wannacry | eee7d9e169efb099710aee6f630a258e98fda2ac8bf4b9e178f966ea17f5e5fe

Analysis

max time kernel
660s
max time network
663s
platform
windows10-2004_x64
resource
win10v2004-20241007-es
resource tags

arch:x64arch:x86image:win10v2004-20241007-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
28-10-2024 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
Size

3.6MB
MD5

d724d8cc6420f06e8a48752f0da11c66
SHA1

3b669778698972c402f7c149fc844d0ddb3a00e8
SHA256

07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd
SHA512

d771d74894e72402bbd016787fb102053678424205644bceec17ee3e7598e3f4aeb59b0f3272b5dbe1d26289f659024520653f57fc1bfe18054ffae4f188aef9
SSDEEP

98304:Z8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HI:Z8qPe1Cxcxk3ZAEUadzR8yc4HI

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (15657) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 7 IoCs

pid	Process
400	tasksche.exe
6044	07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
5932	tasksche.exe
5644	07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
5280	tasksche.exe
5772	07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
4480	tasksche.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
File created	C:\WINDOWS\tasksche.exe	07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
File created	C:\WINDOWS\tasksche.exe	07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
File created	C:\WINDOWS\tasksche.exe	07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4400	WINWORD.EXE
4400	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2352	msedge.exe
2352	msedge.exe
4920	msedge.exe
4920	msedge.exe
5772	identity_helper.exe
5772	identity_helper.exe
5640	msedge.exe
5640	msedge.exe
6124	msedge.exe
6124	msedge.exe
6124	msedge.exe
6124	msedge.exe
5560	msedge.exe
5560	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	5368	7zG.exe
Token: 35	5368	7zG.exe
Token: SeSecurityPrivilege	5368	7zG.exe
Token: SeSecurityPrivilege	5368	7zG.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
5368	7zG.exe
4920	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4400	WINWORD.EXE
4400	WINWORD.EXE
4400	WINWORD.EXE
4400	WINWORD.EXE
4400	WINWORD.EXE
4400	WINWORD.EXE
4400	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 3612	4920	msedge.exe	128
PID 4920 wrote to memory of 3612	4920	msedge.exe	128
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 312	4920	msedge.exe	129
PID 4920 wrote to memory of 2352	4920	msedge.exe	130
PID 4920 wrote to memory of 2352	4920	msedge.exe	130
PID 4920 wrote to memory of 2084	4920	msedge.exe	131
PID 4920 wrote to memory of 2084	4920	msedge.exe	131
PID 4920 wrote to memory of 2084	4920	msedge.exe	131
PID 4920 wrote to memory of 2084	4920	msedge.exe	131
PID 4920 wrote to memory of 2084	4920	msedge.exe	131
PID 4920 wrote to memory of 2084	4920	msedge.exe	131
PID 4920 wrote to memory of 2084	4920	msedge.exe	131
PID 4920 wrote to memory of 2084	4920	msedge.exe	131
PID 4920 wrote to memory of 2084	4920	msedge.exe	131
PID 4920 wrote to memory of 2084	4920	msedge.exe	131
PID 4920 wrote to memory of 2084	4920	msedge.exe	131
PID 4920 wrote to memory of 2084	4920	msedge.exe	131
PID 4920 wrote to memory of 2084	4920	msedge.exe	131
PID 4920 wrote to memory of 2084	4920	msedge.exe	131
PID 4920 wrote to memory of 2084	4920	msedge.exe	131
PID 4920 wrote to memory of 2084	4920	msedge.exe	131
PID 4920 wrote to memory of 2084	4920	msedge.exe	131
PID 4920 wrote to memory of 2084	4920	msedge.exe	131
PID 4920 wrote to memory of 2084	4920	msedge.exe	131
PID 4920 wrote to memory of 2084	4920	msedge.exe	131

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
"C:\Users\Admin\AppData\Local\Temp\07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2908
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:400

C:\Users\Admin\AppData\Local\Temp\07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
C:\Users\Admin\AppData\Local\Temp\07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe -m security
1⤵
- System Location Discovery: System Language Discovery
PID:4144

