hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

27-09-2024 13:49

240927-q45laaxgne 10

27-09-2024 13:46

240927-q3bltaxfqc 9

27-09-2024 11:49

240927-ny4qpa1dkm 10

27-09-2024 11:43

240927-nvsh9a1bnk 10

Analysis

max time kernel
622s
max time network
623s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-09-2024 11:49

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

agilenet bootkit defense_evasion discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\mrsmajor\\Launcher.vbs\""	wscript.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1"	wscript.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 6 IoCs

pid	Process
1388	butterflyondesktop.tmp
2904	ButterflyOnDesktop.exe
2888	butterflyondesktop.tmp
2604	ButterflyOnDesktop.exe
2748	ButterflyOnDesktop.exe
2268	eulascr.exe

Loads dropped DLL 17 IoCs

pid	Process
2304	butterflyondesktop.exe
1388	butterflyondesktop.tmp
1388	butterflyondesktop.tmp
1388	butterflyondesktop.tmp
1388	butterflyondesktop.tmp
1388	butterflyondesktop.tmp
1388	butterflyondesktop.tmp
1288	butterflyondesktop.exe
2888	butterflyondesktop.tmp
2888	butterflyondesktop.tmp
2888	butterflyondesktop.tmp
2888	butterflyondesktop.tmp
2888	butterflyondesktop.tmp
2888	butterflyondesktop.tmp
2888	butterflyondesktop.tmp
2888	butterflyondesktop.tmp
2268	eulascr.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	wscript.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/2268-3116-0x0000000000070000-0x000000000009A000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop = "C:\\Program Files (x86)\\Butterfly on Desktop\\ButterflyOnDesktop.exe"	ButterflyOnDesktop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop	butterflyondesktop.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop = "C:\\Program Files (x86)\\Butterfly on Desktop\\ButterflyOnDesktop.exe"	ButterflyOnDesktop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop	butterflyondesktop.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop = "C:\\Program Files (x86)\\Butterfly on Desktop\\ButterflyOnDesktop.exe"	ButterflyOnDesktop.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ClassicShell.exe

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File created	C:\Program Files\mrsmajor\default.txt	wscript.exe
File created	C:\Program Files (x86)\Butterfly on Desktop\is-8N50C.tmp	butterflyondesktop.tmp
File opened for modification	C:\Program Files (x86)\Butterfly on Desktop\unins000.dat	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-T0PMH.tmp	butterflyondesktop.tmp
File opened for modification	C:\Program Files (x86)\Butterfly on Desktop\unins000.dat	butterflyondesktop.tmp
File created	C:\Program Files\mrsmajor\def_resource\@Tile@@.jpg	wscript.exe
File created	C:\Program Files\mrsmajor\DreS_X.bat	wscript.exe
File created	C:\Program Files\mrsmajor\mrsmajorlauncher.vbs	wscript.exe
File created	C:\Program Files (x86)\Butterfly on Desktop\unins000.dat	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-VOGA3.tmp	butterflyondesktop.tmp
File created	C:\Program Files\mrsmajor\def_resource\f11.mp4	wscript.exe
File created	C:\Program Files\mrsmajor\Launcher.vbs	wscript.exe
File created	C:\Program Files (x86)\Butterfly on Desktop\is-2DHNF.tmp	butterflyondesktop.tmp
File created	C:\Program Files\mrsmajor\CPUUsage.vbs	wscript.exe
File created	C:\Program Files\mrsmajor\def_resource\creepysound.mp3	wscript.exe
File created	C:\Program Files\mrsmajor\reStart.vbs	wscript.exe
File created	C:\Program Files (x86)\Butterfly on Desktop\is-QF42D.tmp	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-OES0R.tmp	butterflyondesktop.tmp
File created	C:\Program Files\mrsmajor\Icon_resource\SkullIco.ico	wscript.exe
File created	C:\Program Files\mrsmajor\MrsMjrGui.exe	wscript.exe
File created	C:\Program Files\mrsmajor\MrsMjrGuiLauncher.bat	wscript.exe
File created	C:\Program Files\mrsmajor\WinLogon.bat	wscript.exe
File created	C:\Program Files\mrsmajor\Doll_patch.xml	wscript.exe
File created	C:\Program Files (x86)\Butterfly on Desktop\is-O14Q9.tmp	butterflyondesktop.tmp
File created	C:\Program Files\mrsmajor\def_resource\Skullcur.cur	wscript.exe
File created	C:\Program Files (x86)\Butterfly on Desktop\is-VL033.tmp	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-I2L47.tmp	butterflyondesktop.tmp
File opened for modification	C:\Program Files\mrsmajor\CPUUsage.vbs	wscript.exe
File created	C:\Program Files (x86)\Butterfly on Desktop\is-39A3S.tmp	butterflyondesktop.tmp

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
2924	wscript.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ButterflyOnDesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BossDaMajor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ButterflyOnDesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ButterflyOnDesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Cursors	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur"	wscript.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433599637"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60b73f65d310db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8D975A11-7CC6-11EF-A58E-EA7747D117E6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000a7010b705d09c51eb38c6a308eb72ed6fb77af4c4cd9fe31bb34108255bf8e94000000000e8000000002000020000000b244c40c561d596dfb5614dfcf58c6dc676b2f7ffb20b7145c0bcb04e0c886eb90000000d8458508f59c9c62412ac354d7be23bfff2176788d86b45c92971dcf8d877022a119416ec0c77522f5d86aa78944b7f03d6740a99ae3ce9e46e5a9dba1779229d813e867c55ff062d06b48772871c1eec214b2dffe6609cc0c3b2bd4f81a209dbc9a7f31414a9859e4fb3503920860e15d0b71a48a0d906e295fb5e8aa021111db53f5b4f4c28056b44d48357cf8bdba4000000089616284be3ddc0eb2c0be9ec3128d79f05727f1702115093a18d43b652cc80171a61e4d0e5623ef7f66285a11532e8c09daad7cf06972ce73a94416ce6a0fb2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000df17b54b3e6cc0512ba7f956248e33e3d9f7fe93f678e3b354d74918d09a2fea000000000e800000000200002000000044972244e65bb272e3d0004d9d79de6454ed91b70a9e14e11bb2be9bfb66354b2000000013d57d3ecd601db9048d35bb6a686a661976ae1c9e7e5302e6170d91793c6a8640000000f5c108390c08327babbb43f3357a9cb109895580b4cb6c964339810a38a24ee69004531856e345b688bf0562c185d181aa14a4daa318ccc60b7b289a4821ba26	iexplore.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	wscript.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1652	chrome.exe
1652	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1152	iexplore.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
2904	ButterflyOnDesktop.exe
2904	ButterflyOnDesktop.exe
2604	ButterflyOnDesktop.exe
2748	ButterflyOnDesktop.exe
2748	ButterflyOnDesktop.exe
2604	ButterflyOnDesktop.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
1152	iexplore.exe
1152	iexplore.exe
2876	IEXPLORE.EXE
2876	IEXPLORE.EXE
2876	IEXPLORE.EXE
2876	IEXPLORE.EXE
2992	iexplore.exe
2992	iexplore.exe
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
1092	iexplore.exe
1092	iexplore.exe
2732	IEXPLORE.EXE
2732	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2876	1152	iexplore.exe	30
PID 1152 wrote to memory of 2876	1152	iexplore.exe	30
PID 1152 wrote to memory of 2876	1152	iexplore.exe	30
PID 1152 wrote to memory of 2876	1152	iexplore.exe	30
PID 1652 wrote to memory of 1700	1652	chrome.exe	34
PID 1652 wrote to memory of 1700	1652	chrome.exe	34
PID 1652 wrote to memory of 1700	1652	chrome.exe	34
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2708	1652	chrome.exe	36
PID 1652 wrote to memory of 2860	1652	chrome.exe	37
PID 1652 wrote to memory of 2860	1652	chrome.exe	37
PID 1652 wrote to memory of 2860	1652	chrome.exe	37
PID 1652 wrote to memory of 1620	1652	chrome.exe	38
PID 1652 wrote to memory of 1620	1652	chrome.exe	38
PID 1652 wrote to memory of 1620	1652	chrome.exe	38
PID 1652 wrote to memory of 1620	1652	chrome.exe	38
PID 1652 wrote to memory of 1620	1652	chrome.exe	38
PID 1652 wrote to memory of 1620	1652	chrome.exe	38
PID 1652 wrote to memory of 1620	1652	chrome.exe	38
PID 1652 wrote to memory of 1620	1652	chrome.exe	38
PID 1652 wrote to memory of 1620	1652	chrome.exe	38
PID 1652 wrote to memory of 1620	1652	chrome.exe	38
PID 1652 wrote to memory of 1620	1652	chrome.exe	38
PID 1652 wrote to memory of 1620	1652	chrome.exe	38
PID 1652 wrote to memory of 1620	1652	chrome.exe	38
PID 1652 wrote to memory of 1620	1652	chrome.exe	38
PID 1652 wrote to memory of 1620	1652	chrome.exe	38

