2ca4803498d7d375a61bfab2a3a4cf7e0eec41d116e50a838791a55b164e0f8c

Resubmissions

17-01-2025 20:14

250117-yz7h3s1qfw 10

17-01-2025 20:12

17-01-2025 17:25

17-01-2025 17:21

17-01-2025 14:16

17-01-2025 14:12

16-01-2025 12:52

16-01-2025 12:50

Analysis

max time kernel
895s
max time network
433s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
16-01-2025 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Malware-1-master/butterflyondesktop.exe
Size

2.8MB
MD5

1535aa21451192109b86be9bcc7c4345
SHA1

1af211c686c4d4bf0239ed6620358a19691cf88c
SHA256

4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6
SHA512

1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da
SSDEEP

49152:5aA7f7tlVmdqK23H2bpHI4Qs5ABV9WRHZRsgI82lcHGAaKLinXBgJ:Q+VMkX224QsWBq5SfARGRgJ

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
704	butterflyondesktop.tmp
4820	ButterflyOnDesktop.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop	butterflyondesktop.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250116125433.pma	setup.exe
File created	C:\Program Files (x86)\Butterfly on Desktop\unins000.dat	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-DGGQB.tmp	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-DQCQ4.tmp	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-GHFR8.tmp	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-1BQC4.tmp	butterflyondesktop.tmp
File opened for modification	C:\Program Files (x86)\Butterfly on Desktop\unins000.dat	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\664c0290-5bd6-4e59-92d2-e187a714e0a1.tmp	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ButterflyOnDesktop.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1052	msedge.exe
1052	msedge.exe
348	msedge.exe
348	msedge.exe
4116	identity_helper.exe
4116	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
348	msedge.exe
348	msedge.exe
348	msedge.exe
348	msedge.exe
348	msedge.exe
348	msedge.exe
348	msedge.exe
348	msedge.exe
348	msedge.exe
348	msedge.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
704	butterflyondesktop.tmp
4820	ButterflyOnDesktop.exe
348	msedge.exe
348	msedge.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4820	ButterflyOnDesktop.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 704	4752	butterflyondesktop.exe	81
PID 4752 wrote to memory of 704	4752	butterflyondesktop.exe	81
PID 4752 wrote to memory of 704	4752	butterflyondesktop.exe	81
PID 704 wrote to memory of 4820	704	butterflyondesktop.tmp	85
PID 704 wrote to memory of 4820	704	butterflyondesktop.tmp	85
PID 704 wrote to memory of 4820	704	butterflyondesktop.tmp	85
PID 704 wrote to memory of 348	704	butterflyondesktop.tmp	86
PID 704 wrote to memory of 348	704	butterflyondesktop.tmp	86
PID 348 wrote to memory of 1260	348	msedge.exe	87
PID 348 wrote to memory of 1260	348	msedge.exe	87
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 5012	348	msedge.exe	88
PID 348 wrote to memory of 1052	348	msedge.exe	89
PID 348 wrote to memory of 1052	348	msedge.exe	89
PID 348 wrote to memory of 3948	348	msedge.exe	90
PID 348 wrote to memory of 3948	348	msedge.exe	90
PID 348 wrote to memory of 3948	348	msedge.exe	90
PID 348 wrote to memory of 3948	348	msedge.exe	90
PID 348 wrote to memory of 3948	348	msedge.exe	90
PID 348 wrote to memory of 3948	348	msedge.exe	90
PID 348 wrote to memory of 3948	348	msedge.exe	90
PID 348 wrote to memory of 3948	348	msedge.exe	90
PID 348 wrote to memory of 3948	348	msedge.exe	90
PID 348 wrote to memory of 3948	348	msedge.exe	90
PID 348 wrote to memory of 3948	348	msedge.exe	90
PID 348 wrote to memory of 3948	348	msedge.exe	90

C:\Users\Admin\AppData\Local\Temp\Malware-1-master\butterflyondesktop.exe
"C:\Users\Admin\AppData\Local\Temp\Malware-1-master\butterflyondesktop.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Users\Admin\AppData\Local\Temp\is-DSNMP.tmp\butterflyondesktop.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-DSNMP.tmp\butterflyondesktop.tmp" /SL5="$401E2,2719719,54272,C:\Users\Admin\AppData\Local\Temp\Malware-1-master\butterflyondesktop.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
    "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc6d3d46f8,0x7ffc6d3d4708,0x7ffc6d3d4718
      4⤵
      PID:1260
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,13841607953193097373,11222739538778500458,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
      4⤵
      PID:5012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,13841607953193097373,11222739538778500458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,13841607953193097373,11222739538778500458,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
      4⤵
      PID:3948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13841607953193097373,11222739538778500458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
      4⤵
      PID:3748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13841607953193097373,11222739538778500458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
      4⤵
      PID:3152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13841607953193097373,11222739538778500458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
      4⤵
      PID:3256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,13841607953193097373,11222739538778500458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
      4⤵
      PID:2028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:3040
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6d5645460,0x7ff6d5645470,0x7ff6d5645480
        5⤵
        
