chimera | hxxp://google[.]com

Analysis

max time kernel
353s
max time network
353s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

10^/10

chimera discovery ransomware spyware stealer upx

Malware Config

Signatures

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

resource	yara_rule
behavioral1/memory/5716-2247-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Chimera family
chimera
Renames multiple (3261) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Downloads MZ/PE file 2 IoCs

flow	pid	Process
278	2908	chrome.exe
278	2908	chrome.exe

Executes dropped EXE 4 IoCs

pid	Process
1032	BlueScreen.exe
5716	HawkEye.exe
1788	HawkEye.exe
2808	HawkEye.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 27 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Libraries\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	HawkEye.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
278	raw.githubusercontent.com
277	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
302	bot.whatismyipaddress.com

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000900000002185c-1803.dat	upx
behavioral1/memory/1032-1812-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/1032-1823-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\it-it\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-72_altform-unplated_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookMedTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailSmallTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\LargeTile.scale-100.png	HawkEye.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5348_706043428\_metadata\verified_contents.json	msedge.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_LogoSmall.targetsize-24.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-400.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageSmallTile.scale-400.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-16_altform-unplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-125.HCBlack.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_contrast-black.png	HawkEye.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5348_1789275874\hyph-sv.hyb	msedge.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyCalendarSearch.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\MedTile.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\BadgeLogo.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageSplashScreen.scale-125_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\LargeTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\LargeTile.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Info2x.png	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24_altform-unplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Dark.scale-100.png	HawkEye.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5348_1953652934\manifest.json	msedge.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-96_altform-lightunplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\BuildInfo.xml	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_duplicate_18.svg	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-ae\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-black_scale-125.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\WideTile.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-100_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ja-jp\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-48.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\x_2x.png	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\plugin.js	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_altform-unplated_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\typing\bubble\white.gif	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\MedTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-125_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\warning_2x.png	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WordInterProviderRanker.bin	HawkEye.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.ja-jp.txt	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-32.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\SmallTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-30.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-72_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Speech\en-US\tokens_enUS.xml	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Outlook.scale-125.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\WideTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\SmallLogo.scale-100_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons_fw.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\FlagToastQuickAction.scale-80.png	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\optimize_poster.jpg	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluDCFilesEmpty_180x180.svg	HawkEye.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlueScreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 552d84a44295db01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{A5B72C66-142C-467B-B8B7-00B8C00F7917}"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FDA59E4D-0B7F-11F0-AA58-5AE1D8468351} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D1DFA913-0B7F-11F0-AA58-5AE1D8468351} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133876037411309009"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\apk_auto_file\shell\open\CommandId = "IE.File"	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-446031748-3036493239-2009529691-1000\{54D6AD4E-4385-4F09-A04B-171D3DF58155}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\apk_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\apk_auto_file\shell\open	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\䣳垵䙟盙㠤\ = "apk_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\.apk\ = "apk_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\䣳垵䙟盙㠤	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\apk_auto_file\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\apk_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\apk_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\䜙뎽Ɏ耀	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\.apk	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\䜙뎽Ɏ耀\ = "apk_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\apk_auto_file\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3956	msedge.exe
3956	msedge.exe
3036	chrome.exe
3036	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
992	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
5348	msedge.exe
3136	chrome.exe
3136	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
5348	msedge.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe

Suspicious use of SetWindowsHookEx 57 IoCs

pid	Process
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
992	OpenWith.exe
5196	iexplore.exe
5196	iexplore.exe
4028	IEXPLORE.EXE
4028	IEXPLORE.EXE
5196	iexplore.exe
5196	iexplore.exe
3480	IEXPLORE.EXE
3480	IEXPLORE.EXE
4496	iexplore.exe
4496	iexplore.exe
6132	IEXPLORE.EXE
6132	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5348 wrote to memory of 1760	5348	msedge.exe	86
PID 5348 wrote to memory of 1760	5348	msedge.exe	86
PID 5348 wrote to memory of 4184	5348	msedge.exe	87
PID 5348 wrote to memory of 4184	5348	msedge.exe	87
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 2464	5348	msedge.exe	88
PID 5348 wrote to memory of 3028	5348	msedge.exe	89
PID 5348 wrote to memory of 3028	5348	msedge.exe	89
PID 5348 wrote to memory of 3028	5348	msedge.exe	89
PID 5348 wrote to memory of 3028	5348	msedge.exe	89
PID 5348 wrote to memory of 3028	5348	msedge.exe	89
PID 5348 wrote to memory of 3028	5348	msedge.exe	89
PID 5348 wrote to memory of 3028	5348	msedge.exe	89
PID 5348 wrote to memory of 3028	5348	msedge.exe	89
PID 5348 wrote to memory of 3028	5348	msedge.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://google.com
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x210,0x264,0x7fff8b0ef208,0x7fff8b0ef214,0x7fff8b0ef220
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1876,i,14380283516104860556,8591981720818056332,262144 --variations-seed-version --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2268,i,14380283516104860556,8591981720818056332,262144 --variations-seed-version --mojo-platform-channel-handle=2264 /prefetch:2
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2564,i,14380283516104860556,8591981720818056332,262144 --variations-seed-version --mojo-platform-channel-handle=2716 /prefetch:8
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3496,i,14380283516104860556,8591981720818056332,262144 --variations-seed-version --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3508,i,14380283516104860556,8591981720818056332,262144 --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4968,i,14380283516104860556,8591981720818056332,262144 --variations-seed-version --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5208,i,14380283516104860556,8591981720818056332,262144 --variations-seed-version --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5212,i,14380283516104860556,8591981720818056332,262144 --variations-seed-version --mojo-platform-channel-handle=4636 /prefetch:8
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5220,i,14380283516104860556,8591981720818056332,262144 --variations-seed-version --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3216,i,14380283516104860556,8591981720818056332,262144 --variations-seed-version --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2824,i,14380283516104860556,8591981720818056332,262144 --variations-seed-version --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  PID:6104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5288,i,14380283516104860556,8591981720818056332,262144 --variations-seed-version --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5836,i,14380283516104860556,8591981720818056332,262144 --variations-seed-version --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5932,i,14380283516104860556,8591981720818056332,262144 --variations-seed-version --mojo-platform-channel-handle=6268 /prefetch:8
  2⤵
  PID:1000
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5932,i,14380283516104860556,8591981720818056332,262144 --variations-seed-version --mojo-platform-channel-handle=6268 /prefetch:8
  2⤵
  PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6436,i,14380283516104860556,8591981720818056332,262144 --variations-seed-version --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6556,i,14380283516104860556,8591981720818056332,262144 --variations-seed-version --mojo-platform-channel-handle=3764 /prefetch:8
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4644,i,14380283516104860556,8591981720818056332,262144 --variations-seed-version --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5412,i,14380283516104860556,8591981720818056332,262144 --variations-seed-version --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  PID:5668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5436,i,14380283516104860556,8591981720818056332,262144 --variations-seed-version --mojo-platform-channel-handle=5812 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3552,i,14380283516104860556,8591981720818056332,262144 --variations-seed-version --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6272,i,14380283516104860556,8591981720818056332,262144 --variations-seed-version --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5604,i,14380283516104860556,8591981720818056332,262144 --variations-seed-version --mojo-platform-channel-handle=6172 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5516,i,14380283516104860556,8591981720818056332,262144 --variations-seed-version --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:6000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3992,i,14380283516104860556,8591981720818056332,262144 --variations-seed-version --mojo-platform-channel-handle=6348 /prefetch:8
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6952,i,14380283516104860556,8591981720818056332,262144 --variations-seed-version --mojo-platform-channel-handle=6936 /prefetch:8
  2⤵
  PID:1900

