chimera | 6514b345465786d232a61f8aca8e3b60e2bf8a3e45f237086e55caac0c19cb4d

max time kernel
477s
max time network
477s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
13-01-2025 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1d93e8597dd860cf81cd913c4b997818.html
Size

25KB
MD5

1d93e8597dd860cf81cd913c4b997818
SHA1

a7dacf6a32b194720a87130a16f2222c44f036eb
SHA256

6514b345465786d232a61f8aca8e3b60e2bf8a3e45f237086e55caac0c19cb4d
SHA512

c35592acafe20b18914ba7ee31201faa7534136df292d7c14436fb3bcbdd5f07b96b3b63897509068b8263ec4e12f55e192de027996dac8e63e08712fb891e98
SSDEEP

384:PqlIcCtF4JVGTHyk9v1o99t5W9ISFaTGHx6QckT/gbpLOXguLZ:sZtSF5zg9ExLZ

Score

10^/10

chimera discovery persistence ransomware upx

Malware Config

Signatures

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-sl\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

resource	yara_rule
behavioral1/memory/2456-660-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Chimera family
chimera
Renames multiple (3294) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
4412	butterflyondesktop.tmp
644	ButterflyOnDesktop.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop	butterflyondesktop.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 25 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Music\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Public\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	AgentTesla.exe
File opened for modification	C:\Program Files\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	AgentTesla.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	AgentTesla.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
145	bot.whatismyipaddress.com

