chimera | 7ff2c3acbb884ead411c8b9f0df5b0ca5038333bdf872cb37d5e7eec4ac96b6f

Analysis

max time kernel
96s
max time network
100s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/01/2025, 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

The-MALWARE-Repo-master.zip
Size

63.3MB
MD5

59cb533617e10ca74e8735ff41e5b823
SHA1

644468d5d6d8fab98268e219e8f2ce518b655ff4
SHA256

7ff2c3acbb884ead411c8b9f0df5b0ca5038333bdf872cb37d5e7eec4ac96b6f
SHA512

9b7e28bde79886ff479110b43380e73c4d1a95c547947abbb1825ed4f5078d3060a4390bf1dcead1d593abe0c0167c396e0aa47b3231eb577737c8c93efbe50b
SSDEEP

1572864:1bR+Nd33aius1Ckqujkhpgz2L9HBlHYSZ95hPfqL55r/XKAM:1ANl3aFs1C4SA2hlHf9Rfi5xjM

Score

10^/10

chimera discovery persistence ransomware spyware stealer

Malware Config

Signatures

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

description	flow	ioc	Process
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files (x86)\Windows Sidebar\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\VideoLAN\VLC\skins\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Microsoft Games\FreeCell\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\VideoLAN\VLC\lua\http\requests\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jre7\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Microsoft Games\Chess\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files (x86)\Microsoft.NET\RedistList\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
	56	bot.whatismyipaddress.com	Process not Found
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jre7\lib\images\cursors\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Microsoft Games\SpiderSolitaire\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Windows Sidebar\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\7-Zip\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\jre\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Microsoft Games\Mahjong\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\VideoLAN\VLC\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files\Java\jdk1.7.0_80\bin\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created		C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

resource	yara_rule
behavioral1/memory/1276-528-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Chimera family
chimera
Renames multiple (2006) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 6 IoCs

pid	Process
2660	butterflyondesktop.exe
2564	butterflyondesktop.tmp
2184	ButterflyOnDesktop.exe
1276	HawkEye.exe
2216	AgentTesla.exe
2108	AgentTesla.exe

Loads dropped DLL 7 IoCs

pid	Process
2660	butterflyondesktop.exe
2564	butterflyondesktop.tmp
2564	butterflyondesktop.tmp
2564	butterflyondesktop.tmp
2564	butterflyondesktop.tmp
2564	butterflyondesktop.tmp
2564	butterflyondesktop.tmp

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop	butterflyondesktop.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 37 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	ButterflyOnDesktop.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
56	bot.whatismyipaddress.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt_3.103.1.v20140903-1938.jar	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository_1.2.100.v20131209-2144.jar	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\36.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\background.gif	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_up.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-api-caching.xml	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\as90.xsl	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Origin.xml	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\5.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\2.png	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Butterfly on Desktop\is-01UC8.tmp	butterflyondesktop.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.ja_5.5.0.165303.jar	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_ja.jar	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePageScript.js	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs.jar	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Groove.gif	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMaskSmall.bmp	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\init.js	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.SharePoint.BusinessData.Administration.Client.xml	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)notConnectedStateIcon.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\DataSet.zip	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\settings.js	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_m.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations_2.4.0.v20131119-0908.jar	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvm.jar	ButterflyOnDesktop.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)notConnectedStateIcon.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_down.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\jconsole.jar	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576_91n92.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer_3.2.200.v20140827-1444.jar	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_drop_shadow.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\5.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_ja.jar	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\tools.jar	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\slideShow.js	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_right.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_zh_CN.jar	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_snow.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down_BIDI.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPreviewTemplate.html	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_docked.png	ButterflyOnDesktop.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ButterflyOnDesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentTesla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentTesla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.tmp