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff7a40dcf8,0x7fff7a40dd04,0x7fff7a40dd10
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1980,i,17514529253708825798,2641287885184920805,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1976 /prefetch:2
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1560,i,17514529253708825798,2641287885184920805,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2368,i,17514529253708825798,2641287885184920805,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2380 /prefetch:8
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2968,i,17514529253708825798,2641287885184920805,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3080,i,17514529253708825798,2641287885184920805,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4236,i,17514529253708825798,2641287885184920805,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4256 /prefetch:2
  2⤵
  PID:6100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=2932,i,17514529253708825798,2641287885184920805,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4964,i,17514529253708825798,2641287885184920805,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5348,i,17514529253708825798,2641287885184920805,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  PID:5312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5644,i,17514529253708825798,2641287885184920805,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  PID:5760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5652,i,17514529253708825798,2641287885184920805,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5792,i,17514529253708825798,2641287885184920805,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  PID:5720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5676,i,17514529253708825798,2641287885184920805,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5812 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5880,i,17514529253708825798,2641287885184920805,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5804,i,17514529253708825798,2641287885184920805,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=208,i,17514529253708825798,2641287885184920805,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6088 /prefetch:8
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6112,i,17514529253708825798,2641287885184920805,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6120,i,17514529253708825798,2641287885184920805,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3444 /prefetch:8
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3084,i,17514529253708825798,2641287885184920805,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6048 /prefetch:2
  2⤵
  PID:5268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1112,i,17514529253708825798,2641287885184920805,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=840,i,17514529253708825798,2641287885184920805,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=1564,i,17514529253708825798,2641287885184920805,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4412,i,17514529253708825798,2641287885184920805,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6324 /prefetch:8
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6392,i,17514529253708825798,2641287885184920805,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4656 /prefetch:8
  2⤵
  PID:5532
- C:\Users\Admin\Downloads\BlueScreen.exe
  "C:\Users\Admin\Downloads\BlueScreen.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6388,i,17514529253708825798,2641287885184920805,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6520 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6312,i,17514529253708825798,2641287885184920805,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6316 /prefetch:8
  2⤵
  PID:3496
- C:\Users\Admin\Downloads\HawkEye.exe
  "C:\Users\Admin\Downloads\HawkEye.exe"
  2⤵
  - Chimera
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:5716
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4496
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4496 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:6132
- C:\Users\Admin\Downloads\HawkEye.exe
  "C:\Users\Admin\Downloads\HawkEye.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1788
- C:\Users\Admin\Downloads\HawkEye.exe
  "C:\Users\Admin\Downloads\HawkEye.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2808

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:2808

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5112

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:992
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\Mobile_Legends_Adventure.apk
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5196
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5196 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4028
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\Mobile_Legends_Adventure (1).apk
    3⤵
    - Modifies Internet Explorer settings
    PID:4056
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5196 CREDAT:82948 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
f71507c11222936b842e9cdcdc48da70

SHA1
48fce37f071510622bbd9d4ce34af6272fc34f2b

SHA256
0cda47267dd912cd797a5ae2af37dad6d43a797153ab604ba2f184ae360cab74

SHA512
1df2a3bf8229b12c0a8111682e0a66bfc9b79bbfcf8e51851e315fd4fe3a4c22893742e5b3963db391d7600eb5920ce3f983ef58fa9448d4efb18800ef4aa210

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5348_1098116657\manifest.fingerprint

