risepro | hxxps://tirrex[.]cl/server/arch0408_0224[.]7z

Analysis

max time kernel
387s
max time network
380s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2025, 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://tirrex.cl/server/arch0408_0224.7z

Score

10^/10

risepro defense_evasion discovery stealer

Malware Config

Extracted

Family

risepro

185.225.200.214

Signatures

Modifies firewall policy service 3 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	Foot.pif
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	Foot.pif

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Risepro family
risepro

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 956 created 3480	956	Foot.pif	56
PID 5676 created 3480	5676	Foot.pif	56
PID 2744 created 3480	2744	Foot.pif	56

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation	setup.exe

Executes dropped EXE 8 IoCs

pid	Process
5172	setup.exe
956	Foot.pif
3136	Foot.pif
3836	setup.exe
5676	Foot.pif
2064	Foot.pif
3892	setup.exe
2744	Foot.pif

Loads dropped DLL 1 IoCs

pid	Process
2304	msedge.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Foot.pif
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Foot.pif
File opened for modification	C:\Windows\System32\GroupPolicy	Foot.pif
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	Foot.pif
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Foot.pif
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Foot.pif
File opened for modification	C:\Windows\System32\GroupPolicy	Foot.pif
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	Foot.pif

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
3160	tasklist.exe
2960	tasklist.exe
4892	tasklist.exe
6068	tasklist.exe
2556	tasklist.exe
1036	tasklist.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 956 set thread context of 3136	956	Foot.pif	155
PID 5676 set thread context of 2064	5676	Foot.pif	175
PID 2744 set thread context of 4476	2744	Foot.pif	190

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-sq.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_505917425\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_34193043\deny_domains.list	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_1590204367\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-be.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-ml.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-nl.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_1909946296\Filtering Rules	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_1909946296\Part-RU	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_34193043\deny_etld1_domains.list	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-it.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-la.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-nn.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-te.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_1909946296\adblock_snippet.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_1909946296\Part-IT	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-mn-cyrl.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-ru.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_1909946296\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_1909946296\Part-DE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_1909946296\Part-FR	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_1909946296\Part-ZH	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_505917425\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_1281265098\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_1590204367\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_1909946296\Filtering Rules-AA	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_221492029\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_1587623998\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-as.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-cs.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-de-ch-1901.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-hr.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-tk.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_1909946296\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_505917425\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_34193043\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-de-1996.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-en-gb.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-gl.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-lv.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_1909946296\Part-ES	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_2056059601\data.txt	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_1281265098\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_1587623998\Microsoft.CognitiveServices.Speech.core.dll	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-af.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_2056059601\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_1590204367\crs.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-es.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-fr.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-hy.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-mr.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-ta.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-und-ethi.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_34193043\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-gu.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-sl.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_1909946296\Filtering Rules-CA	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_1909946296\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_2056059601\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_221492029\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-ga.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-lt.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-pa.hyb	msedge.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InstitutesHabits	setup.exe
File opened for modification	C:\Windows\IowaArmenia	setup.exe
File opened for modification	C:\Windows\GraduateMpegs	setup.exe
File opened for modification	C:\Windows\IowaArmenia	setup.exe
File opened for modification	C:\Windows\BranchExtra	setup.exe
File opened for modification	C:\Windows\InstitutesHabits	setup.exe
File opened for modification	C:\Windows\GraduateMpegs	setup.exe
File opened for modification	C:\Windows\BranchExtra	setup.exe
File opened for modification	C:\Windows\InstitutesHabits	setup.exe
File opened for modification	C:\Windows\GraduateMpegs	setup.exe
File opened for modification	C:\Windows\IowaArmenia	setup.exe
File opened for modification	C:\Windows\BranchExtra	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133891245118677725"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2362875047-775336530-2205312478-1000\{91C14C3C-1A0D-4292-94E5-D3D8DEA97DC7}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2362875047-775336530-2205312478-1000\{8F7C0D6A-E31D-4DA3-8AC6-3230E984825A}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2304	msedge.exe
2304	msedge.exe
3552	msedge.exe
3552	msedge.exe
956	Foot.pif
956	Foot.pif
956	Foot.pif
956	Foot.pif
956	Foot.pif
956	Foot.pif
5268	7zFM.exe
5268	7zFM.exe
5268	7zFM.exe
5268	7zFM.exe
5268	7zFM.exe
5268	7zFM.exe
5268	7zFM.exe
5268	7zFM.exe
956	Foot.pif
956	Foot.pif
956	Foot.pif
956	Foot.pif
5268	7zFM.exe
5268	7zFM.exe
5676	Foot.pif
5676	Foot.pif
5676	Foot.pif
5676	Foot.pif
5676	Foot.pif
5676	Foot.pif
5676	Foot.pif
5676	Foot.pif
5676	Foot.pif
5676	Foot.pif
2744	Foot.pif
2744	Foot.pif
2744	Foot.pif
2744	Foot.pif
2744	Foot.pif
2744	Foot.pif
2744	Foot.pif
2744	Foot.pif
2744	Foot.pif
2744	Foot.pif

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2976	OpenWith.exe
5268	7zFM.exe
5868	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeRestorePrivilege	4948	7zG.exe
Token: 35	4948	7zG.exe
Token: SeSecurityPrivilege	4948	7zG.exe
Token: SeSecurityPrivilege	4948	7zG.exe
Token: SeRestorePrivilege	5268	7zFM.exe
Token: 35	5268	7zFM.exe
Token: SeSecurityPrivilege	5268	7zFM.exe
Token: SeSecurityPrivilege	5268	7zFM.exe
Token: SeSecurityPrivilege	5268	7zFM.exe
Token: SeSecurityPrivilege	5268	7zFM.exe
Token: SeDebugPrivilege	4892	tasklist.exe
Token: SeDebugPrivilege	6068	tasklist.exe
Token: SeSecurityPrivilege	5268	7zFM.exe
Token: SeDebugPrivilege	2556	tasklist.exe
Token: SeDebugPrivilege	1036	tasklist.exe
Token: SeDebugPrivilege	3160	tasklist.exe
Token: SeDebugPrivilege	2960	tasklist.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
4948	7zG.exe
5268	7zFM.exe
5268	7zFM.exe
5268	7zFM.exe
5268	7zFM.exe
5268	7zFM.exe
5268	7zFM.exe
5268	7zFM.exe
5268	7zFM.exe
956	Foot.pif
956	Foot.pif
956	Foot.pif
5268	7zFM.exe
5676	Foot.pif
5676	Foot.pif
5676	Foot.pif
2744	Foot.pif
2744	Foot.pif
2744	Foot.pif

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
956	Foot.pif
956	Foot.pif
956	Foot.pif
5676	Foot.pif
5676	Foot.pif
5676	Foot.pif
2744	Foot.pif
2744	Foot.pif
2744	Foot.pif