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe237946f8,0x7ffe23794708,0x7ffe23794718
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,6098828192346611558,1907823655863720158,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,6098828192346611558,1907823655863720158,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,6098828192346611558,1907823655863720158,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6098828192346611558,1907823655863720158,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6098828192346611558,1907823655863720158,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6098828192346611558,1907823655863720158,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4220 /prefetch:1
  2⤵
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6098828192346611558,1907823655863720158,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,6098828192346611558,1907823655863720158,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=4040 /prefetch:8
  2⤵
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,6098828192346611558,1907823655863720158,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=4040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6098828192346611558,1907823655863720158,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6098828192346611558,1907823655863720158,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
  2⤵
  PID:5792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6098828192346611558,1907823655863720158,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6098828192346611558,1907823655863720158,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6098828192346611558,1907823655863720158,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:5732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6098828192346611558,1907823655863720158,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:6008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6098828192346611558,1907823655863720158,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6098828192346611558,1907823655863720158,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6098828192346611558,1907823655863720158,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6098828192346611558,1907823655863720158,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,6098828192346611558,1907823655863720158,131072 --lang=es --service-sandbox-type=collections --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6098828192346611558,1907823655863720158,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,6098828192346611558,1907823655863720158,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,6098828192346611558,1907823655863720158,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5116 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3668

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap8511:190:7zEvent1598
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5368

C:\Users\Admin\Downloads\07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
"C:\Users\Admin\Downloads\07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:6044
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:5932

C:\Users\Admin\Downloads\07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
"C:\Users\Admin\Downloads\07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5644
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:5280

C:\Users\Admin\Downloads\07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
"C:\Users\Admin\Downloads\07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5772
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:4480

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\ExportWrite.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultb3a91e49h8454h4e11h952dh461aa57cfed3
1⤵
PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe237946f8,0x7ffe23794708,0x7ffe23794718
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,7214463983290117331,2531789685893822021,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,7214463983290117331,2531789685893822021,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,7214463983290117331,2531789685893822021,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:1884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dfbf141a7456384163d44bb888b9b2b

SHA1
75bf3f428abb99a4a933f2e69c1ff85fc68937a4

SHA256
aad010d165ab2d45719688984a7c580e590f3d743415a223c70ac42b65524492

SHA512
4f463f2a9c987e8c38df11d32fc2699fffe74d4753b9d3959fced8faddac323589625c5ceb7545ebd5e4dbaa83a7690efa3b3d494045d44e3666b88d5260f86f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8c54c937-817d-4d9f-a66d-67a3113741b9.tmp

Filesize
6KB

MD5
c234ec68c5a988b88b76f3a0f6dafb8d

SHA1
d40e1d075b5c14599f4648c6e58ef6bc1c5e8a86

SHA256
6e6033d68531c8181d46b051016a0459bfe21d108dafca8522289f246dc56080

SHA512
dc37cab084071a89d44d2fe834a9f4591eec8ca807d54cfad6d49088485fab6ad7ac24378f3229db319526408a965e98f7d7140c5b421080e56b7205a7895658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
101KB

MD5
d36e98c7eab85892d511b0b51eea01d6

SHA1
0c8ea8317eea744fcb0c1af9df57341c44744549

SHA256
840672c51e101e41135abddb0f76488716f6b36e119f88f5a506b06c97414387

SHA512
f5d024625dba24e9553e493c17973d5242bf7726dac83602674d0996b778658be81e08f38dc4238f3b31c64ab7d2c8e439e9ba865a12efd01b2253884c913fb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
216KB

MD5
60c33cd6a95e72f31382008806e23280

SHA1
c81facfac31abba0a31815e4662746d4f75d70d5

SHA256
150c5e8a6535c531002491064dcf9dd224c045d41b7aa72889131c0aaf82daab

SHA512
a89e067a338a896836399c93bbd75657f0311ed60ce0c1598c14a762388efac4b3c9215b9acd5f006d94ff2773ea06cd3ef45c24bf7ad904c4ac8dd24fbb5c21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ef4d2e0615c947362d92ff4bad34e496

SHA1
d42755f0f85166ba87a20944ffd30077bcd50e63

SHA256
36b1fffb81579a4d4c6496bb3556c87369b6dd78e4768a11db9bf7900fa4cc7a

SHA512
f40bf0aea57e3b660d0cde74e1d6cdf34656c62db32cd676f88f8c6f61dfa6ff44a69395d1479e187b25ec60dca95738708b7f3629604269d77229ead7fadc9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
193b7e7eafc1ca4976a44cb0b4acb800

SHA1
7981fb892245bab3364c7eb95e4023486edeb968

SHA256
07e91782dd9ba6196f82a8aa67aeaa388d234f9e29a8b4ea049be45b8acd8c03

SHA512
a7749fa7a4e3ddb294c06853db70e0ff03ce122070b1f9bad5d6422ee3c009ffa85126ba583141b952b3b8fb42862fb06eaefec8b27efb72c04c0470eadf1596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
28KB

