chimera | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Analysis

max time kernel
306s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
23/03/2025, 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

chimera discovery persistence ransomware spyware stealer

Malware Config

Signatures

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files\Java\jdk-1.8\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

resource	yara_rule
behavioral1/memory/4300-1385-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Chimera family
chimera
Renames multiple (3243) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Downloads MZ/PE file 3 IoCs

flow	pid	Process
206	1772	msedge.exe
206	1772	msedge.exe
206	1772	msedge.exe

Executes dropped EXE 5 IoCs

pid	Process
3776	butterflyondesktop.exe
748	butterflyondesktop.tmp
2760	ButterflyOnDesktop.exe
4300	HawkEye.exe
3572	AgentTesla.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop	butterflyondesktop.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 27 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	ButterflyOnDesktop.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	ButterflyOnDesktop.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
202	raw.githubusercontent.com
203	raw.githubusercontent.com
204	raw.githubusercontent.com
205	raw.githubusercontent.com
206	raw.githubusercontent.com
201	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
354	bot.whatismyipaddress.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\notice.txt	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\osm.x-none.msi.16.x-none.vreg.dat	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\EmptyVideoProjectCreations_DarkTheme.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-white_scale-100.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-200_contrast-black.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-114x114-precomposed.png	ButterflyOnDesktop.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-default_32.svg	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-40_altform-unplated_contrast-white.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-24_altform-unplated.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\sat_logo_2x.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\sfs_icons.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\ui-strings.js	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hr-hr\ui-strings.js	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_listview_18.svg	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-24.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\chats_emptystate_v3.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-96_altform-lightunplated.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\MedTile.scale-100.png	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSplashScreen.scale-125.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FileText32x32.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-150_contrast-white.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-black_scale-200.png	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-16_altform-unplated.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreWideTile.scale-200.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\WelcomeCardRdr-2x.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg5.jpg	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-256_contrast-black.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\NoProfilePicture.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteMediumTile.scale-125.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-72.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCacheMini.scale-150.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_anonymoususer_18.svg	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\LargeTile.scale-125_contrast-black.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosAppList.scale-125.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\WideTile.scale-125.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Square150x150Logo.scale-100.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\MediumTile.scale-100_contrast-black.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailLargeTile.scale-400.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_de_135x40.svg	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageWideTile.scale-400_contrast-white.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeLargeTile.scale-200.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-125.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp8.scale-200.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\ValueProp_Shadow.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\example_icons2x.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\APASixthEditionOfficeOnline.xsl	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ui-strings.js	ButterflyOnDesktop.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchWideTile.contrast-white_scale-125.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalStoreLogo.scale-200_contrast-black.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyShare.scale-100.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-400.png	ButterflyOnDesktop.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceDaYi.txt	ButterflyOnDesktop.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ButterflyOnDesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentTesla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f800f43246331f4499a70972ff180a7000000000020000000000106600000001000020000000c59dbfa6d11ce41e118b7caeca422ac3d790ca6f087ad6f782d64781f8a66331000000000e8000000002000020000000f147ac2c07fc19e1bdec1dc2f7636cd5cb6cff59de9d734bab48087baac700ba2000000055cf141ec7ed9b680849e97427f0062ded4273ec91c0d7acff4638e919ccea6b40000000ea1c7e3f7a8f246301a79d43f8b64e562281e2f9e4b9e2133d01712328e7fea985475b1251730b945b018ccc416b0e4cdf3353eed9337c9c82f71e2fe7830a2c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10940cd4989bdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 308f05d4989bdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "449460805"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FE5D3155-078B-11F0-A824-4A8A2A9F28D8} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f800f43246331f4499a70972ff180a700000000002000000000010660000000100002000000015ad8b74cc16df7a2f293d619c696548cc6dec5c54a819ad23b9a842f3f3e171000000000e8000000002000020000000d9f03afc333a5950b83d3ca3c4ac36eafe0b30c862ccafc1b5bab3811e334db22000000098d211f5475cbff4fdd1e1da183168570f8d25fbed6dbcf71c713ae20555e0c2400000003a60c927eda815cd2da9862370e11d61985347c3d551d15464e8dbeca817bec8283545216cd498edab7cf7d46ffb2c11e22ac4ae0b4437713fa117660dad93b1	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133871692258142500"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3218366390-1258052702-4267193707-1000\{84FE2A04-D82A-4B8F-ADE5-28AE4897D4E8}	msedge.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3548	msedge.exe
3548	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4300	HawkEye.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
748	butterflyondesktop.tmp
2760	ButterflyOnDesktop.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
4120	iexplore.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2760	ButterflyOnDesktop.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3572	AgentTesla.exe
4120	iexplore.exe
4120	iexplore.exe
5800	IEXPLORE.EXE
5800	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 436	2312	msedge.exe	86
PID 2312 wrote to memory of 436	2312	msedge.exe	86
PID 2312 wrote to memory of 1772	2312	msedge.exe	87
PID 2312 wrote to memory of 1772	2312	msedge.exe	87
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 3528	2312	msedge.exe	88
PID 2312 wrote to memory of 216	2312	msedge.exe	89
PID 2312 wrote to memory of 216	2312	msedge.exe	89
PID 2312 wrote to memory of 216	2312	msedge.exe	89
PID 2312 wrote to memory of 216	2312	msedge.exe	89
PID 2312 wrote to memory of 216	2312	msedge.exe	89
PID 2312 wrote to memory of 216	2312	msedge.exe	89
PID 2312 wrote to memory of 216	2312	msedge.exe	89
PID 2312 wrote to memory of 216	2312	msedge.exe	89
PID 2312 wrote to memory of 216	2312	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7ffac0daf208,0x7ffac0daf214,0x7ffac0daf220
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1792,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2060,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1424,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=2632 /prefetch:8
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3572,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=3632 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3600,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=3644 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4292,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=4252 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4352,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:2
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5312,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4012,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5304,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5568,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5464,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5464,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4036,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4080,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=6316 /prefetch:8
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6324,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=6328 /prefetch:8
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5524,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=6272 /prefetch:8
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6588,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=6600 /prefetch:8
  2⤵
  PID:680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6756,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=6764 /prefetch:8
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5340,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=6328 /prefetch:8
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6752,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=6580 /prefetch:8
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4444,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
  2⤵
  PID:5388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5140,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:8
  2⤵
  PID:5400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4052,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  PID:5408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5168,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6308,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=6636 /prefetch:8
  2⤵
  PID:5912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6884,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=6660 /prefetch:8
  2⤵
  PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6292,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=6952 /prefetch:8
  2⤵
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=6748,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=6788 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4468,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=6328 /prefetch:8
  2⤵
  PID:4076
- C:\Users\Admin\Downloads\butterflyondesktop.exe
  "C:\Users\Admin\Downloads\butterflyondesktop.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3776
- - C:\Users\Admin\AppData\Local\Temp\is-ACE89.tmp\butterflyondesktop.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-ACE89.tmp\butterflyondesktop.tmp" /SL5="$130054,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:748
  - - C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
      "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
      4⤵
      Chimera
      Executes dropped EXE
      Drops desktop.ini file(s)
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2760
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\YOUR_FILES_ARE_ENCRYPTED.HTML"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4120
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4120 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:5800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
      4⤵
      PID:4972
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
        5⤵
        