        PID:756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,13841607953193097373,11222739538778500458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13841607953193097373,11222739538778500458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
      4⤵
      PID:1996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13841607953193097373,11222739538778500458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
      4⤵
      PID:2612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13841607953193097373,11222739538778500458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
      4⤵
      PID:1176
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13841607953193097373,11222739538778500458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
      4⤵
      PID:2792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13841607953193097373,11222739538778500458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
      4⤵
      PID:4664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13841607953193097373,11222739538778500458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
      4⤵
      PID:2712
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13841607953193097373,11222739538778500458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
      4⤵
      PID:3356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe

Filesize
3.0MB

MD5
81aab57e0ef37ddff02d0106ced6b91e

SHA1
6e3895b350ef1545902bd23e7162dfce4c64e029

SHA256
a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

SHA512
a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
63af7b2048710d6f167f35d94632a257

SHA1
812c8f140a72114add2f38cab52fd149ad8bdcfb

SHA256
15aafcc88226b6178e02a93858555ca48fb205ae317815ce31aa547555329046

SHA512
0519b7dcbce66aecefbd2aaea6120c0da213d8bb3e00a7599bf2e390bee3f643baf952cc553766f8c2779fe9fa303570a56a8c846c11e2fcf9c2075c1e41ccc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
17ce65d3b0632bb31c4021f255a373da

SHA1
a3e2a27a37e5c7aeeeb5d0d9d16ac8fa042d75da

SHA256
e7b5e89ba9616d4bac0ac851d64a5b8ea5952c9809f186fab5ce6a6606bce10a

SHA512
1915d9d337fef7073916a9a4853dc2cb239427386ce596afff8ab75d7e4c8b80f5132c05ebd3143176974dbeb0ded17313797274bc5868310c2d782aac5e965f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
3ebb8baf9412e2d2a2b0ddec12850a3a

SHA1
3865985870e20815cad398bd58bf1758a7df706d

SHA256
28652bdae65d46e6daf81216f5654080587687da7d32939e5950807b2bf43172

SHA512
46a4d1db2ef41b1298fc586cab0504d2968381eec4f9f4a22f833bb05b84996e95ab4b54e22c007017b34fca5f87f7a4e800cd08b10b7e2c70233cdff49427dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
731000a7b19715e1cfe6de5f70dd07a2

SHA1
945b76b4b66ada687f0c812e8d3fee6e427dd137

SHA256
0fc7a6f194547722898d91336d5d9fc14b358d896e8e5c317cf1386edfa12886

SHA512
d52d449bd1deed398d3ee227eb20b050c3f50067ff0019f817fbb419ddd22ac17dee52f6b0cafa7bae0b8ff508cafdf00d88bae463223d5d96eb4411359081e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
14f410a32a568467ed933fdf84660b91

SHA1
8e75101600c176dcb067a4bf747c07a5d57f7f53

SHA256
d91a7f973275de9adbfc3dbb95d3517c5c84b5819b48da5a8d177aab7adc2def

SHA512
c685ef477266bb35e8581c71a27cd507b64e195f290651dc950ddc8e803cd224e05a08dc6ee596e941ee6b21166f19c126cb718bde33f866dd6b423b2d59b016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
4f9a70963a95a8d6eff918901ec56314

SHA1
a26dc06cab36e1aa4e95cc87f49e5d3aa0f9458a

SHA256
fae6210ecdddaa0c964ab0391a0632b6cf62fcad1e57b4ae3a50847aedb1d678

SHA512
e48c3e0f426ec530e06ace326e6c6f4d492627b6ee5700800c0c0a7b777edf725c3ab70c920a83dd13434ae958c8ff6614b2b71958b92545314ffc6dc4f10821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58ab8d.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9c1d7cdd8715c3d330067c937dd8c7e7

SHA1
beac5befccd812a294e68b2ada18a72135f9db7b

SHA256
c4d3885a9c94719d8f37a5ac53642a2f7616f1cea725d2da51c69c8c3f5ac614

SHA512
d4dfca2c892d46f4dce812ebabe38dbd62ccb6a188ac2f34173aa7d714bc07be66e6059bf56d9d65ed3fd93f109d1a0784f967930f99dcb58f89f1b58a3d6df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2135633a9d28c317a74a6a7ba8f9b872

SHA1
5c6c5a4fbd29b73ed39f9c8005bd1c74895cf5b3

SHA256
79a7582372268b9ece9f386c2fea8349ca992cb53f50b40821188b6285732b13

SHA512
1eb49c48488e331829b6a2914868a7ec52963a83f9b24848033bbc89498680ed890dc0ad088999cf97caa1dbb4e109929f62504c4fc8aee565082063e177371f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
3b826c5d6ce848894c7105591af98eb5

