umbral | 0b93fd8f66072d586f07f21dfb6ced11e56f699ba3d860d42e91ae1cfea4d3c9

Analysis

max time kernel
664s
max time network
680s
platform
windows10-2004_x64
resource
win10v2004-20231130-es
resource tags

arch:x64arch:x86image:win10v2004-20231130-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
07/12/2023, 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Captura.png
Size

5KB
MD5

34f29d29c7d0414604eb4828fdc599fc
SHA1

18560eb4061e00bfc21c2cc2561b1721a126bbe1
SHA256

0b93fd8f66072d586f07f21dfb6ced11e56f699ba3d860d42e91ae1cfea4d3c9
SHA512

14ae72fe6b69a2802e3fa60bf2bcf71179f6b20b649e265e70bc3a62fb6da42ce89ff9d20f5d604e71ab37ff29fe6ce9cb56556b01513c755a59ae9cb7255ebf
SSDEEP

96:pK0W4pDkqkJbt/nLHoO0rysgsUWk0d3AT958/H3RnyW24Lndw/2RNDsiYwE919Fn:XW4pYqct/LHoO0rysNUWkJ9585UJANDi

Score

10^/10

umbral xworm rat stealer trojan

Malware Config

Extracted

Family

xworm

owner-cc.gl.at.ply.gg:32281

Attributes

Install_directory
%AppData%
install_file
WindowsSoundSystem.exe

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000002312e-1087.dat	family_umbral
behavioral1/memory/2336-1101-0x000001FBA45F0000-0x000001FBA4630000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023596-1096.dat	family_xworm
behavioral1/memory/632-1103-0x00000000000D0000-0x00000000000E6000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSoundSystem.lnk	MediaFMPEG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSoundSystem.lnk	MediaFMPEG.exe

Executes dropped EXE 11 IoCs

pid	Process
2336	MediaPro.exe
632	MediaFMPEG.exe
1360	WindowsSoundSystem.exe
1324	WindowsSoundSystem.exe
4700	WindowsSoundSystem.exe
4808	WindowsSoundSystem.exe
3048	WindowsSoundSystem.exe
5036	WindowsSoundSystem.exe
3324	WindowsSoundSystem.exe
6044	WindowsSoundSystem.exe
2292	WindowsSoundSystem.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
633	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4496	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-423100829-2271632622-1028104103-1000\{BA5DA945-EAB6-4E0F-A2A8-54326E47533F}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000_Classes\Local Settings	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1220	msedge.exe
1220	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
5396	identity_helper.exe
5396	identity_helper.exe
5364	msedge.exe
5364	msedge.exe
4556	msedge.exe
4556	msedge.exe
2256	msedge.exe
2256	msedge.exe
4272	identity_helper.exe
4272	identity_helper.exe
6100	msedge.exe
6100	msedge.exe
3656	msedge.exe
3656	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeTcbPrivilege	5056	svchost.exe
Token: SeRestorePrivilege	5056	svchost.exe
Token: SeManageVolumePrivilege	5376	svchost.exe
Token: SeDebugPrivilege	4524	HWID.exe
Token: SeDebugPrivilege	632	MediaFMPEG.exe
Token: SeDebugPrivilege	2336	MediaPro.exe
Token: SeIncreaseQuotaPrivilege	3052	wmic.exe
Token: SeSecurityPrivilege	3052	wmic.exe
Token: SeTakeOwnershipPrivilege	3052	wmic.exe
Token: SeLoadDriverPrivilege	3052	wmic.exe
Token: SeSystemProfilePrivilege	3052	wmic.exe
Token: SeSystemtimePrivilege	3052	wmic.exe
Token: SeProfSingleProcessPrivilege	3052	wmic.exe
Token: SeIncBasePriorityPrivilege	3052	wmic.exe
Token: SeCreatePagefilePrivilege	3052	wmic.exe
Token: SeBackupPrivilege	3052	wmic.exe
Token: SeRestorePrivilege	3052	wmic.exe
Token: SeShutdownPrivilege	3052	wmic.exe
Token: SeDebugPrivilege	3052	wmic.exe
Token: SeSystemEnvironmentPrivilege	3052	wmic.exe
Token: SeRemoteShutdownPrivilege	3052	wmic.exe
Token: SeUndockPrivilege	3052	wmic.exe
Token: SeManageVolumePrivilege	3052	wmic.exe
Token: 33	3052	wmic.exe
Token: 34	3052	wmic.exe
Token: 35	3052	wmic.exe
Token: 36	3052	wmic.exe
Token: SeIncreaseQuotaPrivilege	3052	wmic.exe
Token: SeSecurityPrivilege	3052	wmic.exe
Token: SeTakeOwnershipPrivilege	3052	wmic.exe
Token: SeLoadDriverPrivilege	3052	wmic.exe
Token: SeSystemProfilePrivilege	3052	wmic.exe
Token: SeSystemtimePrivilege	3052	wmic.exe
Token: SeProfSingleProcessPrivilege	3052	wmic.exe
Token: SeIncBasePriorityPrivilege	3052	wmic.exe
Token: SeCreatePagefilePrivilege	3052	wmic.exe
Token: SeBackupPrivilege	3052	wmic.exe
Token: SeRestorePrivilege	3052	wmic.exe
Token: SeShutdownPrivilege	3052	wmic.exe
Token: SeDebugPrivilege	3052	wmic.exe
Token: SeSystemEnvironmentPrivilege	3052	wmic.exe
Token: SeRemoteShutdownPrivilege	3052	wmic.exe
Token: SeUndockPrivilege	3052	wmic.exe
Token: SeManageVolumePrivilege	3052	wmic.exe
Token: 33	3052	wmic.exe
Token: 34	3052	wmic.exe
Token: 35	3052	wmic.exe
Token: 36	3052	wmic.exe
Token: SeDebugPrivilege	632	MediaFMPEG.exe
Token: SeDebugPrivilege	1360	WindowsSoundSystem.exe
Token: SeDebugPrivilege	1324	WindowsSoundSystem.exe
Token: SeDebugPrivilege	4700	WindowsSoundSystem.exe
Token: SeDebugPrivilege	4808	WindowsSoundSystem.exe
Token: SeDebugPrivilege	3048	WindowsSoundSystem.exe
Token: SeDebugPrivilege	5036	WindowsSoundSystem.exe
Token: SeDebugPrivilege	3324	WindowsSoundSystem.exe
Token: SeDebugPrivilege	6044	WindowsSoundSystem.exe
Token: SeDebugPrivilege	2292	WindowsSoundSystem.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5140	RC7_UI.exe
5140	RC7_UI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 4504	3032	msedge.exe	106
PID 3032 wrote to memory of 4504	3032	msedge.exe	106
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 3244	3032	msedge.exe	107
PID 3032 wrote to memory of 1220	3032	msedge.exe	108
PID 3032 wrote to memory of 1220	3032	msedge.exe	108
PID 3032 wrote to memory of 1836	3032	msedge.exe	109
PID 3032 wrote to memory of 1836	3032	msedge.exe	109
PID 3032 wrote to memory of 1836	3032	msedge.exe	109
PID 3032 wrote to memory of 1836	3032	msedge.exe	109
PID 3032 wrote to memory of 1836	3032	msedge.exe	109
PID 3032 wrote to memory of 1836	3032	msedge.exe	109
PID 3032 wrote to memory of 1836	3032	msedge.exe	109
PID 3032 wrote to memory of 1836	3032	msedge.exe	109
PID 3032 wrote to memory of 1836	3032	msedge.exe	109
PID 3032 wrote to memory of 1836	3032	msedge.exe	109
PID 3032 wrote to memory of 1836	3032	msedge.exe	109
PID 3032 wrote to memory of 1836	3032	msedge.exe	109
PID 3032 wrote to memory of 1836	3032	msedge.exe	109
PID 3032 wrote to memory of 1836	3032	msedge.exe	109
PID 3032 wrote to memory of 1836	3032	msedge.exe	109
PID 3032 wrote to memory of 1836	3032	msedge.exe	109
PID 3032 wrote to memory of 1836	3032	msedge.exe	109
PID 3032 wrote to memory of 1836	3032	msedge.exe	109
PID 3032 wrote to memory of 1836	3032	msedge.exe	109
PID 3032 wrote to memory of 1836	3032	msedge.exe	109