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4792-8592-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/4792-8594-0x0000000000400000-0x0000000000454000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\SmallLogo.png	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Pester.help.txt	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pt-br\ui-strings.js	AgentTesla.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-100.png	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceDaYi.txt	AgentTesla.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar	AgentTesla.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\common.js	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ko_get.svg	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\da-dk\ui-strings.js	AgentTesla.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-180.png	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInAcrobat.gif	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\improved-office-to-pdf.png	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\adc_logo.png	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\ui-strings.js	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\ui-strings.js	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2.16.White.png	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\nl_get.svg	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fil_get.svg	AgentTesla.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	AgentTesla.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml	AgentTesla.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\powerview.x-none.msi.16.x-none.tree.dat	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\cs-cz\ui-strings.js	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pl-pl\ui-strings.js	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\move.svg	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\check_2x.png	AgentTesla.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\cs_get.svg	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\rhp_world_icon_hover_2x.png	AgentTesla.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\de_get.svg	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png	AgentTesla.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.VisualElementsManifest.xml	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pl-pl\ui-strings.js	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-ma\ui-strings.js	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\close.svg	AgentTesla.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif	AgentTesla.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	AgentTesla.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\ui-strings.js	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\selector.js	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\af_get.svg	AgentTesla.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	AgentTesla.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_company.png	AgentTesla.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-80.png	AgentTesla.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentTesla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ButterflyOnDesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArcticBomb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinNuke.98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alerta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ff31ec61432f7a41bd8a8a4775deff8600000000020000000000106600000001000020000000f93e4109467651a504873d63734f7ebca234aad85a1d53df54ffdc1803a76709000000000e80000000020000200000000780e59e91f227f24af7ca913ede4e6ee59ad1514d072ce822de601182e402e020000000eab58f8e980af9ee8fc09e424cb3d625ac8895d11b63c75d348cb8d4d3e9b8b1400000000c8a400b058ce0d75b847998049289d48a5bdf4129b72492362db934d4ee75864161e9afe24e8f0b9bada09bf31101acf2d276c5a986ae427c51991251139ed9	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443552568"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CF36AB49-D1CF-11EF-A8C8-425278E7EED7} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9009eda4dc65db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 709df1a4dc65db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ff31ec61432f7a41bd8a8a4775deff8600000000020000000000106600000001000020000000c7a3fac18f5c46a0477b45ecf02c3b6483217cf2146094e3ecfbc437fba92d9d000000000e8000000002000020000000004dac76853e759952199f40009fa1d465088fe2d64be0b83a4d8280f657ae9e200000007c61aed5df67efbb718dcb1cf419ec8c69a27b35473bd834f399d72dae9ae709400000004a0b276ea91cd02ee23da249ec6809034f2c8f7cb6443df1cdbf07bfc72ae1a3bada54c91568d7494ab7251806f6c5f780cdd51015a2b6fd9d2c5ce059d56e0d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.4355\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4868	msedge.exe
4868	msedge.exe
4888	msedge.exe
4888	msedge.exe
540	identity_helper.exe
540	identity_helper.exe
1716	msedge.exe
1716	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe
3420	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2456	HawkEye.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
644	ButterflyOnDesktop.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3424	AgentTesla.exe
4348	OpenWith.exe
3428	iexplore.exe
3428	iexplore.exe
3428	iexplore.exe
4336	IEXPLORE.EXE
4336	IEXPLORE.EXE
4336	IEXPLORE.EXE
4216	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 2708	4888	msedge.exe	80
PID 4888 wrote to memory of 2708	4888	msedge.exe	80
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 2704	4888	msedge.exe	81
PID 4888 wrote to memory of 4868	4888	msedge.exe	82
PID 4888 wrote to memory of 4868	4888	msedge.exe	82
PID 4888 wrote to memory of 1780	4888	msedge.exe	83
PID 4888 wrote to memory of 1780	4888	msedge.exe	83
PID 4888 wrote to memory of 1780	4888	msedge.exe	83
PID 4888 wrote to memory of 1780	4888	msedge.exe	83
PID 4888 wrote to memory of 1780	4888	msedge.exe	83
PID 4888 wrote to memory of 1780	4888	msedge.exe	83
PID 4888 wrote to memory of 1780	4888	msedge.exe	83
PID 4888 wrote to memory of 1780	4888	msedge.exe	83
PID 4888 wrote to memory of 1780	4888	msedge.exe	83
PID 4888 wrote to memory of 1780	4888	msedge.exe	83
PID 4888 wrote to memory of 1780	4888	msedge.exe	83
PID 4888 wrote to memory of 1780	4888	msedge.exe	83
PID 4888 wrote to memory of 1780	4888	msedge.exe	83
PID 4888 wrote to memory of 1780	4888	msedge.exe	83
PID 4888 wrote to memory of 1780	4888	msedge.exe	83
PID 4888 wrote to memory of 1780	4888	msedge.exe	83
PID 4888 wrote to memory of 1780	4888	msedge.exe	83
PID 4888 wrote to memory of 1780	4888	msedge.exe	83
PID 4888 wrote to memory of 1780	4888	msedge.exe	83
PID 4888 wrote to memory of 1780	4888	msedge.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d93e8597dd860cf81cd913c4b997818.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc40c746f8,0x7ffc40c74708,0x7ffc40c74718
  2⤵
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,900398126353313532,15267689083058332821,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,900398126353313532,15267689083058332821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,900398126353313532,15267689083058332821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,900398126353313532,15267689083058332821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,900398126353313532,15267689083058332821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,900398126353313532,15267689083058332821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,900398126353313532,15267689083058332821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,900398126353313532,15267689083058332821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,900398126353313532,15267689083058332821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,900398126353313532,15267689083058332821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6036 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  PID:1376
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x260,0x264,0x268,0x23c,0x26c,0x7ff610295460,0x7ff610295470,0x7ff610295480
    3⤵
    PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,900398126353313532,15267689083058332821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6036 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,900398126353313532,15267689083058332821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,900398126353313532,15267689083058332821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,900398126353313532,15267689083058332821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,900398126353313532,15267689083058332821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,900398126353313532,15267689083058332821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,900398126353313532,15267689083058332821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,900398126353313532,15267689083058332821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,900398126353313532,15267689083058332821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,900398126353313532,15267689083058332821,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6600 /prefetch:8
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,900398126353313532,15267689083058332821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1880 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,900398126353313532,15267689083058332821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,900398126353313532,15267689083058332821,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5596 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,900398126353313532,15267689083058332821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,900398126353313532,15267689083058332821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
  2⤵
  PID:3940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3080

