chimera | 6514b345465786d232a61f8aca8e3b60e2bf8a3e45f237086e55caac0c19cb4d

max time kernel
469s
max time network
480s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
16/01/2025, 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1d93e8597dd860cf81cd913c4b997818.html
Size

25KB
MD5

1d93e8597dd860cf81cd913c4b997818
SHA1

a7dacf6a32b194720a87130a16f2222c44f036eb
SHA256

6514b345465786d232a61f8aca8e3b60e2bf8a3e45f237086e55caac0c19cb4d
SHA512

c35592acafe20b18914ba7ee31201faa7534136df292d7c14436fb3bcbdd5f07b96b3b63897509068b8263ec4e12f55e192de027996dac8e63e08712fb891e98
SSDEEP

384:PqlIcCtF4JVGTHyk9v1o99t5W9ISFaTGHx6QckT/gbpLOXguLZ:sZtSF5zg9ExLZ

Score

10^/10

chimera discovery persistence ransomware

Malware Config

Signatures

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

resource	yara_rule
behavioral1/memory/2852-1003-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Chimera family
chimera
Renames multiple (3294) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
4612	butterflyondesktop.tmp
848	ButterflyOnDesktop.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop	butterflyondesktop.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 25 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	HawkEye.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
151	bot.whatismyipaddress.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\plugin.jar	HawkEye.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nb-no\ui-strings.js	HawkEye.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\warning_2x.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\exportpdfupsell-app-tool-view.js	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_shared_single_filetype.svg	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\ui-strings.js	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ui-strings.js	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hu-hu\ui-strings.js	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\file_icons.png	HawkEye.exe
File opened for modification	C:\Program Files\SyncAssert.xml	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_18.svg	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\AppStore_icon.svg	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\MSFT.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_should.help.txt	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\sdxs.xml	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ja-jp\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sk-sk\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_120.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter_18.svg	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_da_135x40.svg	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluEmptyFolder_160.svg	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ui-strings.js	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\framework-dev.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Info.png	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_int.gif	HawkEye.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\tr-tr\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ca-es\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-80.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\plugin.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\de-de\ui-strings.js	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ar-ae\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.VisualElementsManifest.xml	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-en_us.gif	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png	HawkEye.exe
File created	C:\Program Files\Java\jre-1.8\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml	HawkEye.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentTesla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ButterflyOnDesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentTesla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156279"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.4355\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2705024608"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0e788a33768db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443811551"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000801839b8f3fbd9479a6615353744909d00000000020000000000106600000001000020000000f0de47c55e9e994ae087ec1122fe04301f11e8fe290600ba5d9f8f733198b15e000000000e8000000002000020000000e8b24b502e0f9e0a2301464ad6b90a2fc1b4084dc1c0cd7f1ecbb731743685a92000000017957c4ec89e12f4a5778bf06c41f6b38d899dc8d62a20f23de0d48463a07727400000005b2ac6cf498310cc8f91db3e0aa9da2dc9b1bc9ab2ba46046d0a9e19d3d86a91eab79b0dabe433e18a1561aa858cd3739907629ed59f3fd11475cf0ea2faf2f6	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 503294a33768db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2707334657"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CCE19F3B-D42A-11EF-B242-42C5672EEC97} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000801839b8f3fbd9479a6615353744909d00000000020000000000106600000001000020000000ec297cb7347863b2ec4c020d6d26cb31920b7c8b84314b060dc8303bd28d1f5a000000000e80000000020000200000007662afa0395e628041188f482adecf2021ac17deaaf282d0d3186625114cd37c200000006b1c466e35db004bb6af448744ec40515c316099ca3ceac1e9be360da294c0d34000000032f5556c4f08be247571fec5662f43c6c3e455627fa1f92a426b1075527e033e4b5d9add0cda006393af2ae88e62e7ff4e490ec3d77f2d8ca2813af855eae5af	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156279"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2952	msedge.exe
2952	msedge.exe
3356	msedge.exe
3356	msedge.exe
1436	identity_helper.exe
1436	identity_helper.exe
2376	msedge.exe
2376	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2416	msedge.exe
2416	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2720	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2720	AUDIODG.EXE
Token: SeDebugPrivilege	2852	HawkEye.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe

Suspicious use of SendNotifyMessage 33 IoCs

pid	Process
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
848	ButterflyOnDesktop.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3552	AgentTesla.exe
4496	AgentTesla.exe
3740	iexplore.exe
3740	iexplore.exe
2472	IEXPLORE.EXE
2472	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 1212	3356	msedge.exe	80
PID 3356 wrote to memory of 1212	3356	msedge.exe	80
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2440	3356	msedge.exe	81
PID 3356 wrote to memory of 2952	3356	msedge.exe	82
PID 3356 wrote to memory of 2952	3356	msedge.exe	82
PID 3356 wrote to memory of 3904	3356	msedge.exe	83
PID 3356 wrote to memory of 3904	3356	msedge.exe	83
PID 3356 wrote to memory of 3904	3356	msedge.exe	83
PID 3356 wrote to memory of 3904	3356	msedge.exe	83
PID 3356 wrote to memory of 3904	3356	msedge.exe	83
PID 3356 wrote to memory of 3904	3356	msedge.exe	83
PID 3356 wrote to memory of 3904	3356	msedge.exe	83
PID 3356 wrote to memory of 3904	3356	msedge.exe	83
PID 3356 wrote to memory of 3904	3356	msedge.exe	83
PID 3356 wrote to memory of 3904	3356	msedge.exe	83
PID 3356 wrote to memory of 3904	3356	msedge.exe	83
PID 3356 wrote to memory of 3904	3356	msedge.exe	83
PID 3356 wrote to memory of 3904	3356	msedge.exe	83
PID 3356 wrote to memory of 3904	3356	msedge.exe	83
PID 3356 wrote to memory of 3904	3356	msedge.exe	83
PID 3356 wrote to memory of 3904	3356	msedge.exe	83
PID 3356 wrote to memory of 3904	3356	msedge.exe	83
PID 3356 wrote to memory of 3904	3356	msedge.exe	83
PID 3356 wrote to memory of 3904	3356	msedge.exe	83
PID 3356 wrote to memory of 3904	3356	msedge.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d93e8597dd860cf81cd913c4b997818.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x124,0x134,0x7ffac98046f8,0x7ffac9804708,0x7ffac9804718
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1804 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  PID:224
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7fd135460,0x7ff7fd135470,0x7ff7fd135480
    3⤵
    PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5928 /prefetch:8
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6996 /prefetch:8
  2⤵
  PID:524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7216 /prefetch:1
  2⤵
  PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7128 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6596 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5124 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7236 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1880 /prefetch:1
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7424 /prefetch:1
  2⤵
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7420 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6434733464832791016,6173231141225140013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:2924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2156

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3ec 0x2c0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1912

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe"
1⤵
- Chimera
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2852
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Downloads\YOUR_FILES_ARE_ENCRYPTED.HTML"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3740
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3740 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2472

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1832
- C:\Users\Admin\AppData\Local\Temp\is-0NJ02.tmp\butterflyondesktop.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0NJ02.tmp\butterflyondesktop.tmp" /SL5="$B0374,2719719,54272,C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4612
- - C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
    "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SendNotifyMessage
    PID:848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
    3⤵
    PID:2660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ffac98046f8,0x7ffac9804708,0x7ffac9804718
      4⤵
      PID:1080

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\AgentTesla.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\AgentTesla.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3552

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\AgentTesla.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\AgentTesla.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.dll

Filesize
352KB

MD5
835e9ede7e7c774e7a2d56cfdf6e9b17

SHA1
a43ed886b68c6ee913da85df9ad2064f1d81c470

SHA256
c3a5868584a777422cebcf31d6718fd2b26d5e2314d3b5ba6d8e47aa40faba0c

SHA512
74284fd44497beb74326d11a0f63d96aff20aa44cfa8385f6b63b7e6743403c36e2ea4fb0d991767117a97d320e04d2b21f0a4730916244af4ffdaf51e834a26

Download Submit
C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.xml

Filesize
6.8MB

MD5
ed8ef3dc9d3ac8c179d4e70836e59bef

SHA1
5a6fd18e7e3632b08b399aa163e8ca5d27e29bff

SHA256
91f3d6351285f8976739460142ae9e390895f03acc6abdad37c615e31fe263c8

SHA512
f1f98b2a1c21b70d06451e5ee5bfbd9342cfd54b965bc7a958d58451b67d5f405e720fc06960c90f05227a3a2bff0869ab1a1da9275fb5ab2ec88a5bddc1db9b