MD5
1a3d2d64d8bec1e0740e6e219fefb40b

SHA1
14cbe460c1256e6aba0742911d98eb696c3825a1

SHA256
c7326f9f79f9d04503d86faa57b88885477b51ac5b00c2e516ed08c28c30e5f6

SHA512
388d05ae142e2ad23f27a952c6519709b1c2090769136a22a54a80e3d40c581810f22a8ab63d8333f220a1fc96840d96552d09400f72aafa4244b18e7d3ea722

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
5af4006e57553ea802f175c2b7a99738

SHA1
b57b7ca0e7e03162dd646a243d63abe501a26203

SHA256
d050593ac68cc40771ee06aa60de3364bbd25383f0c1d42a3899a9c8cf5b9cca

SHA512
3cc02f3fceb8b3680fd664783c13661393fe1f50e80bb104536622272d242b60d86b57d1d8b62ef6d65416a42cf0cfb50137f85f56ef6e8165e065166c2c3b65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
55a018bbaa5913e11b9924c3bc301539

SHA1
cb3a58d7e4f7dedbaf6d3eca8297baaa954c97b5

SHA256
1569371d946cf9dbfe705644b8b8d857f8a69ec11eb8e59c9f90c7143456fd85

SHA512
e01d612873a1eeafa1533226e94bd406f375c1313b3d6de560e8271c6126ba1f7ba0fe12e71e95e76abf57f3eb84cc0f44eba584ff0648e97dde423f92d5584f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a1b48781d2eb2ccb4c15bccb779d24e5

SHA1
97f8f56be6343da179bcdb276d831eef045271fe

SHA256
431523bab97fcac4988ab36eb06569c7be59553dde837715eeb15768aea7c04a

SHA512
0136e2922ac0d37db093dcb0679a45c0863aa7a1753a709ad005c014418799ede0cc8c6b688477e2aee9a13f965bbd5a544b0c995e783b44db4658b26aa40176

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d715f8754a84c3c726aff21e0e1be10c

SHA1
61d6fbd1b229f6ece390d45973b2de2640373642

SHA256
1b9112f71510c346fe9602fa46b20e51c1630bf79c26cb80428de42008388191

SHA512
43fb3b612f1221c84e99d534b27d70ec794426bb6d288095cf9cb229246d50c2a6d7d93af27756f95aaf3adcf6bebf4c83dae6d36010f547b8a374301897c75c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fc74869e2ca35b596910f34386aeca29

SHA1
5db31d905f513967713efa7309a2b4bb0f2ef691

SHA256
8be0325ec71f21b4b692a100fd9c25b4e874abda57f5250b9f03035321e41ef9

SHA512
df7db173d821adf0ecc294b184b7c51f5bfe571b5a361bd5e118553a56dc2f514e090c8faaac4ae2a5ca1af32e6b6c0e2a576af6c996c80a630bd8d6b69dcda2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1f9ca923e58292cb18b3bc384d5ba960

SHA1
ca083916a0fe194fe5b708a8a7532c7ce5d829bf

SHA256
bd766e2fc58a168ee90856b84e4e455c1475531bd0d1a6cff0ce240cfe14b9b8

SHA512
06505c66ac90adaa46356d52f98209035c22137704d1ede834cde669f912ac91ebda149ad411a9ee2fa25a03b863779f20281599d1353ed673b65a4ec37e54b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
69711b6c51faf2f18fb7efa05fa70718

SHA1
fb90be761b87a0996ee53c1697fff793a2e66f72

SHA256
4e3194ca3885624b0d61f65be88b20dfd5e993072141bd37b35a0b4890325c2b

SHA512
8ef22774238c0efcddcc78bd5320211b22b71b92e882698fe90129a2ed5f8c1f1218b4482569fd9736ea556f4d29648bc09e43f2adf509b2f0d78239d3b1bbc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
16131081a726cee2456c137c85fc0e12

SHA1
89867d029d9355ea5e285425caa5bbbd9266a026

SHA256
fbe06d68ed43a7fb7e358f4d7e74680247955d8acfed097782d28b5298586fad

SHA512
e59a71ea5ace0c04096f94484a29333159be5edadeecc4d664ece148d8d725d50e9a0907e77b9cc6eede943cfab33813a0ef58e0ced7dc4e2d802b88f67253cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1c8f58741986c9b92e844eba0aaa6829

SHA1
083322f6ceadee8605aa13f697ed0421d7e7fe4e

SHA256
e07f6f9327fa9c4da520c4a684d672a0c263d90c69fcadc2d0399d6428f6f1da

SHA512
9dbf3de3fed23e8bc560e74f86a62115013a87458bcf0debd2104f0e088e3ff87b07b4f665dec2a7bc050a44c9c0063334ce1099c57e530cb39656a20257efb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
184B