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2976	OpenWith.exe
5380	OpenWith.exe
5868	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5744 wrote to memory of 5924	5744	msedge.exe	83
PID 5744 wrote to memory of 5924	5744	msedge.exe	83
PID 5744 wrote to memory of 112	5744	msedge.exe	84
PID 5744 wrote to memory of 112	5744	msedge.exe	84
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 216	5744	msedge.exe	85
PID 5744 wrote to memory of 3276	5744	msedge.exe	86
PID 5744 wrote to memory of 3276	5744	msedge.exe	86
PID 5744 wrote to memory of 3276	5744	msedge.exe	86
PID 5744 wrote to memory of 3276	5744	msedge.exe	86
PID 5744 wrote to memory of 3276	5744	msedge.exe	86
PID 5744 wrote to memory of 3276	5744	msedge.exe	86
PID 5744 wrote to memory of 3276	5744	msedge.exe	86
PID 5744 wrote to memory of 3276	5744	msedge.exe	86
PID 5744 wrote to memory of 3276	5744	msedge.exe	86

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://tirrex.cl/server/arch0408_0224.7z
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2f0,0x7fff04caf208,0x7fff04caf214,0x7fff04caf220
    3⤵
    PID:5924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1952,i,7723496107232313452,3604040442338596913,262144 --variations-seed-version --mojo-platform-channel-handle=2344 /prefetch:3
    3⤵
    PID:112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2240,i,7723496107232313452,3604040442338596913,262144 --variations-seed-version --mojo-platform-channel-handle=1916 /prefetch:2
    3⤵
    PID:216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2372,i,7723496107232313452,3604040442338596913,262144 --variations-seed-version --mojo-platform-channel-handle=2500 /prefetch:8
    3⤵
    PID:3276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3500,i,7723496107232313452,3604040442338596913,262144 --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:1
    3⤵
    PID:2104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3544,i,7723496107232313452,3604040442338596913,262144 --variations-seed-version --mojo-platform-channel-handle=3604 /prefetch:1
    3⤵
    PID:5912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4968,i,7723496107232313452,3604040442338596913,262144 --variations-seed-version --mojo-platform-channel-handle=5112 /prefetch:8
    3⤵
    PID:4892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4340,i,7723496107232313452,3604040442338596913,262144 --variations-seed-version --mojo-platform-channel-handle=5140 /prefetch:8
    3⤵
    PID:668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5556,i,7723496107232313452,3604040442338596913,262144 --variations-seed-version --mojo-platform-channel-handle=5544 /prefetch:8
    3⤵
    PID:6000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=5616,i,7723496107232313452,3604040442338596913,262144 --variations-seed-version --mojo-platform-channel-handle=5716 /prefetch:1
    3⤵
    PID:3140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5956,i,7723496107232313452,3604040442338596913,262144 --variations-seed-version --mojo-platform-channel-handle=5904 /prefetch:8
    3⤵
    PID:5488
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5936,i,7723496107232313452,3604040442338596913,262144 --variations-seed-version --mojo-platform-channel-handle=6004 /prefetch:8
    3⤵
    PID:836
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5936,i,7723496107232313452,3604040442338596913,262144 --variations-seed-version --mojo-platform-channel-handle=6004 /prefetch:8
    3⤵
    PID:6068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=3532,i,7723496107232313452,3604040442338596913,262144 --variations-seed-version --mojo-platform-channel-handle=5848 /prefetch:1
    3⤵
    PID:2432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6804,i,7723496107232313452,3604040442338596913,262144 --variations-seed-version --mojo-platform-channel-handle=4980 /prefetch:8
    3⤵
    PID:1360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:2304
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x268,0x7fff04caf208,0x7fff04caf214,0x7fff04caf220
      4⤵
      PID:2768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1760,i,9456940029907209535,13214914242558841266,262144 --variations-seed-version --mojo-platform-channel-handle=2456 /prefetch:3
      4⤵
      PID:5568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2144,i,9456940029907209535,13214914242558841266,262144 --variations-seed-version --mojo-platform-channel-handle=2536 /prefetch:8
      4⤵
      PID:2284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2412,i,9456940029907209535,13214914242558841266,262144 --variations-seed-version --mojo-platform-channel-handle=2404 /prefetch:2
      4⤵
      PID:2512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4252,i,9456940029907209535,13214914242558841266,262144 --variations-seed-version --mojo-platform-channel-handle=2848 /prefetch:8
      4⤵
      PID:1492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4252,i,9456940029907209535,13214914242558841266,262144 --variations-seed-version --mojo-platform-channel-handle=2848 /prefetch:8
      4⤵
      PID:3700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4612,i,9456940029907209535,13214914242558841266,262144 --variations-seed-version --mojo-platform-channel-handle=4340 /prefetch:8
      4⤵
      PID:1392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=564,i,9456940029907209535,13214914242558841266,262144 --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:8
      4⤵
      PID:4804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4732,i,9456940029907209535,13214914242558841266,262144 --variations-seed-version --mojo-platform-channel-handle=4696 /prefetch:8
      4⤵
      PID:4784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4720,i,9456940029907209535,13214914242558841266,262144 --variations-seed-version --mojo-platform-channel-handle=4700 /prefetch:8
      4⤵
      PID:4768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4688,i,9456940029907209535,13214914242558841266,262144 --variations-seed-version --mojo-platform-channel-handle=4052 /prefetch:8
      4⤵
      PID:3888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4640,i,9456940029907209535,13214914242558841266,262144 --variations-seed-version --mojo-platform-channel-handle=5040 /prefetch:8
      4⤵
      PID:5620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=788,i,9456940029907209535,13214914242558841266,262144 --variations-seed-version --mojo-platform-channel-handle=4768 /prefetch:8
      4⤵
      PID:4564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=4860,i,9456940029907209535,13214914242558841266,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3608,i,9456940029907209535,13214914242558841266,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8
      4⤵
      PID:4852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3916,i,9456940029907209535,13214914242558841266,262144 --variations-seed-version --mojo-platform-channel-handle=4428 /prefetch:8
      4⤵
      PID:4064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4456,i,9456940029907209535,13214914242558841266,262144 --variations-seed-version --mojo-platform-channel-handle=1332 /prefetch:8
      4⤵
      PID:2028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5100,i,9456940029907209535,13214914242558841266,262144 --variations-seed-version --mojo-platform-channel-handle=4608 /prefetch:8
      4⤵
      PID:3548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5072,i,9456940029907209535,13214914242558841266,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:8
      4⤵
      PID:3440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5104,i,9456940029907209535,13214914242558841266,262144 --variations-seed-version --mojo-platform-channel-handle=5040 /prefetch:8
      4⤵
      PID:3508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3260,i,9456940029907209535,13214914242558841266,262144 --variations-seed-version --mojo-platform-channel-handle=3980 /prefetch:8
      4⤵
      PID:716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4648,i,9456940029907209535,13214914242558841266,262144 --variations-seed-version --mojo-platform-channel-handle=3960 /prefetch:8
      4⤵
      PID:3356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:2512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
    3⤵
    PID:1084
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap17706:86:7zEvent2087
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4948
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\arch0408_0224.7z"
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5268
- - C:\Users\Admin\AppData\Local\Temp\7zO4947F95C\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO4947F95C\setup.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:5172
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Tape Tape.cmd & Tape.cmd & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:5768
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4892
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:112
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6068
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4476
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 324267
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5028
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "OCTLOADEDLNAV" Scout
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b American + Ears + Probe + Banks + Korea + Furnishings + Pursuit + Jpeg + Exclusion + Identifier + School + Quotes + Bulgarian + Patents + Political + Networks + Bio + Prevent + Finance + Sm + Retired 324267\s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3216
    - - C:\Users\Admin\AppData\Local\Temp\324267\Foot.pif
        