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 305d3f09bb69db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443374831"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DOMStorage\freedesktopsoft.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a8114a52fff55240bab509ca9d275aa70000000002000000000010660000000100002000000010d3320176b7c1225598db600ee1092e49def7379e514e93714fb7e66e631e0c000000000e80000000020000200000008bf48a11d75998c7798472ec6409b8c086412a67e463646166a182ebbf8a4a1c9000000038cb3f531fc6bd630a2d51719877a10ffbf6b1f0713e7d178817c943355181e90ffb025d2a563558d83fa499375da0ce2bad6e1fb3e06719970fd819c64b2267117b9e39bce4fd1f1b9027632fd782bee5d1341e320cb529327ef1be0e975ba795c2cda206549c82da30862198960475ba75ffa820124acac2690c5c888e440c19dbcce4a4c56f791e672c907f5d26f040000000b5c90c0f9703721ffe2a930a47ade41c701ba45567a365c4185e8cf211c5a980119bda9c9cde6cc751c108acee79b94d5605f05f277dac9d88a7b1d1a0f1d2a4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 5801e609bb69db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\Version = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{42C3E559-D5AE-11EF-AE95-527E38F5B48B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DOMStorage\freedesktopsoft.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a8114a52fff55240bab509ca9d275aa7000000000200000000001066000000010000200000006f8eaa0043dff303ca6145df5cbe3b7ff602e0699db3f25d4bf08b71fdfa5036000000000e8000000002000020000000e90b5d40cb3990c1f935cae8a9d300bc0bcceffd3d73bb23b945f9b65eeceef0200000007678d830792f6f11dce0f06538d0a7e6d3384abadbea0ded82e65feeac30d0c740000000576aaa8c054cd3b6b6fb618d42c2d75fc1f744de4d945374f9848cd2d0d4b932cd4a735a9282d79ba02de0c698f0eedec75c06fa74bb863c30aaefb10bd5d8f6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "4"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithList	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WINWORD.EXE	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithList\WINWORD.EXE	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1784	7zFM.exe
1784	7zFM.exe
1784	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1784	7zFM.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	1784	7zFM.exe
Token: 35	1784	7zFM.exe
Token: SeSecurityPrivilege	1784	7zFM.exe
Token: SeSecurityPrivilege	1784	7zFM.exe
Token: SeDebugPrivilege	1276	HawkEye.exe
Token: SeSecurityPrivilege	1784	7zFM.exe
Token: SeSecurityPrivilege	1784	7zFM.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
1784	7zFM.exe
1784	7zFM.exe
2564	butterflyondesktop.tmp
2184	ButterflyOnDesktop.exe
2424	iexplore.exe
1784	7zFM.exe
1784	7zFM.exe
1784	7zFM.exe
2228	iexplore.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2184	ButterflyOnDesktop.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2424	iexplore.exe
2424	iexplore.exe
2084	IEXPLORE.EXE
2084	IEXPLORE.EXE
2228	iexplore.exe
2228	iexplore.exe
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 2660	1784	7zFM.exe	30
PID 1784 wrote to memory of 2660	1784	7zFM.exe	30
PID 1784 wrote to memory of 2660	1784	7zFM.exe	30
PID 1784 wrote to memory of 2660	1784	7zFM.exe	30
PID 1784 wrote to memory of 2660	1784	7zFM.exe	30
PID 1784 wrote to memory of 2660	1784	7zFM.exe	30
PID 1784 wrote to memory of 2660	1784	7zFM.exe	30
PID 2660 wrote to memory of 2564	2660	butterflyondesktop.exe	31
PID 2660 wrote to memory of 2564	2660	butterflyondesktop.exe	31
PID 2660 wrote to memory of 2564	2660	butterflyondesktop.exe	31
PID 2660 wrote to memory of 2564	2660	butterflyondesktop.exe	31
PID 2660 wrote to memory of 2564	2660	butterflyondesktop.exe	31
PID 2660 wrote to memory of 2564	2660	butterflyondesktop.exe	31
PID 2660 wrote to memory of 2564	2660	butterflyondesktop.exe	31
PID 2564 wrote to memory of 2184	2564	butterflyondesktop.tmp	32
PID 2564 wrote to memory of 2184	2564	butterflyondesktop.tmp	32
PID 2564 wrote to memory of 2184	2564	butterflyondesktop.tmp	32
PID 2564 wrote to memory of 2184	2564	butterflyondesktop.tmp	32
PID 2564 wrote to memory of 2424	2564	butterflyondesktop.tmp	33
PID 2564 wrote to memory of 2424	2564	butterflyondesktop.tmp	33
PID 2564 wrote to memory of 2424	2564	butterflyondesktop.tmp	33
PID 2564 wrote to memory of 2424	2564	butterflyondesktop.tmp	33
PID 2424 wrote to memory of 2084	2424	iexplore.exe	34
PID 2424 wrote to memory of 2084	2424	iexplore.exe	34
PID 2424 wrote to memory of 2084	2424	iexplore.exe	34
PID 2424 wrote to memory of 2084	2424	iexplore.exe	34
PID 1784 wrote to memory of 1276	1784	7zFM.exe	36
PID 1784 wrote to memory of 1276	1784	7zFM.exe	36
PID 1784 wrote to memory of 1276	1784	7zFM.exe	36
PID 1784 wrote to memory of 1276	1784	7zFM.exe	36
PID 1276 wrote to memory of 2184	1276	HawkEye.exe	32
PID 1276 wrote to memory of 2184	1276	HawkEye.exe	32
PID 1784 wrote to memory of 2216	1784	7zFM.exe	39
PID 1784 wrote to memory of 2216	1784	7zFM.exe	39
PID 1784 wrote to memory of 2216	1784	7zFM.exe	39
PID 1784 wrote to memory of 2216	1784	7zFM.exe	39
PID 1784 wrote to memory of 2108	1784	7zFM.exe	40
PID 1784 wrote to memory of 2108	1784	7zFM.exe	40
PID 1784 wrote to memory of 2108	1784	7zFM.exe	40
PID 1784 wrote to memory of 2108	1784	7zFM.exe	40
PID 2184 wrote to memory of 2228	2184	ButterflyOnDesktop.exe	42
PID 2184 wrote to memory of 2228	2184	ButterflyOnDesktop.exe	42
PID 2184 wrote to memory of 2228	2184	ButterflyOnDesktop.exe	42
PID 2184 wrote to memory of 2228	2184	ButterflyOnDesktop.exe	42
PID 2228 wrote to memory of 2568	2228	iexplore.exe	43
PID 2228 wrote to memory of 2568	2228	iexplore.exe	43
PID 2228 wrote to memory of 2568	2228	iexplore.exe	43
PID 2228 wrote to memory of 2568	2228	iexplore.exe	43