MD5
3ca01c05bf78a115ba4be4e26b428f61

SHA1
859643f04195fd26c91a2068f1756bf93ff19bb7

SHA256
7048202a3273ee4ff7c27dd8ee5b7772072129166dcd7428e73045d143a54dcb

SHA512
b1f39effc60f653a366f1b809b868b66797a6ba8a3908495afaf2d0ec30c483d30dc86a75e5f0fda04211bd764887baee70d91965efeda05f96f46bdc4d2f42d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
9f41c6cbec77550c01e7c2405b659d90

SHA1
a707cd44b6083d546d210dd6605e2207b877d6a8

SHA256
3d4530eaca833469977b31545b65022a0c3b12224f0f6706ec7a3275dce35276

SHA512
04360b6e87285cdbca3c02f1d49c09f84a10888b92124248ed9da806347d25dd38863e8c1a3d5ea550f3b831a795bf518f8166375f0bde8b93f1c9e017c6a7a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
6ec2a975d1577d48d27dc6ada5e86967

SHA1
825a1b132ec7c9328cb401a146ec3d745de5b3e4

SHA256
30399d8673f7e5e89f8e6aa282df3054f5e140b8216d299534295bfb1bc85e8d

SHA512
58807fdb5f8ab3733be6a82c9b8f41b32fd3cbb99f896108ffcc918285b5ce4da4d278e33268fc0240d5cfdf8af8e9b2d00c35204a35f4a4772b9be34177bfa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
b7b2546b35fa1716d5f108d5f40674a4

SHA1
c11e273b30b6dc57fded429cbfd47411c03ab080

SHA256
539106d5387098c665fd61d1193c4ccf71dfa2595dbed4e6e25a8fc22bad5eab

SHA512
c307111aba95f48dc133f9945589bed8af95826c2ea62f3b5424840c540a72f574839bbce747dbbe124343518d23454ffca82ba3790297fbb7bc7550ddebdd8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
f5c3de13f0284af1153d489be8808491

SHA1
214277767322d00a5092fc71a989cd284f85322a

SHA256
2a3212b5b6e64832afea3bdd7f62ee540b8e1d8abc9e791a3ae62bae42c28fbc

SHA512
c3a4f1f111e96b659283c5f5b26b56ce44a509593c631098d72ca20baed0ec02484869a39f3c7bfeffddf8ca1a7a263db1fc305f59e1d729f338de7b7537cc62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
b69f3e606f95d209262116d8f482981a

SHA1
881f7b2c26c91e4a2d48e094d23476d7e1144220

SHA256
c55f4064fcca13326f64d74d98081bc1ae829cb5024435335bd23224cb00cf09

SHA512
24415849ceb1014562509cba16e82c8f3be2080198e0aed639290eecae77da83ec0d75e135282e02720c28cf2dcd865b0ac7b8699f24c6417edd1b03f014666a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a1ba7.TMP

Filesize
872B

MD5
eaf49733c5e842e2a92d4511bc368139

SHA1
88c4a4a1fff4ce1389cc13d15249ac7f6575a7f2

SHA256
ac59c01a59e7ab83b6a02bc782c0566ec7bd7a659f21e396f3d6be1a6b88355e

SHA512
1f5f75d6741e2ee1610c00ca3f078c5ab58383f54b1f383e512d507555848e33214b7ee073b0693982b80390cdea9dc1208bd1a6ff56981e8e03938b7c6d610b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
1b7ace0fbafdb8728672e54a809a273c

SHA1
8cea37912c41a53bfa435c9a0aa8a078985d34b9

SHA256
7e354d253bf4121955c1a9732153f062ce60be77cddc7407cd8a69c3aacb7f07

SHA512
414e7e6051c927465eccaed97aa78ade6d602702429f34797936eb7747b3d30962bc836af076503331a595f55fe881170a6b020c90a64b203c52fc8efcc6d492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
803a0c5904b73cbb85e83246f8a8a916

SHA1
c5d15b723df9cc55b4b4ab0e64cbf7e936ba8ce0

SHA256
58af3cf9a583e509a824781058904190314fdc38f32095aee8dd7994c83f1427

SHA512
c2138b8db5422e67daceb14c05fb9d2076fd79f52e1484f376cf3cdedb27c657173459b37a678ffac4356c9cca91704639c6c474bb0678094fc70fecc3e3d558

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
bc0337adcf4771297ae95a99b22a0ec0