        Foot.pif s
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:956
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
- C:\Users\Admin\AppData\Local\Temp\324267\Foot.pif
  C:\Users\Admin\AppData\Local\Temp\324267\Foot.pif
  2⤵
  - Modifies firewall policy service
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3136
- C:\Users\Admin\Downloads\setup.exe
  "C:\Users\Admin\Downloads\setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3836
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Tape Tape.cmd & Tape.cmd & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3364
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2556
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2044
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1036
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5772
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 324267
      4⤵
      System Location Discovery: System Language Discovery
      PID:4700
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b American + Ears + Probe + Banks + Korea + Furnishings + Pursuit + Jpeg + Exclusion + Identifier + School + Quotes + Bulgarian + Patents + Political + Networks + Bio + Prevent + Finance + Sm + Retired 324267\s
      4⤵
      System Location Discovery: System Language Discovery
      PID:5532
  - - C:\Users\Admin\AppData\Local\Temp\324267\Foot.pif
      Foot.pif s
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:5676
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:1052
- C:\Users\Admin\AppData\Local\Temp\324267\Foot.pif
  C:\Users\Admin\AppData\Local\Temp\324267\Foot.pif
  2⤵
  - Modifies firewall policy service
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2064
- C:\Users\Admin\Downloads\setup.exe
  "C:\Users\Admin\Downloads\setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3892
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Tape Tape.cmd & Tape.cmd & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5420
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3160
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6132
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2960
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3280
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 324267
      4⤵
      System Location Discovery: System Language Discovery
      PID:1664
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b American + Ears + Probe + Banks + Korea + Furnishings + Pursuit + Jpeg + Exclusion + Identifier + School + Quotes + Bulgarian + Patents + Political + Networks + Bio + Prevent + Finance + Sm + Retired 324267\s
      4⤵
      System Location Discovery: System Language Discovery
      PID:4740
  - - C:\Users\Admin\AppData\Local\Temp\324267\Foot.pif
      Foot.pif s
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2744
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:860
- C:\Users\Admin\AppData\Local\Temp\324267\Foot.pif
  C:\Users\Admin\AppData\Local\Temp\324267\Foot.pif
  2⤵
  PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5708

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:228

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2976

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5380

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2568

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping2304_1281265098\manifest.json

Filesize
118B

MD5
e17033475c5d0632b8142e61eb70b2db

SHA1
fcb918489b441cb2b3239bd1fd582dc0fb55d939

SHA256
0f4cbee2aac3714f6be3ada73202950f897f18c1cec7e23cf29931502d1c1e98

SHA512
7a458be534f73d273f8c2be6258f4829e9c6924e9c58a51ef60a27989223085bda87d52e36e2a5fa9bfe58e54dbec3c245ad456ae232548ad1e6dc23a8f2570d

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2304_1587623998\manifest.json

Filesize
76B

MD5
ba25fcf816a017558d3434583e9746b8

SHA1
be05c87f7adf6b21273a4e94b3592618b6a4a624

SHA256
0d664bc422a696452111b9a48e7da9043c03786c8d5401282cff9d77bcc34b11

SHA512
3763bd77675221e323faa5502023dc677c08911a673db038e4108a2d4d71b1a6c0727a65128898bb5dfab275e399f4b7ed19ca2194a8a286e8f9171b3536546f

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2304_1590204367\manifest.json

Filesize
102B

MD5
a64e2a4236e705215a3fd5cb2697a71f

SHA1
1c73e6aad8f44ade36df31a23eaaf8cd0cae826d

SHA256
014e9fc1219beefc428ec749633125c9bff7febc3be73a14a8f18a6691cd2846

SHA512
75b30c0c8cef490aaf923afbdb5385d4770de82e698f71f8f126a6af5ef16f3a90d0c27687f405274177b1a5250436efddd228a6d2949651f43bd926e8a1cc99

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2304_1909946296\manifest.json

Filesize
116B

MD5
d20acf8558cf23f01769cf4aa61237e0

SHA1
c4b21384309b0ff177d9cd3aa4198ab327eb2993

SHA256
3493b321a7fc5e183ed6f223ae55ce962541717d0b332d16bdc7cbcadf7e6f78

SHA512
73d082cbd71f6d0f06c7afc1bf63ee41c9a8e501df3e56f21a551b2d369a0afc8306894c8e0a38d0324e2ac403ec506ac1ecd8e9b61a9cb27134a229ccb13725

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2304_2056059601\manifest.json

Filesize
53B

MD5
22b68a088a69906d96dc6d47246880d2

SHA1
06491f3fd9c4903ac64980f8d655b79082545f82

SHA256
94be212fe6bcf42d4b13fabd22da97d6a7ef8fdf28739989aba90a7cf181ac88

SHA512
8c755fdc617fa3a196e048e222a2562622f43362b8ef60c047e540e997153a446a448e55e062b14ed4d0adce7230df643a1bd0b06a702dc1e6f78e2553aadfff

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2304_221492029\manifest.json

Filesize
141B

MD5
811f0436837c701dc1cea3d6292b3922

SHA1
4e51a3e9f5cbf8c9c96985dabe8ffc2de28dae87

SHA256
dbfb38a16e33a39c35ac50bd81782e4608be14954f1df69ac8272c0b9ce87a5d

SHA512
21e7bf2f8333b2900bcbcb871ede14684073249597d105095dc7d3f101e7ccc326068732f11d4a167365f245a3f2205793f520c7666d7f948e70919b40b43d35

