chimera | hxxp://h

Analysis

max time kernel
835s
max time network
839s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-02-2024 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://h

Score

10^/10

chimera discovery persistence ransomware

Malware Config

Signatures

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

Processes:

HawkEye.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\dotnet\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

Processes:

resource	yara_rule
behavioral1/memory/2040-1267-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Renames multiple (3272) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 2 IoCs

Processes:

butterflyondesktop.tmpButterflyOnDesktop.exe

pid process

4152 butterflyondesktop.tmp
2364 ButterflyOnDesktop.exe

pid	process
4152	butterflyondesktop.tmp
2364	ButterflyOnDesktop.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

butterflyondesktop.tmp

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop	butterflyondesktop.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 27 IoCs

Processes:

HawkEye.exe

description	ioc	process
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	HawkEye.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

155 bot.whatismyipaddress.com

flow	ioc
155	bot.whatismyipaddress.com

Drops file in Program Files directory 64 IoCs

Processes:

HawkEye.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreSmallTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-100_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-400.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-24_altform-lightunplated.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\selection-actions2x.png	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msql.xsl	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SmallTile.scale-125_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionSmallTile.scale-400.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-unplated_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\sticker1.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-24.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\CortanaCommands.xml	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pl-pl\ui-strings.js	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\WideTile.scale-200_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sl-si\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ja-jp\ui-strings.js	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\MedTile.scale-125.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\LargeTile.scale-125.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\microsoft-logo-color.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp8.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\LargeTile.scale-200.png	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchLargeTile.contrast-black_scale-125.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\xbox_live_logo_black.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_patterns_header.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailBadge.scale-400.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarLargeTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40_altform-lightunplated.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\192.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-400.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-30_altform-unplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-72_altform-unplated_contrast-high.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\LockScreenLogo.scale-400.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ClippingTool.targetsize-64.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sl-si\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\DeviceNotFound.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-60_altform-unplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-150.HCBlack.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\SmallTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\plugin.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-200.png	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\AppxManifest.xml	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-48.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\10.jpg	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg4.jpg	HawkEye.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000279dbe2cb9d5c4499f659dc4fb2861cc0000000002000000000010660000000100002000000051f6858a15048785fb5af8a4cee4623d9b2322012ccda43dbb7fc4a0399782c1000000000e8000000002000020000000e88d335a98d2e76d5a8e693fb0329a5bd2d2cbf75a41190e307b14fef1d51f6b20000000927d9ed74ed0edfef72d4a6cfdf9bbfe10e5bc02cda416fcd4c8558e9c5082e240000000ecddea9e11cfffd06e91851739338d38c7ffca0db730d8b326fb8e7f22b9adf228e95d4c1e7e56903fb83f803abbb2bfaf9cd26950978a88f01bf3c252c575fc	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30b2cb0b0669da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000279dbe2cb9d5c4499f659dc4fb2861cc00000000020000000000106600000001000020000000bd254d04661d79b8990f975baa20c0aa92b9f00fbfc3ef44872622ccc1d87af9000000000e8000000002000020000000d0d3fa45263594efbc0aca2a77288c42d229bc14139f2a9a38022ab0cdff6b9d200000005b6d6e470d17a439c9c673d98a42ad2cd6dc4a7b792b2a22518967689013299a40000000cd236aa9e4b166dd807be2700007c0af41a946acab50474fbf63af935644f928ff345103dcc79757bb4465efcd8fe87a366a8995208dc660ddd31b43ac542084	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "155720405"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "415752704"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "145407613"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6010bb0b0669da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31090950"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "145407613"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{34209124-D4F9-11EE-96FD-D65EEEF40ABB} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31090950"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31090950"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe

Modifies registry class 4 IoCs

Processes:

OpenWith.exeOpenWith.exemsedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3045580317-3728985860-206385570-1000\{12C3D145-30F2-4870-AF9B-E5B9982FBBB3}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2776 NOTEPAD.EXE

pid	process
2776	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
2008	msedge.exe
2008	msedge.exe
1272	msedge.exe
1272	msedge.exe
2736	identity_helper.exe
2736	identity_helper.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2624	msedge.exe
2624	msedge.exe
4452	msedge.exe
4452	msedge.exe
4768	msedge.exe
4768	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exeOpenWith.exe

pid process

880 OpenWith.exe
2836 OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs

Processes:

msedge.exe

pid	process
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

HawkEye.exe

description pid process

Token: SeDebugPrivilege 2040 HawkEye.exe

description	pid	process
Token: SeDebugPrivilege	2040	HawkEye.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

