be2ff7bf718b

SHA256
abfb1980e20d5f84ec5fd881c7580d77a5c6c019f30a383aaa97404212b489e0

SHA512
27af4d1bb570244667132cf8981f62f245b2228518324ecc67867eb15c8440446ddd6f2a221cbb2aeb15adfd955dab01bd708ac2c2723a113aa30839ff6632c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\America\Curacao

Filesize
177B

MD5
92d3b867243120ea811c24c038e5b053

SHA1
ade39dfb24b20a67d3ac8cc7f59d364904934174

SHA256
abbe8628dd5487c889db816ce3a5077bbb47f6bafafeb9411d92d6ef2f70ce8d

SHA512
1eee8298dffa70049439884f269f90c0babcc8e94c5ccb595f12c8cfe3ad12d52b2d82a5853d0ff4a0e4d6069458cc1517b7535278b2fdef145e024e3531daad

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\America\Ensenada

Filesize
1KB

MD5
661db30d5b9bb274f574dfc456f95137

SHA1
b516ee5e78315138d9a13c04e482c063a2a20422

SHA256
f1f9dbc6d26a4273fa9b259655d7afd9e2353b9c8173c3f984b53d7ec918305e

SHA512
523304ff0be8c841d817df59a09aa88d2e96761f81eea240bcc99e7569246864d498fca94542f881910e70df3abc9ce22ecf3561ac26ec6ad5e383e6c009b442

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\America\Fort_Wayne

Filesize
531B

MD5
9208172103191bf0d660e0023b358ea1

SHA1
6f19863d563ade21b63df66afd12e0c67903a341

SHA256
e678f42a13efbd7be0f26a9ce53e04b1c28a582eab05611cb01c16836432f07b

SHA512
013be7c175dba66510fbd2972e0d4b76b7073a079aaed9e0a454753dc5e18fb1133b2947c48bd7e1cfa70820b397af6ff49b41434a4909906f87a8c91b853178

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\America\Indiana\Knox

Filesize
1016B

MD5
964fb4bc6d047b2a8826a0734633ab0b

SHA1
e22e9a86e34a20fbeb4087fd94145b287c28e74f

SHA256
2890b35dcb7c093308b552d82d8781a8ce9a4fa6f9de058283a6836ec1f9f282

SHA512
869203f9854bf2cd0ffcc75f4524965757ecb03879a08e1275404b7eaeb5942eb25dff0f6ca6bfa236e659e2fb315c1b9dfcfc544a59ff7b3cdd6ab6904aa298

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\America\Phoenix

Filesize
240B

MD5
db536e94d95836d7c5725c3b3c086586

SHA1
f0c3fb96c02359a66ed4f7000a6ecda3d4a699ec

SHA256
ae11453c21d08984de75f2efec04dc93178a7b4e23c5e52f2098b8bd45ccb547

SHA512
87aa4f9f8b3b01c4bdc96fe971be12b38e16219f58b741c93a52c369146f6a3ae669e2bff2021403f5c1aee1f216c02d1faeb30012454e1de463c467c7f6b374

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\America\Rio_Branco

Filesize
418B

MD5
0b427173cd7de48179954c1706df9f0f

SHA1
6f3bb01406ad71ca9718e7bc536fca9251754938

SHA256
563b9052bebaf2986ae5b707e34afde013e7641287cc97ff31005f33a0dbf7a5

SHA512
2be3257bef4949ce42d143d3f0e095ea26347ac22fd436d98445af8590186f74a165777e9f423b8bdac416758e42a636fc6bdb86a097256100d61c2828b522d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\America\Rosario

Filesize
708B

MD5
5c57dc3d11f5a64fac22a08ea0c64d25

SHA1
53f6da348a256b7f84be5e9088a851331b82db9d

SHA256
f488f75a34fd99630a438dcb792508a90b836fdcd2dc54a51d83d535025315fd

SHA512
18f23ddb3dca6fa3efe9cbea294bdfc6ad9db3bea98fc1766e0f317754d8a452e12edd692b1505810ec7842d0f8dbdcf1f50a4027dbc2621cde865311ff5b259