Download Submit
C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe

Filesize
66KB

MD5
9a92468ed371799c9e308d06582f949b

SHA1
70e1720f6ac72d9de635c42e1a90187601e25b68

SHA256
f69e6025d311e93b98986e5842ba19f9252e18a669c2b4f2fdcb98a4def3b7c3

SHA512
c733511318342d976dbeeba13eca1e96080ee34b56fae28a0fe8a665e7539ebef148b0a45ca5de7d3a274c2b88f883d7c2242d317d644898b727538163de7074

Download Submit
C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe.config

Filesize
1KB

MD5
b2540cbb6ec9839a292c292ea7ac8b65

SHA1
ee91fb07609d9e435206386d94fb43d9ac78c70f

SHA256
af825bd6de06ddb2d1f90d51a6c77ec517c9594dc684075a654adea4dca00613

SHA512
c8047d7b2c602ecc4fe021c0eef58fdcfa8f31408d652e9027b7b9849b89bb4079c65ec3c78f85f60d6b8fb9d227a01925b0adaa481913acb75174439a37cd0a

Download Submit
C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe

Filesize
3.0MB

MD5
81aab57e0ef37ddff02d0106ced6b91e

SHA1
6e3895b350ef1545902bd23e7162dfce4c64e029

SHA256
a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

SHA512
a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
7cf37362953ec4e9aa85b884e04bf42f

SHA1
6507672c13a736b4c912a4f8751a445033a71570

SHA256
c5a576eedf597337ee48f3afd00ca071f821176a00c8ca9b8e1a76eafc71101e

SHA512
9d5f250c883a3ee6bed2992bec20e5505a651aa954523650b6923f1d4957a199e5e05b3c6e82652d611e6393c71f98907e8ebf8a681e3590208749ef93673995

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\334955d7-f113-4a53-968c-f42741e2fad7.tmp

Filesize
11KB

MD5
ab4b12301fa8e82c34c4e1a9acd1ca35

SHA1
dae74a9a88a677826d7b248b13b6d6d7252a1899

SHA256
1ee68ec4093247a7d0e6ad51265e4d861f701aadf0f748378e715beec3d26b2d

SHA512
c96664feb08ef34468476c1bc6721ba55f5f542578eaa0e3d20400520b0dd3de941900440c92aa76f39d6388f40027fcea3e86940c471be90bcfcb7e91c6d05a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c6c51122c811a0f047374c84954de8db

SHA1
46b9923064d07adc31ab16fc5a6358b46a429329

SHA256
0e2b81c17f8dfc47696bfaabe2abbe02912406734e3e2db6848615ceeb88bef8

SHA512
d75eb7e979694b47f0fde49b3514e100677d2ee7c0fc5f880d2ed9eedb5c215e15a6410db913fb7d9b1c8d4caa9235a8587e0525e4e78c4ab5170b23f8dd4d96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea1c2801aa63b0b7d559edd3adc7cfdc

SHA1
535995078ba0c227fe78a9bc340e848907e420e4

SHA256
d5daf639f0e5d8039eb65ce05767ae58bfa4b04a6a5b0b01b7a42bfcecc9756c

SHA512
877abc639d9913465eba3e82e2192a03d6e63ca341e0954c9b62b109d1f0547048423f4f0b6825c4a1846b7964f1bd14272663d7166df6a71446328f9241b06b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
67f74625a0679b83e8201838a425986f

SHA1
1f01828bf44433193b7aa439e4a8d688feb26fcb

SHA256
7b0db551a70e12a3612caa8a8073eec1b69fcfeb93172c39806a658b36204713

SHA512
b76f764b8e997b18a2fd3922b23fab65ae67c4e471333cd4df24932f75a4aaa2e799c7a1bae694ddc5c3d26827e3f267a29d3a66a12441edaeec36e3a05a7b7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\11ba52c8-b68b-41ec-bdb8-0e78c8aae831.tmp