Processes:

msedge.exeButterflyOnDesktop.exe

pid	process
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
2364	ButterflyOnDesktop.exe

Suspicious use of SetWindowsHookEx 47 IoCs

Processes:

OpenWith.exeOpenWith.exeAgentTesla.exeiexplore.exeIEXPLORE.EXE

pid	process
880	OpenWith.exe
880	OpenWith.exe
880	OpenWith.exe
880	OpenWith.exe
880	OpenWith.exe
880	OpenWith.exe
880	OpenWith.exe
880	OpenWith.exe
880	OpenWith.exe
880	OpenWith.exe
880	OpenWith.exe
880	OpenWith.exe
880	OpenWith.exe
880	OpenWith.exe
880	OpenWith.exe
880	OpenWith.exe
880	OpenWith.exe
880	OpenWith.exe
880	OpenWith.exe
880	OpenWith.exe
880	OpenWith.exe
880	OpenWith.exe
880	OpenWith.exe
880	OpenWith.exe
880	OpenWith.exe
2836	OpenWith.exe
2836	OpenWith.exe
2836	OpenWith.exe
2836	OpenWith.exe
2836	OpenWith.exe
2836	OpenWith.exe
2836	OpenWith.exe
2836	OpenWith.exe
2836	OpenWith.exe
2836	OpenWith.exe
2836	OpenWith.exe
2836	OpenWith.exe
2836	OpenWith.exe
2836	OpenWith.exe
2836	OpenWith.exe
2836	OpenWith.exe
2836	OpenWith.exe
1104	AgentTesla.exe
3760	iexplore.exe
3760	iexplore.exe
1252	IEXPLORE.EXE
1252	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1272 wrote to memory of 1884	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 1884	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 3544	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 2008	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 2008	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 1636	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 1636	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 1636	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 1636	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 1636	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 1636	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 1636	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 1636	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 1636	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 1636	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 1636	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 1636	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 1636	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 1636	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 1636	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 1636	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 1636	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 1636	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 1636	1272	msedge.exe	msedge.exe
PID 1272 wrote to memory of 1636	1272	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://h
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeac3e46f8,0x7ffeac3e4708,0x7ffeac3e4718
  2⤵
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3564 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2572 /prefetch:1
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1268 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1576 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=180 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1268 /prefetch:1
  2⤵
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,17994309820866807726,710633845100734610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
  2⤵
  PID:468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2892

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:880
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_NoEscape.exe_Virus-main.zip\NoEscape.exe_Virus-main\README.md
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2776

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2836
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_You-Are-An-Idiot-main.zip\You-Are-An-Idiot-main\YouAreAnIdiot\YouAreAnIdiot.csproj
  2⤵
  PID:1120

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Spyware\HawkEye.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Spyware\HawkEye.exe"
1⤵
- Chimera
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2040
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3760
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3760 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1252

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
1⤵
PID:4176
- C:\Users\Admin\AppData\Local\Temp\is-O58P2.tmp\butterflyondesktop.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-O58P2.tmp\butterflyondesktop.tmp" /SL5="$E01DC,2719719,54272,C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4152
- - C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
    "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SendNotifyMessage
    PID:2364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
    3⤵
    PID:1068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffeac3e46f8,0x7ffeac3e4708,0x7ffeac3e4718
      4⤵
      PID:4740

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Spyware\AgentTesla.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Spyware\AgentTesla.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe

Filesize
3.0MB

MD5
81aab57e0ef37ddff02d0106ced6b91e

SHA1
6e3895b350ef1545902bd23e7162dfce4c64e029

SHA256
a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

SHA512
a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
fd3a105e4b335aced70322b9903410e6

SHA1
dcc79ad8602b6890215e3ef1d9e42f9cd16d2d78

SHA256
ad86ac2a61cbb96f7ea0255ad0af491db25e7aba1ec4087c4eed4870c68de029

SHA512
d96ee38bef4090b76a1750932e5edb3a9402e07a270633e379ccbc4103e9f41c9cdcd0a789c5b71e7095bb25f932329f9ffaa6ed655199e814d456becb0c2981

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e494d16e4b331d7fc483b3ae3b2e0973