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\America\Toronto

Filesize
1KB

MD5
628174eba2d7050564c54d1370a19ca8

SHA1
e350a7a426e09233cc0af406f5729d0ab888624f

SHA256
ad2d427ab03715175039471b61aa611d4fdf33cfb61f2b15993ec17c401ba1e5

SHA512
e12bf4b9a296b4b2e8288b3f1e8f0f3aeaee52781a21f249708e6b785a48100feab10ac8ba10ac8067e4b84312d3d94ed5878a9bda06c63efe96322f05ebbc6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\America\Winnipeg

Filesize
1KB

MD5
1ee6e72e10673d4a16b6e24671f793ec

SHA1
439bd8f20d919a71ac25cec391caa8084f3b7cc3

SHA256
00dcf0606054d4f927416e0b47e1fdda2e5ce036fde4b53e51084f8566428c3a

SHA512
dbcc75cd333e3565c5bda2329f69ff83816b1383456a5f4f11b960fe90436798182565119a48dfe590a7eed5a82e436fe39a1d5d2d71a4c12bdced265d89d7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\America\Yellowknife

Filesize
970B

MD5
beb91df50b24718aed963a509c0c2958

SHA1
a45d9b4187fe62ae513557bd430b73826f27b8e6

SHA256
0eada6c5c48d59984c591ab1c30b4c71aab000818cc243b3cfe996f1f26c715f

SHA512
6cf096f7cd01fe83e8a49539667f21137fe36b473e2f92ffb78316026eaadf2723cdf66780fb24b661cb5acf0d388ed0526db794cdb8c7af8da1f5b8660ca5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Antarctica\Syowa

Filesize
133B

MD5
165baa2c51758e236a98a6a1c4cf09a0

SHA1
dbf6914834465a72dc63d15272d309a4331cd1c3

SHA256
46853e94276af2eea8e86c2f152a871c092df195dc51273b8fc7091faa4b461c

SHA512
82f71fe26f83940b802676221f6efc6cfd66aa0cf0c3befdab9b60d7a8e951e504c547f90876890e7ecb18c7f89a41152d276f32f7e5ac6abead24b6fd47f3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Asia\Bangkok

Filesize
152B

MD5
ff94f36118acae9ef3e19438688e266b

SHA1
b68e4823cff72b73c1c6d9111be41e688487ec8a

SHA256
cdc8e2c282d8bc9a5e9c3caf2fc45ff4e9e5cd18f5dec8cb873340ad7c584d64

SHA512
e2ded089e3f51c57e2c32333dbca528551440ca76cdbcbaab9d627f8ee0824f1b3cae20f26352dc7edd6887e74fc78357ab52044fbfadf2192129052f82cbee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Asia\Dubai

Filesize
133B

MD5
667e494c45d181f0706bd07b211c850b

SHA1
bb2072fbc0357111a7570af852bc873b0f0070e1

SHA256
0d9ea5053e83188032a6fb4d301d5db688f43011e5b6b1f917a11b71a0da7b16

SHA512
57a367ee2efb608cb11fa83d2ce4be99c55f223b717ee9da3d78a5f273a6dc0e8face0d255304d3ab99f1dc7c6155376afb53eda8bc0b8ac481fcd54b3a3313e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Asia\Istanbul

Filesize
1KB

MD5
48252c9a797f0f4bea97557a5094cf98

SHA1
6e6893d64fa2e3249efdb170face5085e5f5945d

SHA256
2a7163b16b94806f69991348e7d0a60c46eb61b1f0305f5f4b83f613db10806f

SHA512
f091784b4dd4a9683c5a70194dd957e6bbf3a43a0bc469fa12c9788f1f478256dae78dd7f5eb1b49753f3661893f8dfaf1f988b07a00a0209106d4d231a27bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Asia\Jerusalem

