Analysis
max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
09-11-2024 13:36
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe
Resource
win10ltsc2021-20241023-en
General
Target
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe
Malware Config
Signatures
Chimera 64 IoCs
Ransomware which infects local and network files, often distributed via Dropbox links.
Processes:
Chimera Ransomware Loader DLL 1 IoCs
Drops/unpacks executable file which resembles Chimera's Loader.dll.
Processes:
resource yara_rule
behavioral1/memory/3356-389-0x0000000010000000-0x0000000010010000-memory.dmp chimera_loader_dll
Chimera family
Renames multiple (3262) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Downloads MZ/PE file
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
Processes:
resource yara_rule
C:\Users\Admin\Downloads\Kakwa.doc office_macro_on_action
Executes dropped EXE 4 IoCs
Processes:
pid process
3112 butterflyondesktop.exe
1940 butterflyondesktop.tmp
4816 AgentTesla.exe
3356 HawkEye.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) 27 IoCs
Processes:
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc
85 bot.whatismyipaddress.com
Drops file in Program Files directory 64 IoCs
Processes:
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HawkEye.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language butterflyondesktop.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language butterflyondesktop.tmp
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AgentTesla.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Processes:
NTFS ADS 3 IoCs
Processes:
msedge.exe
process | description | ioc
msedge.exe | File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 682682.crdownload:SmartScreen
msedge.exe | File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 268217.crdownload:SmartScreen
msedge.exe | File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 641381.crdownload:SmartScreen
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
msedge.exe, identity_helper.exe
pid | process | events
3956 | msedge.exe | 2
3136 | msedge.exe | 2
3960 | identity_helper.exe | 2
3116 | msedge.exe | 2
4564 | msedge.exe | 2
1688 | msedge.exe | 2
1060 | msedge.exe | 2
4620 | msedge.exe | 4
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes:
msedge.exe
pid | process | events
3136 | msedge.exe | 10
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
HawkEye.exe
process | pid | description
HawkEye.exe | 3356 | Token: SeDebugPrivilege
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.exe, butterflyondesktop.tmp
pid | process | events
3136 | msedge.exe | 63
1940 | butterflyondesktop.tmp | 1
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exe
pid | process | events
3136 | msedge.exe | 24
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
AgentTesla.exe, iexplore.exe, IEXPLORE.EXE
pid | process | events
4816 | AgentTesla.exe | 1
4304 | iexplore.exe | 2
1344 | IEXPLORE.EXE | 2
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exe
source pid | source process | target pid | target process | events
3136 | msedge.exe | 3332 | msedge.exe | 2 (PID 3136 wrote to memory of 3332)
3136 | msedge.exe | 4160 | msedge.exe | 40 (PID 3136 wrote to memory of 4160)
3136 | msedge.exe | 3956 | msedge.exe | 2 (PID 3136 wrote to memory of 3956)
3136 | msedge.exe | 1164 | msedge.exe | 20 (PID 3136 wrote to memory of 1164)
Processes
-
msedge.exe (PID 3136, level 1)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
-
  msedge.exe (PID 3332, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc061546f8,0x7ffc06154708,0x7ffc06154718
-
  msedge.exe (PID 4160, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
-
  msedge.exe (PID 3956, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
-
  msedge.exe (PID 1164, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
-
  msedge.exe (PID 1776, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
-
  msedge.exe (PID 1492, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
-
  identity_helper.exe (PID 4044, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4000 /prefetch:8
-
  identity_helper.exe (PID 3960, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4000 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
-
  msedge.exe (PID 4348, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
-
  msedge.exe (PID 5040, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
-
  msedge.exe (PID 3496, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
-
  msedge.exe (PID 4596, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