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2304_34193043\manifest.json

Filesize
176B

MD5
6607494855f7b5c0348eecd49ef7ce46

SHA1
2c844dd9ea648efec08776757bc376b5a6f9eb71

SHA256
37c30639ea04878b9407aecbcea4848b033e4548d5023ce5105ea79cab2c68dd

SHA512
8cb60725d958291b9a78c293992768cb03ff53ab942637e62eb6f17d80e0864c56a9c8ccafbc28246e9ce1fdb248e8d071d76764bcaf0243397d0f0a62b4d09a

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2304_505917425\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2304_505917425\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-as.hyb

Filesize
703B

MD5
8961fdd3db036dd43002659a4e4a7365

SHA1
7b2fa321d50d5417e6c8d48145e86d15b7ff8321

SHA256
c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe

SHA512
531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-hi.hyb

Filesize
687B

MD5
0807cf29fc4c5d7d87c1689eb2e0baaa

SHA1
d0914fb069469d47a36d339ca70164253fccf022

SHA256
f4df224d459fd111698dd5a13613c5bbf0ed11f04278d60230d028010eac0c42

SHA512
5324fd47c94f5804bfa1aa6df952949915896a3fc77dccaed0eeffeafe995ce087faef035aecea6b4c864a16ad32de00055f55260af974f2c41afff14dce00f3

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\hyph-nb.hyb

Filesize
141KB

MD5
677edd1a17d50f0bd11783f58725d0e7

SHA1
98fedc5862c78f3b03daed1ff9efbe5e31c205ee

SHA256
c2771fbb1bfff7db5e267dc7a4505a9675c6b98cfe7a8f7ae5686d7a5a2b3dd0

SHA512
c368f6687fa8a2ef110fcb2b65df13f6a67feac7106014bd9ea9315f16e4d7f5cbc8b4a67ba2169c6909d49642d88ae2a0a9cd3f1eb889af326f29b379cfd3ff

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2304_642210122\manifest.json

Filesize
82B

MD5
2617c38bed67a4190fc499142b6f2867

SHA1
a37f0251cd6be0a6983d9a04193b773f86d31da1

SHA256
d571ef33b0e707571f10bb37b99a607d6f43afe33f53d15b4395b16ef3fda665

SHA512
b08053050692765f172142bad7afbcd038235275c923f3cd089d556251482b1081e53c4ad7367a1fb11ca927f2ad183dc63d31ccfbf85b0160cf76a31343a6d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\802067e0-b4b4-472b-aaa4-a43b8631b57f.tmp

Filesize
49KB

MD5
8ba33d473a42fd110090ec957f3147e0

SHA1
01305df4af0d8895dfc6356b89b7df17ad73c11a

SHA256
14da3cf00e488c607e8b4110e0224c6549140f6ffb7bc505d484433a4259ebf8

SHA512
eb138346b40566dc2d1d9e70dd81f242ee99a4ff6dca8f430f8668400e9ca0c7113f90f5a9e79c0f0dfb06ee1953b408a81eab544176222fa1ff8dae6f049966

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics-active.pma

Filesize
16KB

MD5
cfab81b800edabacbf6cb61aa78d5258

SHA1
2730d4da1be7238d701dc84eb708a064b8d1cf27

SHA256
452a5479b9a2e03612576c30d30e6f51f51274cd30ef576ea1e71d20c657376f

SHA512
ec188b0ee4d3daabc26799b34ee471bee988bdd7ceb011ed7df3d4cf26f98932bbbb4b70dc2b7fd4df9a3981b3ce22f4b5be4a0db97514d526e521575efb2ec6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
6ec80650bb87997281d6b2c490e5939e

SHA1
40faef4ca4833df8dd17c4a05cae8e4fdea72b89

SHA256
025280e5fdfd02d49c42c93e14cbc699b80eb10e21d31bd0aaa8a9b1067a80b5

SHA512
be947097b9fd14a716388b25cf4c253ee4d074a8b13370873b575ce5beb3843f1961df08e94eb07958657c64ae27bfb9f75ba9b2e19ac29985a5fc6813d500fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
1229ea2859f28369e27c70f3010446da

SHA1
977844a4cbc6a7f6f959d2c21b5cfb475ba4e48c

SHA256
1d5c3b268abc1fe3f3070f5d017061b6524b2d75a02ea636b7b26e103662a45d

SHA512
fcee4a76671a135d7cfca979c5bd7f0e6bf6c1260001a706334108a1ff79ed520665ea938bcee6313b25031b2e73d0d54f68b95ff17d36b5e23e39786acc7c64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
374a9d645d55484a5d89b1c9872c8206

SHA1
1a47e0aa805d232131690297b6c2a94d941f9917

SHA256
1fed716aee50c091508cdddbc157a82cfb3908c14daf097bc06af076feed6dbb

SHA512
52e2921290426b79b8f6f681f9b76ebe52816e4e0ca82c83f2225bff1b33f8c7fbfdcdc6039d7eebd2b6c1a90093870ee0c0ddea01951aadae7007676f989310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_3

Filesize
8.0MB

MD5
bb431f5576fa207b34df4ad8f96df4cd

SHA1
28f3bc1f63330f8d5ea844929006a9bee26257fe

SHA256
146b476823a220ad67b9e5934781b426e1e3e6e4aef05845b0d940f0b716eccb

SHA512
6d45b02700300faa90b6a12487a1ca14aebaa07b4e8892a2394d1fbe655278814996bf6672fff9bfa68c9197612fdf4c1ee255c3790f749f5ef76954989396dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e827b10b9300fbc4b82bb0348e32ece5

SHA1
4758244e811d072cb0d556587f42c3a148102aa6

SHA256
215413a37723dc56c51a0319e16894f8abc67b70ac5b32133f506a6f65cefe51

SHA512
ba7bf4d8e09c0ea5b25a8a5b211419499c2134b70b1799cb54d8c8d8e35c241b8cf8ddfb3a0aa88e0b29455fcce37598e69104e79ee0fd7a513d39d0e83aef96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnGraphiteCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG

Filesize
346B

MD5
9321dc746f157d20d6eac69c3483dbf0

SHA1
39254e281060c1fa6262b82cd75bf21a98800246

SHA256
df21385ac9886dd639271ab077f2c39406c0108818e834729681467a41e8b923

SHA512
609500c0759405db34b0323cbee69a1aae2882624d37f06d5f9c023d573589dea998b0960d8d8700b4c7f318c8f779ca98dca417830fbcf15ad615668cf4f277

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db

Filesize
32KB

MD5
4290ff17af85c8172c411e2e7c5f5e31

SHA1
0f93a78aebb17a86b5c35cd135458f408d979a7f

SHA256
665177178415873f97e113a49251093390658dbd1d9ccbd4241fba95935e8151

SHA512
505b19e85841a514189a886161bedfc6ccef5a3ba945698b710484ecd7bd68deab2a7e7f1067d39134fd08d32e9e22bc22018526bb8ec62ad93f878a0e1f6480