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Captura.png
1⤵
PID:4936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe451946f8,0x7ffe45194708,0x7ffe45194718
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,9221265516554592758,8444777312605452677,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,9221265516554592758,8444777312605452677,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,9221265516554592758,8444777312605452677,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9221265516554592758,8444777312605452677,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9221265516554592758,8444777312605452677,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9221265516554592758,8444777312605452677,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:5124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9221265516554592758,8444777312605452677,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,9221265516554592758,8444777312605452677,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=3424 /prefetch:8
  2⤵
  PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,9221265516554592758,8444777312605452677,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=3424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9221265516554592758,8444777312605452677,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9221265516554592758,8444777312605452677,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9221265516554592758,8444777312605452677,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9221265516554592758,8444777312605452677,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:6116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9221265516554592758,8444777312605452677,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,9221265516554592758,8444777312605452677,131072 --lang=es --service-sandbox-type=collections --mojo-platform-channel-handle=5276 /prefetch:8
  2⤵
  PID:5772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9221265516554592758,8444777312605452677,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,9221265516554592758,8444777312605452677,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3204

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5056
- C:\Windows\system32\dashost.exe
  dashost.exe {25f17e54-0e24-492b-bce72da4dfa0a194}
  2⤵
  PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:2732

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:5196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe451946f8,0x7ffe45194708,0x7ffe45194718
  2⤵
  PID:6008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,2205575682581517800,15640740535546813567,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:5884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,2205575682581517800,15640740535546813567,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,2205575682581517800,15640740535546813567,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,2205575682581517800,15640740535546813567,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,2205575682581517800,15640740535546813567,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,2205575682581517800,15640740535546813567,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
  2⤵
  PID:5304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,2205575682581517800,15640740535546813567,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,2205575682581517800,15640740535546813567,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=3600 /prefetch:8
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,2205575682581517800,15640740535546813567,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=3600 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,2205575682581517800,15640740535546813567,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,2205575682581517800,15640740535546813567,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,2205575682581517800,15640740535546813567,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4400 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,2205575682581517800,15640740535546813567,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,2205575682581517800,15640740535546813567,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,2205575682581517800,15640740535546813567,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,2205575682581517800,15640740535546813567,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2180,2205575682581517800,15640740535546813567,131072 --lang=es --service-sandbox-type=video_capture --mojo-platform-channel-handle=5956 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2180,2205575682581517800,15640740535546813567,131072 --lang=es --service-sandbox-type=audio --mojo-platform-channel-handle=5772 /prefetch:8
  2⤵
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,2205575682581517800,15640740535546813567,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:5532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,2205575682581517800,15640740535546813567,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,2205575682581517800,15640740535546813567,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,2205575682581517800,15640740535546813567,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,2205575682581517800,15640740535546813567,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,2205575682581517800,15640740535546813567,131072 --lang=es --service-sandbox-type=collections --mojo-platform-channel-handle=2560 /prefetch:8
  2⤵
  PID:6096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\WinFree.bat"
1⤵
PID:220
- C:\Windows\system32\mode.com
  mode 100,20
  2⤵
  PID:5744
- C:\Windows\system32\net.exe
  net session
  2⤵
  PID:2648
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:1508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
  2⤵
  PID:4080
- - C:\Windows\system32\reg.exe
    reg QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
    3⤵
    PID:5928
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:4496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" ver "
  2⤵
  PID:5232
- C:\Windows\system32\find.exe
  find "10.0."
  2⤵
  PID:4900
- C:\Windows\system32\cscript.exe
  cscript //Nologo C:\Windows\system32\slmgr.vbs /ipk W269N-WFGWX-YVC9B-4J6C9-T83GX
  2⤵
  PID:404
- C:\Windows\system32\cscript.exe
  cscript //Nologo C:\Windows\system32\slmgr.vbs /skms kms.digiboy.ir
  2⤵
  PID:6128
- C:\Windows\system32\cscript.exe
  cscript //Nologo C:\Windows\system32\slmgr.vbs /ato
  2⤵
  PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\RC7\start (Run This to start the executor).bat" "
1⤵
PID:4952
- C:\Users\Admin\Downloads\RC7\RC7_UI.exe
  RC7_UI.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5140
- C:\Users\Admin\Downloads\RC7\HWID.exe
  HWID.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\MediaPro.exe
    "C:\Users\Admin\AppData\Local\Temp\MediaPro.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3052
- - C:\Users\Admin\AppData\Local\Temp\MediaFMPEG.exe
    "C:\Users\Admin\AppData\Local\Temp\MediaFMPEG.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:632

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\64af01902ffb433f8cd86172f8de497f /t 3744 /p 5140
1⤵
PID:5312

C:\Users\Admin\AppData\Roaming\WindowsSoundSystem.exe
"C:\Users\Admin\AppData\Roaming\WindowsSoundSystem.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Users\Admin\AppData\Roaming\WindowsSoundSystem.exe
"C:\Users\Admin\AppData\Roaming\WindowsSoundSystem.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Users\Admin\AppData\Roaming\WindowsSoundSystem.exe
"C:\Users\Admin\AppData\Roaming\WindowsSoundSystem.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Users\Admin\AppData\Roaming\WindowsSoundSystem.exe
"C:\Users\Admin\AppData\Roaming\WindowsSoundSystem.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Users\Admin\AppData\Roaming\WindowsSoundSystem.exe
"C:\Users\Admin\AppData\Roaming\WindowsSoundSystem.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Users\Admin\AppData\Roaming\WindowsSoundSystem.exe
"C:\Users\Admin\AppData\Roaming\WindowsSoundSystem.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Users\Admin\AppData\Roaming\WindowsSoundSystem.exe
"C:\Users\Admin\AppData\Roaming\WindowsSoundSystem.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Users\Admin\AppData\Roaming\WindowsSoundSystem.exe
"C:\Users\Admin\AppData\Roaming\WindowsSoundSystem.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6044

C:\Users\Admin\AppData\Roaming\WindowsSoundSystem.exe
"C:\Users\Admin\AppData\Roaming\WindowsSoundSystem.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
290B