Filesize
1KB

MD5
9360bb34802002d91d9bba174c25a8dc

SHA1
fb7e5e8341272ebd89210ece724b9a6c685b8a69

SHA256
9fcde8d584dea0585f5c8727aaf35f48a149e0dbd3a83bf6cef8bca9c14021e3

SHA512
6e0d68f6c58a2f7aba3e1b0d85ccaea46b63695edf7a4476f0b65f7853d3c28b086d5c8a2f0f6e1dc2f7ef6a71b2165e3f07a885e3307c8488ef739ffe429f50

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Asia\Kashgar

Filesize
133B

MD5
67c981ccf51584922a1f72dd2d529730

SHA1
60ef0baeb39358fee28d01525962e05a7f71e217

SHA256
849cafd377611cc2fc2b41891ab63c6fb3343949045db961fd16267593315ad4

SHA512
0e563b55141e0f63d762dff0b8fe428897e9a98233dc2af04df09c79c702623b6567178de0b65a2ba35381971bbc14e4721dd0aada6ab52190efa8a436e7b480

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Asia\Kuala_Lumpur

Filesize
256B

MD5
8a2bb95893137bb40748ef4ecd8d7435

SHA1
6d65ec8958626477d7cb6ddfc036e70e7949c533

SHA256
0954b2d9a301d94f4348024606a71bbcb2fa24d3cd3709f5bc8bca605039785d

SHA512
360d4e0ff1f06c63be5abf3d2fc336d5f11e5e0db055999fa856f03344c16d30b7b8b4145e7fb5f8a6bc0b912c4db46b8f66af586fddcb74225228dd1805e6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Asia\Shanghai

Filesize
393B

MD5
dff9cd919f10d25842d1381cdff9f7f7

SHA1
2aa2d896e8dde7bc74cb502cd8bff5a2a19b511f

SHA256
bf8b7ed82fe6e63e6d98f8cea934eeac901cd16aba85eb5755ce3f8b4289ea8a

SHA512
c6f4ef7e4961d9f5ae353a5a54d5263fea784255884f7c18728e05806d7c80247a2af5d9999d805f40b0cc86a580a3e2e81135fdd49d62876a15e1ab50e148b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Asia\Yangon

Filesize
187B

MD5
37f26cf8b8fe9179833e366ca13b8916

SHA1
da0b9ee83039fcd70fb0d439fac9f453768abc28

SHA256
e89d835c811d4da44aa8b386782ce8828df085aa0ee8f25661a9881d2f00e90c

SHA512
60817dde97cea65dd16de8b91d0fd6475a8a2151881a1e3a9a496d143c71509ca6d6f802505cdfd6b8b91f6478717d5509abee8e301a926207a8fac7630bf1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Australia\ACT

Filesize
904B

MD5
a1085ba102822f56191705c405f2a8ad

SHA1
ccb304b084e1121dd8370c3c49e4d9bea8382eb6

SHA256
820d45a868a88f81c731d5b2c758b4ed000039b6260a80433f8e0f094a604b59

SHA512
3d2fa63913f22aedbffad9f94697a19aefe0920c1b9e4be47144022706fb309e46b38d85322f9ff4d8fc2472ca43fe3c5aec6486f94a89fb728a05753c075239

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Australia\Hobart

Filesize
1003B

MD5
8371d9f10ef8a679be6eadedc6641d73

SHA1
541dd89e23dc4e37e77fe3991b452915e465c00f

SHA256
d4801581fd00037b013d71616b119fbbd510fdca5de06369b10f718a8da5e32d

SHA512
0c08054c08a4aa20efd8ef18af57fbd914fa99b5ce1aa837e8c491274b09ef934a831e4a36c4b64332d2d47f5e3083f30d4e505560c5a3188c02a4cebbf820e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Etc\UCT

