chimera | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/tree/master/Spyware

Analysis

max time kernel
832s
max time network
839s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
28/03/2025, 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Spyware

Score

10^/10

chimera defense_evasion discovery ransomware spyware stealer

Malware Config

Signatures

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\root\Integration\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ar-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

resource	yara_rule
behavioral1/memory/4636-2315-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Chimera family
chimera
Renames multiple (3246) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Downloads MZ/PE file 1 IoCs

flow	pid	Process
81	5172	msedge.exe

Executes dropped EXE 4 IoCs

pid	Process
4636	HawkEye.exe
5540	HawkEye.exe
3108	HawkEye.exe
5364	HawkEye.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 26 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	HawkEye.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
79	raw.githubusercontent.com
80	raw.githubusercontent.com
81	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	bot.whatismyipaddress.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\selector.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\da-dk\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\faf_icons_retina.png	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunjce_provider.jar	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\cacerts.pem	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.tree.dat	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2020.503.58.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\CameraSplashScreen.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\GetHelpAppList.targetsize-30.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\NotepadAppList.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\jfxswt.jar	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\AppCS\Assets\OneDrive_consumer_systray_block_light.svg	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\DocumentCard\DocumentCardLogo.styles.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-commonjs\types\IEffects.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-down.svg	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_10.2.41172.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\TipsSplashScreen.scale-200_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@fluentui\dom-utilities\lib\elementContainsAttribute.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_duplicate_18.svg	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Xbox_StoreLogo.scale-125.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\GetHelpAppList.targetsize-20_altform-unplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-black\PowerAutomateSquare150x150Logo.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-32_altform-unplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-60_altform-unplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-100_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.2103.1172.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\FeedbackHubSplashScreen.scale-125_altform-colorful.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_x64__8wekyb3d8bbwe\Assets\Icons\StickyNotesAppList.targetsize-256.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\avatar.jpg	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-256_altform-unplated_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\FeedbackHubAppList.targetsize-36.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-36_altform-unplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallLogo.scale-200_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\cs-cz\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\es-es\PlayStore_icon.svg	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\help.svg	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-150_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailMediumTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailWideTile.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-96_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\Breadcrumb\Breadcrumb.base.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-32_altform-lightunplated_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_altform-unplated_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\dcfmui.msi.16.en-us.boot.tree.dat	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\powerview.x-none.msi.16.x-none.vreg.dat	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\WeatherSmallTile.scale-200_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_neutral_split.scale-100_8wekyb3d8bbwe\Images\PowerAutomateSquare150x150Logo.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-256.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-150.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\FeedbackHubAppList.targetsize-20.png	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-100_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\PaintAppList.targetsize-72_altform-unplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-80.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ja-jp\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Xbox_AppList.scale-125_altform-unplated.png	HawkEye.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_1358730446\page_embed_script.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\json\i18n-notification\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\json\i18n-notification\pt-BR\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\Notification\notification.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\wallet-webui-708.de49febeeb0e9c77883f.chunk.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_1358730446\_locales\te\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_1358730446\_locales\lv\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_1358730446\_locales\kn\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_1358730446\_locales\gu\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\json\i18n-hub\zh-Hant\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\json\i18n-shared-components\cs\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\Notification\notification_fast.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\Wallet-Checkout\wallet-drawer.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_1358730446\_locales\sk\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_1224491702\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_39298205\shopping_fre.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_1358730446\_locales\th\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\json\i18n-shared-components\hu\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\json\i18n-tokenized-card\ru\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_1358730446\_locales\ne\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\json\i18n-ec\sv\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\json\i18n-shared-components\zh-Hans\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_1358730446\_locales\et\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_1358730446\_locales\ro\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_39298205\edge_checkout_page_validator.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_39298205\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\json\i18n-notification\de\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\json\i18n-notification-shared\fr-CA\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_973057668\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_39298205\edge_tracking_page_validator.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\app-setup.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\json\i18n-ec\da\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\json\i18n-hub\zh-Hans\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\Tokenized-Card\tokenized-card.bundle.js.LICENSE.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_1358730446\_locales\pt_BR\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_1128844113\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\driver-signature.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\json\i18n-hub\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\json\i18n-notification\ar\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\json\i18n-notification\id\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\wallet-icon.svg	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\wallet.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_1292484738\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\json\i18n-notification-shared\pt-BR\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\Wallet-BuyNow\wallet-buynow.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\edge_driver.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\hub-signature.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\json\i18n-hub\nl\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\json\i18n-notification\ru\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\json\i18n-shared-components\da\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\load-hub-i18n.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\json\i18n-notification-shared\ja\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\json\i18n-shared-components\id\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\json\i18n-shared-components\pt-PT\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_1358730446\_locales\fi\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_1358730446\_locales\sv\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_1358730446\_locales\ru\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\bnpl\bnpl.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\json\i18n-mobile-hub\nl\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\json\i18n-notification-shared\ko\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\json\i18n-shared-components\fi\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\Wallet-Checkout\wallet-drawer.bundle.js.LICENSE.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_1358730446\_locales\zu\messages.json	msedge.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\HawkEye.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "456816344"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31170687"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133876644313471819"	msedge.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\.crypt\ = "crypt_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\crypt_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\crypt_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\crypt_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\crypt_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3920535620-1286624088-2946613906-1000\{F12644AC-5F2B-4748-B9E3-53870D4B289D}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\.crypt	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\crypt_auto_file	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\HawkEye.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4036	msedge.exe
4036	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5368	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4636	HawkEye.exe
Token: SeDebugPrivilege	5540	HawkEye.exe
Token: SeDebugPrivilege	3108	HawkEye.exe
Token: SeDebugPrivilege	5364	HawkEye.exe