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4252

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4488

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\AgentTesla.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\AgentTesla.exe"
1⤵
- Chimera
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3424
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Downloads\YOUR_FILES_ARE_ENCRYPTED.HTML"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3428
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3428 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4336

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3272
- C:\Users\Admin\AppData\Local\Temp\is-T0M0E.tmp\butterflyondesktop.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-T0M0E.tmp\butterflyondesktop.tmp" /SL5="$30324,2719719,54272,C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4412
- - C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
    "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SendNotifyMessage
    PID:644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
    3⤵
    PID:1960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x150,0x154,0x158,0x124,0x15c,0x7ffc40c746f8,0x7ffc40c74708,0x7ffc40c74718
      4⤵
      PID:2060

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4348

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Alerta.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Alerta.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4208

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ArcticBomb.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ArcticBomb.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4792

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe

Filesize
3.0MB

MD5
81aab57e0ef37ddff02d0106ced6b91e

SHA1
6e3895b350ef1545902bd23e7162dfce4c64e029

SHA256
a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

SHA512
a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Download Submit
C:\Program Files (x86)\Butterfly on Desktop\license.txt

Filesize
2KB

MD5
a333a7a052165646c40bd20a2c4eac3e

SHA1
79bc2f2552fb21f7fa16601c4789d568eb10019a

SHA256
0ad1650f36592b4104a4f9bea809bcf149ead9a481df0d0f1634534371cf2f54

SHA512
371f6a2f5371818fe75b0366f271e21c12a5fc217be906098fd93745c8ea58a68aed7ccc602f54e560a700dc81c3d76b449afa7a5778cc3a4fbe6b92bc30ba2d

Download Submit
C:\Program Files (x86)\Butterfly on Desktop\unins000.dat

Filesize
4KB

MD5
1843a45214be65fcb1b8b4d6fa8a1f28

SHA1
ef2fd1e43ed9b9a7ac9fc1579105f9fe51bd0eb5

SHA256
29d58d0b2d763296b3942bd93943422b3e538897dcffcc4e761cefc679348c0e

SHA512
8173345cfb5ac188292a3bc05e56ae0d8b3842a531bc3a666a4860040b7dd143e0cc96ff1f125cda3f9fdd5002234937610d2c24a95e67db4abeb35c0c316c41

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
27dbf37fce39e89919b8186efdc7c3e4

SHA1
9c92fec3ab33be3aa806aedb3c04805e6c9df09e

SHA256
f393ec361bb0725d8840037358e5aae5487ec73a1b7dcbbc6c16ed470e12a116

SHA512
8ca4955b0b6fa357ada8b058b7ff9a41e31901df6d2a57192767296cac768bd6ee6878bc217e8d532ddb5edca653e6883adb0708ec34dda5bbecb722bc402637

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
254fc2a9d1a15f391d493bff79f66f08

SHA1
6165d5a9de512bb33a82d99d141a2562aa1aabfb

SHA256
2bf9282b87bdef746d298cff0734b9a82cd9c24656cb167b24a84c30fb6a1fd0

SHA512
484a1c99ee3c3d1ebf0af5ec9e73c9a2ca3cf8918f0ba2a4b543b75fa587ec6b432866b74bcd6b5cdd9372532c882da438d44653bd5bccdbc94ebc27852ff9e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5408de1548eb3231accfb9f086f2b9db

SHA1
f2d8c7e9f3e26cd49ee0a7a4fecd70b2bf2b7e8a

SHA256
3052d0885e0ef0d71562958b851db519cfed36fd8e667b57a65374ee1a13a670

SHA512
783254d067de3ac40df618665be7f76a6a8acb7e63b875bffc3c0c73b68d138c8a98c437e6267a1eb33f04be976a14b081a528598b1e517cdd9ad2293501acc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c6e737e2bdd88e612b154988c766840