MD5
288fed5fdea802521d99b32aa48c82da

SHA1
ae5f4e74959d7c6a7934b738024467c64ab9d3f9

SHA256
a38ad7abfc619603fb5c631dec4f363281d3957e901e5cb88f73492c1f8c48da

SHA512
8a6b4db1a375bd317fb752ed0300ad4450d8af2bb7c0c771c29e4dfddaf7874cc23aea9f8f1eefd30285eac962cd10bdef21131fb7e9bbebd7dde585ee516cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
26f8219c59547d181c1f9070c2f5b050

SHA1
cbe34c1b41c0d86e1dff1a0bd82b6c803085a39f

SHA256
3f534bb6f67e07afe3baf85bf750122c2e00b86df6aa258e5752dc6c946fc2d2

SHA512
1600ed7fb809d9f4fd571b99e606ac92f0054f684b6b7a3b72ede39d5edaf458cf551c568ca1bf967326bfbdaf2f7178906fb8d15d82c52049fb6c74205c9f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3348de02b433de65a69355ab38a14415

SHA1
352c620071783622d2198b14a7e575ba38fd0b3b

SHA256
47f4f66f9ad01c4d86025dd6f3dc9af7998effe05c5882f3678b93cce0e5405d

SHA512
0593035ecf468415b7256ba65dfe4a4f5fb34be2bfb3c3df63fa31d6e8912a8f44fa5a4180f02089bed4c43c39caa4fec1c9ff147152240a3b7af2cf11b3a62d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c23c5090f849ffb6582cd9c1a067dd02

SHA1
94cb86314adc8c09e691fc13488da33e6bbb0a8f

SHA256
60d3959e298419ba431f9962c73cdba100de3bf7e21103eefef01a4f8f358cfb

SHA512
68dd69dd8162a621caec5c188be3af8be3bcaefff7cb04b7fdffa2b2e04001a523a4d7fc96988011a37addadadb73d6966326eaeb58a42a2828d29169bee1c3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
26f8219c59547d181c1f9070c2f5b050

SHA1
cbe34c1b41c0d86e1dff1a0bd82b6c803085a39f

SHA256
3f534bb6f67e07afe3baf85bf750122c2e00b86df6aa258e5752dc6c946fc2d2

SHA512
1600ed7fb809d9f4fd571b99e606ac92f0054f684b6b7a3b72ede39d5edaf458cf551c568ca1bf967326bfbdaf2f7178906fb8d15d82c52049fb6c74205c9f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
a156254b75856a8b00c51acc1c57e768

SHA1
c1b54bbc84fe0d238aac9bac4bd82f01c0ddda24

SHA256
08e58d5eee13d9be18b168f126bfb0e61fea705dc2de1a0847fc6f2840670b30

SHA512
0586dce2bc64ad5031ae2cdca8459a9634f3f51ce62a6a03f9b082df13971b44023123031267ebaa7675945c635ea7c9eb1a4735e6208ae6c9df7c6afc41a002

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
3c3f0b6666358877aa96618a6030065d

SHA1
947d385ba25e928c9a9c250a12e1b0d5496a5cfa

SHA256
f7afbfbc69b7d0380ad3862032d4849067b712d1a97c47de2853b1c5683788f4

SHA512
2b142cddb2d9bfb6f544d0450bd6c0aee26c00492fdb7803b8219563add751ded18c5204f7363cc5cebaad05d5946717013f794609afe1c14cc44e420192af67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
9777469580b1a783f3e487037a59df95

SHA1
d14d4c1cdf7781fba70a47c611d3f120975fcfd7

SHA256
5ccee6c212263fe021769c03d40d1ae0d37cd4060191821ab0373ba858a1ddfd

SHA512
33d0c5dfe4395085bdd188ffa7bf1761f5ea33f095439d8e0328d5896aa916a641324ecc5af8e123d29e821a062698a3f3f99574d4c351e127d74acde4bb822e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
0f533b1f1d55b29b311e9076af3d093d

SHA1
2cae1d1a7e043dca6e515427680e7e9126a5f323

SHA256
be9c8338a59826eaad2c13733557a1eb139aaca4a08d452851319d51d2210ab0

SHA512
bafa4a59078f185c2e1def579c33fe2c2175264a88b4e9c1bc9921d29e5ed21bef9cf1e825d39b883ff42f68d49131169b62864f68d6751acb781a77b4a38f3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
19KB

MD5
5c3a971a62d1e324344e0b477c447dd4

SHA1
e2e2a23507221202bc9c37553e695091158c27f1

SHA256
85e0f7cfa1394977f89c817ea3810d597fdddf9b5778fe547f8a9929186a6d86

SHA512
948c2ae639a05364b53560c9cf1ce898b06b08f33c93700fbe1fdec00c2a57bedf71593cb995e2a6f940174baf170b545ed9b406f41e157a35f7ab8c1c2d07ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
d12c62e1997b1777777c2356b2f8dc7e

SHA1
ea8d69f413dec7964c4cdb7776dde6c63ae7551d

SHA256
2e0437234561d19adbcfd9f54daa8773e315f9e9e2595db69f6e58a4d5d9b86f

SHA512
c728a24560e0cd2230147244e0ee5d2a012bc6d6ffa90336aca971102adfbd995410ee0cdf2b450b339336c33fdcda75e73dfdf475c9b8e11e2ce7c0550112e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
801272bb4ef3df9454c15af490b0a563

SHA1
a2bd71fc7986c068af9651b952764bac4f51356b

SHA256
8583039a2ba05e7b34abd4511cef3b3d60421f9ae0e31f09eced1748c948f7a8

SHA512
f57622b1d6657a1e33cea4941b785ed6793b79ad75610bdeb42453d48b0aca8ea72693b41092d5c439b6f4eff391dd6e1a82894b958ac0b383cb6e78974d43ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
10b578fed7a5311518504e16b21aa10a

SHA1
f1c231f0d7361120adf2fd78c8274f83f4a68784

SHA256
bede50850e57573da71367245802dd87449eeb119914ee1cb9e593e89dc7f33a

SHA512
bf2a4e12c5bb9f3fb4ef9e2887055d415815140cbb6ee86640c574889d1be8ba8e3946e038a9701610701c83b3f3d5cace16f87d68800bdbe32cb0db6afbaf11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
322B

MD5
57028fc186f1a238caae058f7f93ead9

SHA1
37450f3719cfdc57a28786599316b824ba628fa5

SHA256
18b31f8ad400ef4f01017e67e1790f7f326c7eaeb6dd47738b3534aa72752d82

SHA512
65176a112a48734d3f3a8c6dfcbb45232c2c77a43cb17f8881a74609162f7c8a78b08b0e3157aa57c4db5c84d61d71e6bb71409e8556f5c98e4d58614aa56dd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
24KB

MD5
6e1b9650b3b9f07e1e52af70efdab980

SHA1
1fc34b82029bee097fcd6910ad79df6989b08a7f

SHA256
68ff44524f1779f0fff0bc7f322d28ad98396ce617ac523613dcc48a45740e54

SHA512
76f295f7c79d4efb5e7437d43f43f134a25e7c4d2773f8b42e2573ef54b6cd873a750bdf06f0c4bfdb59e41ef8e2dd16fe66c649d58ef4eae71444462ab41fcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
3bbc193651e20000869c6eff6d30485f

