Analysis

  • max time kernel: 148s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 09-11-2024 13:36

General

  • Target

    https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe

Malware Config

Signatures

  • Chimera 64 IoCs

    Ransomware which infects local and network files, often distributed via Dropbox links.

  • Chimera Ransomware Loader DLL 1 IoCs

    Drops/unpacks executable file which resembles Chimera's Loader.dll.

  • Chimera family
  • Renames multiple (3262) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Downloads MZ/PE file
  • Office macro that triggers on suspicious action 1 IoCs

    Office document macro which triggers in special circumstances - often malicious.

  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 27 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 16 IoCs
  • NTFS ADS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3136
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc061546f8,0x7ffc06154708,0x7ffc06154718
      2⤵
        PID:3332
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
        2⤵
          PID:4160
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3956
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
          2⤵
            PID:1164
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
            2⤵
              PID:1776
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
              2⤵
                PID:1492
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4000 /prefetch:8
                2⤵
                  PID:4044
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4000 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3960
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
                  2⤵
                    PID:4348
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
                    2⤵
                      PID:5040
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
                      2⤵
                        PID:3496
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
                        2⤵
                          PID:4596
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5444 /prefetch:8
                          2⤵
                            PID:2892
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
                            2⤵
                              PID:4792
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6140 /prefetch:8
                              2⤵
                                PID:916
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6024 /prefetch:8
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:3116
                              • C:\Users\Admin\Downloads\butterflyondesktop.exe
                                "C:\Users\Admin\Downloads\butterflyondesktop.exe"
                                2⤵
                                • Chimera
                                • Executes dropped EXE
                                • Drops desktop.ini file(s)
                                • Drops file in Program Files directory
                                • System Location Discovery: System Language Discovery
                                PID:3112
                                • C:\Users\Admin\AppData\Local\Temp\is-PTHDG.tmp\butterflyondesktop.tmp
                                  "C:\Users\Admin\AppData\Local\Temp\is-PTHDG.tmp\butterflyondesktop.tmp" /SL5="$D01FA,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"
                                  3⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of FindShellTrayWindow
                                  PID:1940
                                • C:\Program Files\Internet Explorer\iexplore.exe
                                  "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"
                                  3⤵
                                  • Modifies Internet Explorer settings
                                  • Suspicious use of SetWindowsHookEx
                                  PID:4304
                                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4304 CREDAT:17410 /prefetch:2
                                    4⤵
                                    • System Location Discovery: System Language Discovery
                                    • Modifies Internet Explorer settings
                                    • Suspicious use of SetWindowsHookEx
                                    PID:1344
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
                                2⤵
                                  PID:3664
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6416 /prefetch:8
                                  2⤵
                                    PID:4504
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2584 /prefetch:8
                                    2⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:4564
                                  • C:\Users\Admin\Downloads\AgentTesla.exe
                                    "C:\Users\Admin\Downloads\AgentTesla.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of SetWindowsHookEx
                                    PID:4816
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
                                    2⤵
                                      PID:1212
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6520 /prefetch:8
                                      2⤵
                                        PID:5056
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
                                        2⤵
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:1688
                                      • C:\Users\Admin\Downloads\HawkEye.exe
                                        "C:\Users\Admin\Downloads\HawkEye.exe"
                                        2⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3356
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
                                        2⤵
                                          PID:1396
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
                                          2⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:1060
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3364 /prefetch:2
                                          2⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:4620
                                      • C:\Windows\System32\CompPkgSrv.exe
                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                        1⤵
                                          PID:3552
                                        • C:\Windows\System32\CompPkgSrv.exe
                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                          1⤵
                                            PID:1684

Network

MITRE ATT&CK Enterprise v15


Downloads


                                            SHA256

                                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                            SHA512

                                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                            Filesize

                                            10KB

                                            MD5

                                            9a5f1c08becf6ac0f9f93d7f22acdb08

                                            SHA1

                                            c9bdbcabf2812c3e8b2db8daa58171a2b35ac819

                                            SHA256

                                            0cff696e4d6fabdfa16ec9927d8e04f8febd064f0f35b5605ee4ac2fc3a65e05

                                            SHA512

                                            d39d37baea936877bf3f400c79118c47db86aba16ea671972c240a5366ee02238d5ea5e51dc247adaa4661bcf140e8712a7a55b7c6de5cc62254071b75312326

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                            Filesize