SHA1
8f958e9b305298bb9885906729268badd6fc6e7b

SHA256
436526d1765c814e2e83859bab221115960840c3d4148397b50f33b1303312e2

SHA512
cb2c27b62726cf0b51ce1fd2449ae5160ae533d61af1014e4e829b24fd7e04c578f5c7c14535bfcd2d6302c120c2eb3ab1f5a4547fc31c86256a39bd8b4135b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8c830ee7d399091719e12cb417b75659

SHA1
3cef2e2dd89d29d078353bfcdd870de9256cf0cc

SHA256
26403b5e4bb905a32561f2662b2eda24b4a785c5385a7e7de84bc55fe9b9c623

SHA512
1bf67181414036a62c3c0288b1bc04a490d785e5e513544839e56875ed4aad2fce240c901b068279332001a44d2849ad06d0f99c9ed8d83f8669beaadacc9457

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
d0eebd7ae77d38c6c0ce1926a6f9bce1

SHA1
74155bc99457842cfc87f77f982613f2b3030c73

SHA256
f3532d9d8fecc841937762b1ee8a8329f2eb148dabd8d80f0c735b6343cf33da

SHA512
e8ab4c66557720c0202a81955ab5e1d44332a344835a74ff88293f58014246b18ff7d12c007087fde870bad72a60a2c08e5fec83e138d4ec7a43dd8f6c488cad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
0cb40592f133da131b83b22ae9d1b9d8

SHA1
29b53644ddfbfef55b9a43d76d8f574a9faac0ac

SHA256
7be8b549d78961e7b3b2ae86160dc07cd5ef1fc1170eb6594a7249f3638dec36

SHA512
0de290be9dc07977881998871a6bd9e89b7ce802955edf41ac2c02ada1dad2ff9e519661beee955602685e0ecddd87f28139e15114db1e438efb19fe8f3b7ef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
865B

MD5
166bce9e83b9d63655b17887d14871d8

SHA1
0a46dd23e936403b735eafb528074a84b002fe95

SHA256
c963622a650caa52dd4129c2a5798329eb0f02d07dcbbed3b5f053157512e26f

SHA512
cd0d31e37a51a8162a4321fd4ec99e60140619c1a12a5b138b3dc9eeb1d160986ee89feace0f4f177491fc7c5d8b81938341cc2969275261bdb2507a7bb58c00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
3b442a1166e9ac5848c680dc00a87eab

SHA1
6bb09060f04b40fc45e23637fb3d7a5fe1f64446

SHA256
b98a34904dd19a5cf1ea3dd09955abbdb82dc4ffb7a082d8840d7e98cbb20540

SHA512
59ca0684136536bd0986fc41a3e439897cb2597b890b72244c8324a676251a8230981a6a91d57c700f90ca425dd6dc8a4cac56f5c38a96194f6b65f38180e351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe581364.TMP

Filesize
59B

MD5
78bfcecb05ed1904edce3b60cb5c7e62

SHA1
bf77a7461de9d41d12aa88fba056ba758793d9ce

SHA256
c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572

SHA512
2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9a02e28c1fa5d0c1af1210693bd95142

SHA1
fb8b26f11e4d2719795cc49ea5734f9810255acf

SHA256
e4c7e4ea736fccf340919d6879d1297b9f18c43f5667cbd1e02dfdbcb3c69562

SHA512
ebf889175d7bac57ba2e262654c31450a9b2d2c7b3b5d5e69c6a52cd551286ced89397b0d33b3a7efad431dc49fc2caac1290474c3945b75ae81fca15eb83119

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a3b525de3fae09f3c2a3e04ecbe7ea37

SHA1
02b4cda745e73b30fb136a57847f7d9e4ff6908d

SHA256
a251186cffc296ab8448b76ab4ae4294143fced53173f7cb3f625707846eb1f9

SHA512
c0c130e698fe3a9af16176c097013804b35538aeb4011c1feb8b6fb716630ac32d973929e1f0852627e0dbdc9b305e104104cd750aa359e4c0d5c2195acfdf5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7327a4f5680bef081873678d4bfc8b2d