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
116cba68652fd3bbee1866dcf0c48b7b

SHA1
0b276d406ed4a9695c8e49558449357efeb96071

SHA256
0833ed23915b9a243e366b448ad3aedd88deeeef98cb4c7a399132ebaf741aa4

SHA512
3b27f7f89af7a8f997fc324cbbd5a0af08c5dba2529b3a8023672fd80a004d0a5f3f30367049234c81aad0da623cc64d00de4e4a86693d86c61551faff2e90de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
192KB

MD5
a252cb1358a8d62887cabb2018c1ac2e

SHA1
4808963680b356752bf61b0e53d6f536ad43efb7

SHA256
b7106c0e715b7ed081e0afc438200527c8a1990e9a4be4811326cf40a57c6c2a

SHA512
73fc668ed36f1943e74130873452f3b95cc2899647214524a03a67f5c9ca907498305763ce9c7043376987994da5ac4ac636abf6f28ea2ee05090dfdebbe9e1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
2b66d93c82a06797cdfd9df96a09e74a

SHA1
5f7eb526ee8a0c519b5d86c845fea8afd15b0c28

SHA256
d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954

SHA512
95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
c13061f5cc603e2932ad9f8c30b3fe03

SHA1
12662ace9beb90e6dc732748d3b94c97800312a2

SHA256
6bd6f35042fd982dcaa0d3af1bd0eda604d71d03d3d409f76a1cf27418bfc561

SHA512
bf003d7505f86224f843f30424de87deeb2da1ff2c37fa7728efa2407f817181ac455c66a19973bd7e04615e46af098101e3561a9c1346d2c8ebdbb8b7eac765

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
1d40c8a4e2c85cb52a4614726ade4421

SHA1
55e8ff2dee181b43bb97702e9b679686a1074e69

SHA256
2d534d82f6b24d77a6c83e31a8636b18e0ee0e6a8154580392674ad25f087efc

SHA512
46a0948016442e75901fc9430611858162cd4dc90dc38d95dad4874a55c666d96f7894dc7fb442f0d8c0b8681fa4a9bb2821e90e84457576e295d59eeeb4c379

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
42ff336c2943d9cd63fecc31679e340a

SHA1
6db0a1c34b78f928e7f10b81f5c0e64f270e4333

SHA256
5e1c59302dde46eac9bf54472bf2616272a2ec14972c3f50397e7600fb629bc3

SHA512
68af7e4396196399bc547ca72340cab86c3d3bf4e5a5f339e3994a330258a2d423d44d2f421ced1f6a8fee88594d0f211a1c04f8e28aa2dc145c5b7ac8d847c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
8551d23a5ddd408fdcabd2852c59f661

SHA1
6b99ed990495de33cee460e3ad1b564a4d5b32e3

SHA256
d50f4b35b05dd9cb0f9dc22a122a677206213a69c1c9a122f1451378d057413e

SHA512
f12d65eb66f2c18ad95bd32225a6530c494dfdd0ae0e8e163d032d664e2ef565f9bda7d986011f84115a70029590da86fa275e418502c27afb0bffeb56ca606f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
0e1fee8c54559a85a959339b0232ec18

SHA1
52f0fc4f30b5e25f6fd72783632cdaa502db470a

SHA256
8336eb4684c7aa5e898069a85755a6df7d4a4faec5d251a759bdc76e0b45ab0d

SHA512
1fa5d1bd8df105ae225be1d90398d9bc58f044b762be25ae1fc1587b6fd1a0381974f1b29fac09675571eebfbebf2f04d026482eab0c48d170f9107f903427dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG

Filesize
335B

MD5
97a7aa9821a7bf45e7a5018897e3bd97

SHA1
b4304e44390949fb4ccb8ec43f93b7b05784b98e

SHA256
582649546279cced44f2c7b33b55bd0527f1f36fb3911180ede5cfca6ba34288

SHA512
12aac277de91240993586fa965df1beb91fb2601ffb88e7de2e3d9c923b20db4405d1785a6686d8753f6d6e2cccb28c6340630fb3132854a406870ae31ec8aeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
528dd941716b22a0ac0b0cf823bb1c1f

SHA1
50da2ef73727a4489856741e0b9bb334f3bd5125

SHA256
54b3b7c3debf4ca9a5eaa52e64dc2aaa800632576b0ca0f1f490b6f2542063fc

SHA512
f1ccc15b37910a07bfcd1af61cc3dadb3aa9d0cc6f422d027792648241eb6bdf65aa0979c2ac0208589f3ade1a631ea263e75e76ce4d7ce71fdf28b34890411f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
a5dd16d438373b53e1e2647ec9f7e06c

SHA1
c4bbe9da7a0d6575b7aad9b65ef802ae74ab76e0

SHA256
a0063cc15a116a54fad32850b04a34b00ade5c8d1576d8e27ef061c283e25db5

SHA512
86dc8c852a5c747e38dcb971f333a849414506c11481f6597a909221870ec1db0a8422ce48c4582be0e3788231566c9a750861587c5e65802be62629206d39e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
25KB

MD5
aeb94b75890d0915dbc40509950f2ced

SHA1
b4cc73c0415d762c6473200bf6ee3107673ea18f

SHA256
408aa35ee456190fd25e4d7652d0893accb09f8961d12cb1554bd21990b12fa0

SHA512
504e9e9a783ce756ae6cf1a95a6730be274cd39f2e2b0ebce5b4675409cc66b665f3289b0c6bc035fa23c5d0410f89127ff7218c56edc05b31fd3c548f259e3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
20e84458384eb32c2c35b39c58100860

SHA1
d7f254990006476daff99d81111536c6aebf4c5f

SHA256
d14eae322faad6797a8a4f2330e14351ca14a6e1a27c8e76d4bedbb729e71ab2

SHA512
eda03749005b6b3977610377e323d9e446949b534159de79038f5243c625988962ab467828611ed4a57615992302e9d7360d483ba1a34d2d9133d07ae1d96e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
228KB

MD5
67d8978b5c75634e683668b031138c15

SHA1
531aa413831f71e36a2ae2e5ead2e3a4bcced0f5

SHA256
09cdfcdb44e904915002742b986a339f201418ea774db8268a7ee209f2701a31

SHA512
afb48b104d8911fa85bd3f4bf33f4c73b818f46306bcfa9b573c6fb62d0925b81604cd04f7dbff74f68b9014e37332674475d9ad5c0ee5f13ebefce22cbc48b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\default_cloud_config.json