Suspicious use of FindShellTrayWindow 59 IoCs

pid	Process
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
5368	OpenWith.exe
5368	OpenWith.exe
5368	OpenWith.exe
5368	OpenWith.exe
5368	OpenWith.exe
5368	OpenWith.exe
5368	OpenWith.exe
5368	OpenWith.exe
5368	OpenWith.exe
5368	OpenWith.exe
5368	OpenWith.exe
5368	OpenWith.exe
5368	OpenWith.exe
5368	OpenWith.exe
5368	OpenWith.exe
5368	OpenWith.exe
5368	OpenWith.exe
5368	OpenWith.exe
5368	OpenWith.exe
5368	OpenWith.exe
5368	OpenWith.exe
5368	OpenWith.exe
5368	OpenWith.exe
5368	OpenWith.exe
5368	OpenWith.exe
5368	OpenWith.exe
5368	OpenWith.exe
5076	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5764 wrote to memory of 2360	5764	msedge.exe	78
PID 5764 wrote to memory of 2360	5764	msedge.exe	78
PID 5764 wrote to memory of 5172	5764	msedge.exe	79
PID 5764 wrote to memory of 5172	5764	msedge.exe	79
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 5812	5764	msedge.exe	80
PID 5764 wrote to memory of 2876	5764	msedge.exe	81
PID 5764 wrote to memory of 2876	5764	msedge.exe	81
PID 5764 wrote to memory of 2876	5764	msedge.exe	81
PID 5764 wrote to memory of 2876	5764	msedge.exe	81
PID 5764 wrote to memory of 2876	5764	msedge.exe	81
PID 5764 wrote to memory of 2876	5764	msedge.exe	81
PID 5764 wrote to memory of 2876	5764	msedge.exe	81
PID 5764 wrote to memory of 2876	5764	msedge.exe	81
PID 5764 wrote to memory of 2876	5764	msedge.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Spyware
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x264,0x7ffdb138f208,0x7ffdb138f214,0x7ffdb138f220
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1860,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=2284 /prefetch:11
  2⤵
  - Downloads MZ/PE file
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2256,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=2252 /prefetch:2
  2⤵
  PID:5812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1728,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=2472 /prefetch:13
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3456,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3468,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4900,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=4872 /prefetch:14
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5168,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=4812 /prefetch:14
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5176,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=5204 /prefetch:14
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5480,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:14
  2⤵
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5728,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=5604 /prefetch:14
  2⤵
  PID:5260
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1128
    3⤵
    PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5776,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=5800 /prefetch:14
  2⤵
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5776,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=5800 /prefetch:14
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6204,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=6216 /prefetch:14
  2⤵
  PID:5300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6132,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=6148 /prefetch:14
  2⤵
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5524,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=6572 /prefetch:14
  2⤵
  PID:5872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=6212,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=6516 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6216,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=6636 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6844,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=5796 /prefetch:14
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6660,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=6400 /prefetch:14
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6840,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=6864 /prefetch:14
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5172,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=6564 /prefetch:14
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5880,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=6940 /prefetch:14
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5240,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=6580 /prefetch:14
  2⤵
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=712,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=768 /prefetch:14
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5380,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=5956 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5440,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=3232 /prefetch:14
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5876,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=5536 /prefetch:14
  2⤵
  PID:708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4808,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=2644 /prefetch:14
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5256,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=3344 /prefetch:14
  2⤵
  PID:5224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3232,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=3188 /prefetch:14
  2⤵
  PID:5500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5116,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=5536 /prefetch:14
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5916,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=1664 /prefetch:14
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5488,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=6648 /prefetch:14
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4872,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=4920 /prefetch:14
  2⤵
  PID:3660
- C:\Users\Admin\Downloads\HawkEye.exe
  "C:\Users\Admin\Downloads\HawkEye.exe"
  2⤵
  - Chimera
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4636
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Downloads\YOUR_FILES_ARE_ENCRYPTED.HTML"
    3⤵
    - Modifies Internet Explorer settings
    PID:3144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" -- "file:///C:/Users/Admin/Downloads/YOUR_FILES_ARE_ENCRYPTED.HTML"
      4⤵
      PID:3164
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch -- file:///C:/Users/Admin/Downloads/YOUR_FILES_ARE_ENCRYPTED.HTML
        5⤵
        
        PID:2484
- C:\Users\Admin\Downloads\HawkEye.exe
  "C:\Users\Admin\Downloads\HawkEye.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5540
- C:\Users\Admin\Downloads\HawkEye.exe
  "C:\Users\Admin\Downloads\HawkEye.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3108
- C:\Users\Admin\Downloads\HawkEye.exe
  "C:\Users\Admin\Downloads\HawkEye.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=2380,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --always-read-main-dll --field-trial-handle=4208,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=6712 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6516,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=6532 /prefetch:14
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --always-read-main-dll --field-trial-handle=3404,i,1553006377313230814,17065810942518069618,262144 --variations-seed-version --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:3316