SHA1
d13ca61b6404902b716f7b02f0070dec7f36edbf

SHA256
a43f82254638f7e05d1fea29e83545642f163a7a852f567fb2e94f0634347165

SHA512
016b0ed886b33d010c84ca080d74fa343da110db696655c94b71a4cb8eb8284748dd83e06d0891a6e1e859832b0f1d07748b11d4d1a4576bbe1bee359e218737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0764f5481d3c05f5d391a36463484b49

SHA1
2c96194f04e768ac9d7134bc242808e4d8aeb149

SHA256
cc773d1928f4a87e10944d153c23a7b20222b6795c9a0a09b81a94c1bd026ac3

SHA512
a39e4cb7064fdd7393ffe7bb3a5e672b1bdc14d878cac1c5c9ceb97787454c5a4e7f9ae0020c6d524920caf7eadc9d49e10bee8799d73ee4e8febe7e51e22224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1af44e7a-24c6-454a-aca0-65b8416cdc10.tmp

Filesize
1KB

MD5
becf0653d9cfb6dcc59c9fe9747f839d

SHA1
b8cf65e561f1b14ca2d4d1a2c7dec3339fa5943b

SHA256
a425ada2d4e7ac85c6d65409a97a5475f0b146da5a06b8f934702666f90015f3

SHA512
2615213b0859d8549f64f0dfcfa3753f7e9302223c42bae6046e7bed169c0fa83dc3682a57c274f9de56d0c39842bf88ab292fde4fed53073f9e80c8830d2b7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
69KB

MD5
a127a49f49671771565e01d883a5e4fa

SHA1
09ec098e238b34c09406628c6bee1b81472fc003

SHA256
3f208f049ffaf4a7ed808bf0ff759ce7986c177f476b380d0076fd1f5482fca6

SHA512
61b54222e54e7ab8743a2d6ca3c36768a7b2cf22d5689a3309dee9974b1f804533720ea9de2d3beab44853d565a94f1bc0e60b9382997abcf03945219f98d734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
30KB

MD5
452cee87a193d291cf0394c0a8f961c9

SHA1
5ed43fad7737f776e85433d7fe7aa70d37eb4606

SHA256
6c31786e9b268be9d7e56b3e519845551550a8b0df4d3f55fbaf947378446c61

SHA512
355afabaa3be9194b4d47800be51e0ccecd9a857364fa57063b0866ee7595d33def0aed28eff297e582d16978e1ffb61921f3ee723e7c5e940dd48197b472500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.1MB

MD5
eeb2da3dfe4dbfa17c25b4eb9319f982

SHA1
30a738a3f477b3655645873a98838424fabc8e21

SHA256
fbfee0384218b2d1ec02a67a3406c0f02194d5ce42471945fbaed8d03eaf13f3

SHA512
d014c72b432231b5253947d78b280c50eac93ab89a616db2e25ead807cab79d4cb88ffe49a2337efb9624f98e0d63b4834ab96f0d940654fc000868a845084fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
20KB

MD5
8b2813296f6e3577e9ac2eb518ac437e

SHA1
6c8066353b4d463018aa1e4e9bb9bf2e9a7d9a86

SHA256
befb3b0471067ac66b93fcdba75c11d743f70a02bb9f5eef7501fa874686319d

SHA512
a1ed4d23dfbe981bf749c2008ab55a3d76e8f41801a09475e7e0109600f288aa20036273940e8ba70a172dec57eec56fe7c567cb941ba71edae080f2fdcc1e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
18KB

MD5
e3d17a76087cd47da0df882325909ba0

SHA1
e2e15c45dcabb198a027794bbf8f8bb87639d66b

SHA256
47dbef1f7b83cfa8dba08bd011a1a41eeb4f9a3d5f8616ba0c7fca73dabdd09c

SHA512
e0eb891dad80ebe9f06b35beeb105723803d422beef5ccd3795f839db3be3815b850f1361656f786921ef1ade18789bd2b9165dfdde8e42145ad172d891b3af5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
29KB

MD5
9ed67586e29d0cacf4f81404b72f8fbf

SHA1
47431cc62c0cef5ffc92d4acc977fff93a409063

SHA256
65c2150884bd826df35120cadd8fa4a28bc807f438997295fd3fbc9d7d696970

SHA512
13bb913457c1f037e28cee05a172a7f1901d5c5303eb884fce782368aab4cdf1855feb5afac1f1a11e85cf2656897bdeac88430b651bff878fe22c0976272720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e2f4f5436a223849f287c419aa9bd1f9