Filesize
13KB

MD5
cf9a0cd1d5f9c8cdeb87ef3f7d30d15c

SHA1
c543e62aab24c205db6014414161c13375e9a71c

SHA256
b24f36278e4c85a8fcd66021d48c69d6b07be605673e02f0fe185bf3319f47f4

SHA512
39ad5c5753e5398906b94ab039d2eae7fe420fe35a53f190bda84d4f9262f3b14841cdf4ec76cdbff6a4578a26ab1e6c4b11ba326ec8cc38a2e2904a6f2c0d8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\favorites_diagnostic.log

Filesize
2KB

MD5
159651755453de50abbc33df2f40db14

SHA1
94c4577554e641131da05d9e293a421a0bf1fe37

SHA256
dbb11d08e17c9d575a6897c020b8274dc877876a7e5aa229d4a10924d10831fd

SHA512
9a18428cbef0000d4192f086e21cd7d8d87a8d7a05c43cf809dc927fdc8cffd1af0a9d0c78605698b22414b6dd8293e3b3f95fb6a1f061793e46538e835beb21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
13KB

MD5
f3576eb3a5703dd2008b80d7a3135e36

SHA1
e5a090a196544da89b37f743158d3fec1e93012d

SHA256
01379fcde1119585f0a6aec0355f6e4d1ff25bf58487d78a46821099f97f52c7

SHA512
06439c3b0db57e70e092e1c4a8f074e6996bc318e8085881fb126e59598d4e5cc79c79b2a9ec40812a08850108a36d651a22f1126a0791a10e360af17c285d6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
876eb486b77b0854016ea5ad27e67d66

SHA1
42292aa33575cf1c187e9da2c4d052d2f5a0dd13

SHA256
1665967fa0d197f5a2cdcfb4c0884c8da61a0bbdd36cc43ad726966a14df46e5

SHA512
de2bf94b6104e12b6460845a606770f51a331a14e23025b820102e0c14634070a14ff3d72fe0c0ed6b11f81e9de60b0c7e527252765a49f8eb150ab07cdc33a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
1KB

MD5
3928cfea2a76c39f0be2afb643c3f018

SHA1
f8da14ab6718b0aae4600458038eb4bcb6fd53c9

SHA256
1452a2ac36084599e1af6fa98c37fc6fcfdaea8514a79440cc84df779707dde4

SHA512
c6e4a35340feade4828b575d51e7937eafe6b56c878105f3cc7cbfc0d2fe026e24584e1bf5322a8d9f6ae1e879c243835d6dcef138c31f939ba1b6b3fab904e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
a658f9b1aff8da60e845dacc047c16d9

SHA1
ad4b4c0147ce1e58afa6e8067c371bb96381abae

SHA256
c5f5595b17ee67a938c308cd1efa5600ae6008be0f324251e6165fa207a0e0a9

SHA512
69f44409cf9c770102098a34c68394cf7917708c7a4a30e8049b28c05955bc564fcc7c5b05e9505595364f34946cea759490781f013dadd5e6c69cb323fb61fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.3.10\data.txt

Filesize
113KB

MD5
60beb7140ed66301648ef420cbaad02d

SHA1
7fac669b6758bb7b8e96e92a53569cf4360ab1aa

SHA256
95276c09f44b28100c0a21c161766eda784a983f019fc471290b1381e7ed9985

SHA512
6dfa4eca42aea86fba18bc4a3ab0eed87948ea1831e33d43426b3aca1816070ecb7fd024856ad571ca2734214a98cc55e413502b3deef2c4a101228a7377e9d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
469B

MD5
3268a88ed024ac6157d488169ccabafb

SHA1
52a706256c327546b68fbea4678e0e8f7c2a66bc

SHA256
631bba310060f71729e8d7fbf770b4533e38bc42004c4554de4371f43bcef04b

SHA512
f1324c258e922514908e11890947c280cf28b3fe719b4ce993276ed6024fbfcf1ff9aff48bbbd9e175b9b6db155346da1224211ecbfa01fd2d30ff9a54dbddc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
904B

MD5
1ee168aaf06df2b437576cd65f82adf6

SHA1
5efd34388df565ad94ed0d8adedcd51c339e7c21

SHA256
bba0bd5d1e15b9f9639465fe18622fe1c7e9e1bf20a76f128797d5fecd50a45a

SHA512
fe82f5d4fcb8736522157b6e00cc75dcd8d9b6c605fcab75c71d6295055dc8cd4ead38d767a9d1efdd4d318f85abf931bfc284f3599256d09c433b64a773f813

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
20KB

MD5
2cdfece0788f6e154cd2ccd22dcdee47

SHA1
923eac554d377a5321290e1e0c4e6c36f3be286a

SHA256
131f32b9fcce311b1cc6da56250cb9c950d3a29a96211f78143bd80f4e8d5357

SHA512
1c768b1e138e9ff6de25fd91ac738b1cf4142b28b42052d31bd0b998e8a56ec35156bff1fce2bfb26ca59ffb3235821ddbb8313ba5f6ba29fd7c183cf1b570b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
22KB

MD5
3f8927c365639daa9b2c270898e3cf9d

SHA1
c8da31c97c56671c910d28010f754319f1d90fa6

SHA256
fc80d48a732def35ab6168d8fd957a6f13f3c912d7f9baf960c17249e4a9a1f2

SHA512
d75b93f30989428883cb5e76f6125b09f565414cf45d59053527db48c6cf2ac7f54ed9e8f6a713c855cd5d89531145592ef27048cf1c0f63d7434cfb669dbd72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\data_0

Filesize
44KB

MD5
2ba2265228e7a1df4ac637905f880374

SHA1
8c2a88ab942babce70deba73510d0777a89b19fa

SHA256
c0fdfe49860fe7bf2477073e6c83a2f9025dbec90f8dc186cb006afa0391dde1

SHA512
db93d7c706f75d1cad4a03b05982afcc57c06bef1982188aed56e6b1da7916d5c05eda9ad33dd10dc05abad44c56dda578934ed3719dbeee5c37a36b53be12a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
ed260a48d9c6eee4d9dce8c7bdf8b718

SHA1
3f33a931a1a8c4613ed79efde623fa0d352915bf

SHA256
8dc728fd875c56c2e615d35e6a9c5b32ac5110478b94a60f62342f6cdba36b82

SHA512
08683ad67aa8e5cc9d810e677b9b4b2aac2ffbfe832fea0eb800ac1a88bbaf5135f91a8cc1dc9969a6b26720fea5bd97411e8a652c0e3c086476045d25573af8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\data_3

Filesize
4.0MB

MD5
6b9a6cb563b0253171e7a3f29e492feb

SHA1
1621373ec3032629e1a434de716edb330a54e24f

SHA256
ceeaae8c3e00606121eccd939d6398c815da2347c561b8121af831ce10b92238

SHA512
2efa44a8dd540662b7a1f465a6d209b5e51f20836ca7531c6e7bae5f9c1637e24311a4413c2ed8bae0a0e222e48ea57af2e1d549471b4019512a5ca374b18099

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GraphiteDawnCache\data_1

Filesize
264KB

MD5
a24953b705e4ca47973319ba5af3845f

SHA1
4f4d71fbff46695f283afbfe49900923f630ddab

SHA256
89cd36e789df95adfdf1d82d5ec31932c2c6aad192b20c0242d7a48d3ffe57d5

SHA512
59be215676419be7f60715c1cdb76c91cb6e2f777c23d05c2fdfaacb496d33313642e90ec817bd68d1d4ef6d04303bf3656c92749c8959d1b3069c01a2825e18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser

Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
13B

MD5
3e45022839c8def44fd96e24f29a9f4b

SHA1
c798352b5a0860f8edfd5c1589cf6e5842c5c226

SHA256
01a3e5d854762d8fdd01b235ce536fde31bf9a6be0596c295e3cea9aaf40f3dd

SHA512
2888982860091421f89f3d7444cacccb1938ef70fc084d3028d8a29021e6e1d83eaef62108eace2f0d590ed41ece0e443d8b564e9c9a860fc48d766edb1dc3d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
cea17656d79ccefc9ec940ad3abe5da7

SHA1
2d4bb38f379f417342962b6c44d40c09c444e8fa

SHA256
080d766246925c4e5e0cc886895888119a6f36ed53fa3bca05e0f09f81a40664

SHA512
91b7e1490ae6e8095b93253acaae074eea6a6c7616057a88155fb31743c55798cc85342ac7b2c0ad0b30294f636e14ffd94f8c9be60182c4ff1cdd0bf50bfcbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
00779aab6c8ee4acdaf439e27cbcac5d

SHA1
06b3d5eba465854c51fc72a396076593b7a4b642

SHA256
540156ed00ee0963ebaca1fd7449199d204c8a9c3cd62749441be9e3d5ae89ef

SHA512
64f32370f3caec5f5bb50fdfbe342bb415559bcb09135129a7455d9cc787e8f1df86de643d2b701c193cab61c31303b577de4a06c00a11c6e0ae4a9be5d6608d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
6564eebfb8d62fd1a438bf3c73e3c1ee

SHA1
5cb05b313acc96a664606e5b44956ca58df050eb

SHA256
e3727be1077810fe3fcae07b05419e6657d95535ed2a466cc99b8a0aa32e8f07

SHA512
cb18e6473c7f62582cc221c5db189d2ef8ebf0f15184475f7ca7f0819fe424db68c774f362138174e682f15f7d6bced26ae973e749aadc6e9ba9d76b2420c058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
00782626e31923272d6ffcdd45288cce

SHA1
e2f3624368dfcbd82ccc1a324b29cef130876387

SHA256
522bdfd76e8738d211f7a3b1d58ddbd75a3f6779d5495faae3166e66b7310113

SHA512
d5baa379fd5b6f66cb9e060a794ed71696e6875c0bcd2963d346b0c1d83ba7d2ec8b98b5629ce0ed47b38ed56db0558cc5d2b39d1773a5a2ce40bf8388270ab1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
24cc8471ae9843cbea75e968be757557

SHA1
cadcce6edbbd2ec3d76a66568205d3cdac96b348

SHA256
d112d6215e351d1ea669d65fdb91564e2ffc2297160400c7c18c961707453d3d

SHA512
b96eda3c0ff309ea7226e7ff2df2a3d35c6894594d89e674fca4cb2aaf52cd4cdee2c33a11c68ce57aa7200b855df8d3d5d51423985ff1635c98b0fdcb9ee1e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
b0c6d68a3052b13fe6210b961f3f4c47

SHA1
ff7cc39198e3cdfae9483540cfccb9e26f155b4a

SHA256
4e6004b6f5882d53343ca54b9a920ff647e8dcb57978b7266e2f1c8e3d39a8aa

SHA512
96d1ea2cad572c3d13eb07c10babbbac48a554998c2bdbc30c6f0d8325f76ba47247118c42030eb7f28a71c6e621783b9574badcc5944aee3b0feae7c603cdc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\crs.pb

Filesize
289KB

MD5
2b59269e7efdd95ba14eeb780dfb98c2

SHA1
b3f84cbc37a79eeecb8f1f39b615577d78600096

SHA256
ff2ced650772249abb57f6f19c5d0322d6df22c85c7cf2be193b6134e1b95172

SHA512
e4b454db2248021e0d198805ea54f1c0cfd84b9716a9348b1d0e0acb7c6fb5dd0839e532a5eb6d4410ab759d6688dd6cce8375ad55a150d738d280993142e9d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\ct_config.pb

Filesize
8KB

MD5
811b65320a82ebd6686fabf4bb1cb81a

SHA1
c660d448114043babec5d1c9c2584df6fab7f69b

SHA256
52687dd0c06f86a2298a4442ab8afa9b608271ec01a67217d7b58dab7e507bdf

SHA512
33350cce447508269b7714d9e551560553e020d6acf37a6a6021dc497d4008ce9e532dd615ad68872d75da22ac2039ef0b4fa70c23ec4b58043c468d5d75fd81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\kp_pinslist.pb

Filesize
11KB

MD5
0779206f78d8b0d540445a10cb51670c

SHA1
67f0f916be73bf5cffd3f4c4aa8d122c7d73ad54

SHA256
bf0945921058b9e67db61e6a559531af2f9b78d5fbedb0b411384225bdd366ec

SHA512
4140b2debe9c0b04e1e59be1387dca0e8e2f3cbc1f67830cbc723864acc2276cde9529295dcb4138fa0e2e116416658753fe46901dfa572bdfe6c7fb67bd8478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1

Filesize
264KB

MD5
348839a6c49d1908e7db14cfc4370eb8

SHA1
2d93865336bcbdf96be8a8c199004719f2991c37

SHA256
d46c403c1654ca8149b6c8ad93c173df536a24fbbf6ea9f74fe49cd12d3adda5

SHA512
e6b6cc5245bfaecfb86cd5f03bc4e5e5363bb097a1594135bf6ed586194f674b3e4901fc7f5e3efdf066d7d62c1d06cf892dd68b6d3f7ea110b99146ef132050

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Unindexed Rules\10.34.0.76\Filtering Rules

Filesize
1.8MB

MD5
d7c9c6d2e1d9ae242d68a8316f41198c

SHA1
8d2ddccc88a10468e5bffad1bd377be82d053357

SHA256
f215127185b2ee6b01e12b6ca75d3e5c4e454598dd4aed36124ae13d59afd547

SHA512
7fd14824e9200dd99e1fd2cee402656dc0cfc3d0a60058c5eb05c68e9e65b7f0b47e550fb4d6c2b59eba204dbf3ef9e69dc9723b43a9b3ccd5412d6b77715fc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Unindexed Rules\10.34.0.76\LICENSE