Filesize
66B

MD5
496b05677135db1c74d82f948538c21c

SHA1
e736e675ca5195b5fc16e59fb7de582437fb9f9a

SHA256
df55a9464ee22a0f860c0f3b4a75ec62471d37b4d8cb7a0e460eef98cb83ebe7

SHA512
8bd1b683e24a8c8c03b0bc041288296448f799a6f431bacbd62cb33e621672991141c7151d9424ad60ab65a7a6a30298243b8b71d281f9e99b8abb79fe16bd3c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5348_1098116657\manifest.json

Filesize
134B

MD5
049c307f30407da557545d34db8ced16

SHA1
f10b86ebfe8d30d0dc36210939ca7fa7a819d494

SHA256
c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54

SHA512
14f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5348_1481566326\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5348_1553740554\manifest.json

Filesize
118B

MD5
bfd928cc511db8e8550a3e5a00cfe169

SHA1
569543caeacc652b8a78bc1aee3ae06027456eb0

SHA256
c49d97c9219d36b85b6541c049f1fb766a6b587b064253ea7a2a4daf3cad64e3

SHA512
94ba54500dafee7013cb90c921509f1be94de9d9ad4825aa0444f4038c178bf2f70e9210943247582f36af81c93a94af68424b3f3ac25743acab145fc7ff61e9

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5348_1789275874\hyph-as.hyb

Filesize
703B

MD5
8961fdd3db036dd43002659a4e4a7365

SHA1
7b2fa321d50d5417e6c8d48145e86d15b7ff8321

SHA256
c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe

SHA512
531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5348_1789275874\hyph-hi.hyb

Filesize
687B

MD5
0807cf29fc4c5d7d87c1689eb2e0baaa

SHA1
d0914fb069469d47a36d339ca70164253fccf022

SHA256
f4df224d459fd111698dd5a13613c5bbf0ed11f04278d60230d028010eac0c42

SHA512
5324fd47c94f5804bfa1aa6df952949915896a3fc77dccaed0eeffeafe995ce087faef035aecea6b4c864a16ad32de00055f55260af974f2c41afff14dce00f3

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5348_1789275874\hyph-nb.hyb

Filesize
141KB

MD5
677edd1a17d50f0bd11783f58725d0e7

SHA1
98fedc5862c78f3b03daed1ff9efbe5e31c205ee

SHA256
c2771fbb1bfff7db5e267dc7a4505a9675c6b98cfe7a8f7ae5686d7a5a2b3dd0

SHA512
c368f6687fa8a2ef110fcb2b65df13f6a67feac7106014bd9ea9315f16e4d7f5cbc8b4a67ba2169c6909d49642d88ae2a0a9cd3f1eb889af326f29b379cfd3ff

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5348_1789275874\manifest.json

Filesize
82B

MD5
2617c38bed67a4190fc499142b6f2867

SHA1
a37f0251cd6be0a6983d9a04193b773f86d31da1

SHA256
d571ef33b0e707571f10bb37b99a607d6f43afe33f53d15b4395b16ef3fda665

SHA512
b08053050692765f172142bad7afbcd038235275c923f3cd089d556251482b1081e53c4ad7367a1fb11ca927f2ad183dc63d31ccfbf85b0160cf76a31343a6d0

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5348_1953652934\manifest.json

Filesize
176B

MD5
6607494855f7b5c0348eecd49ef7ce46

SHA1
2c844dd9ea648efec08776757bc376b5a6f9eb71

SHA256
37c30639ea04878b9407aecbcea4848b033e4548d5023ce5105ea79cab2c68dd

SHA512
8cb60725d958291b9a78c293992768cb03ff53ab942637e62eb6f17d80e0864c56a9c8ccafbc28246e9ce1fdb248e8d071d76764bcaf0243397d0f0a62b4d09a

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5348_706043428\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\29fa1186-1f9f-48aa-88fc-3cf3f661826f.tmp

Filesize
12KB

MD5
680a9f61660cf55b511397e611818faf

SHA1
4f7b5b4762b01ce17e57b42d24da3911275c87dd

SHA256
bc44edf39424a089930a232f1ba70501aa96a0815250e91d8a5b362a54152065

SHA512
b09871bce986846df043566d8e043334bc58047a8072847e6aa90d940ad89b283f4b11d893ed7f6169f095394b88b5d0c6d5822d924059aaf94dca976a77675b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3cdd80a7ebf370f1cab805980d6a1443

SHA1
69f8e37889dcca456972b8ac029fe4fa34e54fb0

SHA256
6f8b3e8695da15750b3de2b859a75d6473a72e0be5e6b917b634f40f7ee4ee5f

SHA512
56fed60a74b3378feaefd84becb61cbb4d12cf6aafabe87f91893544afbefb02ba45dbd00e1dcb80ae9216a1c4a02d4bdfd0033dcb07ee1c76eb06dbdf1c08ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
38KB

MD5
f53236bc138719b68ccd1c7efb02a276

SHA1
26b7d3eea5d3b12d0b0e173ebf2af50a7d7e56d6

SHA256
787c14f8cc865430c03c96a345044b7c5b8dc8a032511a500d4a42228533acd8

SHA512
5485bc7ccce8ec75f60bca3be846086a4bd4466009c8e22da9cdd16bb1154529af2fb2667cd3a97485cc4f6635fb79ac0fdda4f3e1f39f25f6196f708a92d740

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000021

Filesize
25KB

MD5
21ace0d31858ac97b17b2e0959f3d7a3

SHA1
87702e17160c0fc6221e117e6e46a43acb254efc

SHA256
c294235f4ac229e5bcbdfe700726499131bbaf8d41a54290e9c49ecb5700c018

SHA512
e8374e9a80448653acfec041deb4b0102703afee22b811d7e111f3ba931701132fbdc5e36e3de4348be4f27600f9ee8bdab183d95b5279ce55f5392cc57f678c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
dc2dfd93feb56d46e225fb8634d94eca