SHA1
416f0d5b4903740354c722d89ae00dab26f771f0

SHA256
edd9dc9e80950d8a7e37c01c570059fd8c4d41e8d811c9f1057ca721dcc09b27

SHA512
befac3bb15947c17960c5412ce409728a7cb16e88991ccd526daf1e2809df85c27e982d080062c918ff62dcd3a3f34f8b770b19759d6e897c606d1b0743a691f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5558bfcf9ce65c228db3361301f5c0db

SHA1
301b9713794dd332c31e3ad4b5c16647580c5b58

SHA256
e971f1b1843ebce101d0b956c35d661aa132c01fae29d81d8303e6fad8f2ff36

SHA512
6d1c629665e1fff194105f0cabd38aabefd88ce397107abd68e90ff749130936b4d27f560a99351f00a2c4e4cfec37bfdf16538bd1f353141493ca3995e617d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c679425bc1df2338cdc728961e62b0a5

SHA1
8a6a06770234bcfd1c0a15b394eeaf13428e8f5c

SHA256
9eb5754b98c91e1fe35694bf075b80d9704139470430b6cec5ee5918ae05e662

SHA512
06fce35a4261f17676f06fb9af6e4d6a35007f7661f8b41e34553ed1730dd82f3c77ab9d0270c6c716fe9348fc7397463a99d358b942777854e5ad307849a47e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
48febe0b0625901956573dfb2378e7ed

SHA1
c324173a8f8fd7a6a7398f6bb24dd2ee11d3cf24

SHA256
f0fae7ad33efdd05845d0d631ce8341ea4b6dfd4c45be844f0c117738df9c0d0

SHA512
fc38a0c64e67e3b5d43f787fe86f700e6f753d8e90bcebc446d4a8c631b9e4362a74fa862a5b2ffc74f3f5236d3ecf006b341042b5469d1cc24f2c325a607a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
bc3a0ca62cfef580ff9ebbb7afc92b9b

SHA1
fde9832ce521fcd53850d0701a543ef75b772e3b

SHA256
b0203fb7c3812937e92ac04ad6065a2129bc165a36a60a4d2fdb0accc4499464

SHA512
fc1f3a5bd2106d9b6ed5a678c2f4978550a0d7414172b0ce6954a835b0da01ac28c177955a48c2ef56ea3d517a6672474a9cab873aeccae3f22a45ccf2d070de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9a410a7d3bbbd07cd2acabbc40a9a0cb

SHA1
b8c6f5c78996002d8b24f1747578a3f9c0ead54c

SHA256
246922c25f1de8d366eb057e4190093e5d020cc15b495133c41d52a4e43b10c8

SHA512
0c7e0b0695eebcd646c407fc0820bdcc070cedb54eaef85d330679dcb7383ce80e21937a00477cad91f9b3b90a01ed1c3740c68665eeba63b0e088869ca12495

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e0503d7796755c21c48f68872ea3379b

SHA1
d446a8f624202a134f9203e20054943c4ba8c631

SHA256
458f8378526e2f80422a138bfd1fda0f0c7bef27052627c509b52206809dfbd8

SHA512
4b0d4d55ab241fbdde69d21b443f7e516b674644fb5f39f98477174c2e49b2842d54d3cf5d5186112339a0192eaa369df466bc56bd5aeb6577feaca8973fd6b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584d40.TMP

Filesize
1KB

MD5
1ca59c143fb47647308588bedcbade2f

SHA1
e7681b010f76c90190ad7444c4c518696fd13435

SHA256
16479fde0d1ad0494b941afd5764ce14cd09b8af4d8ce0269205d43b2e563c0b

SHA512
246be09c3bc78556cb24ce75bddf79b26c8bd5bd139fe909adcb51751baaa1b5fcea566ca04302bc68f4687a41323edc0aca2bad3dc532f28a48f7576a4410e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e0f38f2403ce3c29f5c249c061c240e5