-
  msedge.exe (PID 2892, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5444 /prefetch:8
-
  msedge.exe (PID 4792, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
-
  msedge.exe (PID 916, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6140 /prefetch:8
-
  msedge.exe (PID 3116, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6024 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
-
  butterflyondesktop.exe (PID 3112, level 2)
    "C:\Users\Admin\Downloads\butterflyondesktop.exe"
    - Chimera
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
-
    butterflyondesktop.tmp (PID 1940, level 3)
      "C:\Users\Admin\AppData\Local\Temp\is-PTHDG.tmp\butterflyondesktop.tmp" /SL5="$D01FA,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
-
    iexplore.exe (PID 4304, level 3)
      "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
-
      IEXPLORE.EXE (PID 1344, level 4)
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4304 CREDAT:17410 /prefetch:2
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
-
  msedge.exe (PID 3664, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
-
  msedge.exe (PID 4504, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6416 /prefetch:8
-
  msedge.exe (PID 4564, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2584 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
-
  AgentTesla.exe (PID 4816, level 2)
    "C:\Users\Admin\Downloads\AgentTesla.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
-
  msedge.exe (PID 1212, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
-
  msedge.exe (PID 5056, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6520 /prefetch:8
-
  msedge.exe (PID 1688, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
-
  HawkEye.exe (PID 3356, level 2)
    "C:\Users\Admin\Downloads\HawkEye.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
-
  msedge.exe (PID 1396, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
-
  msedge.exe (PID 1060, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
-
  msedge.exe (PID 4620, level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,15670594418807884177,17637666213828313960,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3364 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
-
CompPkgSrv.exe (PID 3552, level 1)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
-
CompPkgSrv.exe (PID 1684, level 1)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
-
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores: 1
- Credentials from Web Browsers: 1
- Unsecured Credentials: 1
- Credentials In Files: 1
Downloads
-
Filesize: 4KB
MD5: b2195369934b38f2017298c5b6e391e4
SHA1: 8b1e6c167a6246f40e143096c2460597cc988de4
SHA256: 8e3814140700abfc79012be3d0b86c180195ddb1df37e7d9e3f0f600d925c0fe
SHA512: fd5bd960b9741b76904660b941d165d30cbab3aef95195d6423925176be43e732b257ccba6f5e44af55dfaf4cd3998f5ca0bd911d0c53a7f1286b138e19cb479
-
Filesize: 152B
MD5: dc058ebc0f8181946a312f0be99ed79c
SHA1: 0c6f376ed8f2d4c275336048c7c9ef9edf18bff0
SHA256: 378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a
SHA512: 36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa
-
Filesize: 152B
MD5: a0486d6f8406d852dd805b66ff467692
SHA1: 77ba1f63142e86b21c951b808f4bc5d8ed89b571
SHA256: c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be
SHA512: 065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
MD5: e095a80e9c46e31c8fb37d15e743eba3
SHA1: 9dddc71e3730b800f8bb11f7d391ddbc4ae09471
SHA256: 437e88134dd1e75451aaa668af53427a92ee6c0c82f50c0df8cd18d53f24fa6b
SHA512: 49e5d7427332b2178899a108df4b46f783bc236d5c59cc58150debd24d4793829ccc21309ff768e4cae13d1e2df3f6e9e1179a7fc168a56898d09a16b8a15143
-
Filesize: 579B
MD5: a7d1701142cca705f833d70023ef4e1e
SHA1: 1b76853132abfcddb4fefac42bf9df5d013c9815
SHA256: 6c92f51e7f056e73c407228fc280cb7ca4d00ab02674d1dda4eafd7dc9f070f7
SHA512: 806b7ccb375cc6116e64a9fa15229d783615d13b54cf40251561d9b664f0925915c5375ad88f5ca8d061e01367de239c29da79adf693559af53eeb7d9b1ba1a0
-
Filesize: 5KB
MD5: 85417b40c5151d4515ff24f6794df571
SHA1: 773bb55ace498d2ce2ba78e0d4d2cb9f3ddccc7b
SHA256: 43000692efc34091c91129576709622e0f31ba95453d0f8715c804720aa3a012
SHA512: 0141f9fd2712a6ecce2bc492fb450673c9cb962043e660e90f693a2fc74d0f9cfbf88749a6071f8d089e009b4d6c133bfd3a36202f51b761fe554e75c515a08d
-
Filesize: 6KB
MD5: 6f07e7bd94a029354acc9a52da9354e3
SHA1: 927a23d5e9211e845aa3e77714be95d5150c721a
SHA256: ed3a675824ebb6285e9ba788b1bb231dbc7bfb0d1f9583c8b48d60f9364aed4b