Filesize
111B

MD5
51d8a0e68892ebf0854a1b4250ffb26b

SHA1
b3ea2db080cd92273d70a8795d1f6378ac1d2b74

SHA256
fddce1e648a1732ac29afd9a16151b2973cdf082e7ec0c690f7e42be6b598b93

SHA512
4d0def0cd33012754835b27078d64141503c8762e7fb0f74ac669b8e2768deeba14900feef6174f65b1c3dd2ea0ce9a73bba499275c1c75bcae91cd266262b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Europe\Brussels

Filesize
1KB

MD5
7a350885dea1ebe1bf630eb4254e9abc

SHA1
5036277ce20a4d75d228cf82a07ed8e56c22e197

SHA256
b10f9542a8509f0a63ebca78e3d80432dd86b8ea296400280febd9cfa76e8288

SHA512
524ed4fb0c158a1d526dd9071df7111fb78940d468e964bf63ba5418f9b551ec28c38fa1dc2711415aa31f926d8729eac63d6b1e2946b7942ce822f09d00c5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Europe\Isle_of_Man

Filesize
1KB

MD5
b14ab0a98fb1964def4eaf00d2a6bb73

SHA1
842e6ede8817936de650a0c1266569f26994790a

SHA256
bb29fb3bc9e07af2a8004ccdd996c4a92b6b64694f84d558e20fc29473445c57

SHA512
301ba2529dfe935c96665160bf3f873aaa393de3c85b32a0ba29610d35a52b199db6aff36a2aa4b1a0125617bd9bf746838312e87097a320dad9752c70302d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Europe\Kiev

Filesize
558B

MD5
2a6d051e23c2e3ace6355f98f024796a

SHA1
1a3890e9e13690f20f4cf2cff51c6b24e0efbb49

SHA256
d0eaac7c9875dc638583a6893f520031a1dc7dac1545370b669b76ca72b7ac90

SHA512
084eeae9ac4f1563e6eab94199cc09d81e37b9c54d1aac47dfe38a6e1243d7b5d850ebdb31b9b520beda17f2c322360a15e5f7635dbddbd3f7ce76cc0a5f6990

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Europe\Oslo

Filesize
705B

MD5
2577d6d2ba90616ca47c8ee8d9fbca20

SHA1
e8f7079796d21c70589f90d7682f730ed236afd4

SHA256
a7fd9932d785d4d690900b834c3563c1810c1cf2e01711bcc0926af6c0767cb7

SHA512
f228ca1ef2756f955566513d7480d779b10b74a8780f2c3f1768730a1a9ae54c5ac44890d0690b59df70c4194a414f276f59bb29389f6fa29719cb06cb946ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Europe\San_Marino

Filesize
947B

MD5
c57843caa48aa4715344a26830df1f13

SHA1
c2f1530fce47b5a7d976f0bd4af28e273a02d706

SHA256
86bd26a06fe3057b36cf29dd7a338f2524aff8116ef08d005aa2114ea6122869

SHA512
5e93be3d2a9f4fe6ce98c938cc08ea6c08c36c05ef797c639f97cda82c1bd272e7826df413991929a94a33b8b0c96656f3f96f61d338737ccc26be72388c6408

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Europe\Skopje

Filesize
478B

MD5
a4ac1780d547f4e4c41cab4c6cf1d76d

SHA1
9033138c20102912b7078149abc940ea83268587

SHA256
a8c964f3eaa7a209d9a650fb16c68c003e9a5fc62ffbbb10fa849d54fb3662d6

SHA512
7fd5c4598f9d61a3888b4831b0c256ac8c07a5ae28123f969549ae3085a77fece562a09805c44eab7973765d850f6c58f9fcf42582bdd7fd0cdba6cd3d432469

