revengerat | 4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

butterflyondesktop.exe
Size

2.8MB
MD5

1535aa21451192109b86be9bcc7c4345
SHA1

1af211c686c4d4bf0239ed6620358a19691cf88c
SHA256

4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6
SHA512

1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da
SSDEEP

49152:5aA7f7tlVmdqK23H2bpHI4Qs5ABV9WRHZRsgI82lcHGAaKLinXBgJ:Q+VMkX224QsWBq5SfARGRgJ

Score

10^/10

revengerat discovery persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000300000000070d-683.dat	revengerat

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
876	butterflyondesktop.tmp
2908	ButterflyOnDesktop.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop	butterflyondesktop.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
178	raw.githubusercontent.com
179	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Butterfly on Desktop\unins000.dat	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-6RIK5.tmp	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-S8HOU.tmp	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-T0CA6.tmp	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-PBIUL.tmp	butterflyondesktop.tmp
File opened for modification	C:\Program Files (x86)\Butterfly on Desktop\unins000.dat	butterflyondesktop.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ButterflyOnDesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.tmp

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3756129449-3121373848-4276368241-1000\{2710E523-997C-4263-A5BB-FCAF4B6D2DFC}	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 405154.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 808326.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 612249.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1752	msedge.exe
1752	msedge.exe
3332	msedge.exe
3332	msedge.exe
2320	identity_helper.exe
2320	identity_helper.exe
5408	msedge.exe
5408	msedge.exe
5376	msedge.exe
5376	msedge.exe
5376	msedge.exe
5376	msedge.exe
5444	msedge.exe
5444	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
876	butterflyondesktop.tmp
2908	ButterflyOnDesktop.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
2908	ButterflyOnDesktop.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 876	3220	butterflyondesktop.exe	85
PID 3220 wrote to memory of 876	3220	butterflyondesktop.exe	85
PID 3220 wrote to memory of 876	3220	butterflyondesktop.exe	85
PID 876 wrote to memory of 2908	876	butterflyondesktop.tmp	92
PID 876 wrote to memory of 2908	876	butterflyondesktop.tmp	92
PID 876 wrote to memory of 2908	876	butterflyondesktop.tmp	92
PID 876 wrote to memory of 3332	876	butterflyondesktop.tmp	93
PID 876 wrote to memory of 3332	876	butterflyondesktop.tmp	93
PID 3332 wrote to memory of 1560	3332	msedge.exe	94
PID 3332 wrote to memory of 1560	3332	msedge.exe	94
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1740	3332	msedge.exe	95
PID 3332 wrote to memory of 1752	3332	msedge.exe	96
PID 3332 wrote to memory of 1752	3332	msedge.exe	96
PID 3332 wrote to memory of 4684	3332	msedge.exe	97
PID 3332 wrote to memory of 4684	3332	msedge.exe	97
PID 3332 wrote to memory of 4684	3332	msedge.exe	97
PID 3332 wrote to memory of 4684	3332	msedge.exe	97
PID 3332 wrote to memory of 4684	3332	msedge.exe	97
PID 3332 wrote to memory of 4684	3332	msedge.exe	97
PID 3332 wrote to memory of 4684	3332	msedge.exe	97
PID 3332 wrote to memory of 4684	3332	msedge.exe	97
PID 3332 wrote to memory of 4684	3332	msedge.exe	97
PID 3332 wrote to memory of 4684	3332	msedge.exe	97
PID 3332 wrote to memory of 4684	3332	msedge.exe	97
PID 3332 wrote to memory of 4684	3332	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\butterflyondesktop.exe
"C:\Users\Admin\AppData\Local\Temp\butterflyondesktop.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Users\Admin\AppData\Local\Temp\is-KQ691.tmp\butterflyondesktop.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KQ691.tmp\butterflyondesktop.tmp" /SL5="$602C4,2719719,54272,C:\Users\Admin\AppData\Local\Temp\butterflyondesktop.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
    "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
    3⤵
    - Enumerates system info in registry
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe57b746f8,0x7ffe57b74708,0x7ffe57b74718
      4⤵
      PID:1560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
      4⤵
      PID:1740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
      4⤵
      PID:4684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2200 /prefetch:1
      4⤵
      PID:2664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
      4⤵
      PID:5052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
      4⤵
      PID:4100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
      4⤵
      PID:4260
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
      4⤵
      PID:2808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
      4⤵
      PID:3020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8
      4⤵
      PID:3888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
      4⤵
      PID:5256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5028 /prefetch:8
      4⤵
      PID:5400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3008 /prefetch:8
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:5408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5364 /prefetch:8
      4⤵
      PID:5568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
      4⤵
      PID:5576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6324 /prefetch:8
      4⤵
      PID:5692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1
      4⤵
      PID:5876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
      4⤵
      PID:5976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
      4⤵
      PID:6108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
      4⤵
      PID:6116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
      4⤵
      PID:2500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
      4⤵
      PID:3860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
      4⤵
      PID:4992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
      4⤵
      PID:5500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
      4⤵
      PID:6056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
      4⤵
      PID:4712
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
      4⤵
      PID:4044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2056 /prefetch:1
      4⤵
      PID:5272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
      4⤵
      PID:5276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5484 /prefetch:8
      4⤵
      PID:5844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4852 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1936 /prefetch:1
      4⤵
      PID:6056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3188 /prefetch:8
      4⤵
      PID:5804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,275888455082934604,17686651119565124812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7052 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe

Filesize
3.0MB

MD5
81aab57e0ef37ddff02d0106ced6b91e

SHA1
6e3895b350ef1545902bd23e7162dfce4c64e029

SHA256
a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

SHA512
a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
cf71778159c7fa653c4d68ced364f999

SHA1
5400bc16fa371d67410ae4d32c9dd4c9e4964328

SHA256
a32ca6bff94a356165af09aea2be6f1494407fb8bd44277f26cb1706f0549818

SHA512
8eac3e1e7dc599f75534722b73218e083fd016367c407033ea27ca8744cb7001e955940b2b276d80c7c26aea8f70d18bce6aa4c4351743fd9ebae91c6b678d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
64ec52b4dd47fbabf8538413450a116c

SHA1
01c7d99d019dd22abe7ddc600eb2344212868dbb

SHA256
724d146ce37bf891a869a38db93e57a91d1f81110cf525968e839ba815d6114a

SHA512
8293a2c2be206a71ffa9a64359a79372fbe403b8c7e9feaf1e8e2319209fe9ce6cdfebf30e9e6abbdffdd1183d882e2f90e4c8b187860684cf1c58868e00f75a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
27bbe0a9e8cbabacf7afc487429e940d

SHA1
13f44747a633b19023802c210b129d7c754ea348

SHA256
c5af8145a10806fdb441bf131854e1620216fc2e4b3f9736f5114ab654aad4ed

SHA512
a03777873e9db49cee8511c9ea4c015a89103611a090127ac22526f13699f7a65d74e929d52156b43782682072115d1773ba1e7003f3c83b16ddc625e7d11295

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b190041257baf1b4728f22b7783aea48

SHA1
9a067989d3aa8683fa82d876ca50ced4277dbc44

SHA256
f4d95eb801924fa336e6591096ae0e8aca73c787dc684e796fabc8accb4cb63e

SHA512
a027360cf5174ace930c0f8c1d9f8e8150253daff9b93f42a7037b40549ce89338d085b8f0049e8c9aa283de32bbef48a8d3567fe2bc8ffb0c51c8367aeb72dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
76eef49ddaf4b1d03d8904c3a4a9b1fd