SHA1
81033689d030d2cfe07bd3f7016c4ad37b3fa090

SHA256
6d5ca76b794b1eb87b05686e976466da4f7b6f32d036372c31e10211f0472196

SHA512
f1996fd520f639b79b660a7efa0dc176b78db18ddca90c085425310c15deb7dc59b078890d6265679740cee4f65a2d98e68e7b569bf97eb63c652e915ada550d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
bbc13a60e4a366435ee926756717a79f

SHA1
6fc240cdb7e776cc24e9fce1a6fea8358697d0e1

SHA256
6fcc5273ebd629ac5fcf5ab6c95f0e9cfbf27ad2704250e186f36776a4029912

SHA512
8c05a77d7c977f6bc184b3b5f1d0ad9df02a6d687ac2ca922016d3b065372e3211069699379f35eb813bd9a32e23f6103274c464401a1f07cfd5f4e547adc8e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
327B

MD5
00d212da089949f3a6985d0159650543

SHA1
afd4ffa413aaa06f79952b7157a330bf61af88b4

SHA256
bd55266bda270b42d0337bc930029a4a8874bab4c825e4cf674a911effb8d8eb

SHA512
4c1a01fc39194d253caa23148adb6619831fdfa43699b5b20bf8bc48aeefc27a48ae77c8dd695ccd52fe9fc82af7fbef6f3a568cbe6b214b3b1d5309cccda4df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
6ef88dc988425b54ac5ff841578a666b

SHA1
b3cbf24be9f8b25e0f4c2b32d6141b1ae3417a76

SHA256
0944674c53912bed757e2c2aa7b9e853dc610073eb36f3e9390f8054096d0ee0

SHA512
04fafb5aae974ac10af41188d9fc7ec302733d47b57870f154bec98337363f68f8be200cc2cf05951699eee3794171fe7369ef43315e04f153e2e77161c2bc56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
699B

MD5
450f419a5a8b4b4e7a9d2d569df8cae1

SHA1
81370d605ba5672b54ee1949b73289ef6a8c10bc

SHA256
2852ee8bd67d6f9ded93fbfe429b8c01800275c3452010be92076e52f793dd52

SHA512
f408d622608baa4faad6bda2ef2eebb4ee4d9efe7ec4f895a6050cf92b6741f4fe5e8fd542682184036b1bada61382fd2cc40ab0f82acc530718bcc5ac539883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
699B

MD5
450f419a5a8b4b4e7a9d2d569df8cae1

SHA1
81370d605ba5672b54ee1949b73289ef6a8c10bc

SHA256
2852ee8bd67d6f9ded93fbfe429b8c01800275c3452010be92076e52f793dd52

SHA512
f408d622608baa4faad6bda2ef2eebb4ee4d9efe7ec4f895a6050cf92b6741f4fe5e8fd542682184036b1bada61382fd2cc40ab0f82acc530718bcc5ac539883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
f388491aee2f3e67b92774018b4a4a68

SHA1
3002bca4e09871eafe43a1029161e6c8a0c8dc84

SHA256
05403782ea2f346f4c34f5568e3b1084f6f389efabb774c03cac2a76fc70d3eb

SHA512
d541623b58bc3aa7b2eb8cf2fd42c973afc8e2b09a7038e0de0b829c3c4c9451c3bfe0c94313332a37224e40f2c27a285a79d8216237ce0af76ff3d0fbcb28d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
1fe5b112cb68b4b538dd393d8a469823

SHA1
3f12515ac280cebb5f82b051fa7602f000f052e0

SHA256
fd3a1249f6ce6e6d5d26b9ef5319f1d82eb198c513941a96ef4ffa0a957da922

SHA512
d316094a0fafe84de04abdc4cd06ec763721da92f7d7a7d4c9c07e62336f6ff043ba60ddf9222a9320b51d26d9616ed2e6352b202123fcfaa4b43361eaca343b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
85d9647fc404f437a7abd68c3be0bf7e

SHA1
dcf768c4312c45d2a2e7b9cdb1b80de6aa20666c

SHA256
a9eca1e788230f27409ddccd7fa3e1a900424f415198a4fcb51e329919958b55

SHA512
6b0801f9103564f11e3878148d2569e3980d42a9540ae3148ca4787286e94a790da30444894f756504bfd73e86889560c4e6be82b7f0327bbd6c3e04667a822d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2955d524e2f305735bcd5d38a6b57c12

SHA1
91a49442f57c8ecb745b09b80e7a4ff819b5f641

SHA256
8ea786260a35ef5e08557b2e3906629d5b4d3b133d72951aafc1c8c8ff0fe52a

SHA512
c6281e2ea3c0ee78c1388ee2fd7cf5c2acfb63d21ca59df9f98c1f328d70b0f18d0af9df652069fd56b3ff09f14c350110818c522a29426187159d1ca160cb82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ae1c3173e0e64a6f971f5eddea9d9b80

SHA1
58b6c71eea09bbe2c6d66648170d0f841ae22980

SHA256
275f748e2f8e6b1393372741ee793f1f9f75c99d73f81e90b897d2b89e53ac71

SHA512
c782e58afdb647902cf0be5e5276a2bdd979c508af01e0d1c2bc0c53f9e54454679f06b1f6b34fae90d138bb69a27f7680797a108ec9355f7a7ea9f23b146126

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
97d58342fbab28043b053c71d9c65a96

SHA1
b75ccc01600530a124a50890678193c53796b5dc

SHA256
28a46d00e77dfb6e5b29ae75af826d1016374bcf173ad1db678fecd42a15b0bc

SHA512
d976524b20eae0c945489a68f33c87ca5180884cea0781b587debe7807edc36644634c9d0a9f7445c18450a24fd3df2faed6e0bbab66be688ad04c2a961ddc56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
125e3932b162f2fb2acd80db70e7cf3d

SHA1
e04af35979ad8dc2f2e97fd9f9cbccbd050ab22a

SHA256
842c239fe307b233136a00d14d9d36991f08d450db655b2ef0514f14c15e1376

SHA512
eac2a3d320807d62c50c6e92c9d6c483aba524b0644598b28044604297a43f71dc2e6c14f0d7e3af7b8f95d6d9331b650ce52f16c20273e17dcade467fdca24c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
223998ee800f2907e38f80e76d300564

SHA1
e390b6b1e85736084e8832f36c47d21e4912efa3

SHA256
ae31c7265f952a9ca77ebf23be03e0b292401431a8d0e6a3f3246dbd36ae625d

SHA512
c2d09c056716549761f3fa2a4aa8433ef70f506a0dac37c7d191e3d6670301d9202d566c98d6d6dcfcc7c3259917912ed4b5ded2c7ecd810a8363e1dc13a89fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
223998ee800f2907e38f80e76d300564

SHA1
e390b6b1e85736084e8832f36c47d21e4912efa3

SHA256
ae31c7265f952a9ca77ebf23be03e0b292401431a8d0e6a3f3246dbd36ae625d

SHA512
c2d09c056716549761f3fa2a4aa8433ef70f506a0dac37c7d191e3d6670301d9202d566c98d6d6dcfcc7c3259917912ed4b5ded2c7ecd810a8363e1dc13a89fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c4778db6372dccbaaff29f9227cb1c27