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1152 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6a39758,0x7fef6a39768,0x7fef6a39778
  2⤵
  PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1384,i,12684373611760058494,16327482956403788169,131072 /prefetch:2
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1384,i,12684373611760058494,16327482956403788169,131072 /prefetch:8
  2⤵
  PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1384,i,12684373611760058494,16327482956403788169,131072 /prefetch:8
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2272 --field-trial-handle=1384,i,12684373611760058494,16327482956403788169,131072 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1384,i,12684373611760058494,16327482956403788169,131072 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1544 --field-trial-handle=1384,i,12684373611760058494,16327482956403788169,131072 /prefetch:2
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1492 --field-trial-handle=1384,i,12684373611760058494,16327482956403788169,131072 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3400 --field-trial-handle=1384,i,12684373611760058494,16327482956403788169,131072 /prefetch:8
  2⤵
  PID:1360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3532 --field-trial-handle=1384,i,12684373611760058494,16327482956403788169,131072 /prefetch:8
  2⤵
  PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3420 --field-trial-handle=1384,i,12684373611760058494,16327482956403788169,131072 /prefetch:8
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3772 --field-trial-handle=1384,i,12684373611760058494,16327482956403788169,131072 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 --field-trial-handle=1384,i,12684373611760058494,16327482956403788169,131072 /prefetch:8
  2⤵
  PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3944 --field-trial-handle=1384,i,12684373611760058494,16327482956403788169,131072 /prefetch:1
  2⤵
  PID:836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 --field-trial-handle=1384,i,12684373611760058494,16327482956403788169,131072 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1444 --field-trial-handle=1384,i,12684373611760058494,16327482956403788169,131072 /prefetch:8
  2⤵
  PID:3060

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1936

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x568
1⤵
PID:2756

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:2408

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2304
- C:\Users\Admin\AppData\Local\Temp\is-RPUL6.tmp\butterflyondesktop.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RPUL6.tmp\butterflyondesktop.tmp" /SL5="$4027A,2719719,54272,C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1388
- - C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
    "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SendNotifyMessage
    PID:2904
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://freedesktopsoft.com/butterflyondesktoplike.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2992
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2852

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1288
- C:\Users\Admin\AppData\Local\Temp\is-SQ7K8.tmp\butterflyondesktop.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-SQ7K8.tmp\butterflyondesktop.tmp" /SL5="$1901BC,2719719,54272,C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2888
- - C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
    "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SendNotifyMessage
    PID:2604
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://freedesktopsoft.com/butterflyondesktoplike.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1092
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1092 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2732

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Trojan\ClassicShell.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Trojan\ClassicShell.exe"
1⤵
- Writes to the Master Boot Record (MBR)
PID:1988

C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
"C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SendNotifyMessage
PID:2748

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Trojan\MrsMajors\MrsMajor3.0.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Trojan\MrsMajors\MrsMajor3.0.exe"
1⤵
PID:1800
- C:\Windows\system32\wscript.exe
  "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\ABAA.tmp\ABAB.tmp\ABAC.vbs //Nologo
  2⤵
  - UAC bypass
  - System policy modification
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\ABAA.tmp\eulascr.exe
    "C:\Users\Admin\AppData\Local\Temp\ABAA.tmp\eulascr.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2268

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\BossDaMajor.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\BossDaMajor.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1760
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\FB40.tmp\FB41.vbs
  2⤵
  - Drops file in Program Files directory
  PID:2400
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:1804
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Program files\mrsmajor\mrsmajorlauncher.vbs" RunAsAdministrator
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Disables RegEdit via registry modification
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Access Token Manipulation: Create Process with Token
    - Modifies Control Panel
    - Modifies registry class
    - System policy modification
    PID:2924
  - - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
      "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"
      4⤵
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      PID:1540
  - - C:\Windows\System32\shutdown.exe
      "C:\Windows\System32\shutdown.exe" -r -t 03
      4⤵
      PID:2640

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:880

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe

Filesize
3.0MB

MD5
81aab57e0ef37ddff02d0106ced6b91e

SHA1
6e3895b350ef1545902bd23e7162dfce4c64e029

SHA256
a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

SHA512
a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Download Submit
C:\Program Files (x86)\Butterfly on Desktop\license.txt

Filesize
1KB

MD5
f68621da9ccbe320aebb5807c6f733cb

SHA1
5cae2a9a776ce75e2d4873238ae87467f3480e0e

SHA256
0479a712a54ada76eaf0bc5f3b57c764880d1540cbe266724d35c4dcbf40e4e2

SHA512
25e0611797c0dee3eb3ad968851f69da64aa6ffc75a22dfd65f5ab0538f01d1dc39e4e7f43e722cf76cd52026c106a49b6f3c6994a9a2186b7836cc07e28fe75

Download Submit
C:\Program Files (x86)\Butterfly on Desktop\unins000.dat

Filesize
3KB

MD5
30375a74975a2f724769189f5d598b90

SHA1
af089cb9764dccba21c54adfc9f26b4550ca4c23

SHA256
1fc882373ba041b6d73f65d9a0713479b06f74e7d780be71b2884725421bf009

SHA512
9f6cac8066815be995dd80932084149684ec94e0eee0212fdee981dff049703ae4a08f713875ce8381809259b6b2d2cb13bc7dd5eed587c6e381ea1bda95c073

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Butterfly on Desktop\Butterfly on Desktop.lnk

Filesize
1KB

MD5
02638886ec56cb3b4cc295744337f214

SHA1
53a67c9b6297a8474716501100662bba09715f6a

SHA256
d5614ad24d56614155d41f15f1ce6b7750cb551f440c7d70c98196ed2e64b2e2

SHA512
2c17e99b50bd4c676eacb00cb41cf22c7000dd804ae2831fd4ef73ce8f1268a58b52fa1de8faedb794a6d2948fb583e2787a37b11f9db792cb3c6904f87289a3

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Butterfly on Desktop\Uninstall Butterfly on Desktop.lnk

Filesize
1KB

MD5
a1a815b0952b03453a490d76d8de1f5c

SHA1
bfb93c1115d6ed0ca3726c79dc5fb1336c76bfdb

SHA256
05a0cd321d9e94b22a87c97ae11aca773282deb968ef03a60ced7737168ba7db

SHA512
39fbce72b73b839010d92026cec0f96e3f7e0fbba8203558ad0dcf942d932b0bab6360a0cd4a0e824a7d7f06790403fac9da77d5e411eb9aca29d426d909d871

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
02e569c704abf125714f2ddf272787d6