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:4296

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5264

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5368
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\DebugRename.ods.crypt"
  2⤵
  PID:1988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Desktop\DebugRename.ods.crypt
    3⤵
    - Checks processor information in registry
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:5076
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2616 -prefsLen 24445 -prefMapHandle 2620 -prefMapSize 268500 -ipcHandle 2692 -initialChannelId {feca83f0-9d41-43b8-af3c-f1b1768f80eb} -parentPid 5076 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5076" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
      4⤵
      PID:1904
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2864 -prefsLen 24445 -prefMapHandle 2928 -prefMapSize 268500 -ipcHandle 2936 -initialChannelId {9a846276-1a51-4659-b10f-91273b7d84b2} -parentPid 5076 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5076" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
      4⤵
      PID:5028
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 1720 -prefsLen 24882 -prefMapHandle 2000 -prefMapSize 268500 -jsInitHandle 2004 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3952 -initialChannelId {7fcdc137-799b-42e0-8261-38a6b3a80c1c} -parentPid 5076 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5076" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
      4⤵
      Checks processor information in registry
      PID:4268
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4048 -prefsLen 25766 -prefMapHandle 4052 -prefMapSize 268500 -ipcHandle 4060 -initialChannelId {6c4486ba-e8c0-4aca-a287-9a413679c5bc} -parentPid 5076 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5076" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
      4⤵
      PID:5228
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4392 -prefsLen 25829 -prefMapHandle 4396 -prefMapSize 268500 -jsInitHandle 4400 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4408 -initialChannelId {974a79b5-2b92-40dc-b4f2-fdd423866d3a} -parentPid 5076 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5076" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
      4⤵
      Checks processor information in registry
      PID:3664
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4680 -prefsLen 25905 -prefMapHandle 4684 -prefMapSize 268500 -jsInitHandle 4688 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4532 -initialChannelId {87c146c6-3957-4fbc-852e-6364746802ec} -parentPid 5076 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5076" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 tab
      4⤵
      Checks processor information in registry
      PID:5492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
2b3ce593c842e7a4d8ff105a65f37f4c

SHA1
73ffc447eeef53113303f1606d7c8aa9d05bd3e1

SHA256
027c976848c67d60b93652bd71d0169e0f23a472c415ecb74ca8a3f4b0f1123e

SHA512
1602979cd9b3a66f593274af727c8dd79d4200e65c26729e7e0860f1b9e205cf84bed1fe3c97f873e8187aa7ec4fc4691f112b75c4fef4cadbee8ba0b89eddda

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json

Filesize
102B

MD5
7d1d7e1db5d8d862de24415d9ec9aca4

SHA1
f4cdc5511c299005e775dc602e611b9c67a97c78

SHA256
ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda

SHA512
1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\HawkEye.exe.log

Filesize
20B

MD5
b3ac9d09e3a47d5fd00c37e075a70ecb

SHA1
ad14e6d0e07b00bd10d77a06d68841b20675680b

SHA256
7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432

SHA512
09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\0e39050b-656f-4e9f-ba34-45fcf4c5834a.tmp

Filesize
50KB

MD5
2c4da625ffda916671f0c3fce04ca066

SHA1
13344083cf4952625edfe7ef40794a50ca7c1bbd

SHA256
1f7baac46423c2f7dc650c35eb33b1454695316bacbcfc2c508ab5208cba3b8e

SHA512
7dfb0013cedcb295df009604cb77b561632608f8fa3796e97f299ed589ba1161abdc71e2d5680b3613a431746e18383d38357f7e75402b601cd0762fe110d09c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.9\protocols.json

Filesize
3KB

MD5
f9fd82b572ef4ce41a3d1075acc52d22

SHA1
fdded5eef95391be440cc15f84ded0480c0141e3

SHA256
5f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6

SHA512
17084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
509e630f2aea0919b6158790ecedff06

SHA1
ba9a6adff6f624a938f6ac99ece90fdeadcb47e7

SHA256
067308f8a68703d3069336cb4231478addc400f1b5cbb95a5948e87d9dc4f78b

SHA512
1cb2680d3b8ddef287547c26f32be407feae3346a8664288de38fe6157fb4aeceb72f780fd21522417298e1639b721b96846d381da34a5eb1f3695e8e6ef7264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000007.log

Filesize
21KB

MD5
aff7d051130518fad054e4834754ad40

SHA1
b97558aa8696065876434ce6fab8a731383089a5

SHA256
5b447d681ac1b6d7aa0a230a63679a3b44ce9fa9fa23ce640b2e0749f0da4686

SHA512
baa658e088e7d4690c8fafab2986a71a6ac26f2110c9b543dee3ae19488499aba2a55564c94be575cf282a54a45968207674687828cd475e572c2f83b0ceed99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

Filesize
331B

MD5
53b157302e5d56663f4d40621b565062

SHA1
4e03334a04a1a9ec0237d36f89dc66d398eeb88f

SHA256
ca215cd3d5eec8f81bf8d361becafeafb2e7f03fc786aaf0dee74d7924af7874

SHA512
b7dafcd655108f5a229c7e37a31d3ae7478fc09df79750ca8191b2457f86a9cf1aef7c1843e5a135c1509559c0b05a3348df6e0783ecc13b6efb91e41c56c848

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

Filesize
331B

MD5
98a55302ac2b24258d58d81d945069a5

SHA1
0d2d2e67825f58a580681f74377883d48b62056c

SHA256
52579a6fdd722c0bbc661020a01e6d3b93678bbd04419f7b9949ccaeee7a40b9

SHA512
47c11148ffa050cd163a896ca98aee5bd91ba643ceee3ec726e2914eb4f5aa2f95096589acb19dc92902b25a62329f57a948df19d2cd98aaef92973cbde8645a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

Filesize
334B

MD5
9ee9fcae581f3e9337a8b22833fdb063

SHA1
82d6e5d098cf2a71c4fb2d3d4e811c3ea78d33a9

SHA256
48ffc27e9d3b84af26f7aab7b42d9096b123c4117463a0d7466921190da80887

SHA512
5781d22ed5a96091784d55186ed977c1d618a709aae443cc8c4c02c1c9a438e55d2efa2441881cd205872f6127c32676314322a764921e6b7fde2d442986254a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
159b3d51e0c4553af7ec1d076f245cc4

SHA1
de8abfbccf5b271b102dc584cf6b2085e1435f78

SHA256
713c6d189b5e57762e45df637eb664e287b795acbb49ee858e91eb8a30a3d6a8

SHA512
3d8bdc0b1b4ae8319a9dacc1a728c28d194b44a5c7902d774a30dce0841e8549fc74c0e0abad3288b3900413daed92861f72bb6c9bd6f80793ff83fbcfde5dc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
85b2900db110319f2c5968078d14f1bb

SHA1
ee804c86072c4ecfae44bbf75c7a5580a842f2a6

SHA256
c1e31019f9b68200c32ce643363a1b2c22b18e8affe9b95f1ece0449078e65bd

SHA512
fb10937bd3ec191fdf68eb88967a2ecf72a9023e1778493516a4280b503ca9c01be65bb231e3c9a7f08c2903440c406ceac3b86f74b03a970f2282434295b064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
9b65ef46dcba5cda539dc7babc117dd8

SHA1
b2ba2fdcfe935a1cb5a0b1e29ecbb6c49aa62e98

SHA256
c1524619b1ab243b91ae97876d4a19cc6a43764288ffb354bba47cfee594fb3b

SHA512
861ae6f6731e763c4f67ae1b12dee103cd791d5fa4d74e787d2f216c3f94c1d71d79ae2867cd570ba1526d70917a04a1d949fb2c7a5238249e45566e420fa4b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
5605428f58ae3c26c7712ee81cfce374

SHA1
b437489883388218295a5a71c869574138a880c0

SHA256
2fb52e3ea08d4d884f7d4de7cd92cbb09d328d403d639a014e54bffa15c2ab41

SHA512
a91c7c4a0da96fb37593deb9de1a530dd321005ac387a9538b208a00693d62097b4c91aa035cd6648a4ba4d2139a014c5058842c17f92227607c720d2562372e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
a0e9c999f4d88c3baafb60b2405a799d

SHA1
e76793b614def7aad21c8f0c0d1f6ac16e2e198f

SHA256
b0d329b49116d677d896c5f1d2165ef6a2e58b472159f800e1de20c64907fa2a

SHA512
0711841e443bf0555db66ca39c684c3b01f291aad769cda16fc7b00e35b8deed2121fa7898bbe05a939d27e44003a9c0786e159c2f3f8ce50a709b43b3e5ed28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
a2425d857fcf9131bd4aefa4884db641

SHA1
d41d8b07aa060aa89e2f35f45d7a410251ec6218

SHA256
a37f11c25b964c5ba643fe7119b7df6fac82fa51788b0577ecac0199d1046c87

SHA512
5a3293f4be574555cc39fdc837d900969e9fbde36ededf49ded13eb5a6e2f64fb4f7582b9e0efd72ca96e14afa0f6783c08360ea8f81c94d4403691fd7a7f7b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
412KB

MD5
381a9f046ce7ed464e7e18804633601d

SHA1
a0f22c36640fe85bc98514df2431d9e8607d8895

SHA256
d87459c887286f21daae5691eff4bd6e0999de4a19ab9d03126b8f96a3fb9978

SHA512
dc6fe1f45f08336eb596d20165d3bf75c0ef5d5658ab1a48dd03b2ee6b877d3451706f1146b4676f016493555583f748a36696a1ac0aafbeac48c1176ab3308a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
412KB

MD5
fa2250d0e64e186d4f3bff6f82f7e938

SHA1
f39ad091769aaf6351abbfbc39cb326994652f58

SHA256
18fca1f50b2096c966faea469f00668c15452c9e9697bda1290c679e43e7683f

SHA512
9976333a20170d8e334bc3fabbb8c9bf7ebf26dc6ee538b8adbfaca05a079945ed874f25d6ffaba5b2ef6368f76bad54d0b9192d791d2726314dd6865c1748f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
412KB

MD5
7fc746ce45d8a9a24a9c238bfceeab49

SHA1
cebe01df44953d4c17a13e8633e2f42fa6a5b66e

SHA256
1eadd29e64f7f127d176d7025032fd72b59852484fea38cea815dff0e04ebca0

SHA512
c4b09152309e5e8d09aa6e3630d9c05f7a38687a4ad3a29d6e2d9545481913e48d2927fa357e9761cfd4c04e459556d43b97992bc4392725a3fd6d685bf55d5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
412KB

MD5
5991000f861d90a5e6c7b7df2dc7d826

SHA1
5fb22d2ea0d5b639e55dee7d6d3e7c114c677293

SHA256
78f32ef9a0ea2f91e3a8304d9636d50f0e697f07d5b09c94d579e13e1c6172f1

SHA512
b690133af473498a5690cf9b238be81b4f6c6fd040d3857fd165c4b859fe74342742471ee9afbdeebd2632dfe4646135859b93ef9f2738c1341a05090001f56f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
413KB

MD5
0b9c9f7f4b0a2533e5e231811fa8faf2

SHA1
fd5d9f59fbc17a2289440589590b27f406a1b57f

SHA256
0cb5578343807981ad1febdff19b6ecb698406676c3f1c5256445b28c94fb725

SHA512
cfa54ac9b6fafe7d203962c068aca3bfd7b5b5236cbdfd426cd841caaa99bca521619d31071da7a2c6eaf7dd1947b375d7797b3801bb4b2ddcc2caf22c4466ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
413KB

MD5
70e0f2a3ed0623066fd89e148adb145e

SHA1
ef3f350a15ac8196847bf5d64c4bb980a2cdbf99

SHA256
b99ec1ae3c23cc238501311cb2a0598ac7f9df3510f328d936185a08643f40aa

SHA512
7c7074a43dbc867551c0dbd07e0e71b35be309901252e21a2e804ab9d9f123f4fd2fe719bf013613395e616f1db536f96a4c322b0a9f9fa2d20944065c3a3e1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
413KB

MD5
ea7f2fd016bbf7650a25c34e83d93092

SHA1
ad22a4d846cf9e8ef0175ce4f47a64759e007dbb

SHA256
8ee014704f8334a20342efc5387c78153daee8b4767e60d07f2f4d63528fe54d

SHA512
28e1a1ba4b3d0c212edd9c5179510393e4a9fcb881f6e3ec9c16e1bb5addd191f939890277f237fca1feb797bc485725f409e16e37ddb3b6f9e851cd9c639669

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
411KB

MD5
769df21a6a38d8395ec20ae3cfa7aa4a

SHA1
439f7158e38d4fcb3837bea8736b3ce326bd25dc

SHA256
750a5bf18ef4400dcc72a39567da030857b9d8bf34097f5b458ad9a3009aba95

SHA512
32b270400261b589a1e1a7a79887c159d5b9256ef3ef743a6a6567a05b9096c78fec8b20e2260a4ec48cfaf7397c7e1f831dad01c9c6859705d40845ca60fc49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
76134537f01f0bef10ad66a96e0d19bd

SHA1
f33094af2d6fd4136e120034aedd8f30f2099102

SHA256
39500c6fa12e32042377630ac100fae67159c43e3a461404f7ac1b7939b1cfbc

SHA512
80e04bb8efa12484a18d0fb49bbd3cc8094fc4a2a1ef2efc3d56c3f0974d49e3a04f8d952001ee6e42856e59feb579620ac3b2a196e9acbee978dde8312fd785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f0fc5b3b-1c80-48cb-a8d2-b43051a74a70\index-dir\the-real-index

Filesize
1KB

MD5
968adb0f581ffb23ac0a5362f18b65af

SHA1
71a2362eeed4f36caa927d106c9b7be6970a8347

SHA256
842bc584359d52d3abf8c62ec899fc75c9ad47bccd10b00ba6febfed77b1beb6

SHA512
e22b97ff29e1bd2d411f2638e215e6e25d2e63fcf91af7055b8cb649177b4b3307df07b31789debfa6efb4196bba7be287bcad834d2b2c02fdd6fe45d2582fc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f0fc5b3b-1c80-48cb-a8d2-b43051a74a70\index-dir\the-real-index~RFe5c0e11.TMP

Filesize
1KB

MD5
0ed71fb678fe0c2565b82c6a1bbec1db

SHA1
640caa8b48406ef1cbb8726734362e893811a0fc

SHA256
7853098169b7db5d11fa96d9ea38c702e9ab3047f54c3f1ab019a3caf836cfbb

SHA512
c4ae185596fb387c302df734003755615a9c4e7eb9b97fa3d6c0f958b6d00d6e5d614a8d080dc5f56760f756f3e1409909d0ef686929db7bca75d32a4a707da5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
253B

MD5
9853ae3bd29c501f78be20e7883608c7

SHA1
c598d8f4765a77a6a9d43db045e94987d677eedb

SHA256
346a158b712a3af7533ca5ab7aec4cbdbc13b26744568e822ac4938a875dbd6e

SHA512
b17a60fb25a157b17977b359b2bee217d2d7dcd52de7a672bf7bce5d597dd0da8e8f03a49822fb340a9627e2ddddbf754e27f35630fa02dd14d2b547aa9d7cb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
a247a2516b1898215c05690c674d7782

SHA1
77b7926b738f15cc2e7767f2ca7d2d5d5ee9eeed

SHA256
6009a3d20877c3939d0ae316bc33cee7fa49dd4312443fa0450afad2221db12b

SHA512
8f665f59f7ab7086ece7ca26d688073107416ef620aeb5ff3b9f43665e8d3a5e3f5845d62127fcdbdab2ff2ae105ba29b53bb3e3e4e04fbe64c5f6210f27925f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe63cbe1.TMP

Filesize
48B

MD5
2c73ae7327e4783c4b9151e11a45d076

SHA1
51d3739bd75468f345c161030f26a3a9cd329356

SHA256
9e0896f54083b0a3300033f3fa231eb24c1ff0da694aafb9e9b43551664639c1

SHA512
35efb4e202ed420199cf25ad3e1042395194d9bcf1b7293c1e019df533ff113d8e574eaaf05a7049c55b60a4026d04a93509d83ef85e9e7de6e733a6ed4493c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
291eb83cc9eaea5cdc136c78685ecf41

SHA1
2a4f20391dce7027d6a3c7e3c430b42cf8ff9ad7

SHA256
185b5e2883e122609b640ba105721bfabe7de3e0d5ceb65c505d494450b81f96

SHA512
20a9706c6bd3bbb968d0957cde3435f0ccfdbf1ad110f1a8d8ee00a7c6c2e0ede80946acf8897a48bef05ece642f88c2c667d9aa17690e9bbbc5954be134b102

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.3.10\data.txt

Filesize
113KB

MD5
60beb7140ed66301648ef420cbaad02d

SHA1
7fac669b6758bb7b8e96e92a53569cf4360ab1aa

SHA256
95276c09f44b28100c0a21c161766eda784a983f019fc471290b1381e7ed9985

SHA512
6dfa4eca42aea86fba18bc4a3ab0eed87948ea1831e33d43426b3aca1816070ecb7fd024856ad571ca2734214a98cc55e413502b3deef2c4a101228a7377e9d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
469B

MD5
e41c7f90e3ed79d75043903adbd79e09

SHA1
b04403eddd62d65bfa5b16a636e1ca65ea29b59d

SHA256
2f9a503720fbd8a8295e0ccdae96025cf630feeda29bf1f84615df3a034dcfbc

SHA512
95d4657e79b37f18c4bc0f10cff3afe6c1300856d0f20692a5f314a5fdce8f6d675932136c552a6e00ccd416fae636fcf77e50a67a43a0e099678c3942ffeb2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
749bca8d951cf79233817865711864dc

SHA1
b4d3ba2b76688eb5bd6abe1cc33a1e31d1080de0

SHA256
fa6b7efd0d3dd149c5da92782078946209b6c1c862ad2bba697a4fd0f24dde09

SHA512
da8e049d9bec8843a769140c3bcd035a443fbe96424aa2e4ef444151dab425ac472cb0eb246770ea94f672cdad003920ad5bbac0e40e6a480d9a63829917944b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
904B

MD5
09bf574aa6d244b3d15b853c8686eca3

SHA1
34e520efbfac6aeb8760c74c4d8220636b8ff3ae

SHA256
5b87aa8c1c77fc72fd2299b1ec837a70eec212ffbacca55476c2bb6d3dcf59c6

SHA512
7d15d93a8397208c8a57a964d46f857de48e9b57e6e84b5dda55053080cc9228f25530f476b222a71a7632d439d7f1aec3df9c277d03ebbcdc6bbe43c638937a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.1.31.0\edge_checkout_page_validator.js

Filesize
1.1MB

MD5
0e3ea2aa2bc4484c8aebb7e348d8e680

SHA1
55f802e1a00a6988236882ae02f455648ab54114

SHA256
25ffb085e470aa7214bf40777794de05bf2bb53254244a4c3a3025f40ce4cef7

SHA512
45b31d42be032766f5c275568723a170bb6bbf522f123a5fdc47e0c6f76933d2d3e14487668e772488847096c5e6a1f33920f1ee97bc586319a9005bacd65428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18346.18345.1\json\wallet\wallet-checkout-eligible-sites.json

Filesize
23KB

MD5
16d41ebc643fd34addf3704a3be1acdd

SHA1
b7fadc8afa56fbf4026b8c176112632c63be58a0

SHA256
b962497993e2cd24039474bc84be430f8f6e6ab0f52010e90351dc3ff259336c

SHA512
8d58aa30613a2376ccc729278d166a9b3ec87eca95544b9dec1ee9300e7dd987326ea42d05dca3f1cc08186685f2fdaf53c24fd2b756c1ed9f2b46436689dc74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18346.18345.1\json\wallet\wallet-notification-config.json

Filesize
804B

MD5
4cdefd9eb040c2755db20aa8ea5ee8f7

SHA1
f649fcd1c12c26fb90906c4c2ec0a9127af275f4

SHA256
bb26ce6fe9416918e9f92fcc4a6fe8a641eceea54985356637991cf6d768f9fd

SHA512
7e23b91eab88c472eec664f7254c5513fc5de78e2e0151b0bcc86c3cd0bf2cb5d8bb0345d27afdd9f8fcb10be96feaa753f09e301fa92b8d76f4300600577209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18346.18345.1\json\wallet\wallet-stable.json

Filesize
81KB

MD5
2e7d07dadfdac9adcabe5600fe21e3be

SHA1
d4601f65c6aa995132f4fce7b3854add5e7996a7

SHA256
56090563e8867339f38c025eafb152ffe40b9cfa53f2560c6f8d455511a2346a

SHA512
5cd1c818253e75cc02fccec46aeb34aeff95ea202aa48d4de527f4558c00e69e4cfd74d5cacfcf1bcd705fe6ff5287a74612ee69b5cc75f9428acfbdb4010593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18346.18345.1\json\wallet\wallet-tokenization-config.json

Filesize
34KB

MD5
ae3bd0f89f8a8cdeb1ea6eea1636cbdd

SHA1
1801bc211e260ba8f8099727ea820ecf636c684a

SHA256
0088d5ebd8360ad66bd7bcc80b9754939775d4118cb7605fc1f514c707f0e20d

SHA512
69aff97091813d9d400bb332426c36e6b133a4b571b521e8fb6ad1a2b8124a3c5da8f3a9c52b8840152cf7adbd2ac653102aa2210632aa64b129cf7704d5b4fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
80f75b4e86738c045267d288f25c524c

SHA1
ec1cb341d861f717357e5a5fef9e3482184a05db

SHA256
ea31c658f722d5be8991dedbae0cf2dc76c6602ca8189ceaafeea654824f1b48

SHA512
4035713e3a775db3756a4b90089c4ffa469f2bf35f4a9a2c6ebd2ef0a78c54fb5b0e46ac8aca05c9a544c64af92fc2d045cbd6ca87fbfb650af8c782b5068b57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
897fb8009f297eb2799bf6cd8c9d7d9b

SHA1
dd23f7288a05fb2d145ab4c6b386dd5c2400a38d

SHA256
d77f692777def8ce90e3bf171c7d3726e7a47a2edefc5ab3b393589399d6201b

SHA512
b1e5a1e272c155cca41513f85305e25198e39bb717c912e8ae4d916ffa21a18d43056b71b77d35c47eaf8a03cd8d292378199e2415b785ab633408a4ff84b0a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
3b065f82c131de003d6781fe6edfccbf

SHA1
2962c0b09aeec2d7d075a3910d1f40ac7162a2bc

SHA256
f4c91bbe1db84f567f6bfe6ff9f368b8c7a714a8811d73cf09fcdf36c917bf22

SHA512
04c3620d2eba45c24d8deebfb5ffd68cc8f034d11c709fe386568970b4717fc775b5fad42a86c135da36d4c1820174ee86d84f00b14d90899d94fda83eadb67d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
ab29dd2994ae85d9821602cb312119ae

SHA1
1b11da78d9d9b13a64e12bdbefe39a77ca02fee3

SHA256
5f4ecce3d6e00ba4983c191dca994b42a343b75d6876edb08720daad7be10719

SHA512
5710403f146c3393cec108f5c1b084581577dfdb3995c99da6ce225893d4cf686fe3a4bbbea39891292c22189eda568244e2b282a691f50cb07af5353c0b2773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
a6266413085f1a0574aece0c08949316

SHA1
14f7c2fb74a4c56fb741ed2bb8ca722a6e294ead

SHA256
9e04593f6abd2b40388161c579f017786ed92d3e94e4a7c4fcb531bbb4ad4dc7

SHA512
499bbbe78746c29b21ed0648ec7fd08cadcdf27a154acb8d7d65f3eca87546a7118aa807c52e6fc735127f6fbcc7abc4edca55b81bd69f8c55e249df199928c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
2ada77311a16c35fef07518174157691

SHA1
32e279c162459eb09a112c673bc871ec4e5ce299

SHA256
b6f92044ccdb7846d3dee7d7a1f259471c51278664fb1e23cb29989d14149f44

SHA512
ea7b6fbdf7f780ad5d687cffc29d8aab3fd6df6d5025570241977cb8b826c92c2576fed6eb7f44a09db25ddf46063bd68bd090994982958f1eafab5b308eb2a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
34aa6e35587013f48d1dee38f1342cd2

SHA1
171d20860615d2628df1dec73a8abffd0ad91e7b

SHA256
486f5c07b407eed95eba55689c08522096016e3f8b33c8ccbd69c9b5a3004cf6

SHA512
1bd9e4b04f99180065cd8da863399d46229a2801125744644daf0c5d7806db8ba14098d2873fe7025413139aa161ce9f9782aca07bd11a3acb6f0ef6c1c7cecb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
413fa52c83565038a82749e82c973b9d

SHA1
b70dea3068d7af401b0eb1f285d792f06766a2f7

SHA256
84d631356b7143640fc9e9b93f2c73521140acbb36454c92307f1f70eb3f86ef

SHA512
d0b3167e1ddba5c6247d101f3c240f9344f9407f8d62b714a80f7a5cca18f8bb7924b5c45c8db1ee225579c4f15f6827a6bc376ece6e72eecd4456239d862236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
a987747e9839d3ebf505fe69d7810c3b

SHA1
e55642200e962264d96fb5caee56bcffb94a928b

SHA256
26d4bd39d27ee02aeee2277f307b8cda42bfc1b19331f1e412b4e82f1b23d5e2

SHA512
16f6249f404f6d455a3f05fd2e9583d6bb293728233758a0a03b39f2d17d2c76c5507f821ab0afc4c40c6d889d2bb64d6d1cb9e75f8643e25992865d833e50d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
1e5bbd14ed625c026cf24562406cd0b7

SHA1
fbee091bfc3a3fa5f46146fe39c35c474b067476

SHA256
2ac7db042e885819f378f345e69e414feea044edd0da9c94f5bed6668f9f0c39

SHA512
e74f67b20abcfc3b7f8f05b31bcba15a402cdacea6b2356cf39001940f6a1ff5d7fd19ae553cd6f2fe0b0915f9f6741213d075a287d36c9b32c9836347038bbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe635181.TMP

Filesize
392B

MD5
33610f934e36f5d555c7331aee6ab6bb

SHA1
581dba66ed807f85dfa1dd8ebb8d1459bbeef156

SHA256
2a15f05f52487a1836a035f79477f32eb6f90735a8cc1997b2ea2a370433fe13

SHA512
76b019db19602165889a3031fb553d65585b484921a0d163abc9562bd81cc1b56790f30f12ced72d642ff279034b417a266a59a2dc58d974f0cde107f17a3bfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.3.28.1\typosquatting_list.pb

Filesize
628KB

MD5
bd5eeb9c4b00955e5a0f6a332d78cdef

SHA1
cf9e85ae41cf1ef2385a73ef36ebeb3c3378ea3a

SHA256
dbbea874b4b73aeb3ad17355c90f692767a947516481f158b7319f7c43f0e657

SHA512
2cfa521120dd1ab9c2cc90b74cd8d3f6f8991a086bd2dc1b9d225b08aeca8420f565e047f551ddf6d2149cfb02e4ce69b641e328a774dde7017ad374fd58eb96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5hwoy0t8.default-release\prefs.js

Filesize
1KB

MD5
c60f6d15440f63da492bbe7d9f6449a5

SHA1
938b2d5c5f73acf029bebbbb180975bc81040143

SHA256
a39e429ff78546916b6bc27a82e46dd8e088e4840f05dea2d6d3aa635f746268

SHA512
129b1d12e71eca3143849b66dac196bee0138937f711c51cb382305cfeacd9231cd86dde282037be90a457281ed2142dd65ee8f7364ced15d88feba9f931ddad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5hwoy0t8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
48KB

MD5
86083e146afad3cdcad6a8b0e237fab1

SHA1
dbf342be37980662c580a5135408f7e097f361b1

SHA256
8eaea52b05eb61682b4760971fc954f8e5c5cc79a812d08401baf7c8cce77d46

SHA512
50a6c3e95a14801830118cce1650a957d16d5ba1c23521ef81badd25f87d636616179b338e1348e5c248d14a765347a5c95f8707ce3a4bb7ae991d35e2ea0f69

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5hwoy0t8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
376KB

MD5
a3c9d507ab3a8d9b6c75825abd832057

SHA1
4c20b4324633b5a275d56e94eb3283bdb83ecc74

SHA256
9a40432fbd50f453b6a9aaef6fb647bd5b101e5dd30c785bf908f33ffcb49524

SHA512
b31e9f25b51c9662b82d1ea5767a50ff40838ab618035a4e856170f3901d1af288930b5759bdb79c5fd77c1108e14e829ab954dbb8f7e0b064fd949b22c77700

Download Submit
C:\Users\Admin\Desktop\DebugRename.ods.crypt

Filesize
128KB

MD5
c3bfcc3d262406bb6b0a81d75e0b833a

SHA1
d1a7ee774b73533ea6166a9ab3b6b9283c22b83c

SHA256
4809c92b92484f8dd7fe1f82ab014eadd83de250aab0776de41083340c72bef2

SHA512
22907ab824f10f7c8ba2ed8b0dac662be84020760747bb2718de21dc84a01452f735d5a5d4c0fdad7a7a10aed22c23ebfa2f70c76aae76fee78ff39f667a2a43