SHA1
bb6caebe4d06ee33156e5c13a31d3759080b5b9f

SHA256
d8296547bf650d147c617ac3cabcf1de84c8e027843a7b8a03c1bc68ee388ad6

SHA512
8c435508ab858e87bcec6381e84d7a5ee009e706f0d229fa0baafb3def0819682352b20ad7c140c38e68fee2b9af72ecaf36e70101fb02db1a50bf90fbac141a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
2105df7acf457b66d96145d23b9a922c

SHA1
2dd57cf5a0f91fac3c498b12b60cd4394c5cab1f

SHA256
99da5f071b44fb31a74e03c09fdd5c30145c0b6df283038f94230d32cbbb9e05

SHA512
b1e2d2d1f326473d0b89d16e61e158f55008154ed9ac9ae2b5fe160a763762bbf2bb5f6f2d3014e11c5fe0cdad9d506f6c06b11a68eec98f75e75f9d8d02b593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ca9f9a66a459774f21a44c71f181b980

SHA1
a162fd6659c22297b7419f791d3d3556e4151093

SHA256
fc17efbad3d5d6730ea5eb8696e8cb9318801d4e4bb179f03394a5bb08d55ef1

SHA512
3231bf59976c975fae94aaa3e2753fdef43749003abed40ac7c856c943d5f2d0adfca8d2b92dfc5137f871339c542a3a185b4443b27cccb9334f829222a31a6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f53f638ae31037f2a17861f249db7f2d

SHA1
bbd389235172bbea44c01a00afc3dda1ec5aa834

SHA256
f1fd83a5b14e2fb3d6007a14916588227b20aaec395d8027ff9e6fac5671aed7

SHA512
d72f2b45e9d8782bdff19cc9cda1a89dd0df789cc095d4b1e474b56b95043af1326960d32920227b9e2c80b957dfcf934ee7f096615ec515f9db23b3e6c6718e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Reporting and NEL

Filesize
36KB

MD5
7c10326e6cd89d4205c3509189968591

SHA1
1cfeea30bccf2c783ac16d295d69fc8e02359cac

SHA256
b9adbb45ac69c3d664384a74af049737fc6d8ad6655782a6d420be0e9a1b4ebe

SHA512
89cdeffada97fde2c6087b082ce5e593dae76515b7e54a6643b625bcc19c1fc88c6d9525161a656ca6896823adec47ece3fb1392bc67f53b55a0475219a5f8f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
bc31f9c58322cd1b8eb8a246be508c80

SHA1
a2ddff1b61ec55b2b0a0286525d56602f94ee208

SHA256
3e48d1f92eac300ee1a79ab17d281f11c0a9c41380a53a884daf73bc6de7aebd

SHA512
9c7e769a2d32855510b374e00d5ee8414db7efe547907747c8c3e2756376ad829e0f284d665b8e28df77ba58fcc84c3fae49c8af775abde3ae1c75b02883fccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
17f770a12164504980ca82447006a8f8

SHA1
02f20f8a2c91762826382189fdd31c045e224ae4

SHA256
14a1a6ede1141ad7e34d08235cdd5be9bf24931bc205ef0597e8b6f745d47c9d

SHA512
3567cca3c3ca31670ab07f055b53c17dbeced0e72d855db9b5417a32368fb7ecfb1a964c713c5227af912229238835f7505ce9f85b0786f8c13bc41d11c547fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
137B

MD5
a62d3a19ae8455b16223d3ead5300936

SHA1
c0c3083c7f5f7a6b41f440244a8226f96b300343

SHA256
c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e

SHA512
f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
8f9469bed8525123d960f4c5c8c64891

SHA1
f8c75beaae08200d25a18a0953963692f4c51e67

SHA256
4852ae157d96dfd13d63f4bcefff0089388a4113b248c3a2c27764be825af736

SHA512
81849c12bdd1b1b68a05087fce6808234621f2711d744e642a473309aeb42af58844ce716b38be1670baac4f4b8ef2b767be6633d066f399df68496f46ab383e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13346465349436415

Filesize
3KB

MD5
84dafba21026702800fdf5e834e1cb4b

SHA1
53b7d480a0619e904c1b72fbb2fed0ee69cf0e31

SHA256
118efdb10de54c1222725899312ecd0655da14fd1c51b696c7fd0a7e5fcf8874

SHA512
c5b24c12cbbcc1248bba5e554f41df23df228835d9cb876a1da993490730cc914bf8446fb14b9a33e2e5984c1f0f4fd60708d8b9f986b4f8e11209b5d8e5e2a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13346465349635415

Filesize
3KB

MD5
aa374f2b95b50bedcd4efbe20e860434

SHA1
08b919efe93a5f6f6172e02866195338c25b95b1

SHA256
4a5a05b9835eb0233d6318a0866857c1c43a5f52659b9ab92574b7bbe17e43ef

SHA512
02204878dd11a0b184cfac9193f98aad0ea05371724a492ea5e7343675d93b1d46e4e8e4e765c4e571084e44ab5a253ce65dd972686c847a985c97fa7831e8c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
6ba0818703126396b2fcfd2e48eacf9e

SHA1
b0864dca8c96a3d2a13b2b1ed827a06d3c09da45

SHA256
88832253433a72161753c7a9c80b6ad958d3c1fcb7309504b7d467d92eb456f8

SHA512
98f5ef965cce0e9552cd1302918e39e6b9218d6b38a2afd53cd743201e0a59abedefe5830f64c21bb9c20d5f0dcdcf28780a793e36aa75b875b2fac0360dc04f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
ed9e80b9b09f3579ad4db95fe46689a5

SHA1
df3b6b1e66bc7c40546dacbc296e0743d81483bc

SHA256
debc8b4dc6ba1e791cd114348674dd5b5ca6be7b6504eb4f753a60abcf521a2e

SHA512
7d92a9c3ad531eaa19e6942815b8c7d78ade2d368a9b229928eebae7587c8f7881b55d807137689446450ec1e601ef8bcc3a0ff1bf2b5c8f87de6e91a4e07c06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
d895f40c293101de9866f8d999b73b63

SHA1
2f4869cfa0d90de757ae110f201d1578e2822b7f

SHA256
746a8f420c353ab17fd34e7dfc807e682db93791bf39fb1ce68b1a6c094c6375

SHA512
1c1df8bbcdb7009e3fb6c61cc6866155817a4242a09a3051e2c496a26a40c95c9778cd1af4527253d64cf663694a9230d060366c8cae5bec0353bd3a911b34a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites

Filesize
20KB

MD5
9cf08ac15a6708130cd622df2b2c4d6c

SHA1
165e27232d4c3dfb908b77139876e98938ca916a

SHA256
287dded2e0f012c9b3075b90e4580ca497905403ecbb7f515f1d3aab867ab93e

SHA512
a1f5c9e3bf9f7bc512844a78cdcdc4d8d8c84c4e325c2cfcbed01661afb2eb40559e08d84be3cead5dcf10f54ab5fd64366c207c4726f01d67e23ce5b2df20e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
202B

MD5
45841b3d3d90f3418ce4ee70c29cdcd9

SHA1
035a2225f82a124925c01891961f9159e78b4937

SHA256
94244103d28eeab4435277540a28a19e4faa36ad0ee1820e354eb473e0dd5031

SHA512
d4b47140179790d4d5c70b9f86bd7b99ff9a4504fc2c4692b9e49e0f88e9dd14315d94223ce01e86f93484a4beda5a6f1df68bd08a77a273f13d81d6e348dbc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ccfe66f96ddf336dceea192a13eb9514

