c7a53cef7508f2abb86996be29a075c2ea63bf09b1bb08e1b1b7a592cf074e60

max time kernel
596s
max time network
598s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
10/04/2024, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

18KB
MD5

975aed651740cac29bc0fa6e3992d3cc
SHA1

42033f32c97b6be4e446c0a77690745eafc28112
SHA256

c7a53cef7508f2abb86996be29a075c2ea63bf09b1bb08e1b1b7a592cf074e60
SHA512

53a57fbf3952c5f0e08781879747d059d27a81f58c3f1a9f38c8763ba7aa8d31849e9797092c7624311b626e9aedd4937956bdefc54350ade3d480b04d1eb87d
SSDEEP

384:rTqN2DpmReVoOs41N9ylKeGM+U8HhhbG167uS2LjFrSE3+dVJCBXQL:rTqYBVoOs41ryI1M0Bhb68CFrSEMJQQL

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
5076	butterflyondesktop.tmp
900	ButterflyOnDesktop.exe
424	6AdwCleaner.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop	butterflyondesktop.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\6AdwCleaner.exe\" -auto"	6AdwCleaner.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	ChilledWindows.exe
File opened (read-only)	\??\L:	ChilledWindows.exe
File opened (read-only)	\??\M:	ChilledWindows.exe
File opened (read-only)	\??\Q:	ChilledWindows.exe
File opened (read-only)	\??\U:	ChilledWindows.exe
File opened (read-only)	\??\W:	ChilledWindows.exe
File opened (read-only)	\??\B:	ChilledWindows.exe
File opened (read-only)	\??\G:	ChilledWindows.exe
File opened (read-only)	\??\H:	ChilledWindows.exe
File opened (read-only)	\??\I:	ChilledWindows.exe
File opened (read-only)	\??\R:	ChilledWindows.exe
File opened (read-only)	\??\T:	ChilledWindows.exe
File opened (read-only)	\??\Y:	ChilledWindows.exe
File opened (read-only)	\??\Z:	ChilledWindows.exe
File opened (read-only)	\??\A:	ChilledWindows.exe
File opened (read-only)	\??\P:	ChilledWindows.exe
File opened (read-only)	\??\X:	ChilledWindows.exe
File opened (read-only)	\??\E:	ChilledWindows.exe
File opened (read-only)	\??\K:	ChilledWindows.exe
File opened (read-only)	\??\N:	ChilledWindows.exe
File opened (read-only)	\??\O:	ChilledWindows.exe
File opened (read-only)	\??\S:	ChilledWindows.exe
File opened (read-only)	\??\V:	ChilledWindows.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Butterfly on Desktop\unins000.dat	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-Q8960.tmp	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-PVEVS.tmp	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-NDKHH.tmp	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-1G2R4.tmp	butterflyondesktop.tmp
File opened for modification	C:\Program Files (x86)\Butterfly on Desktop\unins000.dat	butterflyondesktop.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1204	4088	WerFault.exe	108