Download Submit
C:\Users\Admin\Downloads\HawkEye.exe

Filesize
232KB

MD5
60fabd1a2509b59831876d5e2aa71a6b

SHA1
8b91f3c4f721cb04cc4974fc91056f397ae78faa

SHA256
1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

SHA512
3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a

Download Submit
C:\Users\Admin\Downloads\HawkEye.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_1128844113\manifest.json

Filesize
118B

MD5
3e4993f878e658507d78f52011519527

SHA1
2fce50683531c5c985967a71f90d62ab141707df

SHA256
a2fb35b03e24f5ba14cbe0e3c3d8cb43588e93f048878b066fd1d640ef8e59cb

SHA512
9d24ef876ac989e50e9d4d06732a4c4f61e12df366b3d4e5ff93d6a60badac36c3e55e7f13c2539ecb525017490a887fc56580ef8e83483019041ad9b13358d5

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_1224491702\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_1224491702\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_1292484738\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_39298205\manifest.json

Filesize
145B

MD5
465cc76a28cc5543a0d845a8e8dd58fa

SHA1
adbe272f254fd8b218fcc7c8da716072ea29d8ba

SHA256
e75fb1fa1692e9720166872afe6d015e4f99d4e8725463e950889a55c4c35bb9

SHA512
a00286cd50d908883a48f675d6291881ad8809dcae5aca55d5d581e6d93a66058e1fe9e626852bf16e5bb0c693a088a69d9876ccac288181b1f74254bf1da1a2

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_402300518\manifest.fingerprint

Filesize
66B

MD5
496b05677135db1c74d82f948538c21c

SHA1
e736e675ca5195b5fc16e59fb7de582437fb9f9a

SHA256
df55a9464ee22a0f860c0f3b4a75ec62471d37b4d8cb7a0e460eef98cb83ebe7

SHA512
8bd1b683e24a8c8c03b0bc041288296448f799a6f431bacbd62cb33e621672991141c7151d9424ad60ab65a7a6a30298243b8b71d281f9e99b8abb79fe16bd3c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_402300518\manifest.json

Filesize
134B

MD5
049c307f30407da557545d34db8ced16

SHA1
f10b86ebfe8d30d0dc36210939ca7fa7a819d494

SHA256
c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54

SHA512
14f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\Notification\notification_fast.bundle.js.LICENSE.txt

Filesize
551B

MD5
7bf61e84e614585030a26b0b148f4d79

SHA1
c4ffbc5c6aa599e578d3f5524a59a99228eea400

SHA256
38ed54eb53300fdb6e997c39c9fc83a224a1fd9fa06a0b6d200aa12ea278c179

SHA512
ca5f2d3a4f200371927c265b9fb91b8bcd0fbad711559f796f77b695b9038638f763a040024ed185e67be3a7b58fab22a6f8114e73fdbd1cccdda6ef94ff88f3

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\Tokenized-Card\tokenized-card.bundle.js.LICENSE.txt

Filesize
1KB

MD5
8595bdd96ab7d24cc60eb749ce1b8b82

SHA1
3b612cc3d05e372c5ac91124f3756bbf099b378d

SHA256
363f376ab7893c808866a830fafbcd96ae6be93ec7a85fabf52246273cf56831

SHA512
555c0c384b6fcfc2311b47c0b07f8e34243de528cf1891e74546b6f4cda338d75c2e2392827372dc39e668ed4c2fd1a02112d8136d2364f9cab9ee4fa1bd87f5

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\json\i18n-tokenized-card\fr-CA\strings.json

Filesize
2KB

MD5
cd247582beb274ca64f720aa588ffbc0

SHA1
4aaeef0905e67b490d4a9508ed5d4a406263ed9c

SHA256
c67b555372582b07df86a6ce3329a854e349ba9525d7be0672517bab0ac14db5

SHA512
bf8fa4bd7c84038fae9eddb483ae4a31d847d5d47b408b3ea84d46d564f15dfc2bae6256eac4a852dd1c4ad8e58bc542e3df30396be05f30ed07e489ebe52895

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_405004269\manifest.json

Filesize
121B

MD5
16f004af39a3675a73f5c15f6182a293

SHA1
e7027edbadfd881e03d8a592ae661a985fd89cd7

SHA256
4e5ef1851bc910ceeb59a63bb53725cf5d8149feff9483e960b54cc26fdc419b

SHA512
8ef0d80259b5a38424676918f07238a76c527b643267008999dc3b2cff5c93e29ae85cbf0605f0d0b4f880fd6ae96254ebd30e5b80097eea95f5d27b5d461ff6

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_63115946\manifest.json

Filesize
1003B

MD5
578c9dbc62724b9d481ec9484a347b37

SHA1
a6f5a3884fd37b7f04f93147f9498c11ed5c2c2d

SHA256
005a2386e5da2e6a5975f1180fe9b325da57c61c0b4f1b853b8bcf66ec98f0a0

SHA512
2060eb35fb0015926915f603c8e1742b448a21c5a794f9ec2bebd04e170184c60a31cee0682f4fd48b65cff6ade70befd77ba0446cc42d6fe1de68d93b8ea640

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5764_760273793\manifest.json

Filesize
53B

MD5
22b68a088a69906d96dc6d47246880d2

SHA1
06491f3fd9c4903ac64980f8d655b79082545f82

SHA256
94be212fe6bcf42d4b13fabd22da97d6a7ef8fdf28739989aba90a7cf181ac88

SHA512
8c755fdc617fa3a196e048e222a2562622f43362b8ef60c047e540e997153a446a448e55e062b14ed4d0adce7230df643a1bd0b06a702dc1e6f78e2553aadfff

Download Submit
memory/4636-2320-0x0000000005550000-0x000000000556A000-memory.dmp

Filesize
104KB

Download
memory/4636-2315-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download