Filesize
1KB

MD5
8852a77ba93c497f059c8bd41e929b4c

SHA1
2c204acffd4546e43bc27c8c633b8e2e4f4d11bf

SHA256
855105b6fcd10585494170d9212253c25c03bbf0c1f9b094917ee1b20b65fad4

SHA512
483921d1d17a318fea80845ad682e6b7f4f41524f67ccaf3fbd27e6f4cef65d9813c2c4d9866befc44ef4de775286a4ea49d4246dc9d2523085e8876f4e3a679

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
202KB

MD5
9901c48297a339c554e405b4fefe7407

SHA1
5182e80bd6d4bb6bb1b7f0752849fe09e4aa330e

SHA256
9a5974509d9692162d491cf45136f072c54ddc650b201336818c76a9f257d4d2

SHA512
b68ef68c4dcc31716ce25d486617f6ef929ddbb8f7030dd4838320e2803dd6dd1c83966b3484d2986b19f3bd866484c5a432f4f6533bb3e72f5c7457a9bb9742

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
fab031c3972a5f1dfeb9c7aa4602bfdf

SHA1
587e247d8a1bb0a4e5aefd2e57d5827e1795d6c3

SHA256
4b951fc6ceecd7ba4633436b432d7a57c81edb13620a92bb4e43b9d0dd3f9e12

SHA512
65f3b9a989358e1de97839b24d711c555259b0d7d92a60c396183ca17fd82787bf87f87c59ec33c543d7a7c2507dda1860b9c7cb7d46e7b58b310d66140f63ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
307be103f5e4d2039627442cf7f3ebdc

SHA1
84f2553901c43e532f97716baf20b5eae14eb3e2

SHA256
294f6faf40d70a8f6a17dc44184f42c5581e7302af7865a9381f22feadd78ad8

SHA512
cac958cd30246f246a1943909c136894eac3fb26f26d32598b574054b753c35ed6442cf98a16f6ee3f3d096fa8a266570f1db61034a9ece76129be122ef1c33b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
8474fdddfc79fba192e21c88c72e16b1

SHA1
58041cd18e4982d3699ed227e977768fde60a3f8

SHA256
dda4c3139b1cc75ca43479be718493c3180cf912a0802acfeed9f1fc287b619d

SHA512
63dd1cec85ca8da287fe94d4f5757a138835334970bcc864b9b956432c9696fd3257769f136f466688fbe0e47c76361a476c05fe6ac096fbb7de0bef8eec30d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
18ff984401321a73f10f5f1b14fa973e

SHA1
0cba08ff99e38dd2ec7ac4ccfc0eca9ca5fc7e4b

SHA256
1e4c095e1c41c2cebd93d45fda7840fd565ceb1ebc3e32f25f8edc10096558e2

SHA512
327a44040af7edf8466e9117a5b66ca419586485fbe77166aa8219f98e5351bcc2481885924a755b97c44905a07a7294c6b22bae48f58e039b3eb07e938cf913

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
85773ec85d9f9d504bb991f9f952ba9b

SHA1
a44e50de3d42b62f29b117299ebc0920bcec2236

SHA256
8831ad58c21390dc3c0a4e202f8d1cf53c2241088e8e874b01cc2d764bc551d1

SHA512
c15a3ee032622bddb4b73e4dcabf6a535b1a2e3b34e3cd980dde1de01d208f0e32f61a046891b9855792247a37facfd981cf58526fbe92ef8dfd89cc60a6f24e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
6c30365946e049ae44a6aa59103e51d2

SHA1
260ea1cdf8f91e74b8e02364d0bcab05520d18b2

SHA256
6ccebff6ed520aa997bfef64125b4b859d3d5435b87c5b1e0728bb9bd4ccc872

SHA512
4f2fc023af06fe08336b4f9e452fb2193677ba680f0f77fb4bcf9d421e379fbe333921fc1ca58dde3c03e8b839efd27d05f5b7a3150d944c64884abc8e52e7cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ce79a0ad6ec6c174767564234663895c

SHA1
01ed2736888be5dd4c55ef9e55607e8f629b7554

SHA256
dce1bd3ca235783aeb7d47139d1ee3b319b02c3a4a2a67006f33aef8dcebf2bc

SHA512
02190b1b7197df8a33f56b7a5d803986810ac7091859a50513aed1a398474edebd9ca252d43ab616e1c97722ca3717a60addd6db6fa7f1d45f23b3bb46f3f001