        PID:5624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --always-read-main-dll --field-trial-handle=6868,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=6676 /prefetch:1
  2⤵
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --always-read-main-dll --field-trial-handle=6872,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=6288 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=6852,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=6972 /prefetch:1
  2⤵
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7144,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=7132 /prefetch:8
  2⤵
  PID:5752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=7212,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=7304 /prefetch:1
  2⤵
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --always-read-main-dll --field-trial-handle=7352,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=7332 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=7132,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=7136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5968,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=4008 /prefetch:8
  2⤵
  PID:5876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4072,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=4348 /prefetch:8
  2⤵
  PID:5892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --always-read-main-dll --field-trial-handle=3732,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5124,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=3384 /prefetch:8
  2⤵
  PID:5464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5580,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  PID:2612
- C:\Users\Admin\Downloads\HawkEye.exe
  "C:\Users\Admin\Downloads\HawkEye.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5236,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=3588 /prefetch:8
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7616,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=7360 /prefetch:8
  2⤵
  PID:5704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --always-read-main-dll --field-trial-handle=5560,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=7956 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8144,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=8116 /prefetch:8
  2⤵
  PID:416
- C:\Users\Admin\Downloads\AgentTesla.exe
  "C:\Users\Admin\Downloads\AgentTesla.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3444,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=6956 /prefetch:8
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5984,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=6340 /prefetch:8
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7368,i,8092667257731696247,10626256816358705330,262144 --variations-seed-version --mojo-platform-channel-handle=8188 /prefetch:8
  2⤵
  PID:3684

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe

Filesize
3.0MB

MD5
81aab57e0ef37ddff02d0106ced6b91e

SHA1
6e3895b350ef1545902bd23e7162dfce4c64e029

SHA256
a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

SHA512
a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Download Submit
C:\Program Files (x86)\Butterfly on Desktop\license.txt

Filesize
2KB

MD5
813b3907feb01be02022c411e3bbf39a

SHA1
7fb109b20dccb4500ee60348567c1e11fa7f4d3a

SHA256
8d2dcc5ab7815f594e6a79c18069ba2870eb3c28a9b3a85c1fffcc4cf62c33c7

SHA512
0198a2f08de825c22a99eaf5cee3d1296957ecb033e4d37ecf8d705b28859d40f814ab09076755a6962ac02dc475ad51383eb9e455b8ed5ede172d2f714b7bb4

Download Submit
C:\Program Files (x86)\Butterfly on Desktop\unins000.dat

Filesize
4KB

MD5
addc0a9c8c5ab06da982ab0741992cb9

SHA1
b63caa2222c02e2707a437d1a7f1235873a52289

SHA256
51ebe7fde09946502391cfd7f4876952b00cf7a74986f9ba840ac995fe38aaae

SHA512
2060573199a98493aeb82b183a0601d3f58996032334b36b9c4256b5de3999ad32060cd9b49115956d7cc18b8f96faa7236ab80d6d0831f7bb982034dbe1892a