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Europe\Vaduz

Filesize
497B

MD5
07b0081174b26fd15187b9d6a019e322

SHA1
f5b9e42b94198a4d6e8a7ae1d4bdd6b7255ce1f6

SHA256
199062b1c30cfeb2375ec84c56df52be51891986a6293b7a124d3a62509f45e9

SHA512
18916dc499f8b0a600cbe03dca3509465c7693b64c9c27cda3c97d0de7269279b4c9c918c3a9aafc4a3c9f3eab79a521f791dba257aaf436d906aaf4526bd369

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Greenwich

Filesize
111B

MD5
e7577ad74319a942781e7153a97d7690

SHA1
91d9c2bf1cbb44214a808e923469d2153b3f9a3f

SHA256
dc4a07571b10884e4f4f3450c9d1a1cbf4c03ef53d06ed2e4ea152d9eba5d5d7

SHA512
b4bc0ddba238fcab00c99987ea7bd5d5fa15967eceba6a2455ecd1d81679b4c76182b5a9e10c004b55dc98abc68ce0912d4f42547b24a22b0f5f0f90117e2b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\NZ

Filesize
1KB

MD5
655680c9ae07d4896919210710185038

SHA1
fa67d7b3440bbcef845611a51380d34524d5df4a

SHA256
0e06e7e55aedbc92ef5b3d106e7c392ab1628cfd8a428b20e92e99028a0bfbb9

SHA512
28ca8023b1091b2630bf46314fa1737ac66a3b464cdd48c2d8300edcb2eb5847710e98e4f63be358e443bfa8ca6dc73a8b3f38fc6df4f7c0ff324520c91bc498

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Navajo

Filesize
1KB

MD5
c1b9655d5b1ce7fbc9ac213e921acc88

SHA1
064be7292142a188c73bf9438d382002c373c342

SHA256
9bb703920eca4b6119e81a105583a4f6ca220651f13b418479ab7cd56c413f3e

SHA512
2a188d7bcc48acc17b229e50e136b55dbc59058ae9be6ef217238cd1b6c0a59817954ab98817d2e2ff836a6f7d7461be5850ad73a9096d7a14ce9fd8c2a3c29a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Pacific\Johnston

Filesize
221B

MD5
5ed332a521639d91536739cfb9e4dde6

SHA1
0c24de3971dc5c1a3e9ec3bc01556af018c4c9ea

SHA256
1daa5729aa1e0f32cd44be112d01ad4cc567a9fe76d87dcbb9182be8d2c88ff0

SHA512
0014e8f2499fe415644e21456f5ca73297c36603de24d60459355a55174e1db81e6929278ccd0df79c750c519d2d6e5ee49019feb63b42f9240c8b8402f3db98

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Pacific\Midway

Filesize
146B

MD5
f789c65f289caa627ea1f690836c48f6

SHA1
dd4dadc39a757b9a02efd931a5e9a877e065441f

SHA256
650d918751366590553063cd681592fdca8a09957e0ce2c18d6697ec385ef796

SHA512
f7461e9b6c0af87b45dccc1a8884c47bca59462c9cb5ceac74aebc314cc924c2aebefa993a7466d4d3d4ab3fcdc76c6bc43c7522395f8f053273f55f3eb8305e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Pacific\Pohnpei

Filesize
134B

MD5
44355d47052f97ac7388446bce23e3ab

SHA1
2035f1c7a9ff65687b1e765ce240f701cdc7bc82

SHA256
522f0f374b61e2c6f5fa7d19f1c7acccd09e4a213462ee3b42c90d32bf2bf18c

SHA512
3dde34960b8aa19fe30f43588b3ba8a25b256f918a19cd03594e15ca482252eed1e987611fdc6b09997205efe1ceb93cf77e487a2dfea54a21214c66a394a086

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Pacific\Wallis

Filesize
134B

MD5
ba8d62a6ed66f462087e00ad76f7354d

SHA1
584a5063b3f9c2c1159cebea8ea2813e105f3173

SHA256
09035620bd831697a3e9072f82de34cfca5e912d50c8da547739aa2f28fb6d8e

SHA512
9c5dba4f7c71d5c753895cbfdb01e18b9195f7aad971948eb8e8817b7aca9b7531ca250cdce0e01a5b97ba42c1c9049fd93a2f1ed886ef9779a54babd969f761