SHA1
4e782affe7f0c3c57929f6a49360bd57a07bb24b

SHA256
b8a9fd39d9376de63c4d6bda157a672c99d2cb5521d2516aa34698f83283ab98

SHA512
ec87c2cdfe7b7781cb559e9e56cd42af7c42ba81f05c5b4b1218ffe036294bae42ad88242f465d27209d278ca1bccf28e384a168542c4dac39c5f0b2a3ee3223

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
faa5a0efbca7cd315af6f30c042d29ca

SHA1
84519c3af0f3b24f8b69206a93af805b81909f6a

SHA256
a70edb8d6301c0cc8e34426643abb1242dc22a1528dba009c69bfbdd3b672e60

SHA512
bb50f98f9be0a54a392c8d2042d976424bcd935be436952685945efb996874bf3882bc1dc9f415103b39d10bfceba8a1a667d30644ab8ab0b5dfb84c57218610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c3002101db50ab3bd8422340f1ff5716

SHA1
0284b783c6d7d1fff45544b9af58b29b4b0c3e5a

SHA256
bb92d4bdfd7c0aca4189dc91107b4d5552c825992f4117d7a16bb590b3cfecc0

SHA512
a7f2eb26bfd14a308d9dc1c857b82a7dc6bf6932b42e87fd6ba7d6844abed8f8e1a9a93189c9bd5c3b72160835ff236b81e9eb727764e7cc65b2a25011802cc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b12a4ec6f1b79bd6cb3c20405bbeaf51

SHA1
66b3564f545aec6fde28b0ec40bcf380280e6ce8

SHA256
7468aaa13fa9b7b992dd6597b0cc581e84a182e6b391d353909a93ee95c7b0be

SHA512
53c7d8e0f9236c192024416e1cf50744aa5b8b440154ab807f26d6b41ba39645e2e729f8efd8fe774d3f3dd952a01b403c4a1e7a89a0b6b9707f1b6e0b9787cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
9691967476d32b8508da0b12b3f4dddf

SHA1
f02d0a644f07d0844de8a80fedb833e44dfc34c8

SHA256
868c7da4246cb508f35fe79c87ee45517c77cded903a425da12885389f9c592c

SHA512
c022e127753b5a531743546497d3855de5e47e54fa8e6c8eb7a98f8c8fd9ae6dc15d82e8fbe1514ada7798729f364790ca1e7cb194f701651344022d750dc8ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
136B

MD5
89cecbee94a6cf382469eac284633354

SHA1
983695bd96e4b29f8696b53a482a958c6722b7b1

SHA256
4a1596243a91e57c79ef4cd50e868f30ad62815e50b3fe48a705964e582e39d2

SHA512
56706c202e611146a3347a9aa0aad10696439680ecd24c2fb1708cf41417731764adb67e3f370664264e3c18638c84c0fcc8e3e7d64503c6e07a3cfc7da55545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
e9470245e8a4f49715e44a6cdb6df5c2

SHA1
8474f7def31e59b28533896323671aa456bb0693

SHA256
67f0ba67fffe28a7a8da1a0c5455a861d7cd21fbc83cacf4eed6c0b4b93e6881

SHA512
fb4001f40e98dd42fff431eeb418892353b834cfed6bf7ebd8aa853888f1de84214096ecf8fecfbeaf4da956995106f47fb9b6afc95e38de1190d90cb502b4b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
7KB

MD5
898d5fd95d81c58fdc6dcc208210b70e

SHA1
da58fadb7bff073591e1c34e22f9e98c19a203d5

SHA256
e6e108c8ccb14c544fb962cde061ae883717b426c450ed211a1a16c651dad380

SHA512
6b5831c260edbc5d45db283c608dc891d9d133e174e344caa9ebdc5e01340eda096742dff84043e4c6e9f870accadafbfcd78eb620043446245b79658aabccb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
1f6f6ff407e463277287422f3b43b719

SHA1
55c693ec51fb974f3488b92dec78c128b1345bf1

SHA256
10032d761f00f6e607edc52527d1d586fed0c1e89e7c19b73180455b66e8fa69

SHA512
8db088a5723fa0ea1279caa8c820d5c9653b5d40e07152d80481b2b859bcff15ceef4013044b1765c50d233ca1b13757e71ffe602e640dfedb91c93d874d5435

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
594B

MD5
4a18aeff243eaf2ee741ff55fa01e768

SHA1
c1689576caa4922366fea9f8bcb7149de4fcdc2d

SHA256
b249802a8069c4e197b605dd5c339c0cc94b4cccc2c88462200d872454345277

SHA512
9c3c8b916fb80022196f858ebb705cf34da2d7add2a0e93fdbb70402e391f0acf8638fb24058e46f4da11dbef046abbff4dbdf16bee56cf4e2c86c71fb9c5ef8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
5728f0a8d7aff6bc68bbb4475fa0de78

SHA1
29a1bacfaf508f430584a327a0f9621be1a3e5ae

SHA256
fcc526aabb5c9951bf39911737dfde9d9672078710c82c0f6cf6315775b3dd51

SHA512
c57fd827764b0a1fb9676458b040794283cd3695fa043dd87d4409e0ee86b7bc0b0184eebf7d206fca98c32d7f5966a668ce1bedea1e1874a4ffa12fce77fad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
95e03827bf62d4d788aaf9b7fe49cd00

SHA1
291afab5bbb3db2a7d4d9a5ce8997faabb968e84

SHA256
41cbbdf5f9682fc132c725992a0293ce061032e32b2f21ae017ee547dfea9a5f

SHA512
3410488176417cb1eeaacd1adfd537098c06e26d4178256dac54fa99cac806c3c1e5e81333168a1c4a728935ac539885bc33c619500b5b4d01cc245a86b8e48f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
7a66c0c5bd514494aa634936446fa05f

SHA1
3c92c14e50e07491d360cb4de4ecf7167f844bc5

SHA256
6ffab13437bfad207df32bd0fd5ef6bd8ff737d58d417abc227f6930b76ca332

SHA512
1b945c07088c9080bfcb5884a19ca3180a2fbca023fd72ea5f5f27e91499588e180f1605e86f6d2dbd57a28d10e6dc2ae1910cc7d1f19c3ec4d28b5426dba6aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
4e69975c11cb8e597edaa837a86d2892

SHA1
d208ee503610326cf8e79c403a62840615aed32c

SHA256
ca8cfd4e637336383c3251c15cad8a0bd3c79c6c6e9e04537b419f4690d3f9c3

SHA512
66140f63fab489d12847acc77b86e6e629ced83d2371a316c0bea057ad7dd3e36e7a7a8c8ef211b5236402c23431bd8c2bb1ca9076702cb051556e497fe97712

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001

Filesize
22KB

MD5
1ac9e744574f723e217fb139ef1e86a9

SHA1
4194dce485bd10f2a030d2499da5c796dd12630f

SHA256
4564be03e04002c5f6eaeaea0aff16c5d0bbdad45359aef64f4c199cda8b195e

SHA512
b8515fb4b9470a7ce678331bbd59f44da47b627f87ea5a30d92ec1c6d583f1607539cd9318a5bccf0a0c6c2bd2637992e0519bd37acdf876f7a11ed184fb5109