SHA1
9c2a7357de48fdfdc62a3d2d5b7a396a163f0e81

SHA256
60b4de9f1eda8113f5012d0dc2a80af5b0591203eb27ee27258bdd3069d3cd34

SHA512
d9eadfe200a5297738779599228d35f9d08290db7fefde0be959a0244e0912a31f90846e959c1b06093aa7540a3c78ed35220a36e67d26b1e27f81941a7cd5c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
196afdac355d16c7725f7a9b53d721a8

SHA1
28825bf799cd321e262e7548f0e0871dbcb8515b

SHA256
387755951a700af8d8cbef95b357feead12dd5808701b0ba6828aaed3d6dffc0

SHA512
78b45e33638ff4a685992b469ee9742f67772ae37d262bb48bc72dd95e3ad0b62e73a1742ce6e21f495d893da510beb0e519b2a364f06e462200e42fbacfac92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
ef5523db9ebdbbcd0a508ae42bd59f85

SHA1
1f5dd08f9e7ef6b95b1e7acd49fe4c0724127bba

SHA256
588ed74502c9f398769d3e16bcef931c59d229df75df67c5b7c6add997a74fd1

SHA512
a22673138aeb52613b634d97f10c2beb7851a3c46bd7c71ec3148f7273c1e000414ff826ffc81dd2dcacdfb65328aafd096d52d39f0a17d48dda129b0e7eb6e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
febd62b2d3139c85e1b694beb9683c15

SHA1
b02d6527f3ea533d067f72775a94ad005ffe3c5d

SHA256
e783621462947d8db301166df6de48fcadccc96d2b8fea67c09f26a53b57d43f

SHA512
13dd2809343e4df76e6640bb8e63879e950dd3d4249f4e1222177d54e564a82fa59fc0715480519c21b60b1c72344fc50c404bfcbeee4e19c8617bf5e7996b5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
c5df7ebfbda07c396f4e683b0f3664a7

SHA1
0a2bbbafabce41588ca8223ecd3b07806cc5c69e

SHA256
1e09d03f7898ff6ef7f2968a2afae67b64c1049c4fbf269047772d94d2016069

SHA512
a35840d418a3d11fe24ca957483fa7618282b3a40cfd7688b4a88ebee5ceee3f375b1cc567f7f3acb12b463a178aa0dd980fd604598d90488f169e4007d43aa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
77fb40e4a1e62599077abceabe6702aa

SHA1
3b5fb6fddb4206d532912c0eaa7a3e3d3c8eed8e

SHA256
9c95fe9324007731d5c34e57b4f15299626bbb70b7dca261f14c1f28d4d0ba2d

SHA512
c28a69a175fb09ce507d23cffd5b08f725eb2eb0dd1f7de5c6df9f37916604070d70dd32952a4f1c422d88bf40c851d6fc9387cfbea0d8def82a924f0898eaa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
e51277b7f96f1436bbbf1892610bff27

SHA1
e16b7709f8a1eb4359d3077032f8183e599f6eb0

SHA256
9dcb3e06afc24267cdb0405e4eaa5988a7a8d7464430423fb62088828be58e22

SHA512
f3638d8c0c28e4a5f821ac31181a09c481c0f87dbbfffe87ef8bed6ae82025ef0ed0e64128f588dcf21d461dbd0bacd3c7b494fa904e891392ab0e39aca2ff3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1013B

MD5
b1b82052189321d7565074eaca2d3c60

SHA1
59af8e71105a90910936657bb31204b9acd6dbeb

SHA256
f7905cb558913517edf67723e5bc7e50e7b4eb3bef9db5542b607b6f5317f113

SHA512
2ef744175a0b90bb2c7b6e88cff9babe2c690a542fa3a252bfdb7c51d833709610656bacc47794ee0944b2cd02b990c5870b27602e04f37f1d03fdfc11543359

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
82931c8ce3e457e5ca9c4b98bbb31550

SHA1
b7bbf789274fece619fbde6c989cea0d86d38be0

SHA256
a882dfb11d493202c93fc323cf5ab63625ae56255d2ac89bc8368333f315761c

SHA512
21d9c0797492a236b221f5e7456f3d083f20a7c4fdfa7a110ae5c45f63e39fcf6a35f4959048be1b620a904f1e0fdc65092937632b4e603544775425154a06ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bab4008c3fe4a5aa912e1f17e136fd2a