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Users\Admin\AppData\Local\Temp\7zO8F6B48B7\butterflyondesktop.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8F6B48B7\butterflyondesktop.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Users\Admin\AppData\Local\Temp\is-ONAR8.tmp\butterflyondesktop.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-ONAR8.tmp\butterflyondesktop.tmp" /SL5="$40182,2719719,54272,C:\Users\Admin\AppData\Local\Temp\7zO8F6B48B7\butterflyondesktop.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
      "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
      4⤵
      Chimera
      Executes dropped EXE
      Drops desktop.ini file(s)
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2184
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2228
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2228 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2568
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://freedesktopsoft.com/butterflyondesktoplike.html
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2424 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2084
- C:\Users\Admin\AppData\Local\Temp\7zO8F6997F7\HawkEye.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8F6997F7\HawkEye.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1276
- C:\Users\Admin\AppData\Local\Temp\7zO8F62F3D7\AgentTesla.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8F62F3D7\AgentTesla.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2216
- C:\Users\Admin\AppData\Local\Temp\7zO8F639038\AgentTesla.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8F639038\AgentTesla.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe

Filesize
3.0MB

MD5
81aab57e0ef37ddff02d0106ced6b91e

SHA1
6e3895b350ef1545902bd23e7162dfce4c64e029

SHA256
a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

SHA512
a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Download Submit
C:\Program Files (x86)\Butterfly on Desktop\license.txt

Filesize
2KB

MD5
f77f1cebc17983181d42c7295bc22971

SHA1
456ef1d8a452ca82272b74f8cab9c90a4c333bad

SHA256
2c79bd862b0879d0951d500f59ef14f833eb6424b56814a154d90f4b59e8c83b

SHA512
80c728517d34488846f0163e9eff1a8b4b64d7ee78232ae833ce0179ea410630fa01e6cd50f28abb4f993007962dae094b41555228a06975b4102a862b06ec33

Download Submit
C:\Program Files (x86)\Butterfly on Desktop\unins000.dat

Filesize
4KB

MD5
6e0298356a38b4cafd79788411621445

SHA1
616bc21303998fda403bb24ec377458ab60b2a15

SHA256
2ba44165a08ad90e007a68259c877accbc6849408e399c091a689f9dac800958

SHA512
c4f088affb2f3b92d9e4c218b07ec237ed9c23b4d6c83a1e9fa65528c9b3abea3e0b60fd2d92c46cdd7bff3dbff53f53170b09c5949d6008fcffa5366bf5e006