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
8948186420a370c9f25026e853b4a39d

SHA1
f305ffe838be580b6447dea0ac8b9e8edd45a9bb

SHA256
9be6e9499be90252cac0cfaf954ca904d433999c2469898a4f66a40daf304521

SHA512
268d89928bbd02c66ac39c7703800221677a7b7fe3d07bf13562630e30550bc75dfba94161be32c79611f9bc250bd46dd92642dfb8a4592213b11f5a6c1a9b58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8e63779783c5396a527401845ddfce55

SHA1
d8582cbf0a96299f9a040407fbaef3724f540c57

SHA256
da687220278ecd5303a35f3b790ebb99141fec8ab37fb699a6e97b2d424a5fe8

SHA512
52c1a9882b12a84484756ef4ec37bb1f36e3e16556b50cbf276e580936b6681767d83150a44d0b93868a227fc6fb4344cbdcebbc49a663efe2368f44fab27154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4c1a9ff0844b1813360f3cf36e0c1552

SHA1
f5c13f654fa13964015aa2eb7a43bc21cebb3e98

SHA256
a7761b60cb3ec01eea254d1165d715d89bdecad72858ff53ff59bffca8bfe8e4

SHA512
70861c29db6b8c55b3d59f878da6e13ab25a0a75d23f3d30b8e53c4d037ca7390eb0bf2c4f9555ba0b7077235ad2190792f537e9ce3226b739531ac859f50e00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8e63779783c5396a527401845ddfce55

SHA1
d8582cbf0a96299f9a040407fbaef3724f540c57

SHA256
da687220278ecd5303a35f3b790ebb99141fec8ab37fb699a6e97b2d424a5fe8

SHA512
52c1a9882b12a84484756ef4ec37bb1f36e3e16556b50cbf276e580936b6681767d83150a44d0b93868a227fc6fb4344cbdcebbc49a663efe2368f44fab27154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c8ae51f3e7601acd3f27ef41147c16aa

SHA1
1aa9f7b16801e3a4cde0079e22f0b26d3955b033

SHA256
b03fb72d07898486d603e0af6a9dfec36393ee7a2fd007ccf48bdcb1c456de9d

SHA512
ad1954c36333853568cc9044bdb72e488491d1ea033d6abdcb3f47567a6527d5e8541f38e39dcfcdca258ec8ea966d2a6f73fce64cc214fe2533996c9965e7e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e8a85a1bb6fab2293204be7e734747c6

SHA1
642946c7c20237372c4e994d9757697e2408ca2c

SHA256
4dcf71a46a134d000c18da55cb135b3b4d9e858105c12925a77a212b54bb947c

SHA512
b8750b4fdd6ae38eb9ff99af05b6936584b33edb89c967b9b74c24ecd8179b1e31a7851b8b36adbc1579f7d98d5b1fa84cf8b74c32cb52d645b1b34aeb0a265f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
14f02db38609ec14eb37a259e1508996

SHA1
adba843b4fb270a563586534f3390667a2f4a0b4

SHA256
5dd1b8c8f34aaecab926f6d9a9363a917d8ed3f6cf2ad32880fe4d7eb33863d3

SHA512
451f13fc2e35d2d398a543d36e51a1ad91b46e966f65c359c113c8be2c4cff75bb794608a5ef7da4e59b23c0174981a9f249cc52d0442ed51d67adad12b901e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
824e2a1901190f02cd544aa4e30147b1

SHA1
ee4c1f9fe00f535102f67969b7e6b9a07adc1c4e

SHA256
9678c36aa98536982fcb9a8574004656378f3e8db2b43eaf3fb4d4c1086916dc

SHA512
912d27e49efb49959ba563412305e5eeaa41e993c34b0a34cfa03e44416205f9fc481abd86ad4071dac004236d8d1b8b0fcac983c81045d983c3e1d8cf01f7ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
b4c70fa28632fe3bf4c24140e554294c

SHA1
637c8e0101812665c50c4f5bd7798fdfc65b7f12

SHA256
0063bed9a5c361a01081dce72450f5726d3df8d5dcf177769a765435a4f8d7bf

SHA512
41c9614ebe5c55d215959554a4e1e174fd3b39c2cb4765c8b1dd704ca6b782eec26711372ac30b4d3a18d574c50cfee9843596a354fd1edfe2e68e1fb56fe97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
72a1ab8857510d11223488d9c766b8a2

SHA1
881160a41479d17d4777af3f3ba381fa3d153cf8

SHA256
8ae1b83d86b0da0b21053901084947cdffff457885fae163bdc577c1304acb88

SHA512
593f6e7417248b7c11ec40134ead1f70a4e3a99cd2b3b6b2f963642300d0c34ce036fb3b0a0e8ec83cc60b83970077b8b7b9787b917f45e7f4d53b549863bb85

Download Submit
C:\Users\Admin\AppData\Local\Temp\MediaFMPEG.exe

Filesize
64KB

MD5
99ddf6a151421800d4dfad68d91d927b

SHA1
b4755386907a1b5dd1f5880bc052d82c341bbbeb

SHA256
2e82fc1be4a91982899744ff91a3552e40007119e7422bbb0a2ceb6913a3eb35

SHA512
89e61b9d8351b062877ef3900aa4cf2c8cec8eb6eac0d5f68ea727bfd2142f23d5c9d30a83fdc375d225f3f8811c84ad301ee25a8210510793725630454f9e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\MediaPro.exe

Filesize
229KB

MD5
fc9e510f55135245c1941e024acbafa0

SHA1
ed386ee1a7ee1172e64c25599dabc0e80ce76633

SHA256
f52ca778f7b6c0d6bff56549c1e8d06dcf02a79382c7e39ab2bad261ae1f03d6

SHA512
c4883fb0e0b7b6a1342cb1dadbcab6aefd8e508f3478e541656f092a7e633cdb38cb07e6f0f0e82e6941ba6205bc3007462de6e83a03701911b76f9adbfc8056

Download Submit
C:\Users\Admin\Downloads\Sin confirmar 512446.crdownload

Filesize
10.4MB

MD5
87dd7e7656967acf2576926193508f67

SHA1
9a8f76bf1e7c66f77b515044889db15cb2aa2f2b

SHA256
a0b1cfde1a11f03119d6650b8d6dd9f5faa1a51469b1be70ff26f4f02b56b414

SHA512
0da941d7a5b201a4dd04eddc7d56b963c5b6f4fd6935c3b5ad2305bcf11cb73641e310a913bd716e0a4015117b4c69dec55fee23206705fd9e2086e2c929fc90

Download Submit
C:\Users\Admin\Downloads\WinFree-main.zip

Filesize
3KB

MD5
b5162a74ff3ffb788fd21235d75e7fd2

SHA1
0b9db40bed84db0e99a0f1cceae16e032c20bc12

SHA256
dfa711cabea7af43cdfde9539452bfbfe8ef1dbeb023c50111ddec024fda0222

SHA512
224fbc5ad0b0c89c8a90da1f0841739cbf30c50dc62faabee6c46d4889df8a88647449e46dcf67dd836deaf94bb40da7ae4d71a4aee2f19207cb0f1bf6b3bedf

