chimera | a8683d722ba537caef48839be7a454fcb9a190aaa06c092daa5e9f92686b35db

Resubmissions

05/03/2025, 22:13

250305-142jqs1nz2 10

Analysis

max time kernel
352s
max time network
355s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
05/03/2025, 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SchoolBoy Runaway.exe
Size

635KB
MD5

c66114e4978c9d4471f950928b0e2f9d
SHA1

1dee05ddcbf6f449d07e5f82a8bedd5c5e5452f9
SHA256

a8683d722ba537caef48839be7a454fcb9a190aaa06c092daa5e9f92686b35db
SHA512

e066d1a3061b50ad0d1420c2813069d6843920e6262f9ececa35a4a066f31060c51ccb5ea2caf59e39de3f3752fdf291b7725fb01abe2d73f1324125fbe4a563
SSDEEP

12288:UKQGzu2BFhnkCYEABNdL7urYP1DqcKoYRC3zC12KZvIZX:UKZkD3L7urYP1DtKoYRCQ2KZvE

Score

10^/10

chimera discovery persistence ransomware spyware stealer

Malware Config

Signatures

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files\Microsoft Office\root\loc\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

resource	yara_rule
behavioral1/memory/1652-907-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Chimera family
chimera
Renames multiple (3279) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
4008	butterflyondesktop.tmp
1436	ButterflyOnDesktop.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop	butterflyondesktop.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 25 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	ButterflyOnDesktop.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
245	bot.whatismyipaddress.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\S_ThumbUpOutline_22_N1.svg	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jmc.txt	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\it-it\ui-strings.js	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\List.txt	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\ui-strings.js	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\uk-ua\ui-strings.js	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pt-br_get.svg	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\reduced_mode.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-down_32.svg	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pl-pl\ui-strings.js	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\ui-strings.js	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\it-it\ui-strings.js	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\move.svg	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\ui-strings.js	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen.svg	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\rna-main.js	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\nub.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-down_32.svg	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\ui-strings.js	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\bg_pattern_RHP.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\organize.svg	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\files_icons.png	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files\7-Zip\Lang\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\PlayStore_icon.svg	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	ButterflyOnDesktop.exe
File created	C:\Program Files\Microsoft Office\root\fre\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_radio_selected_18.svg	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ThirdPartyNotices.MSHWLatin.txt	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hr-hr\ui-strings.js	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right.gif	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Green.xml	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as80.xsl	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\ui-strings.js	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ButterflyOnDesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe

Enumerates system info in registry 2 TTPs 11 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 23 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.4355\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ed8b84b354796746bf0dd2da37a6e5ab000000000200000000001066000000010000200000005f9b71fb2c8af6f0850ce7808011d71c3a65a567ab81eb5fc5fea9d0c401771e000000000e8000000002000020000000d3f57611ad724f5303c206d455f8fe97f0d8ec32e21543d4db2107d261221a3020000000e797974f872b40957350667b82dd24c219d5f300281c80b6ca9538e781bf2f8640000000c8a398b6f495f24df5c9a18a3471a5c740a714e2590fc46190dab9da9ea297cdc8f2e397399da0b283a1bf054872599c6925cd8ab55482145762505f536f3204	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ed8b84b354796746bf0dd2da37a6e5ab0000000002000000000010660000000100002000000095a68af6eee6101b8fb2220139fa9a8096e3b28e079025000fd87eff582ee136000000000e800000000200002000000052c42c2bc425485bfc075166c8ed5d75514ca536f09926681f6c30524ab6b112200000005576a57cf45f9129756ea343ae259cd9e74abc8b0581bd2e2eec89af4ab97c4940000000fb151a388e4f53439d8e4445503b6c9bb43bbd05c8a89a1daa02986468f4ef96035343466a957b20120090b1505238c486b55102512b93efc915e26ceb6b6df3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2035359d1c8edb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C7BC1E2B-FA0F-11EF-BAC9-EA3D4F6D6FF5} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20c4329d1c8edb01	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133856864122382847"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
4688	chrome.exe
4688	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
5012	msedge.exe
5012	msedge.exe
4292	msedge.exe
4292	msedge.exe
3272	identity_helper.exe
3272	identity_helper.exe
1448	msedge.exe
1448	msedge.exe
4424	msedge.exe
4424	msedge.exe
1672	identity_helper.exe
1672	identity_helper.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 32 IoCs

pid	Process
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe
Token: SeShutdownPrivilege	4688	chrome.exe
Token: SeCreatePagefilePrivilege	4688	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
1436	ButterflyOnDesktop.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
224	iexplore.exe
224	iexplore.exe
5012	IEXPLORE.EXE
5012	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 4288	4688	chrome.exe	91
PID 4688 wrote to memory of 4288	4688	chrome.exe	91
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 4712	4688	chrome.exe	92
PID 4688 wrote to memory of 3700	4688	chrome.exe	93
PID 4688 wrote to memory of 3700	4688	chrome.exe	93
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94
PID 4688 wrote to memory of 1420	4688	chrome.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\SchoolBoy Runaway.exe
"C:\Users\Admin\AppData\Local\Temp\SchoolBoy Runaway.exe"
1⤵
PID:2024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x7ffed1e0cc40,0x7ffed1e0cc4c,0x7ffed1e0cc58
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2008,i,466440548498199643,17898920063863271601,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2004 /prefetch:2
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1912,i,466440548498199643,17898920063863271601,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2032 /prefetch:3
  2⤵
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,466440548498199643,17898920063863271601,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2268 /prefetch:8
  2⤵
  PID:1420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,466440548498199643,17898920063863271601,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,466440548498199643,17898920063863271601,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4468,i,466440548498199643,17898920063863271601,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3672 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4624,i,466440548498199643,17898920063863271601,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3988 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4456,i,466440548498199643,17898920063863271601,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4784,i,466440548498199643,17898920063863271601,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:4600
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x7ff61a5e4698,0x7ff61a5e46a4,0x7ff61a5e46b0
    3⤵
    - Drops file in Windows directory
    PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5044,i,466440548498199643,17898920063863271601,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4848,i,466440548498199643,17898920063863271601,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5208,i,466440548498199643,17898920063863271601,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5032,i,466440548498199643,17898920063863271601,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4524 /prefetch:8
  2⤵
  PID:3956

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1816

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1260

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3684
- C:\Users\Admin\AppData\Local\Temp\is-4S6AV.tmp\butterflyondesktop.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-4S6AV.tmp\butterflyondesktop.tmp" /SL5="$70282,2719719,54272,C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4008
- - C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
    "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
    3⤵
    - Chimera
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SendNotifyMessage
    PID:1436
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Downloads\YOUR_FILES_ARE_ENCRYPTED.HTML"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:224
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:224 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:5012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of SendNotifyMessage
    PID:4292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ffedf4546f8,0x7ffedf454708,0x7ffedf454718
      4⤵
      PID:1632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,12373680644935729250,15273240426875463619,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
      4⤵
      PID:4948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,12373680644935729250,15273240426875463619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,12373680644935729250,15273240426875463619,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
      4⤵
      PID:3500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12373680644935729250,15273240426875463619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
      4⤵
      PID:3756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12373680644935729250,15273240426875463619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
      4⤵
      PID:2808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12373680644935729250,15273240426875463619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
      4⤵
      PID:4656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,12373680644935729250,15273240426875463619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
      4⤵
      PID:3336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,12373680644935729250,15273240426875463619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12373680644935729250,15273240426875463619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
      4⤵
      PID:2920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12373680644935729250,15273240426875463619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
      4⤵
      PID:4280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12373680644935729250,15273240426875463619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
      4⤵
      PID:4112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12373680644935729250,15273240426875463619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
      4⤵
      PID:3380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12373680644935729250,15273240426875463619,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
      4⤵
      PID:4356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12373680644935729250,15273240426875463619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
      4⤵
      PID:3300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12373680644935729250,15273240426875463619,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
      4⤵
      PID:968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12373680644935729250,15273240426875463619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:1
      4⤵
      PID:4308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12373680644935729250,15273240426875463619,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
      4⤵
      PID:4008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12373680644935729250,15273240426875463619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
      4⤵
      PID:2040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12373680644935729250,15273240426875463619,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
      4⤵
      PID:4440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12373680644935729250,15273240426875463619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
      4⤵
      PID:2920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12373680644935729250,15273240426875463619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
      4⤵
      PID:644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12373680644935729250,15273240426875463619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
      4⤵
      PID:1824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12373680644935729250,15273240426875463619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7192 /prefetch:1
      4⤵
      PID:4996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12373680644935729250,15273240426875463619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7220 /prefetch:1
      4⤵
      PID:3800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12373680644935729250,15273240426875463619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7444 /prefetch:1
      4⤵
      PID:3704
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12373680644935729250,15273240426875463619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7480 /prefetch:1
      4⤵
      PID:3596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2820

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\YOUR_FILES_ARE_ENCRYPTED.HTML
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ffedf4546f8,0x7ffedf454708,0x7ffedf454718
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,11862134267598192746,13653363828773741978,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,11862134267598192746,13653363828773741978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,11862134267598192746,13653363828773741978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3052 /prefetch:8
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11862134267598192746,13653363828773741978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11862134267598192746,13653363828773741978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,11862134267598192746,13653363828773741978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,11862134267598192746,13653363828773741978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11862134267598192746,13653363828773741978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11862134267598192746,13653363828773741978,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=252 /prefetch:1
  2⤵
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11862134267598192746,13653363828773741978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11862134267598192746,13653363828773741978,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:2400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe

Filesize
3.0MB

MD5
81aab57e0ef37ddff02d0106ced6b91e

SHA1
6e3895b350ef1545902bd23e7162dfce4c64e029

SHA256
a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

SHA512
a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Download Submit
C:\Program Files (x86)\Butterfly on Desktop\license.txt

Filesize
2KB

MD5
ce04e860fb85c398183734069ce8d00b

SHA1
a6fd47309ca6e7bea1194140fe93286462809b30

SHA256
8e9b33888cca3b5f02c7c72b3fdf6d105ed7a28bef598d20146f756be05337b4

SHA512
703b37124940895a3f03df524284e4f8b1bcaf75f90f88dab4361963bcc99085b5ba1772a0530798fe00181920b33eeccf8a7853768e4c8fab869a3fcc015c68

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
16271824b15b93c78b959c4da314d5c5

SHA1
80fbcfa47aea3b1c4b881dbad2c7c3743163adf1

SHA256
d49b94a2dd8480041b7202b2975d639cfac490ceced9a53c0f995a7f12cd465e

SHA512
34982112af3e0ae47e7071d4fb6fea00c6f3c55f1693d5532507ae9fd69e7e8dde1ee27965b344bf54df57c48ae62670029d028d92bc8a357a0d938d19988ef4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
bd857a659911753abcfea12d39df3632

SHA1
e42c9aeef580f0418bd03a119af15c3e99c45288

SHA256
c61485552809164dfe32a496dabba6a156e2b001ffa0c06801cd6931fbdb381c

SHA512
b85af49a682979e93e66eed328432a72a61cdd5405cf37d09f7ec01c86fad26f78bd88ffda41781fabcc699c855de96b7be43b5a1981df6d35ba4e06c7b3b49f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
080da2a35116cd9b450b7528d3626870

SHA1
a401fcbc747a0a896c93777a964ec5cf97a13993

SHA256
83428b0f128ad8eb0dd39965d93f6c1db591f90fb744108d227b46bf5c5be16e

SHA512
0183dd479dd9f8503a2971aa6e6b4a3210f9ea0ee74fcf55467b384786a35af66acfb9d695adc7868362a74c6c43d152b8fb1f4e8bf5e99083c170fb19a84aeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
2da30ce289d2f6c418b428ed3dfb02f8

SHA1
2c55422964f013163e79cab1a6faaf3b6e3fbb71

SHA256
fb603b7aef4f0cf070f054eccf4354ca1e7879fd956b3d41578080e1550e8cf7

SHA512
3d1acf75a0f2745b04267eff93b750483b3c92d750021265f2cc5026b13dd6c30ea72daaa651a46b8c854fef5944b49f1bd3dd64283618fe0d566ff915c7f572

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
94334b27f6a4d8781d5e31f7b52bde67

SHA1
ab5cf32176f72c332504c1e101c8aa7409364012

SHA256
febd863c0b89a5ff3fd61eed72730e3a4d993ac66ba9861311c08c13268361ad

SHA512
de70df6176f6984614c849b53e4941dea12cb990361c8551d99a4342811c8978ef6c0ea2499b4d2c909d0a5d9a89e8b0ab9216cec4491034c19aed2c6faf0368

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
a922afa3ba7878f4ff7a336bbc6a4476

SHA1
b6c34aa3a9405965ba990a3964357d48e0d09374

SHA256
ff599c5d8fb32798fd0a69caf1cf5fdbf9dd6ca9a2fee32cedc3fe326aced3e1

SHA512
e15fa2ac310b0e71929ee5fc9eb2d9480bb58f78fe040769481ffbf68ad6ee3e46f98865edc941c3d624f1760b8b7453b3f1554d7d98f3304da660eb163f8438

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
cb30c79d41b80b8764462339c96b09f6

SHA1
cf348a9eba7a595ee8671a02a370a03feffa1505

SHA256
c08990728be30a8b1d8920bf81c0a0d2a4990df05546d54c9b8b0fd493a2985e

SHA512
775797023c39d909d7508f7cd409a0fe3615428c1885ceee21e6975bf8e3748096a54dfa944a6871631c84fac580064a209bccd531d913d06b35c3205eb90235

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ca748c92d3d130d41a520c52df74ed73

SHA1
e4a7b993cba91550ec724af2a847b1277b482442

SHA256
acc4d3f28737b9f04491cd081e8e46d116142073d541a79f7082b5bcc5862168

SHA512
0451a29cd47010f0e13ec581edb8ce877c5f817767ec5c521d6d99759e055f6b252f4b3e4f85e56d05dcf378bccbb546bb6da25974703e55d3a80c8b757a8567

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3f9482393e5d5b1f177e5697caae8419

SHA1
920336f255232504a00702a6ebc2b70a139f910a

SHA256
773357e455554595eb885eee5bd3f16779e7ac3be4b2a66e9e4f95ab63406bb2

SHA512
bd09087fa712e2b30a62b5cb0afcc0ae864ba2d00e6b79af27f3ff7ca31bf91c282a8feef0cb6d5abcff5e5eb80a5e8c14d65c77061c324f8eb767352f49867b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e107e29f5f844131ea1ffc6809623c26

SHA1
7e33a2447fd37d80b601faabc668a8ff46bc60fb

SHA256
793a73cf373dd9401acaa29ec8a08c125aa3e7bdb29bcdecdae9135762e02fe7

SHA512
7bbca18ec5a77f08ffb9b43bbccce093f89cb49ad03596f501db372c1cd8058dda532e15bb4f00ca894c889de6f584342bd2f7b46a4b134a5d776bf61aff3e4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
be593c88b995819d3c316d0556a962f0

SHA1
f29bf94856b85018daa19e6e2222378ab8bbd5a5

SHA256
aabda4344b6f23d1416ec91d056ad491660f9bced6a5c13817f44bb3ee64140e

SHA512
786923b5e8aea4fd08202a22affe177ef5bcd29387ba972fc4f9ddbaabce2ad554e98bf0848543c573ff1de048a7a78124b5016df23b3b8ebb740ba036d85d7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
181c941aef8dce5035e0a0f05ff9bf3d

SHA1
31ee3ef7326490d7f9a057b73991c8faa503bfc0

SHA256
ed8f8174ce4f74c040cd15b6db9d2765af94a0b2aaf016dbe5dc37e5e36920c1

SHA512
aef75576645f9ddfb3dfe353a6588eac89a05fc098e05b190be834412e2fae6313c09aab0ea9ddb2e6e05fb167eb5a5e98f9fbf7664137f5a287696bbcd624cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d5b85c9bc93febeaa017f9abb6acbbe5

SHA1
e5a949b4d526e2f28793463480269d4ab9f5f36a

SHA256
cdcefabcc6b2193d488c3dfe54d73998f583e1a14475d257fcdd422e2087587e

SHA512
7b8f1638585cffdef65bbb5b16d4d4328f60c10c13a7bb0a2627e398d3e91efb0de7ff728812ff87dff88cc081e2bf2f636bc0a8102226a1a385ca07d033d9de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
18a6287563fe8e0db2e955f7a656306d

SHA1
1e491735009200082c1da0e4a1f4e52b24c8b9e9

SHA256
19c7d544a916e30c71e1ea18a38f40b751a94d227d6378d8f7ca85ad481bdfff

SHA512
0a48a410c348a4cd4bda227147bc0d77cae996fc6c871ad5866c5ba7d4dc06a2956673630f6f07fd051819e85ada39f43d849f20b8a6fd8a98ef27a3066b160c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e9b6907324128aff3f376cf332e57a0a

SHA1
2bfdb12ca4169910a4cd1d8c0d09919fb0083860

SHA256
994a35e6fdfdada1627d1c974b83be560abb9db92b54662ab6f3901b93c41ee3

SHA512
01b29825c4cac22578db50d4a682d7f3b05bf2a12995b7d43764a173308bda994751f5d326f3c6901fc23b16df821fda7df35c9aa50183a7d93aef4991248cbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
493603995b0b83618f9762c6ccbe04d9

SHA1
59514ab679f1a7be526c772aef4308fb8415947e

SHA256
aeb45cfdbd35026eca8de95886a2f5809257fcdaced976b99ae4a2e758d5ab9a

SHA512
ea380083b4fbeb99aa8ee02e570c6f5db26226f891105bffcd3bfe4f07c6d9d96d1dcdd44f4a6a8d6530893f72d7ac3f593b765020cd4f0b20f06574dfc14678

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d3e475cd27102468cf3c036a660f4f8c

SHA1
042adb165f14c724ea2950d0c1d185261b7a3a89

SHA256
2c9df2161b49887ffa8063968cc753fd4b59ecfc7ccbce3de9854a6dce84893b

SHA512
5627e4717803ddcae50d58f95c977d2429e0f2c95ec7221c37e0ad3336180225986028c603be8aa87b32a344988671ab659bd4c9684aa4afd5711a88a1deecea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
647f7b16d32147687b2d85fd8cb9473f

SHA1
c1e5421331a2b1fe7880708989ed0d46e5be1d43

SHA256
c18ed19e9c4108328173713ee880acdb4fcc699c18bc69af331e1b46f1b0b365

SHA512
3b3cc606d4e62c67b6f66fe17bad40e8d56af648c4728415c1f35cf7ef8ceba4b10d2eb7a1053d76546b6ba6ff2efd6d1e6ed5333407162aa766eb9747ccd322

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a9930eeee495197d55e3e751ab52fe6e

SHA1
246df4d47ad4fb0bb493d50144120c501b73af6c

SHA256
6d10d1314b668a6d166e88899213148acdd907187829dda32d2478f197ac5a0e

SHA512
8e8ba4c9e63399eb800b36639f70437074e68bd4d0772f3876a8b6b7a0e39991217fb4b79d878397102e959921f8557c6f5994fa7a293c4a5420d7db2f340e8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3238cac10eb8bb057cdf649d21b47fb5

SHA1
76ae8ae16c6d00a034b9902a96c1c56de4b06f06

SHA256
2a2d4ea80379f55c60526fc83b536175949c6b7ba921b6ab00b42499453b62e0

SHA512
4c13621e8c418dc87f53399709ebb1ec224e2a45457cd6ae1863978ab073f813854d9e7953be59006c495b034b6bf4e8692b79e1322b8961df4a51a2e2757c08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
23e54f2ebd40cf212888d80fbc22ecf5

SHA1
b434b6b97a159d90e7aa2591e2df32aad6f740e0

SHA256
6ff3ff2a47c72a7f985835fb717b954f6d51f62da6db4a35e9fbc41318c75985

SHA512
0d4f577027e1ef4c589ca65326ff5070d3ccf604a0d7f43da84916abaa202e4c727cd96f4e3bbdc2dd3ca80e591e29348e8b1eefdd969760a79c848a026c4f6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
304cf694012258d9f55fa6e340a27ce0

SHA1
0a618f9baa81c2340257b9d0077db158f4e3207f

SHA256
662ac579a000a70cd1a75c5c77d7e6ddba8d92498e1bfe19056bb68e1f851bf2

SHA512
ca93d852f11dcd28c890a793522c72fb848922888d72bfc3f797ce064524874d22c38e6ffff8a2c95d566286046ed7857b9f5c143dabca9ad82ff6ab11928a49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
150B

MD5
814d72a56223b580a88989ac56c7ef81

SHA1
bc6c044626d6f26be7a1471d333fda27a397b0a1

SHA256
5c66ccb6ab8556df7c02264dc0aacdbdf3c2e261ef900aa48bb7431babeb48e2

SHA512
fa0a25a7508e93f40865fe446d4d0bea95234e0b22097b13e3861ad37eabe950af847c1070802d0dbc2fbc6f66541af761bea4afc64a1c5cb0e2fe6007126ca7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\29c525e1-17e2-41d6-aba3-c33c7ed7c730.dmp

Filesize
3.6MB

MD5
343f241daeaa3d488f72f3093d8329a0

SHA1
d89f46a0a952ea3a70d087e5bead1e9a0bd4ef8c

SHA256
2a2f228f20708c287bba56671781500dd77d7aa292bcc9dd7ce4417747c194ac

SHA512
ea400ef29456e9b02fb9310203bb31480c820fdcf691602296f8b80c315b86091e90ba88062f23ab66dc9638cdc0ea00f14054bd1bda6f197ebdeadc599016cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b610588a69236105eb2d29d94762ba4c

SHA1
db898fd16d7233fe4b4ce62c0784c9fd9373c249

SHA256
921857973c44324c646be6f2086277ae6d90b8b5f0aa0c2359ce4d2aae3c448b

SHA512
358e476bb4196e932dd0208969996c00261eeadd8ac1066ba59dcd07a4d907db2490a03f6f9b8d63f5f19ade877692328b4914654763109127f7fc50f1984dc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c32f25360240c784fcb085af9584f603

SHA1
ed1e7cc38a2c35022751ed06cefe40c99feb7149

SHA256
118897ab696eb8caccb018468fe38b1093b5122599a78452ffc2d9135d310b17

SHA512
3b0de0240897cd8e886097ce7e11509e19c896ce423d69253f48d9ec6f14ab687e7aad077553da6fee8c085514e7cc36e304b57decbcfdd13d5dbe5552e81dcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed05621b2a1e4a5665da21bfaf333a47

SHA1
4cd83a338b9bb2940b9cd9c3c8cc6a7638556579

SHA256
bc3f423aae2852f02ecee50bc19e7c78cc61b20e0d3bb04237ec628c3cf63c5a

SHA512
775d9523db85198ce510e082e2932fdcb7ef2ef1ec8d730cada441f795919399ecb3fb72b498c1c20c555aa95728a33bc45387ae43818cef51a19316bd80b2df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
030eb93edd776c3783eeb031f8b0998b

SHA1
751c16bc9905877d364c2d9876ca0040c2debfa1

SHA256
3e3e2f27eba9b9fbd2a2a9d43309186cab163f8b01c3c7a15957e6571d100ae2

SHA512
bd572bd3d8d51def5feb934971f35f96914e7b5a092e15c3831ba79b0a142608908bfff7dd566bdd6cfbef78d52d47fbcd8741292e9c06af8a5005ddcc6f791c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
3eca9604689492974cc5247c7a99c7a9

SHA1
7456394c79283d475c55f21f5971e6c9fa804c15

SHA256
6dfcab885a455915e78cbeb9745549596531acd073b2ac6ced757efa48300d85

SHA512
0c0f9daff15d9d838bc252880e1575925bc057d313d2188e248b814c7054d59cf5b76999cafd024916356f102f80746e5c36e6a1bb82e3124a2e77a8a0b2cd96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
a9fd2659ba5f21d0fea288a62a29fa1a

SHA1
461d1341577797cba2221b6a58bcc2a9aee289dd

SHA256
361e20dd9cd3fbefc37fb27c5c6fe147d421715b63618d3d937fe6eb2e9ef54a

SHA512
59697b3feb5d811025c531f936afe41f942ea8ee50b54306b2825733e0351c5138a5de395848b13251b8eb3926d417eadd3f929058da94942d2fee538d86f060

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
742B

MD5
00a62aa994d99491b03c929911f35b09

SHA1
1a38bed01d2f6d82d62556290a51848dfd01760e

SHA256
bc25c704c144bfabf3a6c3e45fd7bea8f75c8c22dc659c9e5897de6d6b26db3f

SHA512
645bb74df7b6260cff0cb55cc23ff4cce5a87745ea9b1b639068962b443fbf8d4c06404c9aca46a0f7b5b5c5eb88d2be7e540251dd28c15274ec98585f952561

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
4KB

MD5
01227c6cbfbbbc8b99844812ad4f0bb3

SHA1
684cfb0e4f0ed508666f2319e1d9b892582aa1ef

SHA256
c1a9095370261bfc145599cf21a910e7930fe7b05eb84984a0ff9be9cdafbaf7

SHA512
d7b2db0f7c1cdf097c340938e49589c39abdb0e93054d8321bc0c0b10f8b45adbcf325ea3810d6b6852ab77b15843ad7a6217912f418b6577cd83ced9c61543e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
6c03ec860c4ee30edb15cee24a971675

SHA1
445d75f6b30c47e69c44991e7b7158a62e043fdd

SHA256
72d128f6659789d1ae0af2abc4887912d464421ae80f8acaae67b1e3f128658c

SHA512
d6b6bbb02f9d103b70f520d39c9b18826a94ec8cbd20e13d5405abe9174b28e13b5c31bda2b371c450bb7166b6a48cf86aa327b0de4a3c46b88089827368e733

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
9ed9d4a905b46b6ae8e450de0e684b6e

SHA1
21442e2ddcbda7bfc9e62833e4a503b8007e37e0

SHA256
1fc027c51f99785b01e4135f6ec77bebed1089deeb87a30e71de76b2850c9d37

SHA512
bfdfaf802837a2e3373c4e2c33004ad79864d7f14cf1af00200fcabaf84bf70c831a320f9603bbe0e7c3ef98b5dcc59b4030db5d2177f5079d7e197373742225

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
ca020deafa1f4fedf907d56725eddb41

SHA1
9b7caecec426968dbf9818e5b729bad2fcf14683

SHA256
69b4b05491e0d06bf6ff610027d0b822b48c714bb8bcf4916f831fda23031cdd

SHA512
2eee63e4f116a43a8112b6fae9f18344cf8113168edefd9116c8b79f531b23ed8fbc6ef18aeeaecff25606cc6ecfce46769ffa8b953f322e3ccd8c148b939b9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8420c845c5344823b3e7de89ef1ac062

SHA1
bfdd9a488787f153a37704e10e73596cd243c1fc

SHA256
f7af3427d442294c510aed315a85f96215250896e35fb8e6a735b462589bfbb1

SHA512
f42e2b2ef544daa3ba8f93319bf85538b20ee10b480335232ff79ce93c6d87b732c427663b32da3d70a96797e8ba50cd544847b5afd146b0dd363ccb2002ed93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
beccdbfca259970b420901549e0284da

SHA1
9c0c35dc785e84c199db7af32529b4d810895c0d

SHA256
7b262985adbe98b98c59a2ddd52c8f1db2648035bba0aaf6529b682b51d2e397

SHA512
eaa6191ad106f88acce3a4032f87b06f79aec30cb17ccc103adc4052f0dd1763bfb13bfe3982ce77351e388b02f9d32b33d216c351c0faa3cdc28d35a0c17c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
55a1bad23dec4f6c6b0de414d0e44af5

SHA1
3cc77424d8247dc87a8dce4d808acdcaabf3942f

SHA256
51437308601ebd4e7ac1a6ce00fe6dd1cc681d534b6ee4557050603e6c2ba13f

SHA512
0a48692e3ac45ee6481f57a557f8d159192f973eab7a352e0d17bde03625cdd63c703ab90ce09b2d6bcc5f603fdaca2a6937196f43acda96deaca5f3117366fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f58a0708f95750c05d2c10065a440937

SHA1
86063df1471453969881d32997be15fe18e5f3b0

SHA256
4f763bbc32582945bdff2678308ee08d497ab7a7b262c730c2e382e69350596b

SHA512
0cb344441e5abf21ac1aab4a8fdd01f7f480bbc47a79a49408f9f4fec37a0c049a9f0d863813bea384b3ddef0586173ebd6bea57f013b16232021ae0e54af9d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
372a68020db3d64a365641e6cb2a8331

SHA1
f45f082136527bba07ca1990894c08945ebb608d

SHA256
4dd209f90a5c454ba314e7cd47e9031ee72d1abb6e7c6e9788c9a84bc48604a7

SHA512
1381a088a67fadea93379f9037fcf3029dcbd40b88623f982921faca41890765d0b4fa53b1ef32327d7c4cc1f3e2130155341d0b7bbed6ea1c34333f9ba63423

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
291dabcb0964316c4fae66258b94b2df

SHA1
8448cbe77651dbaff20eba946a87b0c17eebf083

SHA256
cbafaca1acc311c5ecaf801ba54fa75489b68019e491dd983e0526d02ef4bd92

SHA512
bc28533cd4013dba105ba28e0ef4127c0992129c0a1ce6b0d52ce2dbb81c5bd8f1215552b1792e8108572d5874715a5e8a44b1802594d4620cdedd1dee276f3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e06e0eabe13da96c0555c9f41f27680f

SHA1
aeb0ff83a4000fc3425afae51862c468d640d773

SHA256
41cdd39dd72d2e3b06cb3894fb08435c66cab64a4b5e6f7c42744886e60a6368

SHA512
6fdc73101ec2eb9d36a7614e6e824b90af33ffc9a2249f08060f0d26bf0776d07bb65eb4f11fa2a9c07e248e7f5396d8fb5271a48b9927e2603edcf332a527aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
a23c586f681995949f3245e57a2269c6

SHA1
525e5f130a68e649c083cd76d24995ca54be4718

SHA256
75fe9f0a29c5d855d4513fc4b494b2605cd8d9c13d24e2c92776a01da9241a7a

SHA512
04b0ad7dd0c456b36e1fcb0b7580461818c7c9a31cf24bf1107e93be08cad1ea8822286bdd00f4aadf7efa23ab47d119f51189c40cf913173b9919eeea71c7f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
e16f057d101c48d202a20da229a8e897

SHA1
8744ccca6fb8c1c90bf6d8686f2ed734373ecd30

SHA256
e67ffc758df255326e8139b7ca19f204e738830020a48f96ceafd033ba7124a9

SHA512
c1ca6ced2b39d76f78972320f70513f267431b8fe978330e601204fa2286d6b8745dc3fec4b4979f98b94c556feaecdea95af967fc35dc26aad02922f1b92504

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13385686654685579

Filesize
29KB

MD5
8387564a4fa6ebd8ecd6d7242008d80f

SHA1
b8cb37d4b427f3747817040cc74d11b0c1cb000d

SHA256
245782f09351ddd7dd1e146e2239eeac8078f9e9d65a9a7ce6d7ab52f068d662

SHA512
8d758f340e13b7d04504abc71da83457d4469050da18dbf3143d52625e95b46ff210697e13e493f25d43216ad4705783ef0cd29eb3de6dde4fb622ba83feb1fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
5ed8fd7e66e377b52db9001f01886954

SHA1
8ccb16010eddb26f2559374049b16e7a782adf27

SHA256
396f2d7ed01bf135780277b84c2a6e25a206c7200576eae7444c4f7994c86de3

SHA512
beb90192173384a221b3d609b467462a9de1a1d77f5a0717939a1bc59c35828b5fef0aa6a24196bf9d5c14e7e876e41d58d8c2042b9f4ad86beb4cc0e3f83bd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
8aff972c4d0384bcae920f76efa26702

SHA1
1709f04cb9d805d9bf3548526c8e68db99d50bf2

SHA256
53dcb7e7afb0df4610f9f388825dd0d8146314de06164e121e8bd4238d91574b

SHA512
1ddc1c71e05e7aef90b8c9380544027278dc818fd7dcf50ccaca9e962ec742db0782f1cc3d3b5874a38a78166a4da7b56a418d36cdc78b1ca0fc66d2961dbfc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
2319764c40db4b138b15ba0b2c7161e3

SHA1
539af1d5b0f21557b13908cc8b4d578e71bbfe3a

SHA256
20c1d8f0571338c31f3f1197d7f20b5d74cd693bed938e5f08516b8a79ff3baf

SHA512
bda1e2a8554e0f97262ccf22c7cbaea570af0930635e64bb41b9338b81e7a838b785dae5aa6fa38393812533b3cb69f234dce87f0d9f80cf99b4b7ad28348a94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
d9a916ea2ffbf10bc28ac93d4f26ae68

SHA1
4ec86bb42f2e2a90bdfc99fb748ac110070b27a9

SHA256
74aa04dc7c2afffdcf703f5fc922baeb2cea99b444b8d6099c5bef9a81f15179

SHA512
34f63c5aaf39cc3db5a73d0991e0b8831c1a8c177e307bc23180475d1b2382e99ab24322009435102930f4ef09471c8ed2dfdff22ad471eb26b1825ad80d42fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
66370313375bb2ff78800e93755d98b4

SHA1
9bfa548891f68409f823b450c75eb983dcf5cfc6

SHA256
96e06c0b30dce1dc4c22c92a94427ee749b9397741576564950ee010e140b551

SHA512
1206878044ff83867123690928241761031f744da0a87048b4e9173de00b1723753ed7fb4035f209cdeda532c387c95f09cdf3a5ab1d3ed07c26159a7316fabf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
e03fc0ff83fdfa203efc0eb3d2b8ed35

SHA1
c705b1aa42d84b3414fdc5058e0fa0a3dc9e1664

SHA256
08d550d1866b479c6c41ebbda7b453dba198ee8744a52c530ff34458024ee1fe

SHA512
c0840930d7a9cf16e8fbefefd09c564eabfcfb6e9df1f9b906b830e8218a818c3f9721f9ce1fc2a96b2e6ce725baba0dcd5810a9b55d20b3c9d6f4569b9008a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d2c057f1-35ca-4069-bb8a-fbb31661b2be.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
64KB

MD5
929b2ea4cd4007b91292d2f38dbb7408

SHA1
6e6c9096bd43efd1fba606e65c1c62b47fe3c912

SHA256
2c1f6031561533d1cae08b8b466f6f5efcc10b98910df36caff53a3281df340b

SHA512
81de9abe9619c74700cef9f0d7ce5394472aed3d39b9cb01c950b86f2de5de02c1a95be4db898ace0afe22f1d31691f039c00d2b9444931a231f23daa575bcac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
594B

MD5
d34254425f5bbcb87f4586f3d85566e2

SHA1
e55d38d6d6cb3eabc64e28897b95cee7ddddd1de

SHA256
4b8fd9eb3310166eecaa86fa839f261ae43865a7275c8107848b20786214eca2

SHA512
b51208c0ffd7961f751b604d379378747d75899dcb27af58e159291bf84e1da0de27894453404607d2526e39988fb0673cc0f4fac1e0561e7cb9965c36a7c3c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
37eab0e3ed70f792693a817530f5404e

SHA1
a1c8e347352b96b6d5d24e712647e665ae97c46d

SHA256
01d355172e71e851ee1b312117a7ac8186c0251a864326fece038c845ac63d0b

SHA512
5e64f7b9dd79b9c15f01d026eff3ee7fe4dd67fb5f2f7050611283c7bf9b5e1308a737f3def23ea03a1b633b8f66de02a2f5868edf753047165ec55647a543c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5482d0bb7bafa92fcb48f2ab555848f1

SHA1
5d9f3b6080d067dbf1925eced36579255ad56f63

SHA256
cd22c7b2159c885c18b5064d51aade3863ec1e56911848124d17078257ee0c4d

SHA512
e10dd3b06409a1e73fc94a4639ad87975a24327f33dad33029e873a11d15c8b1f1c66d5bfe17c9b8bbb12559be53d9712126a39e2c4d8d7e503067f5f59a8a4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a657677bd890cdc756abc4b22f7c76cb

SHA1
5128cdf53b43c8fff0071fa430ad5c670d89103d

SHA256
b232fd44297799b73339678fd1643cbe5299e92359486d5129f5ef0a61bc2e72

SHA512
1d638e89670cd08fa2e15758c1a894d2fe94c26f9ccc0b54b6afba01ad0d4352c86b55ff9fa42b303264913d861cfa4b9f7ce20d6720155309b3d7e5c140819d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7a764aa87eb7c77da5415f6e8b699645

SHA1
4fbb1aabd99264bf029a19a349cba87634c86bb8

SHA256
32469aea349a21d5721764204a8268296ca08bf801e51015c470f10bf7753df5

SHA512
b10e17ed96fbd4f8e40ae87b8adfa6d2326f49d0707ae0baff4cdede20d9b58df2474a5512e6e9d1b1bbd1a0b6f5a107f7a9d85abbddff51b6aa422209cf76fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings

Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4S6AV.tmp\butterflyondesktop.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1).zip.crdownload

Filesize
9.9MB

MD5
dde59ef040c5b16b6fac0e2d2d6d7936

SHA1
1e4d0af9ae115029fde5c68fd203c3d3674d78cd

SHA256
a5aa7920e81c0f1f4c29344fd65e3262c80e8ebc9ba02c3d1120b7cd99d99e6b

SHA512
be3863760ba684ea6af8b6177d9aa358acb16072660c4b96f6ca4b6b63bd974e61c7d8f61efb07a773d04cea2ba216866ab1407828f20c9f0769c71c60a73548

Download Submit
memory/1436-3370-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1436-913-0x0000000004A00000-0x0000000004A1A000-memory.dmp

Filesize
104KB

Download
memory/1436-9035-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1436-905-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1436-906-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1436-9030-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1436-9031-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1436-915-0x0000000004A00000-0x0000000004A1A000-memory.dmp

Filesize
104KB

Download
memory/1436-715-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1436-911-0x0000000003720000-0x0000000003736000-memory.dmp

Filesize
88KB

Download
memory/1436-1630-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1436-8789-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1436-9032-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1652-907-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3684-566-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3684-529-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3684-540-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4008-541-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4008-565-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download