SHA1
2601315a1a12d6af2c2002ef622ca804a3fc8904

SHA256
5c630ba1c15bc353f0e053f5dd4a02f08a84d79f7547fbc714ead594cfb191b6

SHA512
a580e2cfbb0d4dde28b31130d50db7d5a03875b337bfa53c6ef41bb0d31d1e993aef251ba06205f42271da98d6997aaaeb837602a92386cc0b5ff6effeb6644d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e80a60f09b61a0507e11ad73ed873f7f

SHA1
645392abca2d15e411dc42650b4b5de9fa944ce4

SHA256
a793be2b160d992a6ba1a9b281a3d663e7d10793dbaaf40f4472b8d5a861fc26

SHA512
4a69705a744724e81f86026acf5686bcd8ce2039c74b80500b7248e5da3bc1414d92ab4a427fb1c8b18d41687846f35ea59c57266d70ad07f098d46e0ea4d968

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1f9b2b7d402ce008ad2eba22f668304d

SHA1
2094278858f28fe2cac909e159aa681720f74e81

SHA256
e582efad4c92c9a55d2706e29d5c5d8da0a204c4378d7cc6eb19bd4db434c676

SHA512
b4ac2e398cbb8efb9bc65045cb1cc9737d2f7d62f0a6672bf06c8008bdcb7d6e4783c1ae120e54371fd8c63fea1ec8a0e8bcc98e737cfaafe85d0543b0669e55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b8565bd49601c1c41775d3aeeec4f8b7

SHA1
0ee95dc45daaae0b0ec1b8f1fddcd6527f32d4d4

SHA256
0bf5c665acce64b48e31f90d29d90066742aa5bf54d220eebaefd07c523f4453

SHA512
41fcd062b190945c4d7bf4e1b22cb2883af60aa09d0ba7579ef75092bc4ee093374a1cbb987ef4b0e6381187728fa9ef5206c1b256e7f1fd20e14ea4e3b14e55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
61a72a7f97ea8d84aa693ab6c434fc54

SHA1
fd6c68da84d1f043451c205dd734ae007a2842c3

SHA256
73bf05c50d35f95381f9bafd2213db445e1f9af6f4506e16e3f6ad47077e3f69

SHA512
6542fc144173df6f86c2671a3a04bc9a5eeda4a155f8062a707a650f32c35f13a05690608269af90fbea538fbb6584170c0a4daa168e9824c1bef60cb6af36f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0c33a1e2b52031c01bc4254c1717114c

SHA1
678cccff307e7353a683a9fb3a82099051d0f642

SHA256
014f731a732a7521a05ecae575a53527866d579211d956c74fa208f50496d4b4

SHA512
a04bb6a6df100db38040aa7ece0702c7c09ab7cd9beda7ede8e8b6376410ef1166a9139838a6ee560cad7bf3d611ccf074d82c556bbf552f67af398a075f47cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
af615448d012d54600c8812385659f02

SHA1
51ec7ed7ddf772c92b5efc2db9fb5db83b92d4bf

SHA256
733ac4ec5dd51a59f6cb183f40d94f8da59ebc5b2ae9a95515bfd3d6cf013ff2

SHA512
3d4d9b6207347e33beefed3a9122b5e7bb9f6eef231b8087ac91811168e63ab65556b6f1a7284fb6b0232499a5d36a963d2ad1fe722dadc6ce8e71f668d6ddfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a1e22657223b56b3437225d4ff28c8c7

SHA1
7324632fd6e40b5c2e8b7eaff5cade6ff655ff9d

SHA256
c31b0ffe7beb680b3555c0a209517b52bab6efbf6f196080b63a9b8574a818d9

SHA512
8f7aff0c37a74c830c66e4933d51b8d1903958cc0ce03283b4e3731d2f38d249150f1ca3fdec98e088659899f157a3171771609746821d42fe034d7de2d6c413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f773267feb9faada14bb035f970d047c

SHA1
c0ce01fd78b532cdaab7df795e8848ac8625879f

SHA256
e7153cfc0879e9e7061d761e3f334b23f2bd24227db70bc36832e79c5ebeea63

SHA512
47fb9dc5d00e0de77c8d0e6b506aa18c3cef467f0cc15af23966d10c757c48ed169c9f5ed88f921cec6ee16c770091bb15de511d9f6b32b9d40b033abce42916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
249745f137c6edfd9ce9141a32acb600