SHA1
faf218f8339e045483825b7c0dfae1da4ba1e4f9

SHA256
d46eed23db969d18b0d4d1bfffaf4343c34bba3756e7585e4060318ffa0ffc97

SHA512
c6c2ecb3a0c9445914d7347ee30f671a8c145e0d6020959c9e44745a85293e64bec55c39ef1997d3a6cfb7b11431ee900bb8e757a573f8366382c6374b0a52ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
def9256e59a32d911d0741e2a5659a6b

SHA1
0fd0a09f89bf6639f391e6941e0d351488494302

SHA256
f68db599168facadb2c7071743e640d7bdf3b893b6c6cc11a7b2d88dacf24134

SHA512
feab1372defca66c6ccb3fe19a3a80f79ca4827684105add3e7b515fe9454d7f4c19c08097f1ceb4be570685384f81bac39c1ce9cba39c20286adcc7513f1ffb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
841445c96d868e5577e1f34e7fb26d02

SHA1
c039054b31204bc77b0e1e7eb80fbcc3e0de5a77

SHA256
29ada11ab3c5bed4f3af06929372bbb77c711d811bbf6723bf23f1d501f2e0c5

SHA512
144b8ef902dacefbe6f3c59e20e203a8b265bdd20c22b76eca6af2be87a919a18979dbd527459b8db70780a94f1cf19cc38f755118a5461f0ee2a8c242aab28a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
17d41dc8de9e48f44bf2eed382fc3f50

SHA1
3f3a824192c7ddf10d138ef7fb15da39128495fa

SHA256
735d84b50234996cd7a57b756635b6d45d3cb06b8bc0a740ba3a9160ca46864f

SHA512
c06e977557f5847652c614ac2ea64876d1b1b7482f98ab656f0157df9bfd31117e105096b9f2ee67761e9577e200431d92bad804afcb0f48489f57af7eaba625

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
642cf4dfd76d4356c5e935c3bef821dd

SHA1
679887389a7cf12099e3e95c4740815155080630

SHA256
0752bec33adb2bdd1cad498f15130d88884678cf94f14b1fd0341b81e5642ed5

SHA512
5d07fe69890299080a40bd9294409b7b252a1371006dfceff32ffc1c09c731cfcf65c3f4202ae38c8e35de55ee27a1119de1055279ba94678408849413a27e8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c2a328a61f0e4e59eecc32a9ee72fda8

SHA1
0a498075f85597b581cf20de1235a2bcccc80b63

SHA256
54d94627c946dda594befdad1121bf4e71ff5d06c8d444c10577a993a5d4714e

SHA512
ca964555423f244116dc30e29979e8a61f4d38b9c32688a874349a8b5083d6b513db874b7d5ca3e1840b3b92047e99c3f39c06e21dbd3c777453a96b78eae1bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
60d1fdd85a3e84b712f6c4c58728227c

SHA1
f61880666f34a345b68b53030d96f229e330e8c7

SHA256
9e1184333b7610b959acdfea7ea32d6a6982d295a59c503e03c38cb0402b9fd9

SHA512
e2fde39480a96d428e9404f86b9af343bb8ddbcfff545080df55fff0c85f4fd4a5262288af4d7e4bbc2f798736d02d6dd6797a4707bfaf9123536a4fb307cac1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
09722d9764090c4aedb7a008121d5d53

SHA1
852224c2bab334a8a0cae38817b7ab134de5a554

SHA256
2f939ef47e6aab37aebec9fb60ce4036dcf6dc8213c5a8ad486c6dcc87b8c20f

SHA512
54fffc855b49bd0a78d9d9980183ac112facd7df35623d09d19e2f0025e05d7b5b3c1f580a5a8bef03ba8b82803003bfaafd566b11daf76c5fd3f54f3cce7040

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
c1be70e6e18e8d3650bed75ca25d46f0

SHA1
df209de93020c219f18e27038c4a91fe08aa6099

SHA256
104aa83eeb96b5dcab0670eeb7b0ff11f8664265a8c15c1075e64c9e873e5f9f

SHA512
02b047329e9c58fa15d5940b74886f0d0bc3f6bb09a3c6a8ef0828108367b1436ff66f84b57e642f0f8d1d190a82f64506face46e2c2ba867aa696600aaf5525

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
27ccd178857816d922ecc31cd9a49606

SHA1
76bca8f48638b39b33f00bbeebfb4729c078d56f

SHA256
75d2a3d718be1c5f66b0ff3ca7df0a7612b9c49c097fc445c54208c649e28a70

SHA512
fbbff83ea9edf2214f869d82ce8903638a330084337117baa9625d9b2ec1a5495a528cac1ddf5839e880098b48ba16d7ba17ac5c0e8fdca6f2a7034298e48c65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
94b816ea6a90934408fa036461f44044

SHA1
7eeb7860d6eb803f6724f0379644da8395e6e371

SHA256
9c2fa8f029c28b3fbe2ea7073456379caad67f2e6e0a3b00853ccc6609ccdd24

SHA512
c0355d5229de9fc416bc5a3546b42b9c09258cf14ffffc98fa5eef5209af03dc4f1fe15e09f148eaeec4aabaf82dbc938ed6d48fa3ee02cb5ad4df4c2d9728f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
62ef59f444abb82be65d4ab34575fcdc

SHA1
98b925f2815de2d6cfba2ef4e6e28bb252c5911b

SHA256
d69c9ba269cb7b75916dd8ca17ecedbb2e44e8954b09e7ab085283460dca2e57

SHA512
9cc8bea6fb3974ac7963539301c64c15337cd04a0ed25908777002ecb3d6639e308c57b7203a3d67edb8dc1483872121fbc2c9504bbe35830d8dfe9d76cea00b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
9b68e756161ce42f738b50a3cbdf41b6