SHA1
b59719f23818bf7c4798c9cc413fe9f9305aef2a

SHA256
b9e54d150561d24b9bad3d2c4eba3055cc654fe71e59301f30b652e97bedf67d

SHA512
e29895ffae1b0a7e8c6839490a4d45609cbc9494f81f024f5d7e370540cfe28836f8ebcbba136952dca60242de715c5d61fabcdf742eb601fefb39a4d7af0822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
bcea78f53951626f2877891ab0c7ca8e

SHA1
63cb22f8a7c542beea9afedbcb44f4101d24ff31

SHA256
3760114e8120fae67f9145455c2dd6f28ae4ef12323a1e04abfd40bc51b273d7

SHA512
4c060bb8262d3ae8ef977b1ad42828a43ad3cb09b0fd6195b809d1b9d4257bf494b15deca20008a6f1448c7f17bc27549d7e3cf8cacbfa1ad2a398bb5959f24a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0b8ce2e6cfade815e63212a1d1700826

SHA1
161f846946a02a74e787733b1a2458ec8d60e1ce

SHA256
26b22c3b29fcdfdc95ca6bb648f222e46f6d328152619803aadb5ccb8c2bf60c

SHA512
887bf77de84a6cadf86b82806a631ed41feec60176f3e4db4a647b92672eec9830ce67df63c6d22f983f626f6a6dd29040b958a5729cca83a9c61dd14fd8b229

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
01955f66e33500ec209bb0ca3dbee167

SHA1
38d4c072a23e31e7f9057f27ebc45572632a7d91

SHA256
239eb885a9111aaaa069ab75f6d162ce3b3c6d0ba856e76d235e710da3b90d2d

SHA512
b27f9bfec45dadff5eca6610e72249e977c98e6187e7428193b03cb2a1ffb42d927aa48a6d624b90a283c2985bc24f0515e8a4b57571b0d5917d22de46bffae6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ecb5c5c938637ae3a402d9a1edd30d89

SHA1
bb465488e44f389ccbca96256596003f31703215

SHA256
63b6482d601e19193f49e9e25bd65b9cd3b2009a7f2d989a025036c88c53826d

SHA512
85d69d60a36011391a8c2fca2b2aea0737cfb161d4307c8ed91814234f60dd24985ae006b171e44b6e483738ee8bee5ffd9be9994817d799691e68a9b6505b46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
34e3dd13f5f7251b1aa82c87ea8880fd

SHA1
f12a1492ce7175208f3116bd55ab193011653084

SHA256
00c96bdcedf10849b654ed16021ac3e6212e4ca880e8874ceaa2060bab894cbf

SHA512
d4d5790003e8adaa22b3c90a9a2c9fabeb048493eff18c34521757ecc7b789742439d41211a2d5133be87e001a1ad33ac0578cb74b4a47caaee013cfdd399cd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
28ccf926a77db26098fa1f7262c0a294

SHA1
ae239e82642c2b303dc9bc9919cd3a016998e1e4

SHA256
6e81f942e9b9a7a205ef26345062b16867bc7c102db145db4221e2412a9685cb

SHA512
fa742e7f0f1a5c8ed3c660444d4518acbaafe4ff7ed4eda9f6d283f7bf62b77434986e5c61b4374f804cd9896bba46d83a561e1a16bcc78ba0997c4881a4d65d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
10ad1b2b0a44f312ab05fafa8ddb3299

SHA1
f6a4a77b847615d7919e9fa1fa78760a90940f93

SHA256
cd15933a3e6cc0fe212f44c0cff532ad28ad29ef884125240680d01983e0dc99

SHA512
9d342f0e269fbe8e3b189e3e1755544b39ef2da4ba1ad1a56918b82a7c452423d9d955294f3c975943b9e1d47a510c170ff36b4a7e39324fb0b3111c1dd9e075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
702B