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
485e90fd33f7b463a679723073be94dd

SHA1
ae406b954e3d0fe0fc69c1f1182ca0285a0fcfcb

SHA256
e3759e54de21f9e45b9be3eed76a0947afcbedb8000d9f75c4eddcc570fbce6e

SHA512
1764bbdc6fd0f4d0f7b5dcff1f99e230df780fb547423ae23c137de14a0f167d2e6f0cdf50bd72e2185c0f6a3f4342ac99e0f1534d7ad0fec8c7ded1e907b8d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
dff389d2d6b02236ed5700a4bb6eee96

SHA1
b364e127864d84c2d9241a284874ce0034f96b40

SHA256
c4a8159badaa75ee80b31ed1b832c2ad84b55aa62cdbb76040f776825ffd1746

SHA512
d5204a2da2d9ba28e7a00153d0edb2a003c128b8ce1478750a45a3b8ee1d77ac2a589fd045460e897e6dcebf1741b5d616cc3f83313dba750f3fcf33f1bd269e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4478fdf8c7405efbef8048096161c849

SHA1
9826d18924e6e5a05c01c3121432f9b3877d097a

SHA256
47a04a00e97710e4d183ead7661557b54ab61221f591c31ecb933d30ffbad40f

SHA512
409fb4b33911e73c8e351fecb9047268cd0700d9919f533f13dda90c1ee0a8b866d173abf4255e91afcd55206ec6e57fd63e5d60b773e8deecfa71a5d65e4463

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e8034ec8fb5405ddbf22aefa493372b

SHA1
5d2bc56973e5465d7b8295fffcf9a0b2a08596f0

SHA256
d63dbd264bd74f79b2eccebad45f02dd00d0ac907e0eabc3a9e57a7f29322dca

SHA512
ea2d299afdcc6cd7eb3a1606516330c125017da61f3c95b8919b8c62a2ad82600f36628b2582775d13aa278e3f9e872a64e6819d9f2b0bb8668f92ad6012a8bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a38498de801b6dbd5c418715f91d2887

SHA1
3440416cd357c28907a9a9cf088034e2cd38cf50

SHA256
d0f8b921afb330890d5793dd62e567a7876e7c011956a46ca6fa6e88342e297f

SHA512
371b87e077842b6c210d9e66e9296de6651a95fa91e992612c53175d3eb57038b89500642456c23e654829ae98a541bbf27e3b78e3c53d0a40d285c4a5498a84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d411d200ef01060b626a6a1e72d8013

SHA1
5e9438c4179bbf65ebd4aca86c19c00abf3e47b0

SHA256
f4124fa6289a791f2ce01f384a206e312fcb47fd866d1147b93173ce15387917

SHA512
4f7fcc56f2d1e89c8d0801d292363b24ff2caf86641dde4bb5572f8b1acc74e6a44b9d51ce13895bf842e6ae544011fa35a880aa5aa62245ea1f9453c225ec23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d73c17ec217b51258e658662a2b8b45

SHA1
4a65cce19b83100d8709e54264a1fa1135e3593a

SHA256
56a03115d5809f707873fc63c8e552c923ba32138dd5917711c894e480e1861b

SHA512
15eea45276b5e5b6744aa2d29c90aad68b06924832dae50f948fb3e7cb91b62984a60512bfbc4b451eb762211604d808c4ef819ec1a5e9e03a77667abbf8b393

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f02bcab08985bf58291a480067f1056c

SHA1
3a77bfd5d80d702d640b8c5c7786b0aeb03c6924

SHA256
f13af3d856fe7ec5b8f4833c7577874424a001f4e80cb8785cb314568d308d21

SHA512
1ed7ff54629cc632ba507351462a8df332b51134d46bc7d4a56b73aceb983ce1f1563c95e6cae54ae20b2896a793907eae4964e568ac6a198b0fca88da5e6c03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ebf0e2984e71f0e07bbf5188f20799e