SHA1
9572d7008ef2d38f44a38a5619b4a98087786a8a

SHA256
2d099d96260387e2e2c8d8cb28c2c313d7b0e7d6875df958b3ecf288d20c408f

SHA512
b9636b245c5dd58d3cb8fedb0fce9e031001ef5258e129690589e9c0fab9dd66270d2bcaef53235757f4917d0a0accefcf1fb2a7058499be692e4099c4356af9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
281B

MD5
905257f7bc2aab68616198d11d70b356

SHA1
362d9bb17af427dd763894a999252954b4d9a04e

SHA256
16feaf699a6b74b86dd3207b2a04ceecba58b425f03a3a335605beb36bf517da

SHA512
96fd8892d2c7c1cfb1bc057398ba31755924c92cceac5e7d618ecae15d5e2a147e3592c9a34a6f1f286c3d909d9e99498dfecdb1e8fd9328e828fc56f6b5a614

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
1KB

MD5
b5049292f72601454b3986feec564273

SHA1
f2642cb98eff339c8de284d6ac3fbc76e9514cc1

SHA256
b79c13228a9c3e4fb194526c28c6289eeb3eca1bdb038ac9e9a002f3ec405615

SHA512
0a0f223f88e9b8b3e4eff55fc368affe9090e116b66eeeffba5bd46fc640958b30a4f8ef66e0b4418cb7d60979f8d6330256f71b992d467835a5bf8593bade68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
5ebbcc39aeb49912affc8f4e26fab2f6

SHA1
05474e0531cc1a3253ca81da560552213aefac0c

SHA256
911d5e3a783f28b6ef889606dcd7ed373cb75d6559ca00fbf34b52786f3e0dde

SHA512
5aaf611d7c0e2bbf02e80812b824318ea83ef8a0a7a127644653abdfcd4e8b80017489587c183cec3206c0af0ba6f4ddcb32eb1bb6b86a9fa28335c9d8560419

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
978B

MD5
1ccb14f3da998cbccd29755cfbc849da

SHA1
7bc7eed4f61f4c5fc227cd51fbb2b6ac253462d7

SHA256
a5174764e61e48061e35bd002059ad6b62dae1f12f4d27a785c65c62aa33fb8a

SHA512
20626cf129ad188146d63e7b3b41bc483ae08cbccce2025d26cf319425d3b3518519645e6db621c189abd21363e567e4b7ec9880f66c104e7c1d281db632af57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
0e9b07e3cc3748e43a39b39138bbf80d

SHA1
bbfea97119c32453c97bc9865530befb651d6ab8

SHA256
c031328149e5b01e160b633e79344da9ad51580da8986e5db1cf3bd8f3e4803e

SHA512
a9b203b22076c72245837fdb4dad1c7fc9d0b3b4a29d476bcccc89aea1c13e8985317811f70a9a4fd4c61cc007c96cb6f6ad2ad995ac65e509032dd8df9b68e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
766eabb0c08a45c2b7940c0a51fdad1b

SHA1
2a9414be10f4b59a57130e77da7c69fa43bb5199

SHA256
6312a03eef4c3f199d0562f8044d154f3f7f5651c56fb32e583e78a216cfe494

SHA512
e120d72476ff6bca127d63808769d3ad1c43f2e24b3fe98afefe4c54fbf2ecfca3e56dc07682668b5b0d1ca4b2b5e0765b3faa3bd894463acd3b4c7fa54609cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5df04f141dae2ec6369d73a9abd426ea

SHA1
39056758d7907bd55a2f46c87637c11fbefab44e

SHA256
c15a0d82030c9cd6cc3f18660efe0cb1da69f068682d8cee6991482182cf453f

SHA512
c5b8ce8cd46fc8a666b6a26cd64d2dcf88e4703285a3f3a3e4d1be061bfd8a164a8b41a21a23ac38c6a21af3fdefdbfc2f4793df347cf603d5f16f8266f5fe80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
671b2a25f2fb6de3898dab2b11b2e05e

SHA1
dffa9055f565cb9d6cfdb148718647699b596a58

SHA256
da41066050e3a55161f2683168811d67f12aaf65fe8a68ad3ac8c3580b051303

SHA512
3d8082167e59a8ee442fc454d6d5ba6701877e6086d1018690ebc51cc85d53bcb27fb3352506b95628b6243937cf75a11b9b3b781e171457db743304c04328f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
faaf945deeaaaddec47feb53fe2d6242

SHA1
e7fe1667f41a5259809879a3dff5f6b7dd05ef96

SHA256
fcc4d7ce43731735b561dbe1f3e907713a05d59e89d8565ce2edd9f3a0406da1

SHA512
1b33df423cb9f970d5044779df67527bafce7c2e54ccca5973f4ae1b9161de0556c77bc1de681ad8cea20271d592c05de1a518f73abf00dd4ac99ee70a3ff1c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
096f1e67236a26f9b63fcdde455caf42

SHA1
0f283c83c1c9cb2e6e1173d5fa20ea9899272aa7

SHA256
7a93f10cda2f74f886ca77e15dee351e644b5d9a6ea073112079725827a5c2fe

SHA512
967dd2a6906453090cf5355883d3a2808d75ec5f1a7e1755c458bdfd3f7bb5768a5f0aded049848cb911dccf75398019b2971d71c1bb4556576855e2284fe715

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd5fb35330270610f5b48a8df1e291e6

SHA1
8d0969217771dbe0d2d0c0934401db18bb74d321

SHA256
310cd1786e9466fafaddd0642de4614eef6bb2a849ceac4372f94011cbff4e44

SHA512
8fee53a74ec2f21b0c723c507cf34a4a8b471092e2b436d8591d8e932db6da0fc1d4f5093c4dc3353cf37df5a5d18c84a72639135cccede2b9312e42905f50da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6453189715db2a1e04e1e0efe18b4eb

SHA1
952ba33e79f8afc19f5453fdab2ba1d94e1605f5

SHA256
cf1fdfc99998ded07743868b178b32d0292b4a3649b78c88620276c003440194

SHA512
2cfaaeb13b21e78568fdcae292f9870df7fb7d6fd0d2dcb45c7f42bbb3328e0456354b67d562fbb3d197114cf9c20a8c4beb8018168d2907960b6fda2115a5e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34eacacaf51d53dcac67d61ae8d400e2

SHA1
f983926d2ea99b1e2f409e7843995eedb8ed9390

SHA256
e35830f34576e54d6e34c3c3f50f6d1a87838d2c93cb1de7b21be6fcb13d5420

SHA512
b3288c149f30df67152cb657635cea838babce4c3ce868343b620923a5d854718be95bf1e8fb2fb7811026a28501c38d9c6241c0f80ee0d7ee339a35b433e7bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9dca11d1562749546fbb1a29cbfd09c7

SHA1
0981a6c2ade2cc32b022c40795dff5ee0986770b

SHA256
70b1c606ddf3ef319932e87501f1ab90eaff6528e76bf5effa2093b058962ca0

SHA512
9edb516066930a1f4b8bf3b0312d2ae60656c0a42937bb9658ade561e228aeaef59e24b2a1aeffeb84674cd4dd695cada096bdc0a4fb5caa20ea89cc4a374ada

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dce269ea6e5bce642570c1de662bc972

SHA1
861034fc083567f4937a8b26657eb63e9a84e927

SHA256
b34e9f6d66b3f90372931c5d629d222335c97c3b4e861f09909cb87bc77ebeeb

SHA512
91e332e1c9bb81b06e4c5773976fd3d7e68b74789c002cfde16e22b0e97a18b207edb1a4101a1acfd9fd100ddc0001658bf63eae27d0c50b7908e3a6b733ac25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b917e4592543a89b726e8151bc18058f