Download Submit
memory/632-1112-0x000000001ACB0000-0x000000001ACC0000-memory.dmp

Filesize
64KB

Download
memory/632-1121-0x000000001ACB0000-0x000000001ACC0000-memory.dmp

Filesize
64KB

Download
memory/632-1120-0x00007FFE40700000-0x00007FFE411C1000-memory.dmp

Filesize
10.8MB

Download
memory/632-1106-0x00007FFE40700000-0x00007FFE411C1000-memory.dmp

Filesize
10.8MB

Download
memory/632-1103-0x00000000000D0000-0x00000000000E6000-memory.dmp

Filesize
88KB

Download
memory/1324-1142-0x00007FFE40700000-0x00007FFE411C1000-memory.dmp

Filesize
10.8MB

Download
memory/1324-1138-0x00007FFE40700000-0x00007FFE411C1000-memory.dmp

Filesize
10.8MB

Download
memory/1360-1137-0x00007FFE40700000-0x00007FFE411C1000-memory.dmp

Filesize
10.8MB

Download
memory/1360-1135-0x00007FFE40700000-0x00007FFE411C1000-memory.dmp

Filesize
10.8MB

Download
memory/2292-1152-0x00007FFE40700000-0x00007FFE411C1000-memory.dmp

Filesize
10.8MB

Download
memory/2292-1153-0x00007FFE40700000-0x00007FFE411C1000-memory.dmp

Filesize
10.8MB

Download
memory/2336-1105-0x00007FFE40700000-0x00007FFE411C1000-memory.dmp

Filesize
10.8MB

Download
memory/2336-1111-0x00007FFE40700000-0x00007FFE411C1000-memory.dmp

Filesize
10.8MB

Download
memory/2336-1101-0x000001FBA45F0000-0x000001FBA4630000-memory.dmp

Filesize
256KB

Download
memory/2336-1107-0x000001FBBEC10000-0x000001FBBEC20000-memory.dmp

Filesize
64KB

Download
memory/2336-1108-0x000001FBA63A0000-0x000001FBA63E0000-memory.dmp

Filesize
256KB

Download
memory/2336-1109-0x000001FBBEEA0000-0x000001FBBEFA2000-memory.dmp

Filesize
1.0MB

Download
memory/3048-1146-0x00007FFE40700000-0x00007FFE411C1000-memory.dmp

Filesize
10.8MB

Download
memory/3048-1141-0x00007FFE40700000-0x00007FFE411C1000-memory.dmp

Filesize
10.8MB

Download
memory/3324-1147-0x00007FFE40700000-0x00007FFE411C1000-memory.dmp

Filesize
10.8MB

Download
memory/3324-1149-0x00007FFE40700000-0x00007FFE411C1000-memory.dmp

Filesize
10.8MB

Download
memory/4524-1104-0x00007FFE40700000-0x00007FFE411C1000-memory.dmp

Filesize
10.8MB

Download
memory/4524-1072-0x00000000009B0000-0x00000000009DA000-memory.dmp

Filesize
168KB

Download
memory/4524-1082-0x000000001B9C0000-0x000000001B9D0000-memory.dmp

Filesize
64KB

Download
memory/4524-1073-0x00007FFE40700000-0x00007FFE411C1000-memory.dmp

Filesize
10.8MB

Download
memory/4700-1139-0x00007FFE40700000-0x00007FFE411C1000-memory.dmp

Filesize
10.8MB

Download
memory/4700-1143-0x00007FFE40700000-0x00007FFE411C1000-memory.dmp

Filesize
10.8MB

Download
memory/4808-1145-0x00007FFE40700000-0x00007FFE411C1000-memory.dmp

Filesize
10.8MB

Download
memory/4808-1140-0x00007FFE40700000-0x00007FFE411C1000-memory.dmp

Filesize
10.8MB

Download
memory/5036-1148-0x00007FFE40700000-0x00007FFE411C1000-memory.dmp

Filesize
10.8MB

Download
memory/5036-1144-0x00007FFE40700000-0x00007FFE411C1000-memory.dmp

Filesize
10.8MB

Download
memory/5140-1132-0x000000000A830000-0x000000000A9BA000-memory.dmp

Filesize
1.5MB

Download
memory/5140-1117-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/5140-1134-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/5140-1074-0x0000000000240000-0x0000000000314000-memory.dmp

Filesize
848KB

Download
memory/5140-1076-0x00000000050A0000-0x0000000005644000-memory.dmp

Filesize
5.6MB

Download
memory/5140-1075-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/5140-1077-0x0000000004BD0000-0x0000000004C62000-memory.dmp

Filesize
584KB

Download
memory/5140-1078-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/5140-1079-0x0000000004D80000-0x0000000004D8A000-memory.dmp

Filesize
40KB

Download
memory/5140-1080-0x0000000004D90000-0x0000000004D9A000-memory.dmp

Filesize
40KB

Download
memory/5140-1081-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/5140-1133-0x000000000B7F0000-0x000000000BF96000-memory.dmp

Filesize
7.6MB

Download
memory/5140-1131-0x000000000A650000-0x000000000A6A0000-memory.dmp

Filesize
320KB

Download
memory/5140-1130-0x000000000A2A0000-0x000000000A5F4000-memory.dmp

Filesize
3.3MB

Download
memory/5140-1129-0x000000000A210000-0x000000000A232000-memory.dmp

Filesize
136KB

Download
memory/5140-1128-0x000000000A100000-0x000000000A1AA000-memory.dmp

Filesize
680KB

Download
memory/5140-1127-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/5140-1126-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/5140-1125-0x0000000008F80000-0x0000000009082000-memory.dmp

Filesize
1.0MB

Download
memory/5140-1124-0x00000000088F0000-0x0000000008932000-memory.dmp

Filesize
264KB

Download
memory/5140-1123-0x00000000089B0000-0x0000000008A6E000-memory.dmp

Filesize
760KB

Download
memory/5140-1119-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/5140-1118-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/5376-292-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-296-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-303-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-302-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-288-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-287-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-301-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-300-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-290-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-299-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-291-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-295-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-298-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-293-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-294-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-314-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-297-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-289-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-286-0x0000026396B70000-0x0000026396B71000-memory.dmp

Filesize
4KB

Download
memory/5376-285-0x0000026396A50000-0x0000026396A51000-memory.dmp

Filesize
4KB

Download
memory/5376-284-0x0000026396A50000-0x0000026396A51000-memory.dmp

Filesize
4KB

Download
memory/5376-304-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-305-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-306-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-282-0x0000026396A30000-0x0000026396A31000-memory.dmp

Filesize
4KB

Download
memory/5376-307-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-308-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-309-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-310-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-311-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-312-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-313-0x0000026396A70000-0x0000026396A71000-memory.dmp

Filesize
4KB

Download
memory/5376-250-0x000002638E640000-0x000002638E650000-memory.dmp

Filesize
64KB

Download
memory/5376-266-0x000002638E740000-0x000002638E750000-memory.dmp

Filesize
64KB

Download
memory/6044-1151-0x00007FFE40700000-0x00007FFE411C1000-memory.dmp

Filesize
10.8MB

Download
memory/6044-1150-0x00007FFE40700000-0x00007FFE411C1000-memory.dmp

Filesize
10.8MB

Download