Filesize
24KB

MD5
aad9405766b20014ab3beb08b99536de

SHA1
486a379bdfeecdc99ed3f4617f35ae65babe9d47

SHA256
ed0f972d56566a96fb2f128a7b58091dfbf32dc365b975bc9318c9701677f44d

SHA512
bd9bf257306fdaff3f1e3e1fccb1f0d6a3181d436035124bd4953679d1af2cd5b4cc053b0e2ef17745ae44ae919cd8fd9663fbc0cd9ed36607e9b2472c206852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.4.14.1\typosquatting_list.pb

Filesize
626KB

MD5
cd8f0547b4d0459fc40caa32edd2ae48

SHA1
f2a2267b07c94eee76441654294d4bee793913fa

SHA256
b7ced53d106f852e82076b850fe7794ddeaeaf137818339b95a35ffc170277a7

SHA512
0f1790dd996e27dbbf75a6520279941dcdd002429595e02646ceddae317f87fe34ca01049735ed753904ceccc1ecc24080e22c34ba6343ebb155c8e7a89085d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Well Known Domains\1.2.0.0\well_known_domains.dll

Filesize
572KB

MD5
f5f5b37fd514776f455864502c852773

SHA1
8d5ed434173fd77feb33cb6cb0fad5e2388d97c6

SHA256
2778063e5ded354d852004e80492edb3a0f731b838bb27ba3a233bc937592f6e

SHA512
b0931f1cae171190e6ec8880f4d560cc7b3d5bffe1db11525bd133eaf51e2e0b3c920ea194d6c7577f95e7b4b4380f7845c82eb2898ad1f5c35d4550f93a14b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\first_party_sets.db

Filesize
68KB

MD5
c485b2f56d3cd9104905a14de0e6f3ed

SHA1
011c8a86414ef18a36d5501534fd2cad5ae63011

SHA256
7f456393457a1aa02eddc37069d74a0a9e19062086a66333763c8127177c5c9c

SHA512
7347e4ccf623cc2f3bc05cfe15906e212bd2a1631dbef1cad20dcd8179b7d0184b1f6332116ee9b42f75ebfcdc36aa2dcfcb210c1a31bbcd5bd50a2c1db55498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\first_party_sets.db-journal

Filesize
512B

MD5
9cef8fa8fb2786b757f37459e41c3b2b

SHA1
a66036a0352bbeb8cf1a17a3de0574dff823ea58

SHA256
4cef217c5491b09fb702258871a0bd782cf00ccc1f64fc127e75908cdd8af59e

SHA512
90176cfee4a861a684e7f6461e795e8c63d2b6cb73bc38e9b6b70b9974d1bbfa94cbf1bca4ef5582bbf85386f15722499c891d46c3a60b4460c37becee4a57e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
e31ecf3d3cab62fd251bdafce588d517

SHA1
2f455f931d6e1e515baf863b911cabc9e29b8aa8

SHA256
37fe021ee3d62e315c40df00be7b36560090992c4785fbc4a4810d002bcc0ca1

SHA512
c08b53d4881b311e2ba24084daa4b3adeac172bd7f5fbf37361f8a7861e5d3cf665fa786385df2883e0aa0a65286e526a130ee68742f367b3ac30ea89321bbbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\8b0d4544beb97a69dbb9583fca5575a9aba6e37d.tbres

Filesize
2KB

MD5
869f7a3253742b4ff4327cabafaaad51

SHA1
8cddd5303f660b199ba2ce1f3e074cdc855151f1

SHA256
bd15804c51496fb06fcc37250c2de3ed200964a43d03dc7fd4ac7fef74dad1ec

SHA512
a90eef9847edd167f9e4675f215c69b89f40b00f46c023611bedbd8b3f1a7d5657e9b06245e19a836c3bebf11dfa60b6b2ec89c8c0d1bfc93a3421563dc9d4b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO494B480A\archive.7z

Filesize
16.9MB

MD5
ebb56b8a9b8bc63b55ce8d18af8eab2a

SHA1
a9ab905180135f68d215f49b6d57471df6b5569f

SHA256
d7b5f30caa3f18578760d50ea5823254848c4f42561523b186ed89436f6bfa0b

SHA512
71fde81ba34976ce0524862583aba10c25f89d38846ebc125b615ba2b7fb09b88723f1a2545169b3726ff0ed8a4cf05e9d35619a376bd1f2cc2312bd48417ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\American

Filesize
76KB

MD5
b34eab583b3e9b0b78ec96a92bb9a1f7

SHA1
fc33afa7caa5da19058bf65b28cb0ed912a5fbb7

SHA256
c3e5384073f8f66b4dcc0d3303c7c138c181b9226e35121f760ffbe4068f4d23

SHA512
a16561d24e79f97d18928f99ffc29821909a34f0ca264a1940a9baaf17da3d9cc6bccf6beb19bde61e0aec9440ecd2fd825e28138d70d2f4936d1be167f5d01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cv_debug.log

Filesize
2KB

MD5
bcd066e117d2c7ed8de61593dca66c8d

SHA1
4315e2a8ac68ae03cfc3995d9405a96c45467ce7

SHA256
c3759c6741e12686b0a6657d9bdd5ad595b7853e1fe0e29708f484f40a3804dd

SHA512
f37a9cefdb0637e805c47a225cb2e1c0b90438ff66097f0e04b724a72888553b0498f3f1ba6d40e87d6e77a917ef8b58d1f8c618764e13988b00811a3c13f19e

Download Submit
C:\Users\Admin\Downloads\arch0408_0224.7z.crdownload

Filesize
16.9MB

MD5
820ef22a10dbfb06206b3edd168f27bb

SHA1
b2e88bb8847d00a95505044d2c1944da034786b7

SHA256
9c99a6e0e4adda488a810086986a1336f25283a85f9a1dc5f6d1358d8e639df2

SHA512
7820e7a4ca4de384430f0130446a851704230fa5b05c2d9cbf82fb55ab36d2d2646ef9bad38742a12a3b38f5a02ed27c02f51a3fe1723d3a4b6bfc63c0c8e970

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/2064-1299-0x000002179B370000-0x000002179B51E000-memory.dmp

Filesize
1.7MB

Download
memory/2064-1300-0x000002179B370000-0x000002179B51E000-memory.dmp

Filesize
1.7MB

Download
memory/3136-1105-0x00000186E2AA0000-0x00000186E2C4E000-memory.dmp

Filesize
1.7MB

Download
memory/3136-1104-0x00000186E2AA0000-0x00000186E2C4E000-memory.dmp

Filesize
1.7MB

Download
memory/3136-1090-0x00000186E2AA0000-0x00000186E2C4E000-memory.dmp

Filesize
1.7MB

Download