SHA1
ba0141a5ec2426cb71f2f7e22b2ede5352996b51

SHA256
ed29369a59d76dfd82a284c63de55546f4f57c425f3f887d1067e85d23d05317

SHA512
bd7594def9203aac7f870344c18d660830c8f56ec6e0115cad974a722369101f8cae198abd1aaa9230b00f375209ddd223b601fe47b9859be295836ecf7c296f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
406435f529c5ac82c66566e68be368f5

SHA1
36489e2c0af1227d6e4ac0c433e04ddba5937009

SHA256
aff3734cf482a3d495ea6acb063a37a940893a4884b6ffa10f5a2c89c32cac9c

SHA512
89dc04ca5aed5eb33fc215332399d2d45944f6ed828ede86fa8b4f4c1c8e61a938dd892c70328fc51e06e30049c1586dd5397e693a4ece76c93c3fff5b4020e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
e8f8c33961d8145e00b02fe8a46c69bf

SHA1
8321fdaa9c26a39eb0a1e5d34f117ab7367d405c

SHA256
325a731dc77bfce03dd0cedd22125e46513d86d4c913ffe925dc5be95a9e2f98

SHA512
250389aeb0652118ed3837a38456fa310e951fce5a6cd7086ed9257b5be0d4dff0cac646d6e9b4e4a62b27a2dc667a1c24cb8ad167795eb1e67258b7f19a6f47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
657182266d2d692bfbd9bbf0b63d313b

SHA1
4a27eafe3f58e646842eae21c350b1642a731761

SHA256
ec9e0b8beea23b6abffe12ed38e27856c8e86f60076adbcb99eddb71d3e28412

SHA512
96670d55c544010f7f2d221c09aa4d3c70aa9b9b88305e0d52dac977e26f7d8db879b157d2111151dadfc7688080bec09570bde4a72775142e0bcb5003a10b74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
5cf4ecd5bb1c5588e31586bfc600e29e

SHA1
7f6d1f9802969a134bd9ea881252ca9da6deaef7

SHA256
419ebcf49956a5e13d511b0c445124a26d23b290b864690858b805ea064b9513

SHA512
bad01ebfb15c143c96f64fcee92f46c6728e16377ae5ad4cc9a674e8d00acc1423c872986cf95f3e65c46b2373b7cc58b44323f38c88ae11cada62f7c894eb6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b06fb45a38c99870f80dabf2469d8a0a

SHA1
4515a66789d34c711295f2975b96f3c6622b98a8

SHA256
2b442d9948c1a4c63d23edbbed5eacd5554fcd5bc86ad9edf66db93c896d97bc

SHA512
9f9a88b6256297740a981e549c8455c54f25c5c81ea5f5208b982d24a88065a4bb7eaf673076905f5d368575489a0caf0a17b3ae6c0d6c15019b9ba5d8137de8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f7a45827f0e1203df7e68c2088d9d9d8

SHA1
365557c324fe8a3440736e31e2702b82c297b9fa

SHA256
a4c5567ce1209ee3a8bfa91f1f6e64511972605882395b19aa1147561377ad71

SHA512
0701758cc9b5c1849b364364696728c295585403819f9146553a9a3d432e7643d441f5aceaa6637d45e24c4d340e102a665715678fd1f7b4565a960ff36d61f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
43ab82fd89c7ba23b732ae88b4963884

SHA1
69f1a7134aa433166978aa5dd4167c24f7e3d365

SHA256
4c74351dc132981b26be53cc73bf2989578349b5f5aabc0b6acae22438fa545c

SHA512
34303779b06f905f7b4887328f28327a5ed763826fa5ee49cd98596a980bd15afc824c1f598e5bb1278a570521e70e47639db119e933d18d8f161499d652ec10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57bdb2.TMP

Filesize
48B

MD5
e855a9d65223a7f92757d618e8e0dedd

SHA1
aa98ec513c8ce4f41976e509754e884565d4362b

SHA256
af74167f82f778315b0d93bcc36e3c0faf5e0ff340a3b61032642984f7308ba1

SHA512
928191d319e95af50e9d26279c7a0f153822ebf600e6522ee4d417974d5c919e01ee99abf800786784ad4a5b4c992807d16b902697728a52fcad9f8027268efc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
0c7e2b79dec123b5a21d4665abb93beb

SHA1
b50a812e385bd852a0228d395f7f784047dcf3a9

SHA256
8a041dd1c05a6021538561d2fb2133bfee4545b57ef3ef94b05a9082349d996a

SHA512
7f164be78a6a1428135f6e13aaf122708ab17abd53d9f3d11c22073d74cece4fc955630200e785afb48227559297ac93ea9d7bebc625c52548924010269f957b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
156KB

MD5
67ef573d1eba367b74bffcc1b167834b

SHA1
aa234cb828e9623519902792aea4009910c3bc00

SHA256
e6c3564e4ebe442e097cd79808ac892a6db60b8dabc96a34ebc679fa799ccd56

SHA512
946815ae294b719746c59aff3d12b0cf2efb8187019964e1ae5dfb9a36d8be17df790698604e27211c6e82c1cd33e4a521d8d7f955359751f7285de70cafb42c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
3853fde220c4dcfa42a246cba7e07ab2

SHA1
8cc61a071d2c0664ee265dd90e234041c93cefe3

SHA256
6812d797745307e8cdaa790cb17b555193d4d453c782d1957a10b655d8cf434d

SHA512
d5eb77250b219e8c8831aff52374f756e604c81a91a7b7be67f53a302d37ccae28427d9b69f3c099dde8862a1e6d621fe955b4f5be9f41786ceaf7d04ac7598d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
efe3396514405861441a016aaf729274