SHA1
051d9a7f1ead39f2c84d901d666691e75c146b8e

SHA256
45e49acb26151f9f295e0252c37e1cab7fb0ccb1ba83858bb4f18d9913089600

SHA512
68d3a3767043191e66c1983b602be1d0a2c84e7129541f93791a9c1f965aacc97bfb194e713bbb9f69b1bcbbd3448ba8b1b326b6298e210a96a15566889aaa78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f7aa1735984e9ae77c492485b8f20ef

SHA1
94fb0d5d6a71920b30f7482b5072bf76d0f4c0ce

SHA256
81a9fade7c9cede6bd66eb298c2bdc4e3106eb51753064dd7009444d9d5792b2

SHA512
4a74d7db809e223c7a2a951e7e42a53203293aa3498813349292ec788ca330412df483b4638ca77de55e6f36f6fe1304e1dd23e3dc5c9bfbbc7952b567c7d15d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a937297e2da9ed6fe2572f1fd5d75ea1

SHA1
7ef2ba3082f5f6c1a4255bfe38abe5ede682e514

SHA256
81c4029138ad98d8e96ba1b65acb7d553d7c7041d3d2870d15e1abcb834294fe

SHA512
f55c0f7a3873ec337b24a141b58349b30b0348abedbb8319cb6a574aebe8a560559ebdc79e67fb5e19249507710c0537973125d9a34e99509785c28a8c91121f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
867aa86d898884414b81d8f216b4c303

SHA1
a5ec73a1a6c834e85995952d4cdf8bfe2684e070

SHA256
b8749b78b57153384eb9c35f5e394d250295d61b9be5bbeed405111fa9119bda

SHA512
6384b2e7e0108599f795b9d35a2cca6a7e1faa0c762a6ac90f4fba7c2a5a6d65d1875562f2779875906958f6ee4ed4cb0f9364ad56dcf34ecf748895a329e82e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afe88403ad0a34bb2c4eb9321a4f7577

SHA1
95431d088247c847b1ac118143dc99f3bbe14b46

SHA256
9c1330069ceaeefa1d95ddfea0ac5ced62fadc5e93d6607f649b1a248ccb4469

SHA512
3e5b40c4b02add3273ddf0e9ac821de6bc01d1b5f714f8b0d4ff3e6e46321301d7b78daf85c1d64f52ee27d7ddeb5af98f2906fad006f1b6283c25236862f091

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44d5ab20780864551d7b075ea8aeffe2

SHA1
29a2691c08f59681824a1db0fed3506f2f09f372

SHA256
799396de32d5875abf8194fe085357362369b523983ab2ea32c27943237326fe

SHA512
e9122fc30c4f75b620e778e21fd3a764fa49efa1b0ab603ce961ac1ee5fb01947bf8a12a5a4ac276a08cdfb4850e4271178fa7e196b580f319b68ae6c19f8123

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
265ab590f901724592edf34090b6157e

SHA1
ed20d5aeba39059c3a07b0afe1176f9197888867

SHA256
baba10b4eb2371b8264a83e45f92bbaf3e9749963842cbf8114a9f0bff0436ed

SHA512
1aacf7069bf49ad7eafe7e959abbe6846a85f717c1cdaaebd0874a6b68050b44df31e8aad06d075e608b41dcca7b9d2b4f247a694b2a4d636a6200e45e813c6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd6c8caa5913252049bdb4e8083d30cd

SHA1
639605841bd71e20b4751d5805a18025b4433dbd

SHA256
501bb4f0b896bb0f168f7a332ec68cb89bd981f6b6a16169d551187e6eac4584

SHA512
efa3e9040763bb3978883073c6387fdbe7485e14871471d23c0f6fc4a2b273568e2f32f0bdf4e3ab881efc3e46d160463e55f4d7558fa4b6b94809b9fa90feb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
acde85f7ba36487cee987cd049a10b10

SHA1
42de641259ef72f6b9c075384ff08c1b009dceef

SHA256
510285cd00f9b9e2bc5a8801b187c869a17ba446d928ed8acd52babae3bde257

SHA512
4b47e7478312ef107d4bea6a20a403afae810d470d23ff14b6a531d8f4b99266b433262d40986e75c63f8cfcf932ed0159510c993e63f8d5c93d50bf666dc2c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a5627f91be37d4fa33996e8e7ae64d5