SHA1
36bb8ef922df225ecec56686c4047dfcf1971b1a

SHA256
ce848eb165470592a57fadcbdea02edc338c96217237711bb3e3d25fbeab5d9b

SHA512
2684adc70d8d042557365ff9749e184766ef14acfe5ecdae190509580fe67f36ef37c0c3e7509daf3582f40c6838a09f75e6f7339d30a36955fadea2954e1f11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
b8d5a6329bbc5edf31844f6bfa4ae972

SHA1
1014d91ea7a8867459e7014a725794728d75793d

SHA256
2d90e12869f60c869911a3030ea58211b6b0da7c53d396769f4b3dea0c406309

SHA512
d6b4a08d7188e48b3ec2dbaa78f1ccc23334f43266602c677ba5c52d54554ad02e5ffc32e852de47291e3f1291dfc34db62d4a1eb5f631aad0a0340d30e5f7ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
8ade2f3a82060e6d5b1e97b275213d86

SHA1
a13c13d850addf7c1c1d58c583255f77b40b7834

SHA256
fc73beb5ec396531d7267cd4980e720590ae4c7c34b6bc63bcceef59730d324d

SHA512
51d989a44462ffea680e4bd9b20c46705793236712d11f0400e12caaac3512d662a41b4b49e7e309c8e752dc7738eda080451b74736c6428541196dd7bb8ca98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
cd8147060121ba4044e94daf1fc5b939

SHA1
3541805657352f83c1bb3730d57245e11eea7432

SHA256
89987f7df05eff973766a200a8ee17a0fc55394303dd5edbb158762ebb55b334

SHA512
83626d61217de23dcbd8c66072bd15a7f83e035b107487369fa7503747b98e7ce521ad3e26c39a1df48881ed071bc936c116738f8db348331eb4544a95739f43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58ab8d.TMP

Filesize
539B

MD5
0a8e2e6d2c3df6f810e6d35c1d7b6fce

SHA1
1ffd15630951e7e2670360eaac559658534179df

SHA256
8e2a256f1923ca45c16cf322cd7f8f07da55bc3019369fe1a08d692521dd2d3b

SHA512
884a57937c8ae40a7ec58e98aa9dec04af153ea94b4572f1a9d300b16feb93891e5d23c8eec269c6f034962efa36213ad39c924be4333175ddc43d4bca228f84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
fcc4ce0e202a03ae9ebce88d5dcee820

SHA1
69ca8919b3666e1571be717ac076d16fbab1b2cc

SHA256
c06ab21e3d2a52758d8f26dbebcd5d43d41539d2da94b9f8a32a286edc6498cf

SHA512
8100efe909712632e3df85cb7a3343284d5edaf4c0f2355a62f622e70e1837e9bc653701c7bbb47a934667179223433239bf3143f83ae2f81146ab63be60247b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
940f4a04a14f91345a2f16d0974b3027

SHA1
435148b5521e55584367d895ba39631a00d1f348

SHA256
14e2cc0aefe3edcbab769b9e109bf622e7b77aaa4e9d7b7f749a04bd9020384f

SHA512
73403173c4d2b4f9959c6175a38bcf126dcaec0b926ee390cdd9d56d4b6e6d14721b321bdf1e1a5c49d11c452984a8f73e565e7932c55a23ea2bbd6789150ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DSNMP.tmp\butterflyondesktop.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
2d83e52c24eb3fb66a992ddfd3f4ee3c

SHA1
f0b032a500d08b305ccd02025830493138ccbfb5

SHA256
8735c4f5dc984692bfbb7d316c1ff9a60a762807bfd17e54ea6d44bda4873de1

SHA512
ad3caf0a80c56b157a3124034b179947100846c2dcbf6c3c0e87de6a407ccf9fab29353c1ab856101c342f11eca39185a088e60d28bcc1c416a80d18403d05e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
9f48273e0b728902bbe2fccf16641cf3

SHA1
a7f0b3c5770448a6c23f21a237d768e8592b5c0f

SHA256
cc8154c5379746d885524a4f3cfc885a3636ac70ee6111d87e04b978c5005472

SHA512
394f8654065f6da63fec55d09456ebdc0a685cfd679a9560324803f32bb7d42bc098fd7f840e7ec99de6be33989948f20bfd8126b7e1bceec3ec6596b93df76a

Download Submit
memory/704-14-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/704-16-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/704-46-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/704-7-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/704-37-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/704-18-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4752-13-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4752-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4752-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4752-47-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4820-516-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-535-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-269-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-240-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-241-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-513-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-514-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-515-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-41-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-517-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-518-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-519-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-520-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-521-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-522-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-523-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-524-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-525-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-526-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-527-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-528-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-529-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-530-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-531-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-532-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-533-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-534-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-338-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-536-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-537-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-538-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-539-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-540-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-541-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-542-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-543-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-544-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-545-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-546-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-547-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-548-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-549-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-550-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-551-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-552-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-553-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-554-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-555-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-556-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-557-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-558-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-559-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-560-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4820-561-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download