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
db1270c889ed92086add66866f76aad4

SHA1
961efd5b41598b16d2b4c49869ceb9e2102faf8c

SHA256
59803eb670fdb0190a0970fccefdce52a3fe458b6323b178eb07f2f3d0969bb7

SHA512
19821de2c17eeff9643119318080c0fbc2747d709036e84424ebb27a9b54e99345fbdceb9097ccf165719f2db8876336efbaf168ba6b53e76b5e91eec6918fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
59B

MD5
78bfcecb05ed1904edce3b60cb5c7e62

SHA1
bf77a7461de9d41d12aa88fba056ba758793d9ce

SHA256
c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572

SHA512
2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
45192fd4192a0f01f30d97379b5bef1d

SHA1
31a3c8522f27806ef1b990f46f4bc610352b86e5

SHA256
7fe5309be42ce9952cdda6af976e2c08f3056bbd6d6b550e3219580e2ff8bf27

SHA512
5a3b56a30bcf2bf138007d233ddbc93d45b7cb822c85c6821a0e7d188b1abea070263d6175af2e52bae7c20da30f49ed083a8598387580615eb82a89df12de86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
3e54829053264a2bbc2d172afcce5760

SHA1
7140dd996e7dce43647650c806397d931a7a5606

SHA256
8da3b39b093adda69c2b6d719241e437229ee32cf2e168dba0a1e8f72230c991

SHA512
5f5b34d308e33f93a283a36d2420dc9395871ea2ae3aa803186881747f2b00603eb49d645b146ff0625acb74c8edf5032ddf1a930ab76c64737ff992489892ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe587b94.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3696fde32d6e2a7259b968e9e78b52e0

SHA1
3ff95efedd4b4db584c839429b846035688cf714

SHA256
47e7f138213fc4e8cdda7fc924966dce831c16f81ff6c88be2fbb27b9437fa46

SHA512
9cc871d9560bce3a1f9929cf2807eae307ab365887629b6f1b2f91ee463c3a84a6a3864e459fe7ce84f115d49acb70786eca2ac3f0418a0645ab89a00e4e70f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9d1228283764975681f4cce60cb0ea50

SHA1
d7de34c0d649c496b2af1a7f842bcb29bedeb480

SHA256
0b9a83c37ef1f88f0d87d0541a73edade15e223293d67be2722733383c3e18e1

SHA512
3afdb390d5d43c986c2e70be70633cd10a4a1e534b26e7fc58124aba6eb2bb6a568f24d5e223110f4915b4cae4cc52e293ee945ad8d8c14e7b45aa591ae4f56f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
cce8b9f31a42e7f42499d014a9f25d5a

SHA1
01708aa74e1df785bb921268368ed9e3ce492660

SHA256
a98565dfd44397535f0dbcb3de6c9af388d92b386f3c7a429ef9b4089851591a

SHA512
b0495eaf9b5f524153bd1f2ce645cde5471d9cc7d2cf6f968a02877193970ea3ac3a03a51f8187621c939f5f2142f52d03eb29cf5677192ecc4a9111bbbe6149

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b9b8441d1511d1edb5b32a0265cbfc3c

SHA1
5cd3c3261a49e423f0ccca2c58cda7f0896ca299

SHA256
5e0430be5e6bc85d6f6a8957dd9c42d3ab412a7371e1d5607cecfbcba117eb5b

SHA512
5f15c1d8f3e2a5f12521bc68d3ca4aeb7cece0fed20eac5053aab3529af417dc61533ff11f697b9024bd769b53418fd508f52aac26d031f56546be59d04cf43b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e45f268362df3196c38a1673eb91f722

SHA1
f6d72348721a8cc72b640662f056a8922333b4f6

SHA256
13116460df5a2b883aba4302cce9ea8feecd364f65cff695f20f7e7c7acf0a5a

SHA512
9107cb92622e92e7a43f7f850f31f20c9817f8a8a1f44bcb47bc74f0859bebb45529debdace82648969d36e3e1f9021ef518b8c3451f4480a1ea4391be058749

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2accf4a27ec4c9454c2431083bbc9331