SHA1
4b38ba85eee2c86805593b6aba54f9f7b6741289

SHA256
4254f99e80e8797c6f872ccd2682dc70c764681cfd7e6868ace1008d40b4e743

SHA512
1215c216293ae628be338528b69fa93853ce31f455ad79320929772b28d1ff5123373f341deffa744f2944a3c0cf079622ef6fd3ab8da1c576c7ef62e467903a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebb1efdb8f2eced073f2eba3f02afe90

SHA1
84373a7be79dce0863080965423db269dc037ccb

SHA256
0eeddcd1a234a4f4e0d4fd00310d95072191fac8363690f4fe3d0f4a57279053

SHA512
35ddbc3b7081d65fe3f3aaf9d5f07e9f14ce3558403aa347aa40cf414fdae33fa660a1283330acba2701a7698a6bf2a02842d729573450c265e89aa2991e66fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8196c0ff1cdb802996999b1cdbe8484

SHA1
6208f72e2d7be6fc661a63c2bf83eecb9cfc6aab

SHA256
8d89209d199566cffffd886fee937909bf43fec8e6d817b8f58dd961a6cfb0c7

SHA512
f93f7a500551dddbfe973b231edb2f193ae1336b45bd95f083810eb363f7da65e38a91089baa184bc539f7ef78036cc9987cefc0b7e5d9dad4cd65976a34a1c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2cd9e5d418231ee092bca1e9a24dd35f

SHA1
50b4a0985427c2a3e4e92c3c8acf503d835a1e82

SHA256
f28d177279bb6b8d67193e0b8f269cb2411f1a6a0b38a58d2c8738c983abf62f

SHA512
19fba5ba8dede2cb65ab008becc998c200a1b9b62d594387fec2f67b84f2b1cb5b9517c58af574e37b0f0cdc63a2c5d38ced8c1b3e405666356509c91e3a70c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f62ac7686df01b2bd9a07e78d38f798

SHA1
fbeb681cf4114ada10ee451a5f9c673fb015e191

SHA256
cc658bb0195891a3fdaf2baf9012fb00aca8269dd9c74d0ef612656ead0bc78a

SHA512
d089ab2fc3a214554be595fd4335948f8653f130ed9287d608cf345258e8ba76a9423fb5dd0824c4eb5910ef5e7cd1771d64a66d4471deb61c1538a849a5f432

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7eca6228af8eef1d50c00e44736f7bb9

SHA1
a6449b523a64fb31dd6ff44541433b81e5b7b862

SHA256
8878bdf3763ed3f3169816e508130c0a830e52cc53d0c611db98594bbb0a94a9

SHA512
c3055829925a2bf7ef326edf16fb6355c03ca584a73806afb397dc40df0859e3efb53fe04789f523979b4ff16cb634984ba5d4e7e358b97727e7de9d18522e58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6fb48f7b31cc5c302296fd7b41e31dcd

SHA1
2021552dacee72d396c82979396fe0848c30ebfc

SHA256
fbdfded756626d6a4a45240d5106f5858ace4eaff1daaaa1d050e46f02d60522

SHA512
e7e329035c9bb729a30016de2d23018115fba526bb0c320eac218b8032dae6bc8536fb3b59241247f6f53a8ed0d9c0c07efb4005aa28d3d6f68c72798c37c21f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3451a6472dad9540101b4a1eaeecdc4f

SHA1
ef155f5b15032b14b88ed03feea2d8e32624ef63

SHA256
d11a7ec36dd1e8eef7b48d58c18ac968d0ad886003ba707f67878e0e407e796d

SHA512
51d9c19601f383a8905109399d24741b8e64e4a0761ff47f604ffe9f32080e4b100fc496f85dde8a535d9497be22670b6b466956522ea1e9bd765aa72bdd5a4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
520c1462cf0ea059f674e936c57ef672

SHA1
c3b5a6c01abe9afda266c0c9b3eb0152f7109060

SHA256
42b8ff3b8e9a2890294fbbeb4a16fbdc3f9fce196b5686e4e6edaf21df962416

SHA512
9afa537a917e085dde19128f2353fdff242684f8ab5950a911f54e8b111c51d77c5ccd8642e91de10563770d29764c902c13466ef4f85efdb1aec56fd97266ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1f8b67e1f778f10439961a7fbdd833e