SHA1
c17817e44d3da31bfcc1e1ccbeae7259caa6e79a

SHA256
8a19f51a0d4763e063e40d159737ffc1caab774a7606f36815c2581093853928

SHA512
efdded3ee54fb7cb32e36ca151acca66173f29c3b2803897b3e7b32c71a6787cb78e6c7580c5825c3267213a9928b73efdb4139fc7a88940e7c114efc017982f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0520ea3283204832ee61209dc44b9e58

SHA1
106710908e036350e03347e4de3f810b3ef15e47

SHA256
db678d8d63a41588a72c1bad39dd107aa446259050e4e3e6f8ecb37dd41c2b7f

SHA512
5573a23177cadd1f007176c697290b81e91fb26f29c85bbb76a418084b9253710aa9dd09497135cda44a941e7c612f3ab3edc4ef1a0b95b94a3189fd7a174f59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50714ab280e17201942e1a66a2706861

SHA1
9c26a2ec7646c6d3c1afa0eeb6962f0bf5050b23

SHA256
d4e87f5dd033ac1ee6cc1e424610ced3d6c16acedbc0463f3f0647133da268b9

SHA512
8908241fc3164723bc0ff9d403d76fda84ed88c1c31797f7bf2ad726a01745f937d04ecb0bab0d49f7b432d4ab36e24e35b41f13cfb35ae3ca12fd8742f18480

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
403bf42889ddd582209bddb06308e14f

SHA1
1f63486318b3566d3348cfb536cd09847b7f3007

SHA256
cac8076003f97215c1f857d4ed97e7d55f7bd917afa233eb14701117ff4165a2

SHA512
1c8debfbdef4ec1dc5449de0557075010719b4800aa202e318e62d14f34c3297b2ffee6003a857e089e15c3b243bb977e644dc1780d318cd8c63b1bc1e89976f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df65673ae99a273f2891f65d3ea4acb1

SHA1
574788d5bfec5be8c9af6089f0eca5c8ae36e0f3

SHA256
1c3a0807e50c5765b5bcad722366d71042dc1d60ae46b158f1bbc783d04719b6

SHA512
fce841fa8fe0fe98f24e02e2da21db0cf4b91b2b756094096c9e38a94c6be23cea18a841fb04896e2f3d308fce0604574b6d9676402c14de4c984076179af59b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cb934d1922066ef6f5914e2174327d5

SHA1
3b6a087db060a3b5f947a246495241bae103ef6f

SHA256
0d28cf2bbef077f17a8bd66ffd14d4f4b74db2d4000212b08bf46981e83795c8

SHA512
7b4e040551e7d54b24d2c4f7a3b6424805f8d4fd0e640b28f8425fd73cd0c980c11d580eff4da517558cd24961ae769509536b8aa62c109895284b86f25506e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2408000d4f3148dea3c33b28787d2614

SHA1
895503c2efc94fa744c98da0cef8311c8d9fa936

SHA256
924e7be85982132983836bab12d0e2403f4236642fd410ca49457783c382a2c8

SHA512
2a8abd7f39b24c707d7398eaf8af3242a01efcc67f0464932ec487a16ebd606d8873118c38275464399314a8d1f9007c3add551846bbcea3994686f119a294d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b65c15e7adf1e1a0ca46b2f68864495

SHA1
3770d5f6e8281f0c889baf6cf304a1520338cafb

SHA256
739fb92d85606687d34d599b915535837e2bf4be734ade255cb03c91d9130b65

SHA512
87071449dff634cf3427fac55c1e46c497c83daeb090f916b29ea63e6231d5a71d015982e60c0a3e0bc7101dfdcd3a4d6d94142092572046d9c50d39bfa69550

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04ac0b59ea1981be6b23823fbb89b071

SHA1
8850985f9ec299b5b77d76b142725fdc2721c5b8

SHA256
4a6485b3988a3001dde3d7c37ea60f70e3f9917de6d50c8c67935b8b37f7b866

SHA512
4aef36887141bcc5edb234147f61b1e3a8b64868fb10dc4eabc4aeff8af864e9fac641b8342fc538b09d4705d2799b9732bec4c0efd89f9f5fec450c14ba96d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10c48bad5ccbdd1222125384349c53e6

SHA1
3db1243cd8fca5cc51c8a174616835c2cffa7d79

SHA256
aa2888b0046816f76ecbe5f2075cbf5110dbc0ddf8bd6443a33fded9733c0113

SHA512
d132949efe4cd5bcebb6afd68340d9a13d3579e0563b8075fc9f3addb09d370e4ac8f5f4481065515931116f6a6e0b08827e051a5ab5a0c7fbbd103793260b9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c100d8abc52a982a810b552ededf421a

SHA1
dfc9f1b14978d47b38dd9579b0d77c572114393e

SHA256
57841d4e81df0709ae4441aeab0fdd7e2ea7b3942b630204a0732a2818b647e5

SHA512
062988644f0e5b3c9228bd749bfae79bbddf779c797d34de0b5ec84d1cea77ef6a52b59489412a3841b67b0da90fcfaa39121e3efc70f5be9b372f8a46f16750

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2bdaa1aecaa013b4a5473850d359e44

SHA1
a2abe86b1e761565103ded4a98a65fe6012b1ad3

SHA256
e1b68819e0b61958f7b868c05d59f3875f0e24991fd0905bfa38ac227361cc45

SHA512
7e27e1d34ed11ae1bddcbd59690348161ee636e741be54d049a35ec67eb2c839f7bf14d6646673111a86f065385d601263186bf63fb9d10915cc1af64cccd807

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35326439dd4b692a2f91b3f1ce344c6e

SHA1
8b9d526bbc33f55f33c67538c345e9db264afe00

SHA256
d03c14ababf1212cc8e796ddc1135bc09691ce94bc05bb9473c43b2980cfeb87

SHA512
c3e710dfa3da9c16622a0c14a00ad21fc95b742d27d002c38176c9d982c507f0ee719b22d22566f619ccecee268aaccd37e2c54202a6ced8ba9cd39fee1a7398

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1c886a03acd6205cd427454ce574aca

SHA1
83d7324b3b245d7a5a76c9ac6f545a1f5916ef78

SHA256
e7185391a6804efaae97bce8b11ab05c599e2df2ce1af8440466fa8a904f94ca

SHA512
c972f28c36a540be2d470ee9460e2f50e8d2d99d895dbc090a008c7f42dcefc6304f783e85b695745ac52c020aa010b4e343fa4f58e827bddb3b59170d9321cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66f3da9359ef68717b7a5aa28955f891

SHA1
2b4105a7629a92c81a2db5ef27cc22a666882b0c

SHA256
fb9fadb4251e62123ad71651d437906362e05d65ce90a86ea16b7e913d1c1fe3

SHA512
95c6aac2c14d8a9df66e48df361b131c677d25dd4222fc7706fc164efc22668f9823987fba128a51b998019af8f5c7176b3316fd3ae9d4923276e2915f17500e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13111564c9e34b4241499b7cb87d53c3

SHA1
d7109afb71288901423ada6424dc79301bcc0a6f

SHA256
f09fd6febe6d44acd2a8be8467585bf7f7ec71248924d093237a9fca9bd6978e

SHA512
6af10a371f0eb8545293788024c161db8ddbafdf9c49c52fd45f26cf567d001cd50c8a45a8b5011270ffbda19396ffc5e578e0734192d340032c1beca1fff716

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e2d124e83b69aeb2c5df059760955da

SHA1
165e0c5f628e460972ec5c9246cb80703457948f

SHA256
693db1a8935f01e7a0bca57c62bdc3a60476b2c4defef32d0339c3a0a146dba3

SHA512
844c50479c0ead93a928107cce2336b6640f12ecaff56df114963b0efaa54e3f893be3afa324296fd54d5a07b2677b30665d3d3560e9f9d1f9fd67bfb709e48c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abac2b1252e6e5dca2afad177e3a3c55

