redline | 121e4e191ce00a7e9c0adecfd344c71117318aac7d2f6ca9b4f9a8cb3f7d5149

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x000a00000001af29-1110.exe
Size

175KB
MD5

6efa25c26be8b5c15a761d31ae6a2d44
SHA1

be3e836eb74fae552794b84e230bc7f944deb86b
SHA256

121e4e191ce00a7e9c0adecfd344c71117318aac7d2f6ca9b4f9a8cb3f7d5149
SHA512

14c49bfb32116a87383f19b09937e6c9a26fec71a1971a7c66fe7e01d39d1d2a5acf50d8e36f87b554a6f75c4afbd4d35895f77758e6a91b922c465a472e8223
SSDEEP

3072:4xqZWZRanU2n0/Z62eJ5evJ9ih+PxNn2pU9f2MKTV/wi4lr55R9TxlnsPsUw0jOm:mqZg/Z6XJIih

Score

10^/10

redline from discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 2 IoCs

Processes:

butterflyondesktop.exebutterflyondesktop.tmp

pid process

3616 butterflyondesktop.exe
4016 butterflyondesktop.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3616	butterflyondesktop.exe
4016	butterflyondesktop.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

butterflyondesktop.tmp

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run	butterflyondesktop.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop	butterflyondesktop.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 6 IoCs

Processes:

butterflyondesktop.tmp

description	ioc	process
File created	C:\Program Files (x86)\Butterfly on Desktop\unins000.dat	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-SJOFF.tmp	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-A87S9.tmp	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-8JF0I.tmp	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-5FTB9.tmp	butterflyondesktop.tmp
File opened for modification	C:\Program Files (x86)\Butterfly on Desktop\unins000.dat	butterflyondesktop.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133244644139770423"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

0x000a00000001af29-1110.exechrome.exe

pid process

1504 0x000a00000001af29-1110.exe
1504 0x000a00000001af29-1110.exe
3128 chrome.exe
3128 chrome.exe

pid	process
1504	0x000a00000001af29-1110.exe
1504	0x000a00000001af29-1110.exe
3128	chrome.exe
3128	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

Processes:

chrome.exe

pid	process
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

0x000a00000001af29-1110.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	1504	0x000a00000001af29-1110.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

chrome.exebutterflyondesktop.tmp

pid	process
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
4016	butterflyondesktop.tmp

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3128 wrote to memory of 488	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 488	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 1508	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 416	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 416	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 5004	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 5004	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 5004	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 5004	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 5004	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 5004	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 5004	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 5004	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 5004	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 5004	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 5004	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 5004	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 5004	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 5004	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 5004	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 5004	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 5004	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 5004	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 5004	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 5004	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 5004	3128	chrome.exe	chrome.exe
PID 3128 wrote to memory of 5004	3128	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\0x000a00000001af29-1110.exe
"C:\Users\Admin\AppData\Local\Temp\0x000a00000001af29-1110.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ff9a2919758,0x7ff9a2919768,0x7ff9a2919778
2⤵
PID:488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:2
2⤵
PID:1508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:8
2⤵
PID:416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:8
2⤵
PID:5004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3180 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:1
2⤵
PID:2672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3308 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:1
2⤵
PID:4412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4556 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:1
2⤵
PID:4256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:8
2⤵
PID:4248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:8
2⤵
PID:4228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4952 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:8
2⤵
PID:2280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5104 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:8
2⤵
PID:4172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:8
2⤵
PID:4032

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:2056

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7a86b7688,0x7ff7a86b7698,0x7ff7a86b76a8
3⤵
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:8
2⤵
PID:1624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4688 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:1
2⤵
PID:1808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3480 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:1
2⤵
PID:3820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5496 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:1
2⤵
PID:4228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5264 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:1
2⤵
PID:4148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4920 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:1
2⤵
PID:1520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4696 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:1
2⤵
PID:3120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3460 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:1
2⤵
PID:4740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3396 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:1
2⤵
PID:4920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5980 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:1
2⤵
PID:1844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=6284 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:1
2⤵
PID:4068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=4956 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:1
2⤵
PID:1180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=3272 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:1
2⤵
PID:3304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=6064 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:1
2⤵
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=4844 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:1
2⤵
PID:1336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6032 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:8
2⤵
PID:4172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5816 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:8
2⤵
PID:2108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5480 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:8
2⤵
PID:5052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=5708 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:1
2⤵
PID:1884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=4736 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:1
2⤵
PID:992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=5292 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:1
2⤵
PID:1112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:8
2⤵
PID:3960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6048 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:8
2⤵
PID:1212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5324 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:8
2⤵
PID:1220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1724 --field-trial-handle=1812,i,15905118885535383692,345884858030803012,131072 /prefetch:8
2⤵
PID:5048