SHA1
10370bfb53ed2f9c86fd5126d8f6e699962d363c

SHA256
e3611980000647370e0215ce1c9e44ad69060f813a18263fc9afb9a884bab88c

SHA512
541ffacf537f805db47b0f51a3f870ca675098b8b6efc859e9c1dcd59764f7521b3fa61b24475b2c3572ad37d305502700b865e5ae0c0781d4f15500dcfda69f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7adb4589371232d2f8adc89e4d4f04dc

SHA1
4b16530cfbaf4cf2ff5c70a77506cb49370bf271

SHA256
5a3ce7c3d8d2109a6f9aa2ffa45e4bed1e52878c0255aa78771ef5b1e76a1acb

SHA512
c6c760c8ef7bf3e909af8d4440f46cdce2cdfcaad23ae84bbbf1f76aa024bcf6ef46b506764b84f61fda3040a1d9d4c10cfd88ff61c8dadc82f8191f914f49d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
3a0d1135b28765f568d6dffe5365d7c2

SHA1
1bd4c42f711d698a3623e779bf4c2921f75c47f6

SHA256
b4757030ba25f2694750db222379ffd13b5b79b47d4472c31a0ba85eaaa80de0

SHA512
c73855ee56adf9b0cc1536ce2c2c12415a8dc6e46ab7a5388188ecbb3d7e560404e79d849c29fe49addcc619eb6202795e14748b3d1a1b1b4343f45875454ef8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d624901ce5595efb6c0e17bee49c7742

SHA1
749181b149b3d7407d8979d306e2ba8b077e2980

SHA256
10b85ca86be88632fd07548255a0434b0a7be24329bff5ecedbb39482420a09e

SHA512
3a225c71196d96c7d6fa155b79ea909373e22f77584381935807b49994fb292984cf9a8edbf4572df74475eb212d12ba20b16a91c0c4c959bab6568787d87d34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\A4HFCYWX\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T0M0E.tmp\butterflyondesktop.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
a4c2e22e67ae4e7c20553148f9845a17

SHA1
9d54c4948dc6ae6b5e52420d5149a82594dbc786

SHA256
fa233f5052536e91741caddf4963e4236a86a924f0138bff25414cb9b827efc5

SHA512
b2765368da353e80a7b5005b8bc709e083f40ec083bde8c42058c52c89c08448b45702f5932c9dd587d8ea58fd0792a864b429fda445f4986b682272c25a7b93

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
237487f2e95d1e651cf525907d85cc43

SHA1
489eda3cb0553d5b390e991ebd9769e05dd37b98

SHA256
2d66449c9dbafa9977e5f5e45cda8970d628ec3cad30c80e4c7c851cf22a9af1

SHA512
7149e35a13b4a011bd7d9f0dfeaaf7badb56a52166767508644190d1b314bf26448dc098dcac81c96f906b6ccaa63b0c5279a950371792e49a8b6763a762d090

Download Submit
memory/644-658-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-8629-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-8657-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-8656-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-8655-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-8654-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-629-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-8653-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-8652-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-1325-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-1450-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-6327-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-8651-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-8591-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-8650-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-8649-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-8648-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-8627-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-8628-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-639-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-8634-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-8635-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-8636-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-8647-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-8642-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-8643-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-8644-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-8645-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/644-8646-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2456-660-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3272-527-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3272-555-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3272-566-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3424-667-0x0000000003CB0000-0x0000000003CCA000-memory.dmp

Filesize
104KB

Download
memory/3424-665-0x0000000003CB0000-0x0000000003CCA000-memory.dmp

Filesize
104KB

Download
memory/3424-663-0x0000000003B50000-0x0000000003B66000-memory.dmp

Filesize
88KB

Download
memory/4412-556-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4412-564-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4792-8594-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4792-8592-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download