                                            11KB

                                            MD5

                                            9e644e8abc09b80e757e9918c79c3229

                                            SHA1

                                            d97f8d5cd5d29dc2ea296d67e1a196fc6fec88b6

                                            SHA256

                                            a3b7ef1b0c169a62fe3d1858c23ed890dd34ae96814bae61e3a1fe2716b0df3b

                                            SHA512

                                            f4a91acc08488b1b9ac95a9c26606fe080c4e4d89f34c1a0f215ac635caa7bbad092fbe07184d9f0c0232fa1b81ebcb1a63816121c4398990700cea471a7afbb

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ad083d3f-0861-4e8e-b8e9-69bffd1f569b.tmp

                                            Filesize

                                            11KB

                                            MD5

                                            9bfb35a7ac2a907bf03866a60abcc6d1

                                            SHA1

                                            391eac71351f2a766f4951d2bba3353c66b0d202

                                            SHA256

                                            82607bf75a4263f10f567ac6c9e3b5998ae3509eefd58cc9dc05a2cbfa107279

                                            SHA512

                                            512c158960ebcd107ea5aeb6f4b648ff15b1143dae67cb16d61c2f540ceaec914537badbc92aaf538c7fdd7ec4e5196db94c0274d8ab011ee7057c18d94bc39c

                                          • C:\Users\Admin\AppData\Local\Temp\is-PTHDG.tmp\butterflyondesktop.tmp

                                            Filesize

                                            688KB

                                            MD5

                                            c765336f0dcf4efdcc2101eed67cd30c

                                            SHA1

                                            fa0279f59738c5aa3b6b20106e109ccd77f895a7

                                            SHA256

                                            c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

                                            SHA512

                                            06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

                                          • C:\Users\Admin\Downloads\Kakwa.doc

                                            Filesize

                                            72KB

                                            MD5

                                            9a039302b3f3109607dfa7c12cfbd886

                                            SHA1

                                            9056556d0d63734e0c851ab549b05ccd28cf4abf

                                            SHA256

                                            31ca294ddd253e4258a948cf4d4b7aaaa3e0aa1457556e0e62ee53c22b4eb6f0

                                            SHA512

                                            8a174536b266b017962406076fe54ec3f4b625517b522875f233cd0415d5d7642a1f8ff980fb42d14dab1f623e3f91a735adefa2b9276d1622fa48e76952d83c

                                          • C:\Users\Admin\Downloads\Unconfirmed 268217.crdownload

                                            Filesize

                                            2.8MB

                                            MD5

                                            cce284cab135d9c0a2a64a7caec09107

                                            SHA1

                                            e4b8f4b6cab18b9748f83e9fffd275ef5276199e

                                            SHA256

                                            18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

                                            SHA512

                                            c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

                                          • C:\Users\Admin\Downloads\Unconfirmed 641381.crdownload

                                            Filesize

                                            232KB

                                            MD5

                                            60fabd1a2509b59831876d5e2aa71a6b

                                            SHA1

                                            8b91f3c4f721cb04cc4974fc91056f397ae78faa

                                            SHA256

                                            1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

                                            SHA512

                                            3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a

                                          • C:\Users\Admin\Downloads\Unconfirmed 682682.crdownload

                                            Filesize

                                            2.8MB

                                            MD5

                                            1535aa21451192109b86be9bcc7c4345

                                            SHA1

                                            1af211c686c4d4bf0239ed6620358a19691cf88c

                                            SHA256

                                            4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

                                            SHA512

                                            1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

                                          • \??\pipe\LOCAL\crashpad_3136_NGTAZYPEQLLQEWTX

                                            MD5

                                            d41d8cd98f00b204e9800998ecf8427e

                                            SHA1

                                            da39a3ee5e6b4b0d3255bfef95601890afd80709

                                            SHA256

                                            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                            SHA512

                                            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                          • memory/1940-266-0x0000000000400000-0x00000000004BC000-memory.dmp

                                            Filesize

                                            752KB

                                          • memory/1940-6888-0x0000000000400000-0x00000000004BC000-memory.dmp

                                            Filesize

                                            752KB

                                          • memory/3112-265-0x0000000000400000-0x0000000000414000-memory.dmp

                                            Filesize

                                            80KB

                                          • memory/3112-397-0x0000000000780000-0x000000000079A000-memory.dmp

                                            Filesize

                                            104KB

                                          • memory/3112-395-0x0000000000780000-0x000000000079A000-memory.dmp

                                            Filesize

                                            104KB

                                          • memory/3112-393-0x0000000000510000-0x0000000000526000-memory.dmp

                                            Filesize

                                            88KB

                                          • memory/3112-228-0x0000000000400000-0x0000000000414000-memory.dmp

                                            Filesize

                                            80KB

                                          • memory/3356-389-0x0000000010000000-0x0000000010010000-memory.dmp

                                            Filesize

                                            64KB