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2930051783-2551506282-3430162621-1000\{06063E38-9619-41F3-B0AA-18B35A178A01}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2930051783-2551506282-3430162621-1000\{C920564B-1647-4385-98F7-934E284B1D04}	ChilledWindows.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4220	msedge.exe
4220	msedge.exe
4644	msedge.exe
4644	msedge.exe
1876	identity_helper.exe
1876	identity_helper.exe
1992	msedge.exe
1992	msedge.exe
1988	msedge.exe
1988	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
576	msedge.exe
576	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4956	ChilledWindows.exe
Token: SeCreatePagefilePrivilege	4956	ChilledWindows.exe
Token: 33	2788	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2788	AUDIODG.EXE
Token: SeShutdownPrivilege	4956	ChilledWindows.exe
Token: SeCreatePagefilePrivilege	4956	ChilledWindows.exe
Token: SeShutdownPrivilege	4956	ChilledWindows.exe
Token: SeCreatePagefilePrivilege	4956	ChilledWindows.exe
Token: SeDebugPrivilege	424	6AdwCleaner.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
900	ButterflyOnDesktop.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
424	6AdwCleaner.exe
424	6AdwCleaner.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 2900	4644	msedge.exe	78
PID 4644 wrote to memory of 2900	4644	msedge.exe	78
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 2380	4644	msedge.exe	79
PID 4644 wrote to memory of 4220	4644	msedge.exe	80
PID 4644 wrote to memory of 4220	4644	msedge.exe	80
PID 4644 wrote to memory of 3540	4644	msedge.exe	81
PID 4644 wrote to memory of 3540	4644	msedge.exe	81
PID 4644 wrote to memory of 3540	4644	msedge.exe	81
PID 4644 wrote to memory of 3540	4644	msedge.exe	81
PID 4644 wrote to memory of 3540	4644	msedge.exe	81
PID 4644 wrote to memory of 3540	4644	msedge.exe	81
PID 4644 wrote to memory of 3540	4644	msedge.exe	81
PID 4644 wrote to memory of 3540	4644	msedge.exe	81
PID 4644 wrote to memory of 3540	4644	msedge.exe	81
PID 4644 wrote to memory of 3540	4644	msedge.exe	81
PID 4644 wrote to memory of 3540	4644	msedge.exe	81
PID 4644 wrote to memory of 3540	4644	msedge.exe	81
PID 4644 wrote to memory of 3540	4644	msedge.exe	81
PID 4644 wrote to memory of 3540	4644	msedge.exe	81
PID 4644 wrote to memory of 3540	4644	msedge.exe	81
PID 4644 wrote to memory of 3540	4644	msedge.exe	81
PID 4644 wrote to memory of 3540	4644	msedge.exe	81
PID 4644 wrote to memory of 3540	4644	msedge.exe	81
PID 4644 wrote to memory of 3540	4644	msedge.exe	81
PID 4644 wrote to memory of 3540	4644	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc7b6b3cb8,0x7ffc7b6b3cc8,0x7ffc7b6b3cd8
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3020 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2564 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3416 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7252 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1808,2558724009690265636,3294676358880996386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7260 /prefetch:1
  2⤵
  PID:2420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3080

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3424

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"
1⤵
PID:4088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 296
  2⤵
  - Program crash
  PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4088 -ip 4088
1⤵
PID:2412

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
1⤵
PID:3424
- C:\Users\Admin\AppData\Local\Temp\is-7S01S.tmp\butterflyondesktop.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-7S01S.tmp\butterflyondesktop.tmp" /SL5="$803AE,2719719,54272,C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  PID:5076
- - C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
    "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SendNotifyMessage
    PID:900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
    3⤵
    PID:2412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x120,0x130,0x7ffc7b6b3cb8,0x7ffc7b6b3cc8,0x7ffc7b6b3cd8
      4⤵
      PID:4128

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\ChilledWindows.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\ChilledWindows.exe"
1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004C0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\rogues\SpySheriff.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\rogues\SpySheriff.exe"
1⤵
PID:1200

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\rogues\AdwereCleaner.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\rogues\AdwereCleaner.exe"
1⤵
PID:4952
- C:\Users\Admin\AppData\Local\6AdwCleaner.exe
  "C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe

Filesize
3.0MB

MD5
81aab57e0ef37ddff02d0106ced6b91e

SHA1
6e3895b350ef1545902bd23e7162dfce4c64e029

SHA256
a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

SHA512
a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Download Submit
C:\Users\Admin\AppData\Local\6AdwCleaner.exe

Filesize
168KB

MD5
87e4959fefec297ebbf42de79b5c88f6

SHA1
eba50d6b266b527025cd624003799bdda9a6bc86

SHA256
4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61

SHA512
232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
96899614360333c9904499393c6e3d75

SHA1
bbfa17cf8df01c266323965735f00f0e9e04cd34

SHA256
486e4b4bb11f664c91c675e73cfeabe53b5009ae719459813be17814cd97e43c

SHA512
974735b40a9f92b40a37a698f7f333590f32ff45633c6e619500e74ec274bc20bf7dbc830b1685777b714d37a3ca103d741ee056f4ff45ef08c07b38a7895df7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
19a8bcb40a17253313345edd2a0da1e7

SHA1
86fac74b5bbc59e910248caebd1176a48a46d72e

SHA256
b8024fbed11683ef4b53f5afac0ff691025b7eecca0f6a95737da1585558227e

SHA512
9f8780f49d30aad01b28189804329aeca6ad2b7ffb6be505d40bb1af7802bb62622f518cb1c43a5815bbbb46638f6c52aead3d68f14fa957d18157edb42e95c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
aaed6a9007e42f473ffccf88ad1754ee

SHA1
ee635ad89bb6a5480a2b94f076a73c96c2a14c2b

SHA256
4100bd4c6f863532a9d3f54d58a3e7ac2b5afd169c0b5656d25affb8f866b394

SHA512
f77f2bd030d609915996daffd2220bebf97cea54fe075c6c840651aa1a16499a9eb584017a13ccaac092553c0ad7d6186afff27c0274476b972f8d6a8a5159ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
c79303e32c6a9ff6ab96fabe2c51c44f

SHA1
621ec15b257587fa0586f2ea8fa602066b349f25

SHA256
90e1caf6b1637c4c10d36aa87dfee5d2bb70d5447413e5708cea7a77140f1bc0

SHA512
c07f85aa03a3b9142f979f5989380168ffa4d5b031af26ed23857b9de4899ed562cd7c77a4cda917c6d454d5f7c62242b5b40f3cd7b519f8980d0780306d7720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
712B

MD5
95bc8af6e7172ef6ffbb2d35cc938f0c

SHA1
7f3e0a93b650a56540ffdb3d27a58199558f07e5

SHA256
5d6629ce5a97bee7d15712a1b617f6d528b429198a4a7765ae8e537a7e5be9f0

SHA512
d5a95756cfc42f4c9b30dd7ae138101c025960f1294aecfb098868b4fc9a98d5dcbaacdf365e85682bee15f66ea3bd151b21aad554e5372b1575d1d0e5929dbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
afb0a9b1ad81ea3fcce342cc85fd1892

SHA1
15f849075a24a340870e866592d9c79fbede7901

SHA256
23a61cd70df6e56a76e6a58c8fa3e0a020396534d47003b0ef6e81ed9100a90d

SHA512
37c1c5934e38f3b2054b328908c7b80c4e729cd073f73dcc43458b3209c18b7098fa1c7749f5549b295de3587182a8494d061c6dbfa9ebd4c00cfd0795e0e126

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
cf3e5ef79262c835475192cbe1499894

SHA1
fea30329153527bbfb176b55584699691470339b

SHA256
08848fdb31ae516780b2b694eaa5a1a1fe3e28c266a13548636e0e4b24728853

SHA512
9775b6d9bbc3cb4eb95ca134a27ca16424ed323944990b5dc4e8753eb588a1660f0e2056f5a188c8150a616399a3d0a2c249ff53d8df46d079ff1744ba1c273a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
df83766118ceae4b54d7aa0269b6deed

SHA1
e007bcbe2240fda2ebca613d9eb3c3c064ff1e27

SHA256
1fe9172a5040a60b283faba46af9a09049ca2cf385b5700fbd2754ac2b15bfd1

SHA512
e40880c9c15ff637e3dcf66202b7b9ae711fdd297183468eb8131e370e0eb9c901b50007c2dbc422b1d71c63e374514bdc5a40c214ae8486b5f614547bc8235a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b0c20dad3046d49754b1095acb6bb837

SHA1
8b137bed96f593be01690fb2c55d4a989c89e0a1

SHA256
f680661e69dec4f577b3bbbb5d5eac55212d39f1e350ef26319235120666af2c

SHA512
95dc514af51c6ecc1a87ebd88f9ed5bda415f551683540f87e0bf7ae1ba91c813e1540b81da6064fb629c95d8387f0bbd2981cc25a959db06f706e0a0f729924

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
126d28ac22b90f2e084b2027f2db8027

SHA1
1754d361faeec6c4d77c1dd97a29abb181332326

SHA256
7c6d3fb5a2d3023162e251d79ef92edae7c32dade642d5d7a114c4d0bb3f2aed

SHA512
13f885681909b46b7c3677c42cc3842fea9e93eff8cf296c323ab14fd000c7e0856fdff6d90c3bc1b72bbd1a94c0259704b71c261b0c4f9881868a35038ecc96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f4bb4153353edbb15a482128a8cd48e1

SHA1
d09d80d0b5daceb58c93d44e07f940d3064a79d4

SHA256
1acbe964585f78fdbf4a397898ec0c8cb246e02a652e75c4114f6ec24414e1ec

SHA512
8bdaa770e361e0076a30e990b28092ec3b2982a328040275d79ec1d59e761e1fcb4acc00a0337576bd9069f160027f45933675b861c2919691a21913dbe508b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1e2ee6a12ca07cbc97ebe9f4e826f850

SHA1
3fe3000df43755874130e8e83aa974fc3fa3f737

SHA256
92a18848b96d617fba08cd006925efb951ab5f8fd879f6c29a98e434ede19313

SHA512
aea264f0232a0642847d364167fafd484c3d50284940474c37229618bb66c788ad984946fb1993888cdd8f8ce5faadd7863e4465358e9be92169965e0b4cb62f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5a1a289843a53c2892c4bac01548baa0

SHA1
d7e29d55386f2bd86978395b8cd113c85f7ba4e9

SHA256
10194a19032524cfdf2e5b37ee3152300b193dc82d0596c8558d53eaeb7e6400

SHA512
6db9ab51709948ae78d4934b924cc6a0c361936b158f72719614acf70813167715b0c316a6a8dcd4a22bc17dd92abfe168432cb4a54987e6962cf3f28b450cf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b9e46b9763830a8764f8c764cb3a18f0

SHA1
f7fd60395b2c2c4c5e95c09d424f12eeef8fe1ae

SHA256
f7011345cfaf39b496dd978a8ab05aabcd9f37fd9dc574ff10693bcd66dc07fe

SHA512
8ed9d5bfaf4fbe06005df8bdeb8ed1a04a2c7e15adc33de6052bdb7a635d9b8f0ab359fad157cb67edbf0a8b421395f7d0155e4b7cc623914fde988995b6425e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
df26ae4c0e49d5e7ca628214b9edad78

SHA1
030a01c22797d0e6376672866386372a523bef29

SHA256
4d2e6abae32cf8080194e11c0f0986ebecb59039419d794c6858bf6c3928d8d4

SHA512
e84f0f7611ad6bf75dcb173ba7ef742e10062e3ada684899aae171cf2bf3370557190423a1a5df5490bfe908a22996ea835c981ddfcc89435d3fc67671b6cc77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
e5b1d18fa78bb02f5969f194467bed50

SHA1
eb02cc8c2eabd3f19e901bf66c6dfb6f711e6126

SHA256
d71017278bab3a2cdeba089e152f70f783ab518890446173fd9afbc4d53f8346

SHA512
9f5a4030ca8e0bd84a0164e564913cff903b2aee25e7d5f30c903037bb585c679310b8ae78427a5738008a955050c4ba6142c3f6fa07899b02d28ee961510f3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b22266fa598fba8b45ca016136c6e9ee

SHA1
938f8766b66c1e5d6d26f2594be4980a899da773

SHA256
f2e54fbd16c2327d9d27492b5eb4de848b7276f31cb10ca0bade7bbd62ff031e

SHA512
fe13c6785e3bff07363d89b519f8d058b7a84908e4baa048483534dfa5e34b85fd55cafdff267c442f6f6774de38a802ff67f45e5531f6e335fdb8d9332245d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6f0f8f8fc49bf5daecf2d4c9d1f55a2e

SHA1
b0803852c16f735fc98d90abaeb785d43220be69

SHA256
499883db026bf13b885b73d0e4e8f1f34c909169b4a50dee6feae25ecb092996

SHA512
7055cd3d62477a529df83422d3fd1b35c391f2dca1e7b7313fb070e5ed33ab38afe396a83b4641e23bbd4b422a6c488781cf83ead3905ebea76e9df95c84276e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7fab106c637fa619728cb85bd7f84f78

SHA1
f6f82aa385087d95b1a4b7012ed55fed2be9ba4e

SHA256
c9c3ea273603fc6a8487f12b0f746c67eefb22556635f2ef58a9a136913f058a

SHA512
65c972b225aa5fa7667cbc80f5760bbb17fb25f8a8bcadb3c144fa41d2494e94da3562c5964eb23d5ccae2e7d331326d535dc5e1c22539b8bd4bf441f76b8832

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
12a1c3e9fff2d882e556b3882919e625

SHA1
f6225a0c287600f60beaaf62ff837924297e78c4

SHA256
47ed3f65b0c7f50172c411ce1e40cff39b4f474660e5d0f46b1355128fdc0c56

SHA512
d880da42516577b47949fb2eecf7a0580e0d720467f1740f54fbd2ed302afe422d538737042a3b4bcd0865e7e6f4e179eb8650ff9ed95547178572fa4cae68fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c6b6.TMP

Filesize
538B

MD5
ef5810c5896eb7a9d8ca657599641cd7

SHA1
bd2fc438ec33b89dd8deec0314be1c5e0bf3097f

SHA256
a4cda573292dca7e66c81174e862864db4692b055a863c09d4567b7a8b599a9d

SHA512
fcd83854699a3a57c7aa39a341f3ccc300f12d2e91f48508356c8d25f5c3e3e24c5dfbd66202705a23e222f93f0b301495b395df50fe7e571f85d17908fbe2fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5b438ff10e4e6a60dac75009a4944e85

SHA1
f5483aac8742ad34f5427eaa8608bcb48435574a

SHA256
85b13dc5b8d29204ecf4c8f71902b40cb17a92ff8a0646677743f352fce666b0

SHA512
4f91bb7a29b53a6cb6369cce2accda5a7d5b78aef1d498e6cbb32612ee2d1a27e9dff00f85e09c4c9001834c005951496c26681bc435afe3f605f913f460064e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c6a1eb8c7ed754bd7e56df4f1aa8c8f3

SHA1
5b340cd486ff43808f36fa3409ce9cf07ec99509

SHA256
26c452d21b08d532e73d5b46607722b071aea39d37cbf0ea7859b3076152b9ca

SHA512
f0ec7ec8859f2fcb66191cd4e3ec85d194e05ab3f244f044f3ab4651c4b5bd728fb8819335c41c5581c5f3591e1ade42f6af86400e94dabb1708ad9af2396c4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
89ba9da219037229ecb8c994c47ef8b5

SHA1
4338a8fd91bdd32824d0836aae450b94529c6643

SHA256
f0d230636ee0d76880cb6d0cf360cf096a4d26af10c03ebf60faf35137f21a03

SHA512
21b8f6c7c8cf2b49b60c2057a95a8278276e416810e10881bf2df3a63a90640e5d99fa5940699ab8d25aa13c04fa4334ef58406ece33a4b313a7d55733957cdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
1a3d8e9188da4b7ded0958e2d3920871

SHA1
48dfad2acc16c97fb5ff2d2f814e320c6c7e448b

SHA256
114ac57f3e1a3fa374a67fe5d1407ad1a570847f4ee13e12544e6af2e4c2ce24

SHA512
790eedfbc38697d47caf5ccb45cdda93a78bb6b0859fb70f6796ac42201dc977cf4a1af4b30e51c11f19ee544dc536717cc3a135d17c25b7df5812438f39c390

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7S01S.tmp\butterflyondesktop.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
667a1cc401553e63f630d70664c6c412

SHA1
19f97e4c81313547877316ded396c4dfd998f3b5

SHA256
b1abe176ca8c2648b4d6b64ef32dd8b28ee05dc9e33a076ce8b11ce74e85e29f

SHA512
26769a3da06d0492e14f6ca95c7a09feb44185237d57fd4cb1359d3757581b15499948b8d408aa533db474ce167a16e8a9e2e8692fdc607de9ac5e13d8a25c33

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\chilledwindows.mp4

Filesize
3.6MB

MD5
698ddcaec1edcf1245807627884edf9c

SHA1
c7fcbeaa2aadffaf807c096c51fb14c47003ac20

SHA256
cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b

SHA512
a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155

Download Submit
memory/424-820-0x000000001B950000-0x000000001B960000-memory.dmp

Filesize
64KB

Download
memory/424-816-0x000000001B950000-0x000000001B960000-memory.dmp

Filesize
64KB

Download
memory/424-814-0x000000001B950000-0x000000001B960000-memory.dmp

Filesize
64KB

Download
memory/424-812-0x00007FFC67730000-0x00007FFC681F2000-memory.dmp

Filesize
10.8MB

Download
memory/424-811-0x0000000000C60000-0x0000000000C8E000-memory.dmp

Filesize
184KB

Download
memory/424-823-0x000000001B950000-0x000000001B960000-memory.dmp

Filesize
64KB

Download
memory/424-815-0x000000001B950000-0x000000001B960000-memory.dmp

Filesize
64KB

Download
memory/424-824-0x000000001B950000-0x000000001B960000-memory.dmp

Filesize
64KB

Download
memory/424-813-0x000000001B950000-0x000000001B960000-memory.dmp

Filesize
64KB

Download
memory/424-819-0x00007FFC67730000-0x00007FFC681F2000-memory.dmp

Filesize
10.8MB

Download
memory/424-821-0x000000001B950000-0x000000001B960000-memory.dmp

Filesize
64KB

Download
memory/900-699-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-778-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-671-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-818-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-817-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-661-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/900-660-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-609-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-799-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-736-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-822-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-511-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/900-756-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-797-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-796-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-759-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-794-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-793-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-762-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-792-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-777-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-700-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-779-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-780-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-781-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-782-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-783-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-784-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-785-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-786-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-787-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-791-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/900-790-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1200-789-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1200-788-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1200-798-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3424-473-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3424-475-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3424-486-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3424-517-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4088-471-0x00000000028F0000-0x0000000002B75000-memory.dmp

Filesize
2.5MB

Download
memory/4088-472-0x0000000002B80000-0x0000000002E0D000-memory.dmp

Filesize
2.6MB

Download
memory/4956-717-0x000000001C280000-0x000000001C2B8000-memory.dmp

Filesize
224KB

Download
memory/4956-776-0x00007FFC668B0000-0x00007FFC67372000-memory.dmp

Filesize
10.8MB

Download
memory/4956-761-0x000000001BB50000-0x000000001BB60000-memory.dmp

Filesize
64KB

Download
memory/4956-760-0x000000001BB50000-0x000000001BB60000-memory.dmp

Filesize
64KB

Download
memory/4956-758-0x000000001BB50000-0x000000001BB60000-memory.dmp

Filesize
64KB

Download
memory/4956-757-0x00007FFC668B0000-0x00007FFC67372000-memory.dmp

Filesize
10.8MB

Download
memory/4956-718-0x000000001C250000-0x000000001C25E000-memory.dmp

Filesize
56KB

Download
memory/4956-716-0x000000001B8C0000-0x000000001B8C8000-memory.dmp

Filesize
32KB

Download
memory/4956-714-0x000000001BB50000-0x000000001BB60000-memory.dmp

Filesize
64KB

Download
memory/4956-703-0x000000001BB50000-0x000000001BB60000-memory.dmp

Filesize
64KB

Download
memory/4956-702-0x00007FFC668B0000-0x00007FFC67372000-memory.dmp

Filesize
10.8MB

Download
memory/4956-701-0x0000000000780000-0x0000000000BE4000-memory.dmp

Filesize
4.4MB

Download
memory/5076-515-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/5076-487-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/5076-480-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download