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\tzdata\zoneinfo\Pacific\Yap

Filesize
154B

MD5
bcf8aa818432d7ae244087c7306bcb23

SHA1
5a91d56826d9fc9bc84c408c581a12127690ed11

SHA256
683001055b6ef9dc9d88734e0eddd1782f1c3643b7c13a75e9cf8e9052006e19

SHA512
d5721c5bf8e1df68fbe2c83bb5cd1edea331f8be7f2a7ef7a6c45f1c656857f2f981adb2c82d8b380c88b1ddea6abb20d692c45403f9562448908637d70fa221

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_900_133807332512907984\vcruntime140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir872_387223592\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir872_387223592\faf7337f-70c5-407e-bef2-5d96f6f1a9cd.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
320B

MD5
3cd6d8457be4eef5f57a9db9c055d455

SHA1
c07bf70f9ea617757fdf38929e13de61e37489d4

SHA256
77e35435e38b443311431bccd1d2c84c6dcd2a677e7e4f8f867e4267f5da72c0

SHA512
8b225b9ae36fb9545e24c2ec989b968de50cadcc5d958e30ced8c62f16352b305d01bf5b27882085988f193e38c3a780bcd5ed43fb9ed3ca6a97a855bc930c24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
2e766e05d317a7250ab4ba0a7978e0b2

SHA1
69279a4d9e29c9a2d8eb224371970922adf99b6b

SHA256
278ac48c9e4ff40fb925c0802c3463ab37862ba991ee4ecc85d8b3fca0f133fa

SHA512
30ee5939b622b01596dc7ab91497e3c9e282f7c8fc7c5354d1205b47c592ff936cb0de6948dcd87d3f184a7b943c29a93a933c2c612f43324793142e8384ff6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
c83f8d8c2e45ef610c46ff5ffbf276ae

SHA1
d701b4ac99da13a365fb6e5ad4d913b80971a961

SHA256
2ea60d9f687ff8f0ddb4a58717888752234fe2ee97ece3f5afe77bf2ce3afcfc

SHA512
3e13b5ff5c7f33a63e7930c7435e252260f53a6c7ef2ef6db247078293776e4e49a7435416649deea378bca68ca268f78c44165a39f372ac1311f4c0562c78ce

Download Submit
C:\Users\Admin\Desktop\Win32.RisePro.b\Panel\logs\logs.db

Filesize
328KB

MD5
55cfc3b91f2163f92d8f316aa59b5d25

SHA1
73ceeb414f5cd452f99b4874221c383ce94ef67a

SHA256
15a5584248306b8cec549edd767a90cb5e1121e0315c3a2ffa9a3ea0d65177aa

SHA512
4ac5539b460a9557d6504ad89226c46b2db8a2ec133386eb0b14108bf0c7bf416e6a95e19902924e4f030de85c93a7169d4acd6199b9183e1ea80386ca0031ac

Download Submit
C:\Users\Admin\Desktop\Win32.RisePro.b\Panel\tmp\GoogleRestore.exe

Filesize
35.8MB

MD5
a97a8ac0ac6e7b59dff255d775413ea9

SHA1
0670919b459f1a6eeb23c3d2ca814ab95a21f557

SHA256
c57a717fb7b84ebf85611d9229379cd6e5a861dfbfe3356ec748a57ee3d87aa5

SHA512
7f2a77d67475e1f1bbdb02c6866a97d6b4b5f5dabfe6fb3af90ed950a9847b43fc17e7685761b428cb143c74e126e326cfd61a968cf86d084756f577342c99de

Download Submit
C:\Users\Admin\Desktop\Win32.RisePro.b\Panel\tmp\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\Users\Admin\Desktop\Win32.RisePro.b\Panel\tmp\msvcp140.dll