SHA1
5d6691d7f3aa409c8bc43ad8b89e7e6099a365a4

SHA256
bc878ee6f2060d0373b32e881a8960696dfb3104a03b478ca2ed343ff77d87b9

SHA512
9e8d0007ac7180adb9dc3779bd32a180c91544dd27a9d49bfc0eff41ad5ff3441f2259438816e87051b77da8510d58421bf5ace211ebbdee443f3fc002c5002a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\HawkEye.exe.log

Filesize
20B

MD5
b3ac9d09e3a47d5fd00c37e075a70ecb

SHA1
ad14e6d0e07b00bd10d77a06d68841b20675680b

SHA256
7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432

SHA512
09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.9\protocols.json

Filesize
3KB

MD5
f9fd82b572ef4ce41a3d1075acc52d22

SHA1
fdded5eef95391be440cc15f84ded0480c0141e3

SHA256
5f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6

SHA512
17084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
8625e8ce164e1039c0d19156210674ce

SHA1
9eb5ae97638791b0310807d725ac8815202737d2

SHA256
2f65f9c3c54fe018e0b1f46e3c593d100a87758346d3b00a72cb93042daf60a2

SHA512
3c52b8876982fe41d816f9dfb05cd888c551cf7efd266a448050c87c3fc52cc2172f53c83869b87d7643ce0188004c978570f35b0fcc1cb50c9fffea3dec76a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000007.log

Filesize
21KB

MD5
2a89e297e45418c5b2b865b969595705

SHA1
19885ddd0bbd53daddcad6d2dc45c1e7f7dc6eb5

SHA256
f7108bb871f28d3c7b44afff7625ea364a26ae81ac5f331c80339043686163e5

SHA512
521cca310b5e8fb22d7789fe4ac657791f6a6ac24d035693836b8e2fd5f407a4fd3da73ee64eb5452b1fcc6a74bb14edc88ebfd38b88f6cca18503a2c2bd8756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

Filesize
331B

MD5
fc2557855ffbe6dbb4199b92e897a40a

SHA1
a832a780eeb6c983cac0e14ad9c151d25a008f9d

SHA256
69dcf0a1997b98668ab680632ecb6d128783bdb369d4417609bd9b44b26e40a6

SHA512
48c8a6e59209c1d8acda9c868e19297ce2318a01aa930f6e4a57cf675ef12f8dc5eb0439a3591c3d51acefd6f169973bb397b2ff5942bba766480ca04b82426a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
05b4656b24f09dcb266e33e8fe6f59cf

SHA1
e55a36e2e5173e3d0d19f2be77ddb9286f5a99f3

SHA256
83ee2efae534915bf62bb57654038fbd17fbcf922c404ee3a12dbce8a96bae88

SHA512
3c832f525a88bb82d92a381dfd8fcffdf8b502b6d91047cfb4c00a57f177ff721d1238c5e129c136c5ecbf532035b47fd97af7e4f4729becd6016cb6d0213bdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57cbeb.TMP

Filesize
3KB

MD5
a19d50596a95a69edaf109d91f1cfbc3

SHA1
61840d16c7ed3db0f530de3b6f4d185346c0089a

SHA256
65ebf4a99784543bd350022c74ec9ae84203b2c237edcc27d84a003db95cd843

SHA512
20f6e47f372d669d6ef0432ab702bb736ce34f99b9ff58c8b708c0c5802b9e5bc1f3b8a96531d67eaa010b9c5edf1104d03f31c450b00cf66570241b7a491752

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\_locales\en_US\messages.json

Filesize
1KB

MD5
578215fbb8c12cb7e6cd73fbd16ec994

SHA1
9471d71fa6d82ce1863b74e24237ad4fd9477187

SHA256
102b586b197ea7d6edfeb874b97f95b05d229ea6a92780ea8544c4ff1e6bc5b1

SHA512
e698b1a6a6ed6963182f7d25ac12c6de06c45d14499ddc91e81bdb35474e7ec9071cfebd869b7d129cb2cd127bc1442c75e408e21eb8e5e6906a607a3982b212

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
50a606fb699b92919ab3c80af26e46df

SHA1
38afe9d8d9dad305589b2a3fc19ec57b8b2c13f7

SHA256
9e08e68e238a85e4491ae73f88487ab949f3ad3fe905ce9a839a8ff2eba5b51d

SHA512
77c9392f256fc0cb5c3135fdff7a3e4f1a0c90e8491c58524e8dd5d299d8f2dc75a7f8f6e469107d8cc15d9c110a9ad239284e5a8af157cc21e158a178f5de8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
2c12e1eaa5a9ad35d371bbf9f11faca0

SHA1
e05d5257c44509bbae409ead93c2c7d8bc6917f4

SHA256
fc0006c0f94d9742a97c1ac69ff34517afcb6225f56d95cd2d4a5d449897df06

SHA512
2b0c970906b3a7f28584ec5eee95f34fc72cc7b77b7fd43fcc8807ea744bf3492ba35a73404e4fde7a3526bee4c9099ee945543c1b09668a7760996df59bf8e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
dffdf91abf1fd267ea750d1ddac67338

SHA1
02f9885a4b5137d791795bdac0379cec335fdfde

SHA256
01b45a017d409dd1f46de518f9f48a97ea724386b7744623f4f3225b1b9cb59d

SHA512
71dabf44e281ebc2688b2b5a0b75e2f16cb8864c1cb4b1229c0ec7ca3999af9046e28d8d648f38ae48caaf2c657585d21755db4ae0550d94ec1053cf58673bcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
e3e0fe28b61d7c075d8fd4352aa3894d