SHA1
d69ed074a80e982da5a6d42ada8608a8e4e5967a

SHA256
e1bbd0e18cf9e1368a1888a106c057b065c142ca58104d9c853f4fb9804422f2

SHA512
d59d4f6150cfedc532e4b26e9c57e2bf61ed600112e8cba529a4354f2cf70505101cb02a9f1fb5480f6ba274778c34a53fca9348f9922a938f5cddc5ea42a021

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
685826f28abb8f51a07f6c38f6e7bfc2

SHA1
0ae62e06a7ba412864eb59e4681dc251a25429b7

SHA256
1e3739833000769a90b53108f0502625b867d8337a7c6cb2df5a0e540544a509

SHA512
84e24121d756c2b957d6ebfe97e3b03a47944e5925e1d9073cd62670879ddeaf5cb3f82b41ba5eb2f8df2771f10dd8c24accbb159a79e01e8ae4279dde986944

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a98c8728736b4e870100594a8c2e8841

SHA1
af0c8fd93228abfdcdde30b43b54b3158031b354

SHA256
0ec284b65347644b08aaa689bd1324488a4c3f890dafd33511871fb2f0a94a58

SHA512
612781285d0d388b77e7ce9a98036b442e6eb9dc92c8e5a376b0a90ecaa14f7c2565cf1af52201c537b556ac71ef3f5089d89f2ec9b4274dd48a94f4cd3b6e92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc2b3cbbb1ef2654d40f904d85bb1dfd

SHA1
dcc4cae5e624f98efc8584e7a2455eee54a9dc27

SHA256
92af486d10d0ae0d6ff0ea83a45161022773c66bc6d474be51f0be8a5793b6f6

SHA512
ef1f4d470dfcfc1452690a07b5561eaa178a6b78e86639bfcddd2efb6045c8ed200c381c83b71145182169d939e8c4be1889b115de78ec68329678c3ce06a4d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b32c699d97668751a1f53f8e0bd181f6

SHA1
ff1401b8ff55cc4a8cde8d0475bf524a6b70d64f

SHA256
8586d9ccb6bcd564857ba76bccee917a866876729cfab19e0d85addf54fe504b

SHA512
02787c6f6d3a1e42216d330b4ff96b0801fb73dd06c7e862ec850039cd459088d71e6a0d4c7f9f6f0d7aa89830faea767682de699e56b36eacdb62165074fc9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad789d8eebd9f38fb7d789760c879867

SHA1
3dee3fd177ab99bc228880754abd0f65bbc0b921

SHA256
e26551d702e4f1a8daec5d2804b70f2caa6b78a5e780d67328cfdc57e6113425

SHA512
4f316c73f4eccff1d0b152af9630c9b15a35e1a5a1fb96eca8b2d8eb6858844abd3328236a0c853a64ba7df00fe92c9677a2bc989af251a94d876f23fe7d2bb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed07d6b3cc777aea5a563661600de9f3

SHA1
f563204afa165ee712e82f798334ac2788dc5aa0

SHA256
bd7043611d961d1ee315cc7a6701feb88a73736cfa993781d3e821b9cd20b3a8

SHA512
43010e585d0a1084fea79a04bd550c85576bfb4e48f33eb81764fe6f93992493dc4887af57cc4ca09270db9b0dd40d69e313c31d80c095cfab617d628dc8d1f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a598dad4d31f661617b17b47936d0b9d

SHA1
45cafedeaa22c75a4a1314e12f85369eab00b2c7

SHA256
a328f8fa183a8d0ed88c2d342e525274bb3a794b86d5319a27bcaef3aa0bd824

SHA512
94726fe246864b3bb6c305cb719524ac87998a34033f56819d0f5bd1556c535489b2a545e1917038d6bd377c0311d32313481732315d78a30228389489045322

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc4087c7b0bfd53e42a6511b9d8a2e37

SHA1
3fc15e417de0ce06dd074121109a1e4e9c183934

SHA256
b68e491f39a3c92b15bb103f96403e4f97b4b08eb3b09c253a9c8a3b3113bd38

SHA512
8b94109de631e933337a024061a3aeb98d0d651d32c150e0e5ec3d3397dee3a25a73cbece2b30c6562a421645d1083ae3c3b7d5eff03b98fb0fa6465526a1577