Filesize
451KB

MD5
f027303816d6d2afeab12183c67b1348

SHA1
735e1625b17e4122608eb3aff3702b97e08f1e51

SHA256
75ddc9778c23ee95b6c57db6b689f11c07d164d5a4c158d4c0acb87a520b8004

SHA512
f55f6df42f266cc5f5f23690a5942068248d50d1c302708bf34d1f9d8831c7bfa174489de029dada30707df4544275b14fbb3dda09a0a022eb343e2618401797

Download Submit
C:\Users\Admin\Desktop\Win32.RisePro.b\Panel\tmp\nss3.dll

Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\Users\Admin\Desktop\Win32.RisePro.b\Panel\tmp\vcruntime140.dll

Filesize
85KB

MD5
ac139e08070885a2f021e30fab609eee

SHA1
3d3c2877cf3c4aa1a1f62708494375404d02cf22

SHA256
eea2df0c3d2bf84ee8bc811439a81578f6521c8b28b6cc815c93fb870ac7a0d7

SHA512
072dc8a2297eea0778f72f70ab5c8dc0400cecbe399115a4cee0cb7381d494565019d756f602d80077c22ab635b324ec10c644bf3c219a68d9c75840a8b5309f

Download Submit
C:\Users\Admin\Desktop\Win32.RisePro.b\[ENG] FAQ.docx

Filesize
478KB

MD5
908a1f0bf4bcae984246ab5a17fd467a

SHA1
ebf7cec2bab5cd8f73258848e189a3f92b234d4d

SHA256
fa3ee0c8bb106b40c9e87426acc70abe33783323f4cc4bec69694522ccbcc995

SHA512
f8fca2878df0091a247ce5746742afc0f6f6ddcc985f5643f8a1b3996245bdc7f3f5c1ca08c736159e96d0b4400c90adc10a3ce33a0a490d438e5f91eb23fd7d

Download Submit
C:\Users\Admin\Downloads\Win32.RisePro.b.7z:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/4712-169-0x00007FFF48CD0000-0x00007FFF48CE0000-memory.dmp

Filesize
64KB

Download
memory/4712-170-0x00007FFF48CD0000-0x00007FFF48CE0000-memory.dmp

Filesize
64KB

Download
memory/4712-172-0x00007FFF48CD0000-0x00007FFF48CE0000-memory.dmp

Filesize
64KB

Download
memory/4712-171-0x00007FFF48CD0000-0x00007FFF48CE0000-memory.dmp

Filesize
64KB

Download
memory/4712-168-0x00007FFF48CD0000-0x00007FFF48CE0000-memory.dmp

Filesize
64KB

Download
memory/4712-173-0x00007FFF46AB0000-0x00007FFF46AC0000-memory.dmp

Filesize
64KB

Download
memory/4712-174-0x00007FFF46AB0000-0x00007FFF46AC0000-memory.dmp

Filesize
64KB

Download
memory/4980-693-0x0000000009E30000-0x0000000009E31000-memory.dmp

Filesize
4KB

Download
memory/4980-698-0x000000000B750000-0x000000000B751000-memory.dmp

Filesize
4KB

Download
memory/4980-697-0x000000000B740000-0x000000000B741000-memory.dmp

Filesize
4KB

Download
memory/4980-700-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4980-696-0x000000000B730000-0x000000000B731000-memory.dmp

Filesize
4KB

Download
memory/4980-695-0x000000000B720000-0x000000000B721000-memory.dmp

Filesize
4KB

Download
memory/4980-691-0x0000000009E10000-0x0000000009E11000-memory.dmp

Filesize
4KB

Download
memory/4980-694-0x0000000009E60000-0x0000000009E61000-memory.dmp

Filesize
4KB

Download
memory/4980-692-0x0000000009E20000-0x0000000009E21000-memory.dmp

Filesize
4KB

Download