SHA1
0d36307e8acaf5036d9e6ce131c6fd8a66357caf

SHA256
b2072248b044b0132dc8f7aaa7b963de3ffaf7bc269738a077261554d971831b

SHA512
c1254f44eee563e05f691362aeb00b233c1776fce25550c718fde57b2e7365a71031a10b2037f9eb9befa81a87c0ac3a38dfcb1e75ded8727b9e31e6e64b7828

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3080e7e475831349180c9d61ff3253a3

SHA1
5271fb2598620e62ad71e89d9e10516467ceeeaf

SHA256
d097c2c1cc7cf9cf7e8ec240dff903887a54973e564f4f224f92a32a8054aa25

SHA512
7b83e665500c9cef7b975931b84ccd0fc9c72ea56f13750f2df0ab4b865cda7f8b0a3222dfc3053af1dde696c7024bb454483c9ec4497b69b0c3d38611e89414

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f9323dc70ced9dd82057ffd451e70c74

SHA1
53f06c0f5a99ab4eef868beaf1ed7e2cc14b037a

SHA256
d1122a0779bf011dfc899fbd0b6db2fd878c05384973f97a2897863fca63460c

SHA512
356fe7f73ebe7bb7826a8654e4f38b1edd0367f5a19b4be4a79144027e1b86626ecd7ee0961ebc6dd5a468c1aedb02b9ab731d73500b2325c82e9068036bdfb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
44923ce6a663e27cc1bd3fadd2b25573

SHA1
ae6aa3127cd42c70cf525b5c32ed146dd7469b59

SHA256
0fa2e370356f74d0b164ac95de7ddd79bc7f33b3da10c5074d7bf760b813b751

SHA512
2d9e9d820a1ae90e38c6bbe3d64ab1125b84d89e839824b1662ffad2b87d29f865d631ad5f6d1173ee5911ce129c741f4cecf5aab813a68cd40538b98365a90f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
56b17d9dc1f39f20d9dd5c3ff86c2671

SHA1
f5894935dd76d29b8eb64fafddcea5991b1d65db

SHA256
dc4313d1adbb3ccbe4fb118d36e8e7b8bdae0727be0f95ce2f6d3307ec67c262

SHA512
b15f1dd55387c6a3e9590acdfc70b3439d57885f26c3f8c364d66ce1897ea2700f79155737a68dd47aff2f675273bc83f875970191477edcafa773b48ca58ef9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2ad40d766e10440f64839eb2fd2cf377

SHA1
815e6614d569f41575fc9c9094958cf513f8a436

SHA256
759512e4177a9ade12450299d79cb3ba5028a1e82ace256800d6d67497fa5cdf

SHA512
6e4130316f9f8a7ee37be4f88483a5cc32ae32cb13019d7efb6d9d681ba916bab0059313ba7ea1f42bdaa33e48c06366462b9b182eecd7ed8edce6a99b35f6c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
92867018771c5fd7bb72a992eadb6bf2

SHA1
b68e1ef59093fcbe84a545c9c41cf630ba75502b

SHA256
d4cc1563c31c04955ec95c378ef6a42318e30040c9742b678311813c0f1ca55f

SHA512
8fdfa87cb2a724c7c658d6e62099072c2c7c1de893225edc7e697ecd77d52a9ffb95c93feba10a36750609ed6b3186cce46e72292813ed6698f6bed58e1e3d32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a88402d0df4739e222f57db5f1a0ccb4

SHA1
e6be84d56b5eaeed061104dc93285a94e333cb0c

SHA256
3734bf22b7f4f9eb04319441ee9ddb659ff4eec9ccbd7a25b6a9d9273ff48cdd

SHA512
d04db0d5cada7875873d405cc4140737882e06e8f4ac211ca2e4830f6d1ae31798522cf9e06236b36d1cbbc37aa6fe6cd40338633f5cbdf4c72fee9dd9ad294f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
606318ea7c896d8a40575de2e28fa2f4

SHA1
42ef0396036888b0050009f4ded51508c8a7eda9

SHA256
63d6121059fbd62a76873b228a3e86b50719527d8053bb76ea9aa67599efa2ee

SHA512
39c260aae7366361869c5327532dfd1a6c19609d29cd1e83d9488fa5a91b609fd2f1c22726be5d8f8b30527ed4a15d79d4f6bba2c6c2520beb8a6fb75c14362d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
cff4cb01dcf1b7bc1999ddb8d937824d

SHA1
defde7115de1fa6fc232e409d22e0af463afc52f

SHA256
ede4dd7efed42901dbc090d6ccf14cdbae1acc0b028ff0b2c326bac331436311

SHA512
2d3fbf200e446fcb7c890e5042f0e33dceb759370f7251bf30d20f7d2bfaf1f6eef6b21aee39cb632b99c75309aded8246be70e481c0e331b9f806930940c9d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
db0cc03b1657f5dda4b38846f4eb7157

SHA1
1deac63712a9f66b4a33ef65305ac5f0c678a34f

SHA256
2b79c7a18fb021ed166360ffa784c4fb44b5784d7bc8e6187dfaa80ca4c07761

SHA512
55dfbe0425daebd6fe6cf54019e690fd4dcd28917a91d1fa0db57bc120d84d2f11bf119d836b8f0cc2e5c1387fbeb911b1a08a452fc493c06850d80621f45f3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
fccad2652971ce1f105ce6354c7d5235

SHA1
47e2387537bb38fc7db14eb46607dbecc093796e

SHA256
c9f86fcf54928f7f4f85f83bc696505cb63d1300f7a1ffad4b97f3cd92784c40

SHA512
31a536c04ade93a676958046da98f24b439ac8541011be47d1514a6556788d052c1950cd37968c1a9bf57ce6e0b29db9ca3f2d22e28c8b6cb653527b0d74b3a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2a98733104a2cf2283de97bc93acf984

SHA1
512c6cc68bb67b718c308eaba2a5f86a8984c77d

SHA256
1f39008ffe3cf7ac7d6625f5dc82d8addbec176a312d3b2a87596b955e3c5b65

SHA512
5c5e7107d5f9ca13ce85f1b2e08ae92a097f62d60815c94373e25f24172d1884abbba321efbd14d09052cbaa87d99355b977b65ed859afde10ffbe3a7bfdb5ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
541b183bef23e2723a5b0ac2cb9e8976

SHA1
f2bf744711a7f7523a292a5effe9fc696f9526e2

SHA256
86c1dad39cb17538e2d2cbfb8e3f90717cb0b2de3b953ecda134da7e9a4d29d8

SHA512
c95fabc5a04b5e8d175e7b2ae922bd2fd7b3f83b973368a6625e921d1dd2ae7911b5a90efc655f4f09b0918b63c2ca4bdfe35e9fd3edf52bb71bd2bf7ea602f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f1f678ce1111c62b5faa280aebb3636e

SHA1
767eb320cfdbdbbcd7f76464f7da986f13ad39fc

SHA256
5019d4170b19905e87bcf9754bed5e6e81dd088826a365cd4200ff187de0e04d

SHA512
e8b53a9c9e8c731d9cd89cfafe834ca6cbb978adf72f2128a669240a1c5f22586ace2f3366e823f605eabc52a212dcb2b11f319e1d8a2169b08609dd7e3a64bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
18331a3cebea3a1655a01defdc98feb3

SHA1
de532b5cd793eb98eefe0c473e83d369a32c2885

SHA256
a8f96f4d6663500a7c188e250a191ab7e147f0e89f2c939ed3858f747cff5ea8

SHA512
0cf7e0dcd6b8897d4e171ab5e1e6b94e35b1c51feb971c400bfe0a01408412f7e47c2d1db7dd4af2509e0cc455a5d125f7d2ae2d8e18643095875473800aa197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
85e271256491a1ef3f3667e85f2b50e7

SHA1
8dae2c3ec8851e9c95e1371b8a3ae39446804ac5

SHA256
82302bfbbd1a787273d5c436df87ca796029f161dc0652876bd966698be1d8dd

SHA512
5293c84fa400844782242755508dc0ba3ddb667ccc2d5f96b06caa3aa9365af83f7336a458b1cac0b1767b4b8bd4acd5c20ae51818d88aed34c6b9282c7770fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0ca86c162a5361a8f1b9841cf5156100

SHA1
b3bb27373957b1475880091d3704375f0a29a8eb

SHA256
0664e37632fe504b51105d31b57a9bd4c288e1816f8b441a53beaa872896e845

SHA512
3b2c3bce2eeff94cf117c12b2fcf937f980b0cfc6cea6245bdb5e80c15c2862b0f48de410d0bffbbb496609cee03043e1732d03c126fab9782c477aa52ef5354