SHA1
79c72b950b862651dbd04ac1d32314ca302417dc

SHA256
f21063ca19b857f4be6c212370cf10e07e3020d7f53b3ff77925286f65fe1f4e

SHA512
5f6e2e8916b7250596cce99c7da76607b1d97d7020ae79512fc64931398a299023831731215c5ef34727ca07cd5741f45f849620bffe5fac0a5a931ccbeb9d17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
8103726a088da3a0d7d0684f2b476b3e

SHA1
0b8ebce339cd26ecb9b457d92b77fff917e7343c

SHA256
ef033b25bb144b4cad8338ded51a33b52dcae4465167aa4294f843e7bb0101f5

SHA512
5e90f41adc279de7fb04ba45fe906de1fc299d74653167f81610dce401c07dee4a903c222d033dd7ff5ad24c22eabb5fb857fef65b65c470d8b0f8aba608d7c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
c7918a167c2b0539cdf43d896fe0b795

SHA1
f966a255a00bcb26871a0994eb438e0d6f82e630

SHA256
44d406a4163544c16d45decc6da494321a815fcd1400a4f4a8bd310cc3ab736b

SHA512
4f6425a039ba489eab290be9545d107ad72472c02f4e025f4fe6648115e75227498308c8a677f7216dca1327592e4ac0dd155725a057f5d83af4c366fdaa41bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\75b67b01-d915-47a8-b1fb-4d0df8910bb2\index-dir\the-real-index

Filesize
2KB

MD5
18c86bc16f29a3ad167fb4a9f788d134

SHA1
6d2df8243bdfbfe34e2ab284001b524dd329e7f9

SHA256
783cdbbd831d9d2ea17e1dc1ef524df55c47a0fc4e75939953c4daf1f8c190c9

SHA512
21bad9f4906342098e955797ca3aee8b24f6c8e56072ec739d0a4d3b0183dc9c7f406267321f7ea8e90f67e78085e4a0e3a3dd724f589ba3c3a07493aa7a2072

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\75b67b01-d915-47a8-b1fb-4d0df8910bb2\index-dir\the-real-index~RFe5bfe04.TMP

Filesize
2KB

MD5
76772f2238f4278213223a704c49b7e5

SHA1
03e04bce3a740828958e07e931cd02b1a8785dc4

SHA256
3100a2337e8e1eac11c2ced7c4f46b1cac2857384bed15b9cccaec355f13659b

SHA512
10e9fb83a3b82d2b77b3e99835ab3fe635051310970c317a298c4719de61441362a263717d34663107ff19cba6ef78c0acede474c52415d42753140c19797b12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
253B

MD5
6e045e9b0bfd93f84aa7d29daf0b9202

SHA1
344aafbd7956a52232e27879984461e8f4fcb8d7

SHA256
146597e2628eb63cc0e19c70e6e715acc466f2f2739e822ca295e80c96fb0caa

SHA512
5101b2de5f94c34a0189802dba3a6b6de6e05160836414fdb4f3132cae5514b140aef90d802f102ba94b55e9eb65fb65c38e140a283ad9cbcb6a4a60f7828d53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
23KB

MD5
21360ff2c49909dc8ee6b9b70df2184a

SHA1
9864a4d44bf42c9ad6f5be2d8035c680a94bebea

SHA256
4b72da60423e1e3cee5baef9ecc8ede0c5c8261680b02f73eb1390293f0c6ceb

SHA512
c92a7cd4bd0753a93133add4a82783ea05f222042361c78aa18bd1a1b4c96b6b76cb029d985d7fe38dc21ade68c2dc448c7339a83635b42afd85bad306dc9c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
467B

MD5
9d97218857a5df3616e7d66e66ad6def

SHA1
372d766c75679f95a2f87fcb3731d9d07c260ab7

SHA256
411dc27aff59229e4fa4f60a9e3c530b63b22d5b6ff7cf1eaf031d50d493882d

SHA512
354c6ed2b120b22cdc70d5979ee8bfd4239b5f043d44658a11a8301f5449319475ba892dba5e5d5c45083684f6326b02ffe5a179dcced6b2217757de0f997d73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
d512288415d4ab192e4204c08b30a5df

SHA1
8cf1c5b6024583c62f60e98c7708032c28a4944d

SHA256
2070471bc834e41aa3b728b4d5f3ec631d7bc237be6cbfa11090efc6ca608519

SHA512
08e37d6e801e89bcbe4db291534b9abcc7a58eaeeae8d109503be84bb87a73ab7cee5ea41c45f2e03146821c9b375ffb5e6525c1c62752942799fac8119e653e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
900B

MD5
c09a6b616a38498498dcd7b43e6f3a48

SHA1
6da6c7194fded2d8d38fde2f0c223eda02e4b258

SHA256
bb2193fa85f607b0d33b434c9c59cd0ac4d6803b6bd67316ca21fdaee1e8c9a8

SHA512
3d51a99be4da2d63564b58b3de45a6ec9bed1b8a502418d68bae658c0f4d627f05cd15f02428be450c05f830539ce83d41fe4601419180ac3748f1eabfb6c880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
6574d8d0e93a5acc1dc6513efd9538a7

SHA1
9ba466f9261e2087d674583c40d2930aa1afb23b

SHA256
a96f4fbf6695fdc12ca28cc62d513cf473ff34d3197c80e6e25043b2f46a24ab

SHA512
c6b057c53526da424cbf33ccc27d2e063d8b955c1c5fb2971d5a6b9348d0dbe57a6bc19b07e337acab601d909e134c011b3e12b989e0536ae30b2afba10d85e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
5bde5a4b11f9d533e6d9e8ca955e9df1