SHA512: 15831225c13f73fb6688e8c11341e4d1d4289b106acae78a7e70f694ae3bf912fab36fb48c331c2bb88b6f10bd0ee1735137ed4ad0bad42ca3c41c42da616897
-
Filesize: 6KB
MD5: a626ecc158655fb3dea4fb9be8e5b4d6
SHA1: b4c7ebd40ecb1b1ef1849f353582da723cef00be
SHA256: 25d9fd53877ef39ed8dad88f12f018e7868c8cd79a55a789ab5de08e1128c15b
SHA512: f11451f5f55eeb5cf37fba77efa3453f8c0253782b9a44a73f124a5362ae21d6178d2801407387d5eeee69c36e9e140b86bb0398d3054b6e9c1b095eff965fe9
-
Filesize: 6KB
MD5: 4393051b73d8236f7f117230fda66ff0
SHA1: 0602563c560e5bf6cd953ac0958599edae075495
SHA256: d8e22ca5eef573ad9fe0c0372321915963c027ec01832ce11056464860fb4f1a
SHA512: 1d6ff943fa27c965551cf988e5a406215c79ddcae79b5fa2b98de20431d3717870a5ad6e458e7bf41ffc759d42b4d3e5f5728f119a66b5b9b03dc57ae8d1510d
-
Filesize: 1KB
MD5: b493f5a007359068065014cef337a709
SHA1: af03a1442fa4bbde3440968b98bd35a633bf92c0
SHA256: e99a8265d149201dc18979cc15809fc696304b7c8d3db0e005b732c42057041f
SHA512: bc06618bb2e98d559687abc18a8215bd3f0e8c686d4ebd7381b0b73304733df3ad63fef82c2887068a840ccf2efcdb16ff3c833a1e6dacc211cab105f65f2b10
-
Filesize: 1KB
MD5: 2180d9b5a18c8a10033ced10a8ae861e
SHA1: c338a41b5afeb14dd85317c64a4784dd9fe931ec
SHA256: 12be1eb0e3ecb8423537cf1c277ea365555753168e4ead598e8da749829a6748
SHA512: 20388e64f621b6b21d38b29b2865b69d4989e7887cf673b809047e974f31084ec697418215e1eb24d52214ee0ba40466e2de4f82b630a0a1bfe642f840d322b2
-
Filesize: 1KB
MD5: 55a550583a92898fd3faf20bde7f450a
SHA1: 2c8de24b540265945c7f15afc638bbfe745aca55
SHA256: 1be9b51b6ca7b307858068e4ceb7571c0e271a891fc92c0812b4cee9ec91fb7b
SHA512: 371b2e1dd20f944ae4c2a638c871d0b42c93733ec7b2dbbdcc487470ed63ec7b771818ca1114615339193acae0c327c3b3733f23506954dfab8bfe6552a8a2f6
-
Filesize: 1KB
MD5: ab047f46461c9e0193d5d342859560f4
SHA1: 61cae4d4012aa61410e28b07fdf13c86bb9812e6
SHA256: 1147dd7c0fe65dfb30f5a66bf15751be74918eefa6ceebf6f78e8d5d7f9dbc89
SHA512: a8009c0fb7a8e04549192e04bcce971e272163e8112f834d07e108bbd4c547703052a6437dd999f7a9d89527309486546a2bc6c6778dd528c8f8a57bc7d2c8c3
-
Filesize: 874B
MD5: 4cac5ba0da6afe93c0eda7f18bef9069
SHA1: 8eff9f9b62134bf8dcee1042e60e505f0b9e390f
SHA256: b541e541c7fa817fbd59cead54eaad64005a0667e51e0aded03896c9eace9b2f
SHA512: 103b3c70d492e5341bace921b53d807e28c56d57673a6c7bb2bed77a647b44c3c0c438e1732757604eefaa837c04089de38c5ac120979568d2fd5c31000696e6
-
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize: 10KB
MD5: 9a5f1c08becf6ac0f9f93d7f22acdb08
SHA1: c9bdbcabf2812c3e8b2db8daa58171a2b35ac819
SHA256: 0cff696e4d6fabdfa16ec9927d8e04f8febd064f0f35b5605ee4ac2fc3a65e05
SHA512: d39d37baea936877bf3f400c79118c47db86aba16ea671972c240a5366ee02238d5ea5e51dc247adaa4661bcf140e8712a7a55b7c6de5cc62254071b75312326
-
Filesize: 11KB
MD5: 9e644e8abc09b80e757e9918c79c3229
SHA1: d97f8d5cd5d29dc2ea296d67e1a196fc6fec88b6
SHA256: a3b7ef1b0c169a62fe3d1858c23ed890dd34ae96814bae61e3a1fe2716b0df3b
SHA512: f4a91acc08488b1b9ac95a9c26606fe080c4e4d89f34c1a0f215ac635caa7bbad092fbe07184d9f0c0232fa1b81ebcb1a63816121c4398990700cea471a7afbb
-
Filesize: 11KB
MD5: 9bfb35a7ac2a907bf03866a60abcc6d1
SHA1: 391eac71351f2a766f4951d2bba3353c66b0d202
SHA256: 82607bf75a4263f10f567ac6c9e3b5998ae3509eefd58cc9dc05a2cbfa107279
SHA512: 512c158960ebcd107ea5aeb6f4b648ff15b1143dae67cb16d61c2f540ceaec914537badbc92aaf538c7fdd7ec4e5196db94c0274d8ab011ee7057c18d94bc39c
-
Filesize: 688KB
MD5: c765336f0dcf4efdcc2101eed67cd30c
SHA1: fa0279f59738c5aa3b6b20106e109ccd77f895a7
SHA256: c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28
SHA512: 06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891
-
Filesize: 72KB
MD5: 9a039302b3f3109607dfa7c12cfbd886
SHA1: 9056556d0d63734e0c851ab549b05ccd28cf4abf
SHA256: 31ca294ddd253e4258a948cf4d4b7aaaa3e0aa1457556e0e62ee53c22b4eb6f0
SHA512: 8a174536b266b017962406076fe54ec3f4b625517b522875f233cd0415d5d7642a1f8ff980fb42d14dab1f623e3f91a735adefa2b9276d1622fa48e76952d83c
-
Filesize: 2.8MB
MD5: cce284cab135d9c0a2a64a7caec09107
SHA1: e4b8f4b6cab18b9748f83e9fffd275ef5276199e
SHA256: 18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9
SHA512: c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f
-
Filesize: 232KB
MD5: 60fabd1a2509b59831876d5e2aa71a6b
SHA1: 8b91f3c4f721cb04cc4974fc91056f397ae78faa
SHA256: 1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
SHA512: 3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
-
Filesize: 2.8MB
MD5: 1535aa21451192109b86be9bcc7c4345
SHA1: 1af211c686c4d4bf0239ed6620358a19691cf88c
SHA256: 4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6
SHA512: 1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da
-
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e