MD5
bc94c63f484760e96fa83b9ccbb66ca0

SHA1
e880c4285aa647d062c5f4800a783f8cd3d0fa6b

SHA256
7794c30be36ebd27da6e43c580647eb16a37f46693ccb7c625ace57f182d4ed3

SHA512
fe2b4fe92c8386f38a24b5e32c22122dd2da7ab372a837e7233d41673c50e5409ed27130dcc2212fff0da74029b6370a6bb9475de1109dfb46a121d50bdf156e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5b35b64011c2d4623e721dbc4feabbcf

SHA1
944d073c90c8a7719c7d19e3eb54f1bbb0020026

SHA256
731ae17d16b09ca4474d0a805caafc845a60646c9032ee3745cb79908a2a76ed

SHA512
de6ab61e691baeb351d913686825f2ab19e1bc58c4bdad36f046fd87bbb47ed9473da65c2b195fe81c74a66416392693f2f47f00a04f712aee7e854ccb9bb323

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5815a6.TMP

Filesize
535B

MD5
6e6d7e3d53db95cd886c153d393dc218

SHA1
8e702914e87d4fcf1feecccddf2adeb8868f0ea6

SHA256
e03c119d1e432f10e733f9018f47cc58ca5cf0fd0d663ca45ef7845a98431ec2

SHA512
05e8482da39ad2a73d483affd7b020c5b485362af89feb82c21995287cae0474a3f5b27c5caa51f962284d23604157f1439806c0e28237c5fe7aa2e35cb2b00f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
dfa4f5653a1937776f462456ac311b05

SHA1
dffe9271b94130ef1e708c2b139958c2fb8efa6c

SHA256
335815642106538c3cdbdee397ebf48de8d756d9d122e1b2a564bc442085a4ae

SHA512
9fb6efbac065555f4dffc2c01a93fb6fea47d4c3f8447d176f9a0a337e40d9ea84f44ed6ae28cf89948ed299b0b7f026b7687b5e180d5757482421092d0f56fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KQ691.tmp\butterflyondesktop.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
5ec898a3091bac260c794b9a4c778224

SHA1
e57e13c6dfcbdd9ccdbc823488e71b06b46a968a

SHA256
5a751f21009f31015ed979b98343a60a90cd6687e48e556d5e8741e9353d9238

SHA512
1150e677f3d8fe2b27cc4a793f83895f094d9973c78c57ffe273887d8ce03a265510e113363f8d214f1bc025067766edfa3f8fe901e08ab0f6be20a9f76cd0f5

Download Submit
C:\Users\Admin\Desktop\Butterfly on Desktop.lnk

Filesize
1KB

MD5
ab2ae0ab0509ea1f3fb8046c730f3911

SHA1
8d0744b4d9e7fe1b55e0b5cca36490c28764743c

SHA256
fae7185f6ef0df0a30c03133dcd4566daa76640503b0708175b013c1771d11e4

SHA512
f66daa616c56168e706ebf987a35361d48b8218f447acc0d1e576e35bf7b3b2df7a0ab66fdf1bb089ee677c40b30c77ead064315879a6b4024898adbef4e1988

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 612249.crdownload

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 808326.crdownload

Filesize
200KB

MD5
c72200c8fabfbe95b8b2e1e2e2017fa9

SHA1
a95256bf0868850a4cc7b1ab85d3cb9b08f051da

SHA256
14a9b27089344667c9b444c0c8cf5d4b84c1482e80bbc4c7e6a3015154522824

SHA512
eec9027cbbc24fe36b148f9b71f7ca38048e4619e59cf577ba9a86513ddf20f81cb9d625ee6e378c2da422d95ed8b4a51a7c08ebf36f1738839cad8b1de48451

Download Submit
memory/876-44-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/876-7-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/876-34-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/876-35-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2908-602-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2908-39-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2908-577-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2908-556-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2908-585-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2908-241-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2908-487-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2908-675-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2908-178-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2908-635-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2908-636-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2908-179-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2908-664-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2908-678-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2908-674-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/3220-45-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3220-33-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3220-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3220-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download