SHA1
77facf265b781fbfd609a80665e54b30ab6c425f

SHA256
46aa8b7728fe155ac8506a30b41845f28320956ab76094180b8257fac567b547

SHA512
b7a879d69d01230dfadb914bceae2c21a489d5507389e424659b7e24f40d71e6eb9db3205ae78115e6487a6934ba12fd175bddbff4cacec0b55b05bbb8ab1dd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a81f0305e0a9edb36eeaa1e8fafdda9

SHA1
8585cea5cd444c8245097d683c936d9c07fea2e7

SHA256
51b901c7daa0658be927e99c6ba87bc80a3e8a4f04b82e0d2466ce998364f7c8

SHA512
bfde450ad1fb7257ea1c8c9dd25d5e60cabb619eb382c8eef7dc56a77baf242f302ed381c8ddea7b13171c416feb7510e4ec276c95aa9232d807a852e4ad134a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79e55c22549d9ef2f6b9726fbdc6f3d6

SHA1
1b61d6106b78b556d4a91ecec1f5fcb750098a4f

SHA256
3ece9f6e84b7c5f2d4d417b3f9ae1455b3b6953c1c1d1eafca71f681a3095ab2

SHA512
2553e317b889bf8fc086733e63a5cb8441caaeef4c8595db9a3bfdc7131acb1cbeaff1807d193416e01154e40429a96773e45b05a847fa53f2c34d5bf07d96f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00b1d31d42b88549310862cc1f45a813

SHA1
f4e8628a31fe2c305e3158c759c4c8714636306e

SHA256
fe07a0177a6d649c75051e9cc8e4e9178d6a674bfd5941b096f45290d2349874

SHA512
7c6cbd55adadc326c820c72914a3fdf8fadf017fb7fe5e79fd53880785b93ab0aaae235dd534ac39f1af5a1e1dcb29844656d1af50b246bf4fab6ae92853d814

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5780b4b04c7f29fa37a45ae6b0c691c4

SHA1
86fee066881f1cfc6a673193cf2b42ff10e96729

SHA256
631b664b6307666fb8eb24ceb451d0bc8c0044809adbf73bebc40b96110537f0

SHA512
5102ae2a7c0819f01c5d7d52350a9b853f875f013cae3bcef336c17d619727c25b06a4cdcbd2c9067b146a02eea51d59800c6b4b67c5a33421e02c015c35e306

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4693891f94864474a42cc8b968af3dad

SHA1
6ca8463eee0fe2578f4eed209598a69717a7b28e

SHA256
976baf7f00aecde1418240c13bafe4b7521486308835a3d9e28ea5f656b3287b

SHA512
a98587af62004930d41d12db20aa7bf011df40aed118a0477598b6a8901219e4cf1261135e205f1619515736b35322e5c5288462519973cbb44de8201c957ba4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32d8153f3a68a5e852285b9839c1b3fd

SHA1
2e5af42b5f9036b0e685f4fc3770667c4905f1e2

SHA256
f58ba713a874457750cbe6615c51b0dedcc4e5d7f631a5d8fdc82d1c346fe0dc

SHA512
f6c642e4e797ea355251ad97f0d8898141a3ff39bdbda9760d585e175060d1a18eaeb16f7d93e711c3f4cbf4c9bee60a989c0932f953232721839458af5d967c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee062c5f73799bb6d7c2e1cc2865799d

SHA1
05842263f8db695d86aa2fc46358a4d1b662145d

SHA256
fe5cb90a61b4e692efad62ea544336daebb56a5896aea87fe239fb5ed0ca8b18

SHA512
6ec024d42b9a686113b66dee3c21a6d9c48dd72d935f9e026abc00c1f66992cb680fa070df9e2f231a21c30a104a8bf3c9627b09d569faf7032748fe7bf49603

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bab65d14b6fd40ee3a826cd088f4c9ae

SHA1
c3df7532bb3b02c4c85041b2482f56e50b659bdc

SHA256
bf9f36b75bb2445a939f9c91bf4348ea124a1385c81be07abe04f67bce7b67c8

SHA512
b06dd4b0bb4b8609e3f9e507e99176de19db7e90d9bb6b9f161509ebc90ec6b77ef122d7c43b2fea39702a3fb562f872d01dff9654302b39a3f5a174c55d0b64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60568a6511b3cb3f242a80786c5432cd

SHA1
39880a4d0b440069f936a0d602433738277eae09

SHA256
b8186919d50558a6f3dc48f5848858965aacffc46f70e5a71aef1af689b911da

SHA512
d34c16dc59fda8496fdb73a9e7df165aef03e7e41ce49982b64b83045d7c3848abe6f6e69a027b3a4814147d852651cfef64ffc858487a3c7341625f0a199c3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20f019b3d3df02dc4c198c24e3235b34

SHA1
7908a9d08c59951d558889920073b612e529fba8

SHA256
8a04afd27fb100000319ed0f79e391e3233b65dd8a5989c0da8dc28fafd5cf45

SHA512
a5d83d4407bfa5f446e70d84aa02a2286a7de050790fe8105fbae1501b58845485c7b06dd4b5ec3e7e72e7dc3afba520823b7fc9a92cba489424ce7060a97850

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ef367984f6f45524a5885d1bd89e22c

SHA1
2a6c4da45e6afa98027e96b3644057b79419add4

SHA256
05b275b421b1b1ea24f34af95c6574ee6a24668258341d95a5312ca0d8c65719

SHA512
cfa517e0448a00702fdee94c61db1c13a0cee19309e7eb3388e1f76868a5d5d3bfd42ed14590086d80abdb47f06050c6ee77e07438fc082992538a5c8c869fe8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4820085dc80db7bd2a4b4d9a32dd6227

SHA1
67170ce6fa1cf837caf6ef0726625eb5bc7c8509

SHA256
83629934aa960d7b9bbe5a76f0d9877061b1a22a583e73c26c6351b6f4f9627d

SHA512
64e86d096414a9eed077fea67b854893f5712594f1bd73100e0347efa6b2657778d067b27a7205d7ff39c119d2581980b42276fd53d5d737a172e40af164bfbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
928be5859f7e5145279fa7182ae566f9

SHA1
1d3bc9477e79a730e2b6f63d54aa95ba5daffccd

SHA256
fafea433ccb4fe40af3a5b8d5525194ac48732998f587e6b859b42263182df01

SHA512
78dc88410e979a79a064469ae30ad2051094ec46dd4bc3305d14b80e37c8cf4717975b5cc85410b29bfe201ff97a6502edd1fe40c169d557ac8eee516c99bb5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5141abb7f522febda32cfa96ec5c386a

SHA1
947e69dfda74a011acf7616bfc4673f9055a4183

SHA256
2cab61dfe1bb4254c9f3580a7b477dbfb02913ba5b21da7b4097f755c39a2fba

SHA512
a8710d3b90c022d378db4df10da5283ca5cb0549df949582bf72438932f0713caea4f766d5576730fe85cefd4a9c7833dd3c94b6aff40e22bfc9657289018545

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
286e2bf993038549064666ab721f4232

SHA1
d6b4600e7d244c1e8857d2fe8c1ed3be60cb5355

SHA256
4454026f498a292af8029e66d5bffb7ad35d2fa04d005fd0f4461580b7049412

SHA512
1a6b31914b8a6910cf19987bd55abe39477e9eae89c792abb9792d85265226fc35cc1c54a807249e2e6ec98bf1a0a92e6d78fe8f363b9d825032316cfa251736

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f8bf55be6c508178d0c47c318ecad95