C:\Users\Admin\Downloads\butterflyondesktop.exe
"C:\Users\Admin\Downloads\butterflyondesktop.exe"
2⤵
- Executes dropped EXE
PID:3616

C:\Users\Admin\AppData\Local\Temp\is-PQQR9.tmp\butterflyondesktop.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PQQR9.tmp\butterflyondesktop.tmp" /SL5="$601F4,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:4016

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
Filesize
3.0MB

MD5
81aab57e0ef37ddff02d0106ced6b91e

SHA1
6e3895b350ef1545902bd23e7162dfce4c64e029

SHA256
a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

SHA512
a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7a358a52-fdc5-429c-9f95-2f5542aeaeb2.tmp
Filesize
6KB

MD5
985dc15eaf2f911f99436f1e66d8c9ce

SHA1
294a52b1fdab857f4ffb1950452bbff6dba0ccc2

SHA256
2584e3d82e5964148dec138b783593f886986baa794553918ca411319e2f08fe

SHA512
5230052a31a92306b6b545b1671f8d1ba44d66e41a0de1ffe00e737c25150149f167e65983282f39331c238a64ffcad07608853c7c209ea81b4f39d6cab4d992

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a
Filesize
26KB

MD5
3afecc191d9909d908c12ceda31f4598

SHA1
866a52cfa47f493770808b75720f01c18367a4f5

SHA256
166c2e0bef546aea3005d2d4ffccbb09cc5039084b64d40132a261b49cfe564b

SHA512
e7a6f9fe8a1a4b08952efb4f618cb28817113431468cb8f28e68ddbb3ac7ace535c62b1104a4c50544840b8cf7cd63b6fcc11436311f6b133207d9c08b8aa975

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f
Filesize
47KB

MD5
16d37bfcf9ea6bb90ab76e957657f735

SHA1
c01b2c9f74b54c0eff4d9cfd809dedbe69a0262f

SHA256
837bc4c4294885c32df92efb2bfbdd14182f883acd22a53c97665fa5e3d71a3d

SHA512
1c8cd09e8b74e9bd41ebd0fa3b75f314ef596f285603faee8a37bda00a48c38da0d154bd845a223e2ac4d499593f7caecb7add5d2fbfca996a56b76b41c24f39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003f
Filesize
132KB

MD5
e88a6e1ff28abdc11d44341951e0a203

SHA1
67014decb09246b04e3148e65692c492cf9462b9

SHA256
d2b55efdd466e905bbab627cbe845d4f2919270024b0ca7fc674d4e808ee6716

SHA512
6136a68f5a81a76d0d0661299413eeb91c0910251121aab3b133ccb7f9353eb538db15cda751c02d77312bb3a77ee390a8a84c10c881a5a26b7697d9d1a76db2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
eb0edbc426c7c17a3de95ad9dcc1b554

SHA1
786f4769a4c632e012e20a711cc2c19627abd54d

SHA256
a91225e86b1e30a926672103bc4236c07f76f9e226674f6b4f814b563cc2eab0

SHA512
afd59b161081cbac9dc476f01cba9ef47928f3c2fccbcbe0b0a8739690dd8dc5653b6f3c25e3fd16a38f92b610da5ce4ffcffbe1c5e066c631b0266ca0a51378

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
6KB

MD5
64283a4b834bc9c96b3e49f9157737b7

SHA1
8a28ae61ba1765eda82d1548cca9c1efd3d2df59

SHA256
d2f0fd24b5f18e26db44dcc3f15e568383994447b0663f94e6e25d3f844e88b2

SHA512
9440f217f5e6ebf21973c563f97dd914d7d3474cdb10e6ef4cb3549c8afa241ce407d72893cbd09b6865fe60723edab8a63425353847115f87d4a16d45fb802f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
539B

MD5
fb83c8a6faf12c936e9dff0c34dfe52d

SHA1
206e7314c411c5e695ba83197668c9c9e0beb773

SHA256
628cd0ada0aefe04d0303a6f37e7946b42307fd5d9bd88856876968876437dec

SHA512
93a0fc28ddd822ac651b0e2657dd6d6130f94749c6d5a0d5d593de61c2de0920b7e688499f3ed54a60557933a9529fc1e3b949cceca458f4dc533416d265c3c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
da5568acc6cce83b73a0a7e670a15106

SHA1
c4ce61deac14cd9160334e43b9bb20c15b214f5c

SHA256
c7a77dd0f81d3a70396d45d71d7b7c6b021b60a0e061e16cf0108aa9393a99a5

SHA512
3567b15be6dd5ef74fe0a24d2321b30d5d727778698ff7f1e7f73103f355b57650aa803e615da78dd226a8cb2468d1630e0f1cc94d5b179d64ce933f2bd397e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
30b350c3778673f5240573d8366dd8d6

SHA1
12d0ac719e9628ecc719670dd1da400acf1e1d50

SHA256
45525442311e63a005b8955279d2bf1470f79cafe0ca09be8b1915b7303c290f

SHA512
cad3a69e3f3030453ebdf40f214adf7ee79f3498605eb1a6955f226ae05cadbc745ddd7a08d0065aa7985f7bc9d2dc6e2148bca54910dce81bf5ba36e4b25293

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
d7ffc1565971c2b6e5eb97e2e096ea6a

SHA1
efd039d70c731d81c0ca2223e68d82b1b2a137c6

SHA256
03ab6d1b290536e262fdfc24a655e20a0afbedab2d3544748f4708bfd6c594a9

SHA512
c488cf11dff805075d83aeb90e268cead68e0bbe24d56cfea34ec9a7eea8c2e1771707bb01cb642eda372a69241790f3ea31071767bd08ced0a8b9fcbfba25df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
c89e157731d2a6e11ad9f9c9b86063cd

SHA1
0f999a8ba6e218e1f269193759de7f382ccd584b

SHA256
a0ba1f395d6ba3f6237d584a388efa2e635e24b6b282a727ff78ce2ae6c38755

SHA512
6fdbe2ad4abf1b7ab823853746d07854805357949ffcda5435717b8994fc7c681684930af45f289752f3207f7a95e5b969487f65731f4f53ec4ae68d5f07d801

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
8f3ed41241745fa1b0d8100d86d4c339

SHA1
662b5d5f2c73c4d958269fa9902bd71cc3253851

SHA256
454610def078015beb30142ae0d0011ed72d60a99888b2bb39a1a4ecf5d0d92a

SHA512
218f6e3688fc4d3d39caab6b9c864ce0c0182695ee3c2535ff226b149cca0d1106c58b7c912653f2fc845296c2489c10563702b6661fd2c09592a64b59d055d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
c8eeb4fa944f8fa9cf9dc71dc9475b33

SHA1
c59bcd6c4bb3a0429ef9a687a356576a65793e6b

SHA256
26538c77e1d73ba6a0fe6fc854238e0cf75aecf501685e63fe9bcee13987c626

SHA512
e4af0db9f104858f9ab155abc169d51e3747c315a3be84328ccee67c8d34711c7725303db4faa27f2b185c73c3320619a16248aee07150f38811addf85e48cc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
7514c185f783247bc4e8871290355e9b

SHA1
598bc39decb1df9b9592a7b51bd6f31ac4970477

SHA256
2d476d8d5447d062eb22a64539086a98c2cde92a55c267eccd7eb97fea0128f5

SHA512
d04396216b0a9ee9606ad3b7f7007613b6fd6c660efe3f668ca6051eaa2089f8bf6192e3bbaa32d98501a977dde8619dc0499e1c6ea1799a286180616992d798