SHA1
42343e2706797f396b1c4197a893f95ba8fa2a46

SHA256
83e0d68533fc1bcfea5207a4d8611880fa18998d0063d9c057b686d62103b7ab

SHA512
6b6699c340d68709dd80ee3d01df0cb29689121f07ee7255a4a079606f979cbffbc1be2874034e575644c60305e4e7bd62bc068d6e4387727483b4c3ac1b003a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f7f12ddb88c8d0e3be45af5b5d66aba1

SHA1
43015144c0df59ec9ac6d76f7df7a880d8df9da0

SHA256
0b014998628c6a17da714fb93346ecee5abb29f16ec83b43cb810f0df574b166

SHA512
0f5b620793d7b4452f1935bd3b9a8eaec84725244e0bb552e7f36ad7a8bbf81497b525b000e4b2114ec12506ba63c7ca0c7ee61db7349e053724ec92b738e246

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
0deba45bfd05152234d86a5a07cc783a

SHA1
3c9e93f59fcbc1a0955f41fe944df1e73fedf755

SHA256
82979edb8cd1c6f0e4f9490da7d82d9587d85c814ffc5f55ba501d0c6377d582

SHA512
85cfe63bc0517b6b0d19afd88dc186203310d34169569b676c76b12ab9fcd85e6b26752dadadc8463f1a9f385aa2ee18c8386712254da95f13e58094ad05394d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
71456a15995666340fae3cfa3a2fa448

SHA1
9ace1c80204ae04b2b42880c767d28d426501a31

SHA256
779f980ad511fc133d0da4ade72044abec8605ba952a2821900bb44dc3e4493d

SHA512
f7b4e13bd7ceff37c0d129f9575beedf1754ee74de600205b68cb05a691602d5c8bf4446be420a9c67988472324002f0570620de0df0a0545fec40762d89f369

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
390824d82c9f4b66dd714c7e7215b341

SHA1
4a1018bdbd667c91524f94e938d88c5c4440bf3e

SHA256
76211b5c51f68e33ed0a576566d0e3a66bdbaba8fc87f8dabb2f0af036833b67

SHA512
156a7d0e9a31fdc96ed93fee01b8bc638f004ce962269c8d426cbd28721259f7a7d44eb8d2221814192ebffc013cdb81c2ea4381156b7686bb0f9eb201715cc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
e5911ba2b6e2243bd6b4f44e37a1fff4

SHA1
98a7b67222405dd3230e205d9be5ff5bfa2c5d4f

SHA256
de6256fdb5660a7ee78acea902d05978a9150c5f2e19b6f155bd8efd50239a43

SHA512
9f77c571f792e535b08e3bd8af42b3671976280672406e706f04ec6af5ce36ae773cae2a6d97f4c70b5afd034bea25f9eb3b16148b3bb75257bf03b263f885a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD1C7B.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe

Filesize
3.6MB

MD5
d724d8cc6420f06e8a48752f0da11c66

SHA1
3b669778698972c402f7c149fc844d0ddb3a00e8

SHA256
07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd

SHA512
d771d74894e72402bbd016787fb102053678424205644bceec17ee3e7598e3f4aeb59b0f3272b5dbe1d26289f659024520653f57fc1bfe18054ffae4f188aef9

Download Submit
C:\Users\Admin\Downloads\07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.zip

Filesize
3.4MB

MD5
4b54a2b597e5f7c311d31d1cca8a3639

SHA1
0cc5a0c0342b277b7f88f9bdc2e02fbf96f270ca

SHA256
877106336681a4998689248360a88a6162b793f4baf234db37a879c2519d0fd8

SHA512
cbb41e129011e6a75f372fb23b28bea81196911cf53b91d03dfd8762c9b99c905fc31ae0f572fa371a8f56867684406e2a1a14900aca85c547451594b0637de5

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/4400-587-0x00007FFDED060000-0x00007FFDED070000-memory.dmp

Filesize
64KB

Download
memory/4400-586-0x00007FFDED060000-0x00007FFDED070000-memory.dmp

Filesize
64KB

Download
memory/4400-582-0x00007FFDEF990000-0x00007FFDEF9A0000-memory.dmp

Filesize
64KB

Download
memory/4400-585-0x00007FFDEF990000-0x00007FFDEF9A0000-memory.dmp

Filesize
64KB

Download
memory/4400-583-0x00007FFDEF990000-0x00007FFDEF9A0000-memory.dmp

Filesize
64KB

Download
memory/4400-584-0x00007FFDEF990000-0x00007FFDEF9A0000-memory.dmp

Filesize
64KB

Download
memory/4400-581-0x00007FFDEF990000-0x00007FFDEF9A0000-memory.dmp

Filesize
64KB

Download