SHA1
b07aad071da134a6baadb1996428455d43d61a7a

SHA256
b1ca3d802ba04349f28575825576a515ebde21f8aec569db0694997f4435f69f

SHA512
b78bf1b68697224dbc460680db0ee3ccef2a7137ec82b0c754f0ae89e8012fc9d6ae6c2dd0dfd5017e79b5607aa6fa2d480a81601792f5b3a1faa07384c5a188

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d623eaa0fbe13c2fbd7193d489dd82b

SHA1
4906c474a7bba26818f377d218479bad1b9a0804

SHA256
de2ff3ad81be1d410a40ba7c2c0ea2e1c2841d0a7abecc237ab6d42f04d40a52

SHA512
eefb11af7c6116650b101c53e2e11ffd48061888546aecbb08a0f4add481cb4fa3b0b15d1298df5a023efecd53f528cef1db7dbc7bf2e62405b8699af7c509d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
586dc49099e94508b9a08d6eb64bca8b

SHA1
01b85e0d0fd6c5220112e70981016a164df2ee52

SHA256
94b920ec444c758b8e44dba76ceec2b450573739497498287917e4fe5357266c

SHA512
0f5037e19f86fec2fdb6d9ad07330677798099ad8aa43139acd02076f0b80df79b2aafcbad7517c2b97f3e43af92fedd5f2d7a421c6501c56979355c96a805a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7be50b593efa9283c3e4f0a05136122f

SHA1
22507353fe8c2339779a2aaa3e5b640395e5780e

SHA256
b41683a9f92618db75d8e786e6d512661b23674a174f9044ea8c1f8907559c34

SHA512
81fbe9aa57305bc0d76eb9fcaac8386a9113f84f6856850da93a0f6485b93cd11353b78ee772d0edd4139531f877406441c60eb16834dee8cd100d89ce86d10a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8faf1ac0218f507cade5e54431fb48f2

SHA1
a8bac26f122358e8d9599adc30bfcb17b1a40bb1

SHA256
b1c416bd84accc5bc71d496823a66f80c132d0af263d1ba53e01c69e185a876a

SHA512
55bb5a914523ec9397c9a41ae7a18d9c39b48b8a7a6cfd615d2514f6d6bc6cf376dc333d2488a59f804d0591d552e8d03728512edf32dda7e5494dd391b25073

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d75a4e8f43f23d0b8111d7245157fff0

SHA1
acb8425f96e69137dbc2743a7356e44dc540ebf9

SHA256
edf0b4953871f30f6798d01b82d12a43f61e5e9afaf1f16c9aac38e6d4a8d8b6

SHA512
f03e26932e7a743f16b1ff1d42db886d806817dbc8fd967aefc888ebdad67753e7a8e3f797fc6cdc2d4c17b0968b3b3729d581bf57be3e3d1ef5e8536b3da562

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
480B

MD5
10aa85a6f7e7f06b61c4c3888ce86b10

SHA1
91c175ad6a7bf25e801caa2a09ade25a243ea696

SHA256
33e4506d3a600b27f64e1be4642b581dd24cc5f2a8201d28314f497580c9b2bb

SHA512
13ac00c4f9b25b73dcc41fa175c376a4c57ae5268a19d37d96a12a63455e10085cc417287761edd88fe788774612c5c9ce555b3fc4bedd709591b52c1349d51d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
482B

MD5
9abc79ae71566f22228e4cf1c8132b53

SHA1
7e9163258938d6aa029b528d770149cf8f7bae43

SHA256
ebcf62f16deeb07d54e92632bb8626d17eb2b864b19372bf7dcf7cc3b4482ebe

SHA512
df2ff04a06745af76759676e36a5aca0e6e4cd4b87d294339bbd60d331f05bfe6efed083e54d738b519a04f4d7140681ea28e75b44c53f499bfafb7606dc883d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
fe6a1867fd6055d0b45d37afba0dc646

SHA1
3935a775305cfb9e7f3f66884c78f40b13f118e9

SHA256
5cfa7ed5e72371812f12531bcc1dd1bcc405c8a9e705cb003defba26dceea54c

SHA512
db913d8211f7cc1c40824f1c48d23f9a47278e86de424be11a573d1b3ed7ed5af5582fb6bec2418a26aacb0ab1799f4d552e1033dfe4c911962ee111d28545db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
480B

MD5
a8b66a6b48fe97cd45fd0c8987d23b87

SHA1
b48d2b0c67ed5d805dbd169afb7b98b6d4c8b88e

SHA256
9b0aec336aa42a2b8dd95ebf9fedf303b1402d7cfb0a46f541dcaa88ed4a819c

SHA512
d60234fbe0cc86be72240b6bfa17c0392d59bd6b141c634553e49fda28463babf1f0a16e794b044ae09ce348ec2d5db8f0a50a5ab2ae3347cadda79eb2234c30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1017B

MD5
93b446e7408a75d8fb61476a36a4ad02

SHA1
719a3922e49e212d58516c2026c5750fb79a69a2

SHA256
69156b6d63ec2d54208fc8c5af058b0d2ff29b77ea258e8b3e611a074c76eb2e

SHA512
6055245e270706ca18e69b19ec0d2b9c4afe89bd1a9ae967618d62f9b21d227d6baca218d03168e96ee44305e2510a25254ae753aae2377c53025e485eaa6658

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
853B

MD5
70eb36ca2dd0a4820606ba5d0e98874c

SHA1
83e6ebef91071d0b855c1e51187e8b2ef7b7a300

SHA256
9f729acfe03a8e939a7699f9c48c5331045f1727d21455ab9f19bc4c9494dd16

SHA512
389db36e51f833a3926c048013a887a454ff614887d63159d6af5e86c6a085797007e173b6b48e9c3939307072c44cb40afc36fb2a36c2adeff3938cf200f2f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e8bb5b9abafd86c1a8a1ef822b79a6d2

SHA1
075929260365041849632c593ca66938b3ac811d

SHA256
40d9a009bb98c4ffb33379f8f29d19ae9560058b0d309653a8566981dcb7edf2

SHA512
d4b20f2c7008b2306800be533409eeea6827c7c962c3f1426f6b47a85055484faf7cda74142232feb51d6aa7164a2088035920e8f2a5bf2197e713083695f4a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4cebcff5a345732061efe3cafbbca6f8

SHA1
5021cf8884cfaa8c4162aaf0ed3c0fe16bd34f35

SHA256
0e1e83e37aff6c8f5249ac2836031f795f1668328b7844a2a0d3d2e22bd8c0ef

SHA512
906d6309393cf3cd3845bd15bbe2c2bf557712b2766df20b8b00272a134cde16a043f2bb7a339f000d330b3fcdf112c3425e6f751c3cbfcb8999491ec6b4a71b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c1b1d4bc2bca11668726413de84b0f32

SHA1
f65280ce4c450993a8a429c898d559139123210a

SHA256
3daf10a9f1462e77d6f3cf4f30a49947f2331684a8c405e7166947b7da819808

SHA512
d34c3ab88539a775b684507870d6e004805ca6f905196d9f20ea4056ec75937c1547809b650ad14d4f808de5e9e18c1c47ffc3114e5dbd64ead3e0ab4c3154db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
de571569d5753bcdddc69153e17a5c63

SHA1
74ae8fd8245755b1e81594500592d9a24941feb9

SHA256
ec065b7b0ba954cbfcf85bf7d00294d27033d332c8479cc7233f99636bbaf7bd

SHA512
ef869e88166208f0467467275eab0bc427de824b89b4443b7944e6a7af1354400e77ed85f88e62848a031239ce37c3827f9d473d6df222c22a0dbf10476140b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
342KB

MD5
b19650c099b4bd3c55cf8768a178bc78

SHA1
e1133b141692f45e10735d812ce8b02b7c4a03a6

SHA256
f865cad9678aad9fd242aa3c02e12bcd9c1adee33cbe62148bf11d162b403e2b

SHA512
9c63fc689936bca144a2c0985586c99a641a1786c8c225767491318f08937e4cf5ce835ac638676c029ff91f7457b65c9cbdb7d3bab54b3a869e13f6ddd9e4c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
342KB

MD5
ee261951f343ee9f85f88c37074d3f1e

SHA1
ca553f48ad1f07bca3d9ea3e5bd2073a43a934e8

SHA256
6cd78ff029a6a8d9b170803f973cf03bee0fb18604bfb83e574314ba57379630

SHA512
1d6e0d135b8d532b583b0e62ead05e40397e21e610ea3ae46f9d7579bb3c456e94610609fe7423bdb976321883a392c18d1b6db209fdf07c66c0dfe36e9fccd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ec401081-9001-42fc-95ea-3e471a615dd0.tmp

Filesize
342KB

MD5
a5888feabca65d6a4568f46f318ab44f

SHA1
aaea14317525b38f5eaee7b8b26b912e79ce9145

SHA256
f195ba2afb388f873b8a4cc932ee6b8a1c4872c1f94c85bedfd64bc0f202ee91

SHA512
7f747561412da74bdd0b73332699175fa77231fb490cc8a087bb2a9b3204db807b98581b7d4cd0b74bef4f560fad44f476e0693edbcc119b5b7e034af3fd0758

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8D975A11-7CC6-11EF-A58E-EA7747D117E6}.dat

Filesize
5KB

MD5
a6961442f0043a778dc940ee4acad8f0

SHA1
bd46075b9db37a29fe0ee46d2b115d0b775ec1ac

SHA256
a801c42338ce69e5973dd0258b16fe1f749ec17fdf5925a90c95c2649bced555

SHA512
1b4aeb4701cbdd5d58e4c6709c8c5d02652ca71577f1b03c262a6a690827d3f3f56ba11c2b122dcd4768fe9f91e0c04267de5c05a44c549120376e9ea2f9fe88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{88768850-69B4-11EF-BB1F-62CB582C238C}.dat

Filesize
5KB

MD5
9161ee56ee48aa7e43a72c594c0fb1a4

SHA1
e4314f79137c3ce387fa1d6b768a2c9bff69b2f6

SHA256
f63e2ff3f7e7f30aae69847800ee86829790f2eff378d350d29c12e306557a8f

SHA512
943e88c25a905c84827ad614e8877dfd26ddb4d59af42d00eeb5e619eca0dc580979519088a79b27e187ee59393c6e4d1f43be4415847ed86ce86889c6979596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{B123E840-7CC6-11EF-A58E-EA7747D117E6}.dat

Filesize
7KB

MD5
adb9ec20da8c142a4bf98d31c33c65ca

SHA1
1f64035d48ecd51b577535bfcac3c0a4f1013967

SHA256
842b684d012bf1da8cf9e75ec235a7fd83e01156f41a1e0684504b1fb3254859

SHA512
3a2df4a6af781892aa8e7b4a67f955a6db98fdc8365c69f30c1f11ccb2fc6d14bf2ca6043234191ab5bc48e3444df561358bc74871eb86f663e97c81e3b6d110

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\guoemn1\imagestore.dat

Filesize
1KB

MD5
8d2d9d878a26129b2e8fdc53f8a8534f

SHA1
4ccd69c00e399533786789512e10def01c24ea64

SHA256
9bd92e5f32294274ead3747076ca04b28569b47e4631d2f96bad3726f0ad40d3

SHA512
afef8f713f4a718a3c55e81839aff4c6b062f02568598dea2b67326c04f626ffc60c885401479605a66c55e93fee39ed35077e3b69695df49fa68abce737d723

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\guoemn1\imagestore.dat

Filesize
3KB

MD5
d5bb0d51113b05a96cb9a0ec0447c613

SHA1
af2e19739e6589b3908dded728ffbdbdd248c999

SHA256
8b467cb0931341d0ceca18e1f20402000edf2658fd301c5ac7ae57e816ee969a

SHA512
e34cd940884e069d8394bf6c6cbaa8c5cad9321f354105370e770912cbb81df45feaab298f4237959e2f7ededc321d61b81c542e08b09aa321e253ad06be0f5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\guoemn1\imagestore.dat

Filesize
1KB

MD5
2e59eb8dcda8f1b5286b2d1cc63e2f2b

SHA1
7e7321e95cf34dc92e0b1b982097bc88ded22972

SHA256
cc988fba2e0f68c60716e4869f21e69b1f4136779d4775c13e814b47ac5d1874

SHA512
5033e62f7c50e0ed9450014bde9c2521cf02c6e9e4f1c47e4c976e8d86e1d22aa373bd9f5c53c6d05e83cc6d17942af8d0540f5f12a01e564f1ec4799cbb8ffd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EB0KZ1Y4\vendors-node_modules_primer_react_lib-esm_ActionMenu_ActionMenu_js-1feceec002ca[1].js

Filesize
6KB

MD5
d04bee65f8ad1dac1faccf045a3ddef1

SHA1
c6694fdfff42a59f613e6d2cb9c05c92b518fd2b

SHA256
33ff2d2e9a8c8f3e09622c8e587908f64450478de25f4a57f459fe1e8790eed7

SHA512
1feceec002cac76375c033c6e694618d8e3a64e67b57037be104048b0832d2d94a0608bdede21de17042d1855056f020b80544becbd973a5ccab6c823a4125f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EB0KZ1Y4\vendors-node_modules_primer_react_lib-esm_AnchoredOverlay_AnchoredOverlay_js-86d89e63ab43[1].js

Filesize
7KB

MD5
7d8f64134fab2b2311f49170600d50aa

SHA1
bc9739c37cf1efbcab6d1b1958f03ba9a54b092f

SHA256
035e63bc93ddef8f887482b15df63c6d3a096eed488c119163f0a744d8ce01d0

SHA512
86d89e63ab43dcd29774782cc9caa019f90f1207bd99a6557efde81bdf21d0afce8cca60372d78f7c77460f280a9b0da87484870dba76ecc96122754b65c14ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\favicon[1].png

Filesize
958B

MD5
346e09471362f2907510a31812129cd2

SHA1
323b99430dd424604ae57a19a91f25376e209759

SHA256
74cf90ac2fe6624ab1056cacea11cf7ed4f8bef54bbb0e869638013bba45bc08

SHA512
a62b0fcc02e671d6037725cf67935f8ca1c875f764ce39fed267420935c0b7bad69ab50d3f9f8c628e9b3cff439885ee416989e31ceaa5d32ae596dd7e5fedbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WUBCGJ0A\favicon[1].ico

Filesize
1KB

MD5
972196f80fc453debb271c6bfdf1d1be

SHA1
01965ba3f3c61a9a23d261bc69f7ef5abe0b2dc3

SHA256
769684bc8078079c7c13898e1cccce6bc8ddec801bafde8a6aec2331c532f778

SHA512
cb74de07067d43477bd62ab7875e83da00fad5ac1f9f08b8b30f5ebb14b1da720e0af5867b6e4ab2a02acd93f4134e26d9f1a56c896da071fc23a4241dc767f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WUBCGJ0A\react-lib-7b7b5264f6c1[1].js

Filesize
209KB

MD5
c0772c4a7a3f6a29256a69e8feca82d8

SHA1
75ff0ed2d25d36f7c6e933030e691228e37c5264

SHA256
4736f0203a41862c10e5b93529b15897813bca088a8dc952250ba7c19b6901d9

SHA512
7b7b5264f6c11eb55aca6b7788e67f89f5638a53c75589dfebdb7e08f6fcad5b2555a90eeff60da4578ee429cbbdf1d886f55a30355d9386d7006241e65ee632

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WUBCGJ0A\vendors-node_modules_github_mini-throttle_dist_index_js-node_modules_primer_react_lib-esm_Fea-39267a-9ffd541aafbc[1].js

Filesize
763KB

MD5
cb6851ddc7807226c028096f321d5aee

SHA1
a2ca26b37308fe17c9279824eda37d8c942185fd

SHA256
74d62c6fe0e027a4566c93c5279d0d6ec09c5c1df59d2a07efa61f7867300873

SHA512
9ffd541aafbc62319a2d45e6e30a41206d9d99470184d6c1cd37c2bba5526c763d1a09adf445a4ad9674df84969220742b14082598cd3100109b10d4974ad2a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WUBCGJ0A\vendors-node_modules_primer_react_lib-esm_ActionList_index_js-540a2acf621f[1].js

Filesize
24KB

MD5
fb5cfc622da6feba7c65a4f0df738269

SHA1
a381949316096877f288a74d01b7ceb8fd889f26

SHA256
7149e1c1afd7e5fbed473f8dec9fe06e743ca64a0d512c80a7eb8a2e60a1d695

SHA512
540a2acf621f3975f107919de09873c40ec62b3b5eb74d11a425ef897e213cbf29c7fdb1aba4ec2df77af4418a50dc62df5bf1248a3af7722fffcbd55a9c8830

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WUBCGJ0A\vendors-node_modules_primer_react_lib-esm_Button_Button_js-f36ad879d477[1].js

Filesize
26KB

MD5
5816c9674bf39dc86b51744393bd575e

SHA1
3cc4a78a8e74d5d91427de149d626f9fcc8d305f

SHA256
6c070bf861c49e60e8ed381a33bdb17784d26bc93318c51f82849ad889dd077e

SHA512
f36ad879d477bd89096b9eb11036ec73935e71feb946b62a415f91c70722362e37b2b5713dabfa3388fecff9d026c1c24fbb6fcc80d1ace2426397d333625706

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WUBCGJ0A\vendors-node_modules_primer_react_lib-esm_TooltipV2_Tooltip_js-e39b44f27fbb[1].js

Filesize
14KB

MD5
5ab91ff0209ebf4ae127c095de3980bc

SHA1
3a13c6ec647d048f7b1d00172b8d87947ac552c2

SHA256
2aad337a08721dd0c42c27b12932d96fd6ca9fb56305ef3a45311075f9885611

SHA512
e39b44f27fbb6b07e38cf64050823879b23b284a9abac9196f85b5bea35eb6b0f9c7a357efde858cd9b72a673d5dc0597419b243b4901272f6219794a27f6e44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZOGPI1N2\ui_packages_react-core_create-browser-history_ts-ui_packages_react-core_AppContextProvider_ts-ffb979-d52ed27ec9e0[1].js

Filesize
8KB

MD5
75a6543bc52e70a25cf2ec4c1f7a8261

SHA1
66dde1cf4fc62ab21e9c620846ec2433410ce142

SHA256
07e71c1717367313a417af87ad0c66732ac93a3506548750dcd8c68a71d96e7f

SHA512
d52ed27ec9e0b2001fc8798eb311d14ed028fa80c343002cc08696b0f89a162b1bc8269641bf61384369fa01cfdb617e8ceca3fc6a234deb231486629434b00b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll

Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCC17.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCC78.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA656DD73EE5C6471.TMP

Filesize
28KB

MD5
dcc3d9dcb4a20c4d8acc3ca01f422dfe

SHA1
f60eda7953bf54987c85d14918dda72cf2d92c98

SHA256
f72cefbfde064965c5aa8bbfacd6b4d072ff8f2b754841abd58a5b4021f57ee8

SHA512
2203b74992c8855171cf2d0a2c8fefa068aea650d26d36442b55d9b195272c8f74069e0557ad52eb9c5dca0f370c0303c7993cf4f622e50dced7dbc5c2270b59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
4KB

MD5
b16c1ba5d684adfe73347c906db9c00b

SHA1
62e4c5537c8c20850ef3b82dc95929c1507c7c7f

SHA256
ab637464549319e563f31aeeede427500d62baacb3063dffa698a7ba89293c42

SHA512
c5df25e495744653988846ec71f3f2247bad212290be569264ba67a7e502e8526c408778c51366c560caf38abc878646beb613ff0c57f1f5e1382d1ee6f98e3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms~RFf801777.TMP

Filesize
1KB

MD5
e19590f3961f7c30f7c687920394ab71

SHA1
4641f3889134f1ea904dd869a3243a3f00e281d4

SHA256
b9cac5b6b17edd5ac13c11733083bdd8b5060788311dea5e215c15e0d79cdc63

SHA512
9c3f9ff93bd071fd63b480c5dc5913439c755de5ba3c1cbbdf103d72d1ec14367270c94577d82875058f0250a8a45769f511332cc818af9dfa16dd5dd427681b

Download Submit
C:\Users\Admin\Desktop\MRS MAJOR WANTS TO MEET YOU 5.txt

Filesize
27B

MD5
e20f623b1d5a781f86b51347260d68a5

SHA1
7e06a43ba81d27b017eb1d5dcc62124a9579f96e

SHA256
afeebe824fc4a955a673d3d8569a0b49dfbc43c6cc1d4e3d66d9855c28a7a179

SHA512
2e74cccdd158ce1ffde84573d43e44ec6e488d00282a661700906ba1966ad90968a16c405a9640b9d33db03b33753733c9b7078844b0f6ac3af3de0c3c044c0b

Download Submit
\Program Files (x86)\Butterfly on Desktop\unins000.exe

Filesize
698KB

MD5
1fee4db19d9f5af7834ec556311e69dd

SHA1
ff779b9a3515b5a85ab27198939c58c0ad08da70

SHA256
3d550c908d5a8de143c5cd5f4fe431528cd5fa20b77f4605a9b8ca063e83fc36

SHA512
306652c0c4739fce284e9740397e4c8924cd31b6e294c18dd42536d6e00ad8d4c93d9642fe2408f54273d046f04f154f25948936930dd9c81255f3726f31ee65

Download Submit
\Users\Admin\AppData\Local\Temp\is-98EOJ.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-RPUL6.tmp\butterflyondesktop.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
memory/1288-3001-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1288-2986-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1288-3054-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1388-2358-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1388-2400-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1388-2380-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1540-3228-0x0000000003BF0000-0x0000000003BFA000-memory.dmp

Filesize
40KB

Download
memory/1540-3230-0x0000000003BF0000-0x0000000003BFA000-memory.dmp

Filesize
40KB

Download
memory/1540-3226-0x0000000003BF0000-0x0000000003BFA000-memory.dmp

Filesize
40KB

Download
memory/1540-3227-0x0000000003BF0000-0x0000000003BFA000-memory.dmp

Filesize
40KB

Download
memory/1540-3229-0x0000000003BF0000-0x0000000003BFA000-memory.dmp

Filesize
40KB

Download
memory/1988-3105-0x0000000000400000-0x0000000000AD8000-memory.dmp

Filesize
6.8MB

Download
memory/2268-3122-0x000007FEF6400000-0x000007FEF652C000-memory.dmp

Filesize
1.2MB

Download
memory/2268-3116-0x0000000000070000-0x000000000009A000-memory.dmp

Filesize
168KB

Download
memory/2304-2401-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2304-2342-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2304-2344-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2304-2357-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2604-3103-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2604-3100-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2604-3104-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2604-3101-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2604-3106-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2604-3102-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2748-3126-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2748-3110-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2748-3243-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2748-3231-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2748-3124-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2748-3108-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2888-3005-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2888-3002-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2888-3029-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2888-3053-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2904-3007-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2904-2984-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2904-2983-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2904-2964-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2904-2963-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads