chimera | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

06-09-2024 09:35

240906-lkpy9szamb 10

06-09-2024 09:27

240906-leqzdayfqa 10

Analysis

max time kernel
466s
max time network
473s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06-09-2024 09:27

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

chimera discovery evasion persistence ransomware spyware stealer

Malware Config

Signatures

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

resource	yara_rule
behavioral1/memory/2816-2102-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Renames multiple (3442) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion

Executes dropped EXE 5 IoCs

pid	Process
2228	AgentTesla.exe
1248	butterflyondesktop.exe
4972	butterflyondesktop.tmp
2816	HawkEye.exe
4784	000.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop	butterflyondesktop.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 26 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	HawkEye.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	000.exe
File opened (read-only)	\??\Q:	000.exe
File opened (read-only)	\??\T:	000.exe
File opened (read-only)	\??\V:	000.exe
File opened (read-only)	\??\A:	000.exe
File opened (read-only)	\??\N:	000.exe
File opened (read-only)	\??\L:	000.exe
File opened (read-only)	\??\P:	000.exe
File opened (read-only)	\??\S:	000.exe
File opened (read-only)	\??\X:	000.exe
File opened (read-only)	\??\J:	000.exe
File opened (read-only)	\??\K:	000.exe
File opened (read-only)	\??\M:	000.exe
File opened (read-only)	\??\Y:	000.exe
File opened (read-only)	\??\Z:	000.exe
File opened (read-only)	\??\E:	000.exe
File opened (read-only)	\??\H:	000.exe
File opened (read-only)	\??\I:	000.exe
File opened (read-only)	\??\R:	000.exe
File opened (read-only)	\??\U:	000.exe
File opened (read-only)	\??\W:	000.exe
File opened (read-only)	\??\B:	000.exe
File opened (read-only)	\??\G:	000.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
34	camo.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
132	bot.whatismyipaddress.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	000.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Control Panel\Desktop\Wallpaper	000.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\GetHelpLargeTile.scale-100_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_altform-unplated_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\Modal.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleMedTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-lightunplated_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Outlook.scale-125.png	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\resources.jar	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\ChoiceGroupOption.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-30_altform-unplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-72_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\it-it\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\dist\fluentui-react.min.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_21.21030.25003.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosAppList.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_editpdf_18.svg	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\es-es\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-80_altform-unplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_altform-unplated_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_21.21030.25003.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-96_altform-lightunplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-24_altform-unplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-white\PowerAutomateWide310x150Logo.scale-125.png	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-80.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_11.2104.2.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SnipSketchWideTile.scale-125.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsNotepad_10.2102.13.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\NotepadLargeTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_altform-unplated_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_x64__8wekyb3d8bbwe\Assets\Icons\StickyNotesWideTile.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\AppxManifest.xml	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\edit_pdf_poster.jpg	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-16_altform-lightunplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\Retail\guest.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsWideTile.scale-100_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\NotepadAppList.targetsize-60_altform-lightunplated.png	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\proof.es-es.msi.16.es-es.tree.dat	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PaintAppList.targetsize-96_altform-lightunplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorMedTile.scale-125_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-64.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-unplated.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter_18.svg	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\PaintLargeTile.scale-150.png	HawkEye.exe
File created	C:\Program Files (x86)\Briano\UWPHook\Microsoft.Management.Infrastructure.dll	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsNotepad_10.2102.13.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\NotepadStoreLogo.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailWideTile.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LibrarySquare150x150Logo.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugin.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\node_modules\tslib\test\validateModuleExportsMatchCommonJS\index.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\cs-cz\PlayStore_icon.svg	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_x64__8wekyb3d8bbwe\Assets\Xbox_AppList.scale-200_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_altform-unplated_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_48.jpg	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\KnownGameListRS4.bin	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\Utilities.js	HawkEye.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentTesla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1432	taskkill.exe
4672	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "12"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31129707"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "376041904"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile	000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	000.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3761892313-3378554128-2287991803-1000\{3B9DB5DF-667A-44C1-88A7-09A8DADDAEE3}	000.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3761892313-3378554128-2287991803-1000\{A1817A38-621E-49A4-B07E-E306C60B1D65}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon	000.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MalwareDatabase-master.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4344	msedge.exe
4344	msedge.exe
4776	msedge.exe
4776	msedge.exe
568	identity_helper.exe
568	identity_helper.exe
3796	msedge.exe
3796	msedge.exe
3708	msedge.exe
3708	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
1952	msedge.exe
1952	msedge.exe
952	msedge.exe
952	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs

pid	Process
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4312	7zG.exe
Token: 35	4312	7zG.exe
Token: SeSecurityPrivilege	4312	7zG.exe
Token: SeSecurityPrivilege	4312	7zG.exe
Token: SeRestorePrivilege	708	7zG.exe
Token: 35	708	7zG.exe
Token: SeSecurityPrivilege	708	7zG.exe
Token: SeSecurityPrivilege	708	7zG.exe
Token: SeRestorePrivilege	3680	7zG.exe
Token: 35	3680	7zG.exe
Token: SeSecurityPrivilege	3680	7zG.exe
Token: SeSecurityPrivilege	3680	7zG.exe
Token: SeDebugPrivilege	2816	HawkEye.exe
Token: SeDebugPrivilege	1432	taskkill.exe
Token: SeShutdownPrivilege	4784	000.exe
Token: SeCreatePagefilePrivilege	4784	000.exe
Token: SeShutdownPrivilege	4784	000.exe
Token: SeCreatePagefilePrivilege	4784	000.exe
Token: SeShutdownPrivilege	4784	000.exe
Token: SeCreatePagefilePrivilege	4784	000.exe
Token: SeDebugPrivilege	4672	taskkill.exe
Token: SeIncreaseQuotaPrivilege	444	WMIC.exe
Token: SeSecurityPrivilege	444	WMIC.exe
Token: SeTakeOwnershipPrivilege	444	WMIC.exe
Token: SeLoadDriverPrivilege	444	WMIC.exe
Token: SeSystemProfilePrivilege	444	WMIC.exe
Token: SeSystemtimePrivilege	444	WMIC.exe
Token: SeProfSingleProcessPrivilege	444	WMIC.exe
Token: SeIncBasePriorityPrivilege	444	WMIC.exe
Token: SeCreatePagefilePrivilege	444	WMIC.exe
Token: SeBackupPrivilege	444	WMIC.exe
Token: SeRestorePrivilege	444	WMIC.exe
Token: SeShutdownPrivilege	444	WMIC.exe
Token: SeDebugPrivilege	444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	444	WMIC.exe
Token: SeRemoteShutdownPrivilege	444	WMIC.exe
Token: SeUndockPrivilege	444	WMIC.exe
Token: SeManageVolumePrivilege	444	WMIC.exe
Token: 33	444	WMIC.exe
Token: 34	444	WMIC.exe
Token: 35	444	WMIC.exe
Token: 36	444	WMIC.exe
Token: SeIncreaseQuotaPrivilege	444	WMIC.exe
Token: SeSecurityPrivilege	444	WMIC.exe
Token: SeTakeOwnershipPrivilege	444	WMIC.exe
Token: SeLoadDriverPrivilege	444	WMIC.exe
Token: SeSystemProfilePrivilege	444	WMIC.exe
Token: SeSystemtimePrivilege	444	WMIC.exe
Token: SeProfSingleProcessPrivilege	444	WMIC.exe
Token: SeIncBasePriorityPrivilege	444	WMIC.exe
Token: SeCreatePagefilePrivilege	444	WMIC.exe
Token: SeBackupPrivilege	444	WMIC.exe
Token: SeRestorePrivilege	444	WMIC.exe
Token: SeShutdownPrivilege	444	WMIC.exe
Token: SeDebugPrivilege	444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	444	WMIC.exe
Token: SeRemoteShutdownPrivilege	444	WMIC.exe
Token: SeUndockPrivilege	444	WMIC.exe
Token: SeManageVolumePrivilege	444	WMIC.exe
Token: 33	444	WMIC.exe
Token: 34	444	WMIC.exe
Token: 35	444	WMIC.exe
Token: 36	444	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1384	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2228	AgentTesla.exe
4784	000.exe
4784	000.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 1532	4776	msedge.exe	78
PID 4776 wrote to memory of 1532	4776	msedge.exe	78
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4072	4776	msedge.exe	79
PID 4776 wrote to memory of 4344	4776	msedge.exe	80
PID 4776 wrote to memory of 4344	4776	msedge.exe	80
PID 4776 wrote to memory of 4636	4776	msedge.exe	81
PID 4776 wrote to memory of 4636	4776	msedge.exe	81
PID 4776 wrote to memory of 4636	4776	msedge.exe	81
PID 4776 wrote to memory of 4636	4776	msedge.exe	81
PID 4776 wrote to memory of 4636	4776	msedge.exe	81
PID 4776 wrote to memory of 4636	4776	msedge.exe	81
PID 4776 wrote to memory of 4636	4776	msedge.exe	81
PID 4776 wrote to memory of 4636	4776	msedge.exe	81
PID 4776 wrote to memory of 4636	4776	msedge.exe	81
PID 4776 wrote to memory of 4636	4776	msedge.exe	81
PID 4776 wrote to memory of 4636	4776	msedge.exe	81
PID 4776 wrote to memory of 4636	4776	msedge.exe	81
PID 4776 wrote to memory of 4636	4776	msedge.exe	81
PID 4776 wrote to memory of 4636	4776	msedge.exe	81
PID 4776 wrote to memory of 4636	4776	msedge.exe	81
PID 4776 wrote to memory of 4636	4776	msedge.exe	81
PID 4776 wrote to memory of 4636	4776	msedge.exe	81
PID 4776 wrote to memory of 4636	4776	msedge.exe	81
PID 4776 wrote to memory of 4636	4776	msedge.exe	81
PID 4776 wrote to memory of 4636	4776	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe1fd13cb8,0x7ffe1fd13cc8,0x7ffe1fd13cd8
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3368 /prefetch:8
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6828 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1640 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=2540 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3564 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
  2⤵
  PID:488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1080535651344013534,7092279860669344101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1
  2⤵
  PID:4988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2392

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:600

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\" -spe -an -ai#7zMap1735:108:7zEvent30340
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Trojan\BonziKill.txt
1⤵
PID:1448

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Spyware\The Worst Of All!!!!!!\BonziBUDDY!!!!!!.txt
1⤵
PID:572

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\MalwareDatabase-master\" -spe -an -ai#7zMap25278:106:7zEvent6698
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:708

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\MalwareDatabase-master\davepl\" -an -ai#7zMap18769:1126:7zEvent23441
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Spyware\AgentTesla.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Spyware\AgentTesla.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2228

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1248
- C:\Users\Admin\AppData\Local\Temp\is-1J4FA.tmp\butterflyondesktop.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1J4FA.tmp\butterflyondesktop.tmp" /SL5="$1102DC,2719719,54272,C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
    3⤵
    PID:2756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffe1fd13cb8,0x7ffe1fd13cc8,0x7ffe1fd13cd8
      4⤵
      PID:3720

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Spyware\HawkEye.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Spyware\HawkEye.exe"
1⤵
- Chimera
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2816
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Downloads\YOUR_FILES_ARE_ENCRYPTED.HTML"
  2⤵
  - Modifies Internet Explorer settings
  PID:1724

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Trojan\000.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Trojan\000.exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies WinLogon
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4720
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1432
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4672
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where name='Admin' set FullName='UR NEXT'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:444
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where name='Admin' rename 'UR NEXT'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1384
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /f /r /t 0
    3⤵
    PID:5092

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a36055 /state1:0x41c64e6d
1⤵
PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe

Filesize
3.0MB

MD5
81aab57e0ef37ddff02d0106ced6b91e

SHA1
6e3895b350ef1545902bd23e7162dfce4c64e029

SHA256
a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

SHA512
a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Download Submit
C:\Program Files (x86)\Butterfly on Desktop\license.txt

Filesize
2KB

MD5
053f08197982eea68eeb6520fa06a1fb

SHA1
7ab98f7410dc3d1a6192785fa328a39b4deda7d4

SHA256
1b14cec80377cf1052323082210a941b82550c87b4ec2ba59ec809b360cab2c3

SHA512
337e2ce1e3a93eacb9c7fccd7d46bf7b14c5ce2b698fcec1e629c4e49633934dc7ef3988c9dc98770787c282dc01ce6155c5b3dbd80bf4d0d31916190f321a5c

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
c1c24500add743764136e8304ed15765

SHA1
001b198eb6f55ceb29cebf11cc88fc24e3c78431

SHA256
62ca3c29be594f73a8d33557637608a9508819c5d2a480bcc12e329ca4310d73

SHA512
498472f3db92eb9d829c53401ef34fd9b48ee6aef2d7b6c073d823ab5bd3b7adf294b70ec6f44cee5ebc4e4735d1e0d421bd40cdb4f26eef8c0812a8caef06e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c3889d3f0d2246f800c495aec7c3f7c

SHA1
dd38e6bf74617bfcf9d6cceff2f746a094114220

SHA256
0a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4

SHA512
2d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c4a10f6df4922438ca68ada540730100

SHA1
4c7bfbe3e2358a28bf5b024c4be485fa6773629e

SHA256
f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02

SHA512
b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
37KB

MD5
3973eef729615ffe9f12b0cad100e6b4

SHA1
ae897202c487c10de5c0e11e335ae2fd6d3b4640

SHA256
930521af373044db3aa04862d9f4068286096ed61b3da3dcf9a8a03c02daacff

SHA512
c5e33bcd9e4689bc7078f38e229d77e109d8419bbb2fad9c3f2ebafce688f55f8a636a23ca80fdd4714e19d0dcff23da01b9ed67ba1a9a52bcd0d500de1f9bb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
37KB

MD5
4446004a15a8f47b59f69e0ff6daf095

SHA1
2fb891f331a4579da782fde0a98708f4004c423b

SHA256
81ab172d1e6c8aadbe47409cbc1b3ac84ae93be69de4f99fb26814cc334279bc

SHA512
06211b4d387ef7ad3f473dca1172165a4b65e10a5182423ed6608354d55cf50c08e6c5439595b93b7b2994ee28dca14c403b59c0bc4cb5a02c35c6c9498f09b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
21KB

MD5
94a66764d0bd4c1d12019dcd9b7d2385

SHA1
922ba4ccf5e626923c1821d2df022a11a12183aa

SHA256
341c78787e5c199fa3d7c423854c597fd51a0fc495b9fd8fed010e15c0442548

SHA512
f27ba03356072970452307d81632c906e4b62c56c76b56dfe5c7f0ea898ac1af6be50f91c29f394a2644040929548d186e0fbcea0106e80d9a6a74035f533412

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
23KB

MD5
13c9fa26d781d5bfb4192b4d255dcfb8

SHA1
8d8c1fc8a9835aaafc017cd0ee2e41369ad3be8c

SHA256
d8f57272a95e48e67cefce9eeba43853e2cbd593b3fa7ff84624950e1238f8c3

SHA512
55229d8fd4f23f2ae243d30e7b6844f776e33402b1d00a9651539ea9d1ee014dd2f6096396ff4cb8c8674774463121876e6bc0dd68bccf172f19b9916c5b4b34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
894d43e81c41ef4d6ba3d002bae954ce

SHA1
b6c44d5cb320620ad439825e3d937262d5c26da2

SHA256
67fa44fbf557001effbb7b70d537f6f32d96a5cb1993e2c1e7b277b4b747de73

SHA512
3a1bd7fb858c88fc77784120330b29118b76522413c434ea3cf56380bf34537ea337e998b46956a0270faef6df934d8f0941385c70e6c7941cfd58cbd591a922

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
5461da6bb690dad9617bd30be6729adf

SHA1
34af41857f77fd712457928f48588568002d7e17

SHA256
ce6a6f5076dd6dbb6e0ab221e07bd0f543fcccdf388fc45827ccf7f95e123711

SHA512
b60997b0bcf841d3f25ffea919c7ddb24d5b6ee4b4abdab8c5f1388237e76b5111a0211e3e27367514877d33e8739b91ff4849a146323313c2cb3683405f46f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
651221040f8553dd7f89ff02deb02a64

SHA1
b49dbaac4da80518100ecb647efac70d5733bedb

SHA256
2f4f7cdc2c54da0f4de8c6396bb01546b1eeb2eba2c5c4595365336163f52b47

SHA512
2effe3e85d0ff918f3258a13deec09932c587c93b79f80d7c3568ff341039b3728d2b7954307e935e9c49ad48f647febb44fcdc2d7f0e29f416a661b3435adb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
606f02eaf5b55275a88f39b024c4d521

SHA1
e90bc98678cfc3aa002631c17422378ba91ae03a

SHA256
661819bdbfdb3e912818395f1b3b6d194248524cc4bc1705d270948a7a682ba7

SHA512
5669ca8b4f8b1f2a34d39ae5ef33a3f346e630541d7e7b0654b6dbaf782763703ced9533c6a2947b462ccf9e2095a8c812f3bb484585709e41e2c79cf41d24c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c8605cc4212dbd3380991324cc91bc60

SHA1
713d8713d21330dea8fd37e7f1cbcd617f82ee0e

SHA256
0b8871514ae63b90b39a2bac53b3d425cd97e73d4e1f22790aef7a258cb916c1

SHA512
355dfbdc4789b3fa2b9622730893a571307ade5f9e2254fae174e370fce4739f60000a4f90442f826b16bcc2e0fb97c1c787ef5381b228b74978f53ae30a10c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
36eb1eac78a2605b1da2d46f240bb916

SHA1
3cc92c0942c2ceb2b2c627598e4059a9b331b55f

SHA256
964fa583c3c34a7e25b85ce8ebf6761555bfaefa2224a9041de5fe65382f75f3

SHA512
355c4d7933ce45f08fe55277792ddb89ad8a7a3ca40fcf40fe7aec729fcc6686d968d1769f39d6a14efe93045e4dc4558180ee021e2d9a2750a9026787a7109b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
48abf5b72d2569e09e5dfbb86e39a5d9

SHA1
486631d6d894551b717661a3200a011cef6fd503

SHA256
36f3d1cd83bce01733cea7168fb3b16535eab854c563a87648756104d2dea11f

SHA512
e7167a401f3f2b1658abb9f3a04a3e69f496eb8a96cd5311bfac06470f97db079d6e1140e9c7afc54a0d483cf7f4b12a4a5a03930dd900b44e923ccd91b59f3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
aaea27a60b1ce9f59df9f3733c707bfb

SHA1
ad090a38d068a55742f595bc32e6e1dd61a7a210

SHA256
ac2e26dd082bbb948e15db46fcab4b82c9373bb78e29aa323e6339a474b2d821

SHA512
3b7f508e99f788462360a3d9158217975a79a750bb90686dbd588666275f7fb40965bd89fac9fe084ee09767772b94b296b9557c8a215a1e2eef3183e3e10e0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
02f5e1c88301f961744c7369dc071a87

SHA1
847211bb77fe597f4a5d6b7f9f74fcda4cb53365

SHA256
e71374b6c6e395cf1fa975baecc00a0fed76c83bd5d2e54f023302dec38cd474

SHA512
a464d4b3136b6e153e59c1a9ea28d1d74f2594d3c0fd3d352e2dc033093feed13af85cfc91485adbcaf191509553a28aad17156be6a4811be4d3e84e06846ed2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
4d30572b10dcd7ef7cb1a3721cf84093

SHA1
d575574caa16ae974cdecbe7d6e57eb0c8eefbe1

SHA256
267679e7bef0a024c4dcabb49e14dccf3e21a2c1e82e79bee1f04d6f987e5167

SHA512
208ab12bb05dccfebbb1279b95b9c15542342e55142b05788b1a65a29825e9b7f76f5efeb64fea965d4947782ff41994941b108860f254fcf44bc040dade0ace

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
48feae6bac07b733a8b90f693c0f3888

SHA1
9a9d96c8b632c93eddd5be7658be22a02a8e44cf

SHA256
026b8941fd24167daa59956dabd19795dc333115f097a82daf05dafbf2ecfbc3

SHA512
3101ebf2abba13b3c13c598b7cbb932d6462ab2cfb9ae2d39cfaf7f9da5f7aafa7d5048cec4df650af36638ef2cb12a07546a6084480561e5e6f6e9d0f955643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7dd7403166706e6f7fd2cdc584874cac

SHA1
1642c1abfb1b14b83d5dae410a9a222118e48a30

SHA256
fefe53b649549e8233349bbd01e47d06516da3db203f5080fec44ebc23944b22

SHA512
181f73067271d66d05661230258b6e8608e012a9edf305c8df432869a38c3e4dd2790f80722d7d99990333ffa29eda6c3a3207336717654d893dc69b955048d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
71b2a37a09cbb863c4ede1030032baed

SHA1
034fcb7ad81abe4e178ee9927efdf9c809a1e4e6

SHA256
5db70a3e394e259eaff282937da8fe5c46cb500a9e386ed06d2cacc2a5a52ee7

SHA512
44cf2f0b7538b449dd268e7db69bbca29a1ad48cc1abdd5fc9bf3ae5fdef25275aa33db7c256e5d85bb30186561132ebc0b6dd85b8491fe4de6c767b83cea629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
e9c11f72f15678cb1fcea3b0de8267ac

SHA1
8b93f841d05448ee9a4c5442762095532d66dadb

SHA256
d242e20b4f5699a75ba48aa05140fa154d7eb05f0f46d2f1d17bd4abb580fa98

SHA512
15a320e0fbf34c96dee94f00b3f5df0a0d9aa4b0a2c9a3cddfd8571d70cc9da16e75d518a1aa59c05cc3d99b5379b1e58b274ac05685782e78df457de3b3d778

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
15ff3dcffaae347234571560f1fa6033

SHA1
080740670d8e4fd3a7771f1ece4bc2209d54c324

SHA256
08100ee5e76010e7007498abf777ab0a48cdbf9559b4426f4210425c2166114b

SHA512
e6c972fc7941e5126973f9d6956b79c6f58b31f29500f65b45745dd03aa21f7b8e9bb45ca6d01c355c04cd3a664c49c0ff0e31c013436c3ba7d65f5666e20d64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d060e12582c83258a509dc1d1545b7cb

SHA1
35c4675e5a91ba273f32f33e8bd7119e6be3656d

SHA256
d47e05455d915c4d6816027318b85eadfbd509a9cd45cb7af6ac24352d0b0a50

SHA512
b8fb709fc4ef8f1492575cea1378384b6c2910cdc54a32f384ca08d50175d71a6734ee8264b8ecf8c6ff689a91701fac96ab886263cb8d75ab9f4d1a4c471850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4ece36d5d16d6e656b1f860a9a1b0bdc

SHA1
523b3a64bbcb872283459f560098435fdc10e64e

SHA256
fe2f43361278c84b1240398204cc2e7290af3970b5d043496250a9a985a64a51

SHA512
7f3edd0895ddc18c224d551fa5addeb0d0f4f05220d53217205f6c07046de90599e087642ed3e6dab1702ef26f9a9ff929adb301e5dba1ad6b9df6e5f460f5d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f782db16c5aea28877ea06266de529d4

SHA1
d8af6d236629e8434009e4eed303d07fa57e2567

SHA256
3d3876deb5017bd0c62b14628b5b958442e76565ce9d90b20be424dbe8e4fe5a

SHA512
edc29ef2f44b2454e7429de4cab47889ba483203b74dede23d60bdf46b102861df29d24d4f139afdc587a99533b47f99cc4d687868029842a6c5802457d714af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
01ad4355778737e54f90bc1389ad0e84

SHA1
4a1866647c612f217f9a79e5a335fdbba9ebd09f

SHA256
d4d0aaa048b0ebb7a7af5c1c013c1e0654333d6b3b44f0f587418c85310c2bd5

SHA512
11e1a56deac51f7706c92cc84dfd78c8d3333b2a5853a4954ce4307e1ed07c881e9d7547128befe6bd12fa55af9557a4b1fc5c751dd57790c5921d05fd4c44dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cb836786b830eb21a276407b442be5ec

SHA1
59d3e3e082b1fe97075b8c61be39bef409dabc0f

SHA256
e3f8404748b5c34854b699fbb95f50e4bdb96e880d4ecffd7563d4db2a52d8cd

SHA512
d60330e1c17210c5d751b585064bb2d561891626cffda5821ce03428507f78a482621d7d1135dc325f72dc6b9da6051b27ad4e5ffa460db5d4cbdcd48e2cf409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1236a4b911068da5622342ea5a78f03d

SHA1
52958477d6f6e69cd99cb6066b7140901d5a7c8b

SHA256
434a1e966f6c042dade126f7b78bc1bc07593cf5400d8071bfa6bdc31452c5fe

SHA512
80b100533535fff4d04c019195c720d35f681f9a41abaa09067c5e10ea74115672e4938dc763e7335359ebf2a71f15a20cbaf502a55f8e2338093b318654ec8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ae1a646e51c8af82cc825a3fb0fdac20

SHA1
118c667beac048f97a86ed29cd04acb42b2d506d

SHA256
6cc8545f7e9635921c72e56e63cc45d7581a0149e0e8e3dd2df5a06435a69ed5

SHA512
cd61dc53bf498b32c83022a04b1da0fe63d97d7ff5dc29ec934ae016b5e53ca8cae989b2e5ff81ff7142481943a51e0d297dacc7d9132992e4e286d943e2da8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
578fb6048d90e5efd9915bc74af66a7a

SHA1
a6ec5316883327c5a08b6fb5c6540b47f662152a

SHA256
35c1572df67b6b447c01ba30258ec596bee0d2455f35f623aaea84e7b90a0ff2

SHA512
48ba0df9a652fd0eb07d925f05fdb976d36cf6c3edb44f7304ff13973a65650dbcdb4ef0b9442c4f190661a9d2be3ea7c7e88d427fd389dad9910294e300a193

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b93d800f92faa4cbc77fb61121055080

SHA1
f4a23b7872a37410c39578b4d86eda3125e8dbd0

SHA256
84ab4ec71888979cb34a7683e09ca4c778dc805a428556effd55f2e02bbed5b0

SHA512
d77dbfd3c3881ec27de9c24c3e91105dd8fc7a7aa1b4a486c49d9343697d3f8d0883f7e17cf1785bcabe45e46fd45b28245947023e495da105f178435f48a3bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
040adb4933155ec4a67ca53686d317cf

SHA1
9114102da38bd60fac58682a990f6a25ed0b5bec

SHA256
fa4ceaf7a673e99ec015bd6d12d9f241852098a4dfaa3a47812c2af7b92e373c

SHA512
0589faa2bb5ac3e805a9cbda556cf5ddad781e3bae3f947cc52d4d736c0c3b6acf6c60097074238dab03f6f94fc97bf7ec7b21c9ac40be0840bcec8be5c96c86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9c790adfe4d54cb4b3d2e36226ff256e

SHA1
c42855fca0b3d3a4bb430cf85b82fd6fbd9b9af1

SHA256
abff3d3007171f3cf40c3313c0bdf1a8b805eaf2330a415a915d8c0af77d4439

SHA512
d55dfa3f5fc18440dcb22d577f3587113980607e3f89a427bcb55c80ac9d5d70df1250cc355a8d0d2315c6ea2559dd10807a6745e2276c06ce09d88b1e342dba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
df7e3e879dd7a0e348895aa726003a0f

SHA1
3e828144de81470ea8f654e53b136b6f577850fe

SHA256
3fc5e2318f6dcce3cb01edd2a6d05c97c97d0ab263bcec461c7fa3f3829dd843

SHA512
c2c1ef9d80d8b2225e4d6825ddd0feeb36b7777bdab9270d7b73b4241e694e251c268bf7ce426e973da3ed27485d6b86e6afcdae9deb17d929f96d5b17f26615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fbb4ab0493fc6bf7f90339ef2db43160

SHA1
5ecc5e5639eeb1a9e23e0045c6603303be4986e7

SHA256
07dbb7a136d6617cdb0fc6340e2a5a973f9cd5c0084a0cff7970037e5e575852

SHA512
f24b1b82e0fa72324b820a906089168750c5a5d2e3dda28f1a67679bfe77f8387e85bc410fe5c63ab3e73bd7b444f86923a352fad42bf4a2dd2056731bd4b7e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1956981ec360d5e219ac053356670de4

SHA1
7e14606b1b982b896bece7c5ddc7ca67aebe76e1

SHA256
23ceae25086d060a6a7a213b01e3c5fe022fdcca01ed56c2dfb393eae2e4afbf

SHA512
4993ee4e4065cad0500fdad31d8b1622588284ad46e81eb00b9d7afcaa78780eaa1aaa3e8072c644e43902c995e7694a73f3c5b98cac13283c0ea32636409018

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4ce4c71818196500942f46d131e98f39

SHA1
edc2825ba524b7109083f86bf2ae49f38069e53a

SHA256
6721fcc4ff240ce8927f9f0cb07646c7c0b2e68bed488c058da1203ef8745404

SHA512
443950e7ff140e45f1c0f4eaab7fd3ea183487d8a264fea562d2dc7d9b9501824f352638f8c7ed697b08ebab94745716972a5869bcc08cf31d1f556fdc76f41f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fbe4.TMP

Filesize
1KB

MD5
e2deac4862601e98798d737d16e8d6d8

SHA1
d802d6fdb3412519a0d6ac8b466e632688e442ab

SHA256
09a5686ca28a8c6b73ac6e88366bd9034c8cd83df0b08d6633d84e28544328bc

SHA512
3abd1fa20b0a29fdcb2bf58149e41664f9684fd30bb60e8c196a3b6c3c41c7d8f6f54b395e76b0b41ca465b9272ed2f36a11873c1afc99e24af3353483c1b7b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c9b630fc46f5415dc2ab00550287c0ca

SHA1
d4b9904d960e79a79266434b0eb931c83cb3da00

SHA256
da2863bcfd2bcffd27148632a1b77e2b52058e59ef91df15c70a8af6b75f945f

SHA512
0667bc4e72ba57d6b18e6ce2d1c5911d2e3528da370a99ddef204d8d86ee1264a2fce0021bf160417f7da94f7ea2d5b1b730c2f5647d2264bbb6ff3b9f72a5d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
96a518627082f7ea4efcd6dfd4dc9936

SHA1
68b730c78f599ea2d9e14e94c3f990f05341b30d

SHA256
deda65865f696a95106d30f0f84878e8cee43b78ff1523cde7c01e8bd7b5c11e

SHA512
09decd215041da7196ad803da9db8da3104e8d4a201f58c199501c4b49d441623de5fe5636640c951618651cfcdb3d99a262e17fef68e9205ccfb9e5bdd933c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
00d970dd7923200d1a95687e34d99ca6

SHA1
c1e44a6f52f4f98c1646a63d9813d8426e0c561b

SHA256
a9779b2c5e811429f22041a51e5ed626c7cc7e5c8ccd783293efaf1758e5409a

SHA512
0ddf77d8c6aea2a5bdbde8cdd675cf8702ea2a2ac0488ecd2b2b118fdb39593ff617e91aab18a9b2a62fac3270f5c3b9e80e34c1abb886dd213c1c6a601e1c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fae22ddedfff873ff8e92e6dd5a30d8a

SHA1
6e2a5a79fce1fa11ab079a9438af9bb472d87312

SHA256
61e8f4b1e0840616fc166945be68bc78b8015102f7644670967971043a5e88a8

SHA512
94d64f1dfab66ef98ab6543ac7b578ab59b8d0c0bf9c3b492d741e010bd88fee25a60b1d35fb6c835b9b1af6721fd7b243ebfc3e860f0c5bf385f70b0d1ff355

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4deb92e7f1f37ce349b5b4a7504ab219

SHA1
739675bfc29f70e1fd0b0ca87e87ad9ae57a4c32

SHA256
72adb77f29fad9ce84c22eb35485115bb0d5e75a7a497265d1bca171260b8733

SHA512
9f1d0ed1eb3961cd675b545770cd6f2393c01a13d50c3776afbedac889b9cc342a21d73b8561f2fdcfd22588ad30fddff81871f626a74e3f2bf0c4e446ca448f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e468ec0409ec3769106d80e3530ec050

SHA1
f1b924480973ffadfa85ef51eee8f5c8847af940

SHA256
6eb52f657eb4c5001f4c59f032e953beba9630f994ffa66eb78da19eabc12cd1

SHA512
bbd73a918cbd29c1f9622328b50060736aec0fc2a65268c2eda1aab694231526cd68df77b3786877ae6ad4deff490b24060a416aa850d431021b2969091ee839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8d01cafa3ceb6436c7e8c0ec43b2bfe5

SHA1
bbe8b9f45bf7131044e898bd47f8ea2189ecb8d8

SHA256
8566357d63a9b991d31674017d10791f2487ac1c1bedc4299ed999cac15686a4

SHA512
5a58c3dd2856bb727e317ceadd85c126733cafc8332221db8d38838458e1328de5f20504bde5b397e309df9cc3adb6fa148509aabbed77d8867613b4064b75e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9b9241605afd5cd556ede261c100d343

SHA1
db1e521add6412b02b176e4cddaad6e326b57b94

SHA256
115b3175e5a0173ad43e2edc4290c4a20a57d047f62df56dc204aebcec4ed3f1

SHA512
fe98e89b31b7c46c82b10806fb88a08b64237723f33125855c591f2b323c05decfbc5be461d5d58e11b3dd65a6c639d3529e95b3d14b145b1c225c6b618471fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
8a410ca32cfa68b6af87dd2a15895e22

SHA1
78218033b8278df0e23513baaffdfc346efaf5cb

SHA256
078710f879b2d154a2ca8d9983b4ba9a90fc0be52a52c98658ad9c2c5fa5592c

SHA512
de46b955a9e9ca25d045efae4f34367a5b5832d36e49291d0c5e237381af12045a479b0d53777ab135db15b7af09f24152d48210ba24e4ffe0bc815b9936972e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1J4FA.tmp\butterflyondesktop.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\Downloads\MalwareDatabase-master\davepl\AdvancedSystemOptimizer.7z

Filesize
9.0MB

MD5
9c451b819786df8d31eae3387b5e4e3b

SHA1
de2a7741a52e9a3accd29b5c7df1c06fbb0f0ef2

SHA256
3c614c930ac65a06fbae126571ea951885450364e2847b3d7964d29233008765

SHA512
7632058fd9e99004707979e8a3dd38ca511e67f0d2ab9affd1478ded15103f86cbeac714ce05ab18f30807406ea5b524358792a40a1fd98154ec4f7140ec6b95

Download Submit
C:\Users\Admin\Downloads\MalwareDatabase-master\davepl\SoftwareOnlineComplaint.pdf

Filesize
342KB

MD5
f9cf8ed0c94ad376ca264d394a8d55b5

SHA1
2c756132d00196d1448d81665d2f28caf461f7f7

SHA256
78e8e4e0e7b5cf337e679be8b4e5052353eccd8f9a03eabfa81fe5a52867cc5e

SHA512
d5396487416df626e08a62119d14a679fa3bacd86442c4f4b4a2d3a49ae122c5f656dc21f2f0de5f7ef503221133d4a4a3dc86f36a2ea89d4e10516fb59706c9

Download Submit
C:\Users\Admin\Downloads\MalwareDatabase-master\davepl\SoftwareOnlineJudgment.pdf

Filesize
610KB

MD5
62fd57d998efdba6ec5c54e6870b24f9

SHA1
8d614770f1329b84e726f0e5925da5054954f68c

SHA256
64c73a5304ddb353e6f2a3d598a2cd75a3cf450eb5ab893e9cad81137f86aab6

SHA512
80cf4bf256c9188964cf43132612552dd952ef1bef57ad84dad1017ce3470953f41386a607dfb6faeba7d07fbbd1f63fe8be3db12d1ac266cc7f36dc5c37b1b2

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Banking-Malware\Zloader.xlsm

Filesize
94KB

MD5
2368467e209eb7c8784f84386392d627

SHA1
aeec6a2aa29e2d6639181e85a9d6aacb544fe8db

SHA256
4761a2e2bde8acbc4533753d7719fa0ce1f6e8c4fc8b3e2022f6ded240d4cb3f

SHA512
6cf2e85300bc06bcd7de479242a16e665243b6c4aa58d910c73018cf8b0c1a6fb50948330eeaabebcaf3259f0da9c5348af07fac3f6a09503f77e48470de9944

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Browser Hijackers\BabylonToolbar.txt

Filesize
1KB

MD5
7ca87fef6ca16f342d2a9d6f7148e530

SHA1
a818036c3917c3a09b92b4c7eb2f1e1f960c561e

SHA256
a3e0fcb5750ac7efb04877efa76cb66612247adea7d45fc9f9fa29d5b1274629

SHA512
5a4a791cb680d05a6e606c53056029a9ede95891b3dbcff6bc9072d2b4d49a6c2957f18cdd07820a53e66cde60a1c6e9ec98beda0c0dc920e9d36fe29ec2b46e

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Net-Worm\Blaster\Blaser.C.sourcecode.txt

Filesize
1KB

MD5
455a750d9daea8718a60d5b95c9d6e5e

SHA1
98999acd864a712fda017a73b4fe92c26d8cb4b9

SHA256
d825ecc88a5741cde4e6f532a9b650b3a327ef1548d2bf02ce82b1377a5446ef

SHA512
fdcb32191ac0f8f070ef351ad634c8d0dab35d656959a8f2f502c0e5124cc09cda6eb654b3e81e706fbf6a971bf36e2d82bc48c491f60a8467b17615d1482646

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Net-Worm\Loveware.txt

Filesize
1KB

MD5
1adf68d52afe48eef29ad4aa6e68cad1

SHA1
63c72645075064f33889d7bc7e9a27b39ae40a9d

SHA256
c4de72e5712580cd26c5587605b023f3906e0d72821e24817f9c7ce11d99a227

SHA512
d23111779bddfa1aaf416904e0ceb5db84f027d3ea3b603b8f68868a3e3f77d0bce6b4e6009fca1ccc67128a681a2d48a591ded431b275e78cd2e09581aa4b31

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Net-Worm\Sasser\Sasser.c.sourcecode.txt

Filesize
1KB

MD5
a26d249f5279891748507e8947802cf6

SHA1
04aed544795b9ba56382214530cc2ad508372dcf

SHA256
134d81b9a81548286c7ccc536443ba83ba8e64ef15b244b8cc444a1517154a19

SHA512
c37433c21844b9ebeac65ed904dda245017a9cfafad3fce831e447aea1b37a31c62a60045ba67190edccf0a35f45efb44ecafbad04ec68824cfde02fd8776ec5

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Pony\metrofax.doc

Filesize
222KB

MD5
4eae1b15f2442d45cefa9373d540e5a0

SHA1
7b5e60120b5f908ed66f1f2c17912ed0c5129bed

SHA256
96b818e7a744aec36642cb70af0b0c09bc794a7c0b8a8bd2966cdb090762d79d

SHA512
f4d4d180f008ee990e8c25ad5e2f6e8eba41d0abf2eca3d4acf26f7c07aa5e00c13f0116c89f5aa044253d567ae24c8cf8aaedaa4b2cbfdb8c1a4931a032a573

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\RAT\CobaltStrike.doc

Filesize
87KB

MD5
31ea9be66861a28d9b9f27bb339a7dcc

SHA1
c02f0abe2354905d4611742645cd33a0f42189fa

SHA256
721239710ff281e0ea2c3a1a7b7ee95004bcb58f8c3964d95728848228a22231

SHA512
1c3da9aaf6c3b0137d3f8f079b0ebe346ae31bc1927901ac031c50413915fd2291b6a2d9ac6a9546b42a7fcaecdc3a7cae415510c6b8add71974c10d3c156e0b

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\RAT\NetWire.doc

Filesize
7.3MB

MD5
4c6039b71cdd27785bcbbc9242359c9e

SHA1
2d5556ef582c0c25b69a64b5af0d12cae33d8435

SHA256
102a739030944150c2307c328b49c14097769d6c01ea59a5aef234488251904f

SHA512
95066ccc3c36f37efa6a947d83617b0a7efccb97bf407ecb7b82767dd8b848fa189120aec6bf3acd216c67ce0f259ee9475b129198419905cc33964d66f0f749

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Spyware\AgentTesla.exe

Filesize
2.8MB

MD5
cce284cab135d9c0a2a64a7caec09107

SHA1
e4b8f4b6cab18b9748f83e9fffd275ef5276199e

SHA256
18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

SHA512
c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Spyware\HawkEye.exe

Filesize
232KB

MD5
60fabd1a2509b59831876d5e2aa71a6b

SHA1
8b91f3c4f721cb04cc4974fc91056f397ae78faa

SHA256
1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

SHA512
3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Spyware\Kakwa.doc

Filesize
72KB

MD5
6f993ce448b70b830d4cec63fb580926

SHA1
42033bff7a9b7888ca0db4eeec7fc87dd501352b

SHA256
a395b2c19d7bd6de94db5d5e7e6708060aff639b4a7865f71f19220eae66b13b

SHA512
17b13745af0295a21f79a7a1c9786936775d1c92c47767df1d847801c43c2adb489a7a7c1413b730a999e43ae6afc81e0eb70ff2503e6944b3b49bf474bc884b

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Spyware\The Worst Of All!!!!!!\BonziBUDDY!!!!!!.txt

Filesize
58B

MD5
804161c9689a11073cb06c6efb14df48

SHA1
116c59bb54d5a46ec5b01d1d46864e4e73436c37

SHA256
75af24573f8e21f6f34e6ad1b6e25ae91dd6cc2ba97ad10e119354adccff1e59

SHA512
2aae2ee83aa598adbac09c5b02fb13c41d4191b71395b93a29aa05b88e2f92a5e02b63aef130a0c6cecf82559d155339cd7612c73624aa12486c666d7320617b

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe

Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\Trojan\BonziKill.txt

Filesize
198B

MD5
d5d9094b24ee344ca83e342175df4750

SHA1
e12568dadb918e941df1a41104e67832f9011c1b

SHA256
c207b0a91f8c340ea9b08f334dcfaaeb5307eecb1bfb01d68cc7b9ad994a037c

SHA512
56375b35df448874cb2f8622de19d2b30cab63aec90a84a746ff6633ed37c30b9575c159306c60b78c32a0f12a92684b1f2bdba95f75e9bcd109b89c2336135d

Download Submit
memory/1248-2005-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1248-1975-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1248-2011-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2816-2106-0x0000000004C60000-0x0000000004C7A000-memory.dmp

Filesize
104KB

Download
memory/2816-2102-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4784-10364-0x0000000009360000-0x0000000009370000-memory.dmp

Filesize
64KB

Download
memory/4784-10365-0x0000000009360000-0x0000000009370000-memory.dmp

Filesize
64KB

Download
memory/4784-10354-0x000000000B890000-0x000000000B8C8000-memory.dmp

Filesize
224KB

Download
memory/4784-10361-0x0000000009360000-0x0000000009370000-memory.dmp

Filesize
64KB

Download
memory/4784-10360-0x0000000009360000-0x0000000009370000-memory.dmp

Filesize
64KB

Download
memory/4784-10359-0x0000000009360000-0x0000000009370000-memory.dmp

Filesize
64KB

Download
memory/4784-10355-0x0000000009310000-0x000000000931E000-memory.dmp

Filesize
56KB

Download
memory/4784-10337-0x0000000005FA0000-0x0000000006546000-memory.dmp

Filesize
5.6MB

Download
memory/4784-10358-0x0000000009360000-0x0000000009370000-memory.dmp

Filesize
64KB

Download
memory/4784-10366-0x000000000B910000-0x000000000B920000-memory.dmp

Filesize
64KB

Download
memory/4784-10362-0x000000000B910000-0x000000000B920000-memory.dmp

Filesize
64KB

Download
memory/4784-10336-0x0000000000730000-0x0000000000DDE000-memory.dmp

Filesize
6.7MB

Download
memory/4784-10363-0x000000000B910000-0x000000000B920000-memory.dmp

Filesize
64KB

Download
memory/4972-2006-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4972-2010-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads