hxxps://github[.]com/enginestein/Virus-Collection/tree/main/Windows/Binaries/Ransomware/GoldenEye

Resubmissions

01/03/2025, 12:05

250301-n9ewpszxft 10

01/03/2025, 12:02

01/03/2025, 12:00

01/03/2025, 11:57

01/03/2025, 11:54

01/03/2025, 11:51

01/03/2025, 11:48

01/03/2025, 11:46

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
01/03/2025, 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/enginestein/Virus-Collection/tree/main/Windows/Binaries/Ransomware/GoldenEye

Score

8^/10

aspackv2 defense_evasion discovery persistence

Malware Config

Signatures

Downloads MZ/PE file 3 IoCs

flow	pid	Process
36	5304	msedge.exe
36	5304	msedge.exe
36	5304	msedge.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x001d00000002afdb-580.dat	aspack_v212_v242

Executes dropped EXE 3 IoCs

pid	Process
4812	butterflyondesktop.exe
572	butterflyondesktop.tmp
4104	ButterflyOnDesktop.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000\Software\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop	butterflyondesktop.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
20	camo.githubusercontent.com
23	raw.githubusercontent.com
36	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Butterfly on Desktop\is-9FT0S.tmp	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-H2I1Q.tmp	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-KPJ4M.tmp	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-MJOAC.tmp	butterflyondesktop.tmp
File opened for modification	C:\Program Files (x86)\Butterfly on Desktop\unins000.dat	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\unins000.dat	butterflyondesktop.tmp

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\butterflyondesktop.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CookieClickerHack.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Launcher.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ButterflyOnDesktop.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 945018.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\butterflyondesktop.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CookieClickerHack.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 61560.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Launcher.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
5304	msedge.exe
5304	msedge.exe
888	msedge.exe
888	msedge.exe
6024	msedge.exe
6024	msedge.exe
4264	identity_helper.exe
4264	identity_helper.exe
4908	msedge.exe
4908	msedge.exe
4144	msedge.exe
4144	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
6096	msedge.exe
6096	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
572	butterflyondesktop.tmp
4104	ButterflyOnDesktop.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
4104	ButterflyOnDesktop.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 5996	888	msedge.exe	78
PID 888 wrote to memory of 5996	888	msedge.exe	78
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 4952	888	msedge.exe	79
PID 888 wrote to memory of 5304	888	msedge.exe	80
PID 888 wrote to memory of 5304	888	msedge.exe	80
PID 888 wrote to memory of 4884	888	msedge.exe	81
PID 888 wrote to memory of 4884	888	msedge.exe	81
PID 888 wrote to memory of 4884	888	msedge.exe	81
PID 888 wrote to memory of 4884	888	msedge.exe	81
PID 888 wrote to memory of 4884	888	msedge.exe	81
PID 888 wrote to memory of 4884	888	msedge.exe	81
PID 888 wrote to memory of 4884	888	msedge.exe	81
PID 888 wrote to memory of 4884	888	msedge.exe	81
PID 888 wrote to memory of 4884	888	msedge.exe	81
PID 888 wrote to memory of 4884	888	msedge.exe	81
PID 888 wrote to memory of 4884	888	msedge.exe	81
PID 888 wrote to memory of 4884	888	msedge.exe	81
PID 888 wrote to memory of 4884	888	msedge.exe	81
PID 888 wrote to memory of 4884	888	msedge.exe	81
PID 888 wrote to memory of 4884	888	msedge.exe	81
PID 888 wrote to memory of 4884	888	msedge.exe	81
PID 888 wrote to memory of 4884	888	msedge.exe	81
PID 888 wrote to memory of 4884	888	msedge.exe	81
PID 888 wrote to memory of 4884	888	msedge.exe	81
PID 888 wrote to memory of 4884	888	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/enginestein/Virus-Collection/tree/main/Windows/Binaries/Ransomware/GoldenEye
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff92443cb8,0x7fff92443cc8,0x7fff92443cd8
  2⤵
  PID:5996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,13514628403879611119,2446362789099252157,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,13514628403879611119,2446362789099252157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:5304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,13514628403879611119,2446362789099252157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,13514628403879611119,2446362789099252157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,13514628403879611119,2446362789099252157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,13514628403879611119,2446362789099252157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6024
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,13514628403879611119,2446362789099252157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,13514628403879611119,2446362789099252157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,13514628403879611119,2446362789099252157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,13514628403879611119,2446362789099252157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,13514628403879611119,2446362789099252157,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  PID:3344
- C:\Users\Admin\Downloads\butterflyondesktop.exe
  "C:\Users\Admin\Downloads\butterflyondesktop.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4812
- - C:\Users\Admin\AppData\Local\Temp\is-QC45U.tmp\butterflyondesktop.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-QC45U.tmp\butterflyondesktop.tmp" /SL5="$702CC,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:572
  - - C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
      "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
      4⤵
      PID:4488
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff92443cb8,0x7fff92443cc8,0x7fff92443cd8
        5⤵
        
        PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,13514628403879611119,2446362789099252157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,13514628403879611119,2446362789099252157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,13514628403879611119,2446362789099252157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1216 /prefetch:1
  2⤵
  PID:5264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,13514628403879611119,2446362789099252157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6276 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,13514628403879611119,2446362789099252157,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6404 /prefetch:8
  2⤵
  PID:5544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,13514628403879611119,2446362789099252157,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4336 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,13514628403879611119,2446362789099252157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,13514628403879611119,2446362789099252157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:6096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,13514628403879611119,2446362789099252157,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6564 /prefetch:8
  2⤵
  PID:1384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe

Filesize
3.0MB

MD5
81aab57e0ef37ddff02d0106ced6b91e

SHA1
6e3895b350ef1545902bd23e7162dfce4c64e029

SHA256
a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

SHA512
a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46ec2d399c9d10a0545cb514e47de14e

SHA1
98fc6f3f34f4082b8d81cc50dc571ec06eb454ca

SHA256
f50fff32b15e4b61c3cb18655c3daf46a83556aef1f3ff8d9ed074f298f247a5

SHA512
993b723da7b0ffcaa731a1f06057bf2ebdc2fd518ef8765b4f625b9fd0094cc6abdccfe998d0e6cb760a3e5d6c411b197a47e67c1de5a6ec4315d017a552a2be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a1ea058d6231b47f5bb8557adba13351

SHA1
111dbb6ffff6517e11719a20683fd7f4ef0579d2

SHA256
f5a91a0770c54a1601557b8babfcc7813972275da171c384cc8929d2910a851f

SHA512
e613f481c50b5a7022a763d13ac1b1ebb6a9d4d973de95108d95d23844d9d526d8c90f391493f043e86e22e9a5abd8a3a4cab5f2def248033d0eb9421091889b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0fa33b0040a2f8622de6935a11e4a657

SHA1
fc813c6ac25860a4649a9858b37efee121e41447

SHA256
a8bd29233f8a1910b9a9214db50541f91b77abf85edba2e87a2fa92a630d8447

SHA512
d8881521539f0264b8b244e665b19cfae73aa1e1bd5e5384d7115e3b74f4524c4e7fb581e1e8269bd8224049f1c1748ec4fc3dd6eff59b531c411ed5a8e01f60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
731046ea63292bfd5eb3288e30489fc1

SHA1
6c59a5d5c786f6c26be8a42d200eb47a6087da6c

SHA256
e27b1a194f80eb34eb1aab862917528f6d435fe996b9467074418033df998aa9

SHA512
d6a88225f5dcfb548998f66133ac5456993fe40ccf21db4d2e72b1c19b2533e45b078742fa4838fc7588c2a04b636de21e26af653c07eb63a22bd07d143f0483

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
a32c9c9d62907880762e754bf08b363e

SHA1
2ddb2330116012238c569508648c7e802616ce38

SHA256
d8c9c9e0cca6e0d9dd6254d099fa601a2fc8bae1e081925c26b3152b128012e2

SHA512
e1f287aa6410cd61a6a53d56a6c1705154cd6d67f0827db1188735ca906e1d6ab685a1bfcf98e2255c430da1bb5d1d2b60a3fd53d1b9539f750a02428e78b1cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
46df0b43edf0d3e34381b3456b01120d

SHA1
b367840f35ddf730070e74c6990e367db61984a8

SHA256
6c6f78067920a18b1b425c29b119b571f9e0895d957d6efa12f7b55a622e400a

SHA512
f99bb7e7991dd3952304a0c5961c65efbc720c8b529498f8adf5eaacc3c7c63a57cb8bca62ec0c94fb54b82c565a29fe475b39def174b28faf8bb97623592386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0e16bf5d674376b1b3150933f0835d35

SHA1
adab362eea406f5e38f75e7f53f510ed50f87938

SHA256
2fae3b45f0cd7c1d57a6816970f0c2513e7f2312993c9bca5194c33bdd3b9de2

SHA512
8160c27ff9265b7e58346f5b2c64bdbb0f9f36ac706de27a167d2e8f004849b4b754c9c78bb94548de00abc7de05eec1c785266076240456b290f4b627b4e166

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a593aaf32de7df18b5a849c44dde3c38

SHA1
a1ca0296c516f5be58ebd72d941913621bb9391a

SHA256
69d7196e1d8d31387dd01882f25697af8166b306d8b450b109ba1313bd0e64b6

SHA512
2fc44e4115282abe4464556e01d81047250356c15e9c47bf3a0529fc47024647aae7d1de80cbe198aeba489e7abe50fcabd2e9e5c16a01cda91fcf29a2deb554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3065e4476f7da18038f5b5b8845f6d4c

SHA1
6a5a8d2e33a8263461038c81accdd822602481a9

SHA256
48df625bedf53841bf84bb1559ba53e8394c38cb4984747a3908f33bef849aaa

SHA512
1ecc03dbbf0f2753e5270c1fc0c164f7acdf4a18d4875c6e02b77b6b8f5c360b2affebde7cca3e1c538b4d32a57771f4fb4e6bf5622c60eddf536673b5d284cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
31585f7b446d5f80f3e0ac7ee83e780b

SHA1
d8d1aac1da6cf27715f8270ff3eefe2dddea4467

SHA256
74f99c7ba42df5a192d295d9da14f2405518f4774330d305cc9ea84474870685

SHA512
d22f2b581f44113be1ad4a88b323d8fea9ea58224042de240efbd57d42d2a42d28e6e1d68c753d18d7e119f6dd25107d40bceab3dc24201b54f77b6513659b3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
9505c08f9d8b047b4aea3acf29b18edd

SHA1
bff01d66cd99270eb2f11645b8cee1b9b8e149d4

SHA256
12d795be1e7a4099a9895c6c8782c224972c727b0200d755240c7aa49a09996b

SHA512
90dbc3586df593be04957e10eb5d1203c9ff2cc53ce18732e3ac17c1d926b4da639a1313380965d66efbd796a05fb151d5ddac566da8dc1225fc227b00220077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
19f00cd8aed0c4429aae66e3fa5b3321

SHA1
44c12a95a23b3a4cbb3ea27d95c98e7299856c2a

SHA256
e793d2f10a14957a1c4c6238441424bfd24bfd62704b4fb8ded3c90ae2503f2c

SHA512
eea6ed54fca9fb8d9961b11b6ee0c2cf608afffe32ac0d39bcbb23850e1da7fe0cf7adf0188f8facb0592fa6a8a12f8092f5ce8e04ceb48c80c1899c2630ccb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9c9a82d184687452ca849506df3e16ac

SHA1
1d115adc67ad142cfcad48ff8d2e732712fdd8a4

SHA256
d17072865935c83d957075aa83a95faebbde35844f74df0cbca6f72ca63135e9

SHA512
6700258358029c4dcf58fe404b22bc7509255109df4b9331b0a2e2836738f51bb56b0e1ab573d220a355ef1afb7697b0999b685a7a0b63fd67b56b345d27a53c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0d6cc49d1b15483d294306513b3802ab

SHA1
23da3a720898d34cf5315d826b04b092a7a7af23

SHA256
74be89b38857408b4992a5b4cef2e17800daa9d331f82567927844780658d9b0

SHA512
28d50648f55bfcf84744b376f71f04687fe57b5e8ff524ab15a69758a8938b93cf71dc160cedd4ef81ac613b2348de7041a6423fe5d9152b1f206d817bd8301d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
10c8c9482015a0e01e5bff04aad2635f

SHA1
8f842f65b448fc1b4f01ae7b02e739f24def49be

SHA256
a0dc0806dc547144e2e5461d35c96c1f25933d85242548f95c15282fc8b07234

SHA512
f53fc10e055d71fb12962bdd8da63ab7a98149d74bfda95f8dc408d55998ae0d2e08467a0a8c1c350ceec8f077e62788801d2ff0d12101e27b3425aeab376a93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
df3f9c9788e393d675cb4df58aee7cf1

SHA1
cfbdf8f21d0a1765b4c80a10972948331f50cd39

SHA256
667d2e77b324191ebd8103a545dd18cb2415fe5a61105da166799e11e6e61f77

SHA512
e2e531214f366ea4893950046fdc8914a397ce8d735db5b578d8524047ab0e8ef9ca696d3ca2555f77c32c3d712e7b146d089acd47253b65d18e113cfd726005

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0afbd042ffb96869237995a241f8c558

SHA1
3684dd7a9ff926bfe69316a21ecb06613e96e015

SHA256
45f181fece7dca6b9fce44972530e623b1048d43b3a3cf58d12769c6740935f7

SHA512
70be83b3128b7d093ce12b187f530d517a54a00b6e3c544de87a27cb634e2833fdfc99b8b4c764478e506ec32ed34f55be56ce66faf9acb3d16290b454fc6ba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4ea34a18e348fa60f50d120b0091aeb4

SHA1
8b0f8505660438504157cf495b5c600a7934b4bd

SHA256
3ca8bfc5608e20aabea26251c412aac72b4847c3ceb6aaf70f1c82832c89b6f9

SHA512
a9076a2002e087c647e85a855c4c22bd245a50038841441df0c6c9138721083efe10f0b01f133da4fddecc6c53991f511349458f20205cb228323f36bdbc8a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57dc46.TMP

Filesize
874B

MD5
5c0e79188da3c34be23d3efa4a4df62d

SHA1
7d21c03489719efc88d7fbc2278cae553953d7b5

SHA256
e42eb28a60681cf05eac46591e1f735150bad17f0977f30e19786acbe59c33c4

SHA512
fb0f3d4517235bacf1f0e35686990f344b9ea097fc5d7e509ecf515db8877aed4632e91ce81adcfdc3d86e3aab1acf2a9c52dc0a27e4b4b190b48d2ea9378b77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
00f2c27b2b28ffcda1d97e3b92313cf6

SHA1
7a1cc986477f149b5748342f5577ace5306dd7f6

SHA256
1a256ae55a399667f8f2a08bf8bbc628c92fc701395be53cdb1c21595144c5d5

SHA512
b2a1b2593ed68593c11ac58a89f5a8d855570865c660ab5bc3a34801d09d78e919878a262feb8874767283e1527d85a03f6be475085f5ba020df870ee550ccca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e6e653a8d8290536b6ca3d5e27b979b2

SHA1
6f0f305e8b8fdf9df2307eae50ef432f78c80aef

SHA256
6027df6928a4ea5607b9be145af089218d974c6e5e5ce2906a9ef85173165b52

SHA512
cec66544408b5a23dea4bedcdb0b9a191de6986de8134afe1cd0a6a8d25a8bb2f8bbc1c1ea4fe8b30bab2d41c47b023029ffe6e93ad1d55971397af2f240fe8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QC45U.tmp\butterflyondesktop.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\Downloads\CookieClickerHack.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 392401.crdownload

Filesize
68KB

MD5
bc1e7d033a999c4fd006109c24599f4d

SHA1
b927f0fc4a4232a023312198b33272e1a6d79cec

SHA256
13adae722719839af8102f98730f3af1c5a56b58069bfce8995acd2123628401

SHA512
f5d9b8c1fd9239894ec9c075542bff0bcef79871f31038e627ae257b8c1db9070f4d124448a78e60ccc8bc12f138102a54825e9d7647cd34832984c7c24a6276

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 61560.crdownload

Filesize
197KB

MD5
7506eb94c661522aff09a5c96d6f182b

SHA1
329bbdb1f877942d55b53b1d48db56a458eb2310

SHA256
d5b962dfe37671b5134f0b741a662610b568c2b5374010ee92b5b7857d87872c

SHA512
d815a9391ef3d508b89fc221506b95f4c92d586ec38f26aec0f239750f34cf398eed3d818fa439f6aa6ed3b30f555a1903d93eeeec133b80849a4aa6685ec070

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 945018.crdownload

Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
C:\Users\Admin\Downloads\butterflyondesktop.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/572-294-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/572-337-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4104-554-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4104-504-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4104-474-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4104-541-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4104-425-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4104-462-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4104-575-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4104-424-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4812-293-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4812-254-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4812-339-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download