SHA1
1074f131d2ee1addb8e3b82d8dc470fa732427f9

SHA256
7cf2a61f652057d611452f9809c9bfd7db1a9821f1a2eb8ffca99a9ce4b97a02

SHA512
c12da6daf8ef1302587c0ec999cb0079196a89f85f84eaf025a67d8174ef605838667ff7b8b706f2b1b83d7fc55a844e50cb43475c14d4e0f2ed1c3977089e4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
b47f6414032d5964bf5705ae123920a6

SHA1
ac446c7d8e6423bbd7c1e1daa1f83afcd756c475

SHA256
6d58831340130d2ac44cd208e64f17c1aa2b38ecf48a7d5e1e6c06cb813a3b57

SHA512
0a44d6ad4c591a69e3dabebba57d07a47bcb51641fb011bde6ca297e775b7b73cdaee3ea6a27726360db72a9c85798b71eee45eb2178ba2b61c053ffd70a818d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.3.27.1\typosquatting_list.pb

Filesize
628KB

MD5
291dc27655975b5be12155942f2d5fe5

SHA1
a2ed705924a4876ef92d17cca8883e7bd0ca6318

SHA256
e3ad9d77cabb94127ba2788196495e416bc58e7e7062fde2dfadb49df8a54296

SHA512
a34ead26dd64d97a30f2c76ff6a29d71573e1c343da5fe8b499e764fbd0a9c0cc432d309ed8e5b627eac59dd5597a8c64af69a96791ff5b9b85f134985fb6c65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
f964b4fe59f35244acc2d010273e0444

SHA1
7a6c19fec4801ca1bdeb064c454a9d4b666a8300

SHA256
abd6f0545e8e9bdb813193405e443012026a7dba1e66f929ad0fc7cf7110d962

SHA512
ee261494444a8c2030ce2e5aa004c2ab9c954ece4ad53a3ddcb56844d5b66ebdc2d716f4c7acea343bece9f2bdd7207535090fac420c4bc14efbda595134e2dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ccc7813-9594-44a8-9a20-804631739977.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3136_1773972104\e8f7d16c-cc56-4fe9-a915-fceb5781f7e7.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5348_542186515\CRX_INSTALL\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5348_542186515\CRX_INSTALL\_locales\en_US\messages.json

Filesize
1KB

MD5
64eaeb92cb15bf128429c2354ef22977

SHA1
45ec549acaa1fda7c664d3906835ced6295ee752

SHA256
4f70eca8e28541855a11ec7a4e6b3bc6dd16c672ff9b596ecfb7715bb3b5898c

SHA512
f63ee02159812146eee84c4eb2034edfc2858a287119cc34a8b38c309c1b98953e14ca1ca6304d6b32b715754b15ba1b3aa4b46976631b5944d50581b2f49def

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5348_542186515\CRX_INSTALL\manifest.json

Filesize
1KB

MD5
2a738ca67be8dd698c70974c9d4bb21b

SHA1
45a4086c876d276954ffce187af2ebe3dc667b5f

SHA256
b08d566a5705247ddc9abf5e970fc93034970b02cf4cb3d5ccc90e1a1f8c816e

SHA512
f72b9190f9f2b1acc52f7fbb920d48797a96e62dfc0659c418edbbc0299dccf1931f6c508b86c940b976016745b9877f88f2ee081d3e3d5dcdcc2cc7e7884492

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
7KB

MD5
1046ea24f881c8103dbfdeef4456c0b4

SHA1
69c760cc1dae7e45a28550b1c565d8dc4d6fc94b

SHA256
d1c3ec48a627d6df59ddd670f468c0b4dfd91b7b379528b9b9887ca28524dbde

SHA512
6cca673aa7b43b284e8bd5ff774f78ae1c5268dbe3b6390f35426d1817a0cd0c18a2654f0d9b9042ad7e64a79423635f1ce1bbf169f250796ebae22c804a96b4

Download Submit
C:\Users\Admin\Downloads\BlueScreen.exe

Filesize
9KB

MD5
b01ee228c4a61a5c06b01160790f9f7c

SHA1
e7cc238b6767401f6e3018d3f0acfe6d207450f8

SHA256
14e6ac84d824c0cf6ea8ebb5b3be10f8893449474096e59ff0fd878d49d0c160

SHA512
c849231c19590e61fbf15847af5062f817247f2bcd476700f1e1fa52dcafa5f0417cc01906b44c890be8cef9347e3c8f6b1594d750b1cebdd6a71256fed79140

Download Submit
C:\Users\Admin\Downloads\HawkEye.exe

Filesize
232KB

MD5
60fabd1a2509b59831876d5e2aa71a6b

SHA1
8b91f3c4f721cb04cc4974fc91056f397ae78faa

SHA256
1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

SHA512
3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a

Download Submit
C:\Users\Admin\Downloads\Mobile_Legends_Adventure.apk.crdownload

Filesize
4.0MB

MD5
42585ccd2b7867c12052653e4d54b7cc

SHA1
a9348c3aabcc0171d1e35edeb37fd2da0fff0ad4

SHA256
b47bcc55ca8dc0625a145d6809cfa3ad78e9e3b4f33bc608b5bcaf7e9e1e5827

SHA512
e270bd1fbbaaccf3382048e9ac2489444a735ed32fb83f7681526a1edb0b7847d6adb8d75064b065309293ef75c45e2ea85fb132a1c12afd08b3a1346caad550

Download Submit
memory/1032-1812-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1032-1823-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5716-2247-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/5716-2252-0x0000000005320000-0x000000000533A000-memory.dmp

Filesize
104KB

Download