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
4955522315ed21cb933f4d55a5197a03

SHA1
d15573b9a02eaa37c9cb4e5cb6c1db689a7efeb8

SHA256
c2ab007f0766519f59e52402dd754611d82dd860c2796ad057f4007eb2387ed8

SHA512
2e5ff198ed78e69cf898e9795aa278f9de4020a2619d8b6d47d6f70e9461cecfdfb334c4affb05176c368264430fc3f42d88d529d1cdbb4fe084e240647a3d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{341F6041-D5AE-11EF-AE95-527E38F5B48B}.dat

Filesize
5KB

MD5
541d3b317a5d3a1458a1fbad6c8fd67c

SHA1
47b5a8a0b40e5da9ebfe22e7bd9a6eb348c2f946

SHA256
53f1fd8ff9abf153987f6b275061295b1a71101ebd618ae8768b6f376fb12d67

SHA512
df4fbf22257d45f0a7314e078013ae642c288ea87016db3ad726e3cdd43c9d787142646df80ba96f1fcd31ca4a8562484e2b519fca04669de84a9b20a9edd73d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\guoemn1\imagestore.dat

Filesize
1KB

MD5
d842a3a11222707144a438a34b537b89

SHA1
cccfbe6fc56ae49b66f63211578127dbbf57e32d

SHA256
b449cc83ac6e5db3dd5bee652f978ec74c9d3a68380902d171d598cb3ebbbd33

SHA512
967423af8afb8ebb226398897a96fce7137f3088d26b767ffc007eacd150e11e5759f78c1d72b0b8f85f33a57f436ab47e5de2b9ef1b5393585713210221c307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WUBCGJ0A\favicon[1].ico

Filesize
1KB

MD5
972196f80fc453debb271c6bfdf1d1be

SHA1
01965ba3f3c61a9a23d261bc69f7ef5abe0b2dc3

SHA256
769684bc8078079c7c13898e1cccce6bc8ddec801bafde8a6aec2331c532f778

SHA512
cb74de07067d43477bd62ab7875e83da00fad5ac1f9f08b8b30f5ebb14b1da720e0af5867b6e4ab2a02acd93f4134e26d9f1a56c896da071fc23a4241dc767f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8F62F3D7\AgentTesla.exe

Filesize
2.8MB

MD5
cce284cab135d9c0a2a64a7caec09107

SHA1
e4b8f4b6cab18b9748f83e9fffd275ef5276199e

SHA256
18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

SHA512
c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8F6997F7\HawkEye.exe

Filesize
232KB

MD5
60fabd1a2509b59831876d5e2aa71a6b

SHA1
8b91f3c4f721cb04cc4974fc91056f397ae78faa

SHA256
1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

SHA512
3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8F6B48B7\butterflyondesktop.exe

Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC064.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC077.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files (x86)\Butterfly on Desktop\unins000.exe

Filesize
700KB

MD5
a6d2cc4381846da9b57b4c7e3cad0176

SHA1
342b82ed2cae292afa0187dfb7648da21cb8af8e

SHA256
420e896af745a421b4f0e770e33f07ba94a20d6a7ba91eb4a1f9a5a6adbaaf5b

SHA512
5a87c8e7e67666462e4a01c1099fe307002217befe2b07556bcb6c5777eaaa90fc26210d328a8aed03e7ea84439e439e90c62e4607753f56acb0145d56b1c318

Download Submit
\Users\Admin\AppData\Local\Temp\is-5E76F.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-ONAR8.tmp\butterflyondesktop.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
memory/1276-528-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2184-533-0x0000000000780000-0x0000000000796000-memory.dmp

Filesize
88KB

Download
memory/2184-1017-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2184-5533-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2184-5532-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2184-5968-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2184-574-0x00000000007A0000-0x00000000007BA000-memory.dmp

Filesize
104KB

Download
memory/2184-545-0x00000000007A0000-0x00000000007BA000-memory.dmp

Filesize
104KB

Download
memory/2184-5018-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2184-535-0x0000000000780000-0x0000000000796000-memory.dmp

Filesize
88KB

Download
memory/2184-3437-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2184-5534-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2184-532-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2564-56-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2660-57-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2660-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download