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589f19.TMP

Filesize
538B

MD5
40bd8a27b2d1f75e4b68070b6b51a09c

SHA1
1c1ca7361edd98af7fa8eaccefe8adb19dbc9064

SHA256
0bbbbc364c9a6897f57c8ada65616e116143be328664ec21ae9c184283ec32b0

SHA512
89b9f833dad45e2e2a42c8d8de7226bc147cbd8305c61f85dc21df5a7a9d895d6f0ea43be40e27e29889ecd88cde8cdde59eb3d4e806b67bb8f66feeefe18175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
79677ac52c604acc37ca8fbd6e27d414

SHA1
af70cc3a8f71acf3219c1ffc240c9c2ded90fcd3

SHA256
0788633ab12d5274b133d28a5b39b154ebf4a3d9b146e6e975fcfe5eec87335c

SHA512
bd4f4ab1f9cabd4388a4b22325c4a33452c5de7b562d566cf1cd5928a8ce66328031ec4c5e0ec5d5e7241fae6d1f4bfbbae24280793bc1372fa650942f9e34fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
e2ab44d9b4fc9925c6ae41aa30866c2d

SHA1
23ec1c8b8830554b041c40d8f21328c2b5c3cbb0

SHA256
26203385c252cb8b2abfd24560d91fab4f495cbe1526413178e5471c12076861

SHA512
28a2be066b65fc674e33d08eaa9f43c02f53697093e02711827ebb6355f742f5c3516ac3dc8563b6d6311fe8b958e6e63043474dca250c15c2a19028a69e99e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7895e0ddd8175917717d3251ba4e6f93

SHA1
fc54bc97349cdb7ae2d80bfb9c7d46c67668ca8a

SHA256
b0af4a533754d14b84241a1cebc8cfc7f6098150089980673e117d54ecfdfcb4

SHA512
e846c5492337fb37271f8f7a2a837d1db7db7a4327a4803d33427a289cc93bcbf60084e66ff810ef7ae16c49ff23177a938d7ace75dc33086fc5fe011c42b7ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GANWAP0Y\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0NJ02.tmp\butterflyondesktop.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
1885e3998173e72de97e10bed1e041ab

SHA1
6af0253f5d548deb3c0d33ec8fa01c3614d8b02c

SHA256
71a2c846e00b609f1baf2f331ae5de8dfb8f52c36355db2a7b0ebdc66b8e799a

SHA512
51471c4b6a9f4f998b0a63eb84f04fa6aff8f5d77821c62cc68b5983aae1357c99dfe0eb7f1997d455eb49f445b159dcc3018c5a5118f1a5459eca171fd6b196

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
cda9ece2bcc0ba27462d23fce72df33e

SHA1
20c593e636ad9f211a0ed37b43fb22447b70e5b1

SHA256
ac98dfc293fcdf98d72a2eaba27cb8b1951f673decc9761e07ab7927a09692eb

SHA512
4a07a64c5e4c9df34ebe37209bcf469f1783e9bc2cbb6d8c206cdbf1c182a549c6369c208184d4e4695eb749923a67b6f4501b4dee817094462901ce3639a4f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
7249869311581a3148f9b9da7f6a4453

SHA1
d8f9516f3382a83d1fd8e030726b685c267c902a

SHA256
c81a300db7efb6dd1644d8d87ba5f762f8a7a03deaf093bf0410bd88734e8051

SHA512
9fd04eb7f4f8224e2c80483ef5258ca49e62e3c8b7b04eb0fc38c4576596c1b455aec75792199db92c86bd5ded45372a0eee894a153a09c05e1491bbc8bf9de5

Download Submit
memory/848-9059-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/848-9137-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/848-9145-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/848-9144-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/848-9138-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/848-8374-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/848-9127-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/848-9100-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/848-9120-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/848-9121-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/848-9122-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1832-1385-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1832-1779-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1832-4610-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2852-1008-0x0000000001010000-0x000000000102A000-memory.dmp

Filesize
104KB

Download
memory/2852-1003-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4612-1780-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4612-4591-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download