SHA1
34894fff9ed47c5539590edf66dbc444410cf046

SHA256
14761719b437b74f981f4dde854c1b4d403a0c53365d8eb21490f70cf7f3a1dc

SHA512
f58f2e4d1d21fb1455642b6cf7e5e273952656e54742cc42794515609f270517761ac9b1c8acf28d8f51b1396f3f6ede4ae2187a0d4fa7c8c54c8c55e923b972

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0e3da596bb9ed24b2dce33389582396f

SHA1
f4c09d5ca4678ebc084e648965f8021c98fb1f7d

SHA256
90f531aafba8caec01dbe5c2be178b164cfa5e78ca00eb09a0b73d89a69651c2

SHA512
353ce5f50ed800e7a06811c8406373ce541487ca4a197aca0d31147463be7c395d62eaff12b7354a2896be42306f23694e59b1fda10c98dba30c7e60e956aea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3d79b9a64f57cf0cd70170062b60fc1b

SHA1
76de48459661d7d25049d15aa9c8e8e130b0793f

SHA256
904c87285b95de82356d8db17ebaecb926540ba1d58e17ba144bf797e726a9b4

SHA512
103f258c581a7a67901cd95ef56517921e47684f04b1c66d6c0e0152d7310f60dc19cfff83047bc7e3d2f1c4ab87c624f8e96d52369255a44526d2eea8ac85f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7e45f0a3937464f63bb27ee27f7a98a4

SHA1
d9b9ed586462a386f2c8a783b3263dfb4d1dd4c7

SHA256
eb7c2a6faa8543909bf457f75a93e1429f075db0d8baebe0d0c8c269be0fc767

SHA512
dad051aaee94feac8f2df0e701226368341675e6762cfd49058b7b0144f2b78fd90887ab4edc87394f51bb01b6c5c206290a48db54ba8a0880179a9d2b369dd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4f78694aaae873dfc8f3f948077eae90

SHA1
cb9e130b2005bc087a2defbbfe554a2e56a48e70

SHA256
dff6f021c8211010f43e7d4c27b32ea5ac4a6e45a4c85f4fd07991e6eaa4a5b3

SHA512
f5cbf0b5f434791e8527f21e1d46177b9b7b835ddffcc5b96c48d3203c923ea6c58f8bff82808c904d0ac1ef38bf5f667c12e4818226997f68bca223c88ad13c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
77582a07fba9b4ff8db3b07ce8ae33d8

SHA1
fdf1d766b91bc3c01c0c28e3e8f9064929e2e873

SHA256
9a678473713135e4dd42f4740dfddf31571a433c2557e12b021c57e47c882fed

SHA512
0d3702fb22b3fbf64a2122f5badd9ffd48b9a3117c73d62fb212688ccbf4055dbf653662770f127eb99aba0ae3f134b740b83d929985e2b8188301bd4e06625f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a7e4cf8fa13f4410101e4cab44fd9de4

SHA1
4662fd31f48737a63630c87745a9722a83627737

SHA256
480d6c9d080b15282382f20da6a91f811023218f674654dd84100ff60be33ead

SHA512
be19e9920f2c52d1c7eadf7b1bcddc6dabeef104fcac7f944cb4b4167da193e9d57ff696ccbc661192d4de5466e2631c0ea8289b2875852e7586a421146c0e55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2c53ec49269d2ca38fd3860e48f6570e

SHA1
27462fdf9f5eb026716e9f976714d4032f1e742d

SHA256
f225a09c389bc41f34af64cb7fdd972bfee65b40b249bd63296a07499f411cce

SHA512
28bc9b85f786d8d7b4c416ad24277df5dc7a71ff60eab0770962d3f1ee78d34e0f93a43bb53180a0aedd2aa8b910bbb8b653873e53ddaf4ba44d7bd8ac9c1e89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d4330b94d7cfb590f29891ed7ee333d1

SHA1
780d806697023113b5c8b8867ada38a9494b69c7

SHA256
ef52fe321955d25ee6731072b61a7c7bdbcad745fbd96bd4e6e99a72ecb53911

SHA512
d00054844cf52102473cf98e897f74fc5621c5a8d6560fea8788e5e6ed4cd264733f5472dbc24495c76d66fb13eff7ace0a9c54e36d083f63ddec91d924f2103

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
03dc624b5750d22c494ffa7288793862

SHA1
4b0eb936690fa35f889d519d647a17ee2cb60ff6

SHA256
ab533bb99beb425f862ee087fcf4c1d81731bc8ec05291e9c1e0a9e5bc55e067

SHA512
a103815882f5753e4a973346ea980617cfdd1c70d18b6b880d961c9daaac8abefac2ec31b37550e8e6c393dfca95811e57d14fe0f7d7f39a4da336c10db895b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57efde.TMP

Filesize
1KB

MD5
4d53297914258d5648a5f14d24757113

SHA1
37e1c61b7dd65fe518ddf8792641a84ff6a9cb90

SHA256
5aaf516c882d810dcf0679d8a971d1c02f5a555b154e101542e5ae4f943a8ff8

SHA512
4c07ca887130606031abbbc1cbd543bc0f2f35e0d9ebeb9d426b992b524f0bc25c1b80a39d76450648293f9f54f48a33f0038c6ebd932644c62527a82302db12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
673a5c438c4bd8bc6f0903bd39005b9e

SHA1
0f3bc514029c2fc7c5398b2baf014ff979ffff0d

SHA256
a1a6bd9971b445ebff3cbf319aa5a48c5a10feab2bc7d8e96aae23ba9370db68

SHA512
7ce935d075755e5d56950896b1bd332dfa935c0b5052a6af8789e32a20f71e980732a95f79581a60c13b0b3cdc51d1c5ee8bb17bc8d3346f32f54daffe88ee25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
3ad0d49e7181360148d615cb91754a4f

SHA1
28d1d3eaa5c85c25f7a31ec4b1095fd5af331c15

SHA256
14713b00b0fa4c1f5c9906521b5e22504964a885e0e9ff967685a9e1ff9afbf0

SHA512
84c927db5dc54ecae6f6f1d51e2f44ce41b9c46c560758c2e9114ee06944e22bc39a480224ba1ebc16b1d2674523c5afd2e1fe0c8e8651af6e3bf9d26fe5cf6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
a6931abf258d4c3adad29faf5134f410

SHA1
5ad1c65b94f104a8d20014abe207041b7c9a903c

SHA256
4f34fb6d80c5e9973150a6ca13dc4953a550c12f4c827798c40fb134f2457d35

SHA512
68abf28e2e028cc496b9c0de4c9d46ac8287c84a45d7c81e3048219397ed85e49b2ab83529831790c2b405976cde1dc102522ea1ad44fc24a2551a1a173197a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
0dacc83c0a4eb9d182365b0da3a7c209

SHA1
25316ae8b42c1c71765a5afd271fe0e7ef19b1cd

SHA256
7b9c8463c9c7dc647e2aea647e5a2e22b93b57be7665675054bb8faca4728b9f

SHA512
92665cd42e3fa3015629c9c02941f22975192ae092d899a8b9a010c4194dc4ff6f0329fdd31a3d5447091019a037a288ca97220469888826a1c534b921251ed0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
24921ccb898bcaead55420b4606116a8

SHA1
7312851407602b99d97b182ac880db26b630b726

SHA256
fe30fe64f913e19137ae592841000d2ff3b7f143a579e168ea97e591cb0d8155

SHA512
83dc2e99793ab4d4484788b018e69e683ff125ab3b98157062cdffd271dfa49e23a928bf67c142199c645840c120e507740e9cd3e8fa3edb3945059d91357e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\20RAD7Y0\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O58P2.tmp\butterflyondesktop.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
77bcde9bbbead3d61575ee769476c792

SHA1
258bc1c1eee9d342a30b9abbe3d61d7513f38af6

SHA256
c61f56cf04d01edb209940d066a490ceea74e445b430d6eaf40084212d3d3e8d

SHA512
3c3ecc0c04428769ec9b239b78e1721a6285a46408449e4c890b72d605aced20fb759dbc97c4e96131485993779b849a9cc66da6e92bb84dd05d109bf72ac2fb

Download Submit
C:\Users\Admin\Downloads\NoEscape.exe_Virus-main.zip

Filesize
632B

MD5
0d5a6333fe8512b3e5aa7af299b8ef67

SHA1
1a2d7ca5d0f4a60efd84bd2323a2fb7451533b66

SHA256
8ffb3fffd3091b5abf18afc49d79af7d444fa2d11bbf1824d49674e220578280

SHA512
1dd1cddfa6f4703abc38b2d132a2eec8387b6878ff3f4145e9269609b64a9518863a126ab61f0f44af7e5275be26062b13e271c7afcaf4032175d3ccee48474d

Download Submit
C:\Users\Admin\Downloads\NoEscape.exe_Virus-main.zip

Filesize
1KB

MD5
53031a22ccbf8af161cee34e68a63d59

SHA1
38d1ecc69301ee90c9b68fae749d177672f867e8

SHA256
7f409af3cecac416bfc7bc43752560be0c77e18fafbb6af0311b4164f3606d60

SHA512
8841e362755bebcc50e43c3b1034269dcaeb26aa6ca004d8e9baf9abd15b7d4e08287793e84b1b53a5c4b68e35a1653d52a868b2e8731526cf2fc51a26b3ddfd

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip

Filesize
13.7MB

MD5
de3ed98d9a3c473813692a85ec6104b2

SHA1
96dc275de7eed001944a0260060820d144474792

SHA256
0e34cb64b7ee2bd2abcdbb9686c07363ede15294f974781a33e573fe9c9e706f

SHA512
8e1b3ca31a3ffdb3c8dde991432de32485888229b00587c7877b91b2ed3f3ba09b9e11ca7ba69b0f0e1718805dc952423d7734b320e5723925eb17e359be0538

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 786855.crdownload

Filesize
4.6MB

MD5
7cae6b379184f1cc5444ca2fc9a8ec75

SHA1
9a68fb4fed6c6f633275480ac481b7d24a1e60ad

SHA256
4b6edb96987da0a7714e705a7af8516ee7167c8a616eff6eb3ed9e54f6d02ee1

SHA512
fc81537d3fa0aa4fdc56ebcbc13bc43167cf1cd5424077c65292d7c86dd1e7aa11c44a5c78d8ca6fb31d942c034c1a9ee309aa8ee8a75a39dea0d3ed65790604

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 859624.crdownload

Filesize
596KB

MD5
518a488bbb994b3d6874fff4ebbbb9b6

SHA1
b3c012816a4667949db4a32b2cb342c82cee261f

SHA256
0f825486986fe6c9b5e76a43a8b736fffe8f3661b5323ceae1a5941368dc8cca

SHA512
50e64a4537cfd9856b921acef67f77507e0d9a598baf017faa9f17721084448a96154e7704de3be7e59d67354e8fc9cbbbcd14ca778cfeb84176dab086e5bd33

Download Submit
C:\Users\Admin\Downloads\You-Are-An-Idiot-main.zip

Filesize
4.6MB

MD5
634ad8fade39650fe6081ea46ed64d84

SHA1
b10e95dad829d500d968cb54ac34ddffa269d26f

SHA256
ab4fb25cd5a5e79e9744ef0a562b85d81a42cc08077b91de4a719d9b07e5a80b

SHA512
857bc27680ceb56b9841f38400b17cc3aadba79d54f12f4c179233686eb3a00650c107fc3a4b7aac606ac12ae265558a5ace4ecc9d43481a468a08f1d39dd002

Download Submit
\??\pipe\LOCAL\crashpad_1272_PBZLOXLCAGWZJLOQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2040-1266-0x0000000001050000-0x0000000001060000-memory.dmp

Filesize
64KB

Download
memory/2040-1274-0x0000000004D90000-0x0000000004DAA000-memory.dmp

Filesize
104KB

Download
memory/2040-1264-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/2040-1957-0x0000000000BE0000-0x0000000000CE0000-memory.dmp

Filesize
1024KB

Download
memory/2040-1945-0x0000000001050000-0x0000000001060000-memory.dmp

Filesize
64KB

Download
memory/2040-1265-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/2040-1267-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2040-1272-0x0000000000BE0000-0x0000000000CE0000-memory.dmp

Filesize
1024KB

Download
memory/2040-1926-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/2040-1273-0x0000000004D90000-0x0000000004DAA000-memory.dmp

Filesize
104KB

Download
memory/2364-9286-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2364-9342-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2364-3240-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2364-9350-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2364-5877-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/2364-6793-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2364-7974-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2364-9235-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2364-9349-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2364-9348-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2364-9347-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2364-9346-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2364-2009-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/2364-9319-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2364-9320-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2364-9321-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2364-9330-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2364-9331-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2364-9332-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2364-9345-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2364-9340-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2364-9341-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2364-2153-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2364-9343-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2364-9344-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4152-1956-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4152-2013-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4152-1895-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/4176-1955-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4176-2014-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4176-1889-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download