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57782d.TMP
Filesize
120B

MD5
7aec2be6f6fe024003eb1ae0cdd77d48

SHA1
561333c7a66903e9e167802dcac923057388f5cc

SHA256
83d2755f655b47283238091b816c3b11d2f593431af606fab7b8becc05edf0ee

SHA512
df666277f73e5f23fd64d0cd82a4d3c9d5d676bcfd7d329e4567737e016871d97f75937358fc29e4c0597fc3ce8796bc2888365d356eaf38333aa4bc1079a150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
1e67f262e85aee9d2d2fdcd66e09460f

SHA1
79dfe8c496c49016086698b9a296529c9419dffb

SHA256
e606603d29af61bd55087453fb615ed0087fe1219e5cd7ca9f402da9edf7cfeb

SHA512
0127302fa59477bb8bbbe0bdcdf2039334ad43fb78d52c8ed9c869f95a9ae0611d99e15bbbe2606ef492b16f12a84a83d2b86a1cb7eb8364294f7e633a3bb574

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
f0ab86a1e46c2c5aeb610ebdbe44764a

SHA1
abc1d9af72df9bd9859f6ec5b518e908207e02a0

SHA256
00fc5818d625157a463a1ff0a0cf1d8cea38e3f71c12e562b4da9925a24e5e30

SHA512
5fe8600a56f156d3042569cb1ac6659366cb27600d07a1df74540516cf4b157ad3ba73b2f024eb25e6df10a8c71d654cf47256d6b9ccffba46ad04ae3aa83b76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
116KB

MD5
fb0f8b88638c1ae762ec5e3fc37b7d0d

SHA1
c8c089f49798c1f4414ed1b29020391cb4b080b2

SHA256
46aa4288078f3709a8af2fbcd7c2449a9f015c04cbbc0c593d9253ae9ad7ecf5

SHA512
506922843849635c11286736f6aee4f0619d18a209ec7246aca504d8e5a3c1e111a72f3a5521d10ccd4d6de6b13d3530fecb23f194a6b2eed604c87a53ce22ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe581f99.TMP
Filesize
103KB

MD5
271ce439b639fbb6feaffe617a15c888

SHA1
e89967505b79c306cc955102382c309b31f2de86

SHA256
fcae8df3c42712b63f9947b698587ff12faa64730997e79bbafab176e6f8f676

SHA512
8ca9e6982a6d4b4fedc3db5980accf9583d7d9c3dba82647f35b6808ba61082db60d58ea827f3e45901e042001a5d4b2169a942ddddc30fa3b16501d364ddf20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PQQR9.tmp\butterflyondesktop.tmp
Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PQQR9.tmp\butterflyondesktop.tmp
Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\Downloads\butterflyondesktop.exe
Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
C:\Users\Admin\Downloads\butterflyondesktop.exe
Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
C:\Users\Admin\Downloads\butterflyondesktop.exe
Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
\??\pipe\crashpad_3128_RTATDROBNVXQPTWY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1504-144-0x00000000078A0000-0x0000000007A62000-memory.dmp

Filesize
1.8MB

Download
memory/1504-134-0x00000000051F0000-0x0000000005808000-memory.dmp

Filesize
6.1MB

Download
memory/1504-133-0x0000000000290000-0x00000000002C2000-memory.dmp

Filesize
200KB

Download
memory/1504-143-0x00000000075D0000-0x0000000007620000-memory.dmp

Filesize
320KB

Download
memory/1504-140-0x0000000005DC0000-0x0000000006364000-memory.dmp

Filesize
5.6MB

Download
memory/1504-137-0x0000000004CC0000-0x0000000004CFC000-memory.dmp

Filesize
240KB

Download
memory/1504-145-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

Filesize
64KB

Download
memory/1504-142-0x0000000007650000-0x00000000076C6000-memory.dmp

Filesize
472KB

Download
memory/1504-139-0x0000000004FE0000-0x0000000005072000-memory.dmp

Filesize
584KB

Download
memory/1504-138-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

Filesize
64KB

Download
memory/1504-135-0x0000000004D10000-0x0000000004E1A000-memory.dmp

Filesize
1.0MB

Download
memory/1504-146-0x0000000007FA0000-0x00000000084CC000-memory.dmp

Filesize
5.2MB

Download
memory/1504-141-0x0000000005810000-0x0000000005876000-memory.dmp

Filesize
408KB

Download
memory/1504-136-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/3616-713-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3616-745-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4016-757-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/4016-764-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4016-755-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4016-800-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4016-719-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download