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
50e69702a371c66f6be2f7604e570c4e

SHA1
6d41beff403cbf52c0b12be5b85dab4a71089510

SHA256
8b288083d92f05f906caadc93d491fd6b7a9cf52121b8d763117a9079ed8a004

SHA512
a65ce6e61191e3e8d16f0bb5bad9d965901c0195ee79a1e0a10d24e8413f4f3950c5176bb98c1982c7d1c75fa73f9df1817722d565e9d5a9f5682b59a1f7dcf5

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2312_1318390015\manifest.json

Filesize
160B

MD5
a24a1941bbb8d90784f5ef76712002f5

SHA1
5c2b6323c7ed8913b5d0d65a4d21062c96df24eb

SHA256
2a7fe18a087d8e8be847d9569420b6e8907917ff6ca0fa42be15d4e3653c8747

SHA512
fd7dfec3d46b2af0bddb5aaeae79467507e0c29bab814007a39ea61231e76123659f18a453ed3feb25f16652a0c63c33545e2a0d419fafea89f563fca6a07ce2

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2312_1359087549\manifest.json

Filesize
43B

MD5
af3a9104ca46f35bb5f6123d89c25966

SHA1
1ffb1b0aa9f44bdbc57bdf4b98d26d3be0207ee8

SHA256
81bd82ac27612a58be30a72dd8956b13f883e32ffb54a58076bd6a42b8afaeea

SHA512
6a7a543fa2d1ead3574b4897d2fc714bb218c60a04a70a7e92ecfd2ea59d67028f91b6a2094313f606560087336c619093f1d38d66a3c63a1d1d235ca03d36d1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2312_1457573593\manifest.json

Filesize
176B

MD5
6607494855f7b5c0348eecd49ef7ce46

SHA1
2c844dd9ea648efec08776757bc376b5a6f9eb71

SHA256
37c30639ea04878b9407aecbcea4848b033e4548d5023ce5105ea79cab2c68dd

SHA512
8cb60725d958291b9a78c293992768cb03ff53ab942637e62eb6f17d80e0864c56a9c8ccafbc28246e9ce1fdb248e8d071d76764bcaf0243397d0f0a62b4d09a

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2312_167352578\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2312_1727407266\manifest.json

Filesize
135B

MD5
4055ba4ebd5546fb6306d6a3151a236a

SHA1
609a989f14f8ee9ed9bffbd6ddba3214fd0d0109

SHA256
cb929ae2d466e597ecc4f588ba22faf68f7cfc204b3986819c85ac608d6f82b5

SHA512
58d39f7ae0dafd067c6dba34c686506c1718112ad5af8a255eb9a7d6ec0edca318b557565f5914c5140eb9d1b6e2ffbb08c9d596f43e7a79fdb4ef95457bf29a

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2312_1916190598\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2312_1916190598\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2312_2058118187\manifest.json

Filesize
134B

MD5
58d3ca1189df439d0538a75912496bcf

SHA1
99af5b6a006a6929cc08744d1b54e3623fec2f36

SHA256
a946db31a6a985bdb64ea9f403294b479571ca3c22215742bdc26ea1cf123437

SHA512
afd7f140e89472d4827156ec1c48da488b0d06daaa737351c7bec6bc12edfc4443460c4ac169287350934ca66fb2f883347ed8084c62caf9f883a736243194a2

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2312_337808012\manifest.json

Filesize
160B

MD5
c3911ceb35539db42e5654bdd60ac956

SHA1
71be0751e5fc583b119730dbceb2c723f2389f6c

SHA256
31952875f8bb2e71f49231c95349945ffc0c1dd975f06309a0d138f002cfd23d

SHA512
d8b2c7c5b7105a6f0c4bc9c79c05b1202bc8deb90e60a037fec59429c04fc688a745ee1a0d06a8311466b4d14e2921dfb4476104432178c01df1e99deb48b331

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
01fa3211165ca3e0dbd816e5389630bf

SHA1
2a6569707c8ea29cbf996a906855470bb7831f48

SHA256
ab165a9a5b25e6c05f6f2eac77c9dcc9b4157897524a0be4415cdae9cef5636f

SHA512
1848c476ebf00781299715f7c664465a071fa54e3bc14002df35a74aa27667788956bddc4b96b241ea2865f819cf5e33ed7907504a99342c2a0379a0964550ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
f9fca2271e803e3f2a63e37a9ee2636f

SHA1
e8b749fe61e1098784853c6754a78be5c26df79d

SHA256
6b3e2b529a67f67a1c95f32a51387bfdb74beff69198569ca18909712f5eb574

SHA512
f8a1d96290d4b426be66a849579b976f6fd1b3580e88a9b06b9c97deee5e73c28893e367b5e10565ed129bc4dd00ba25a1b5851e3bf01cd7348d152a1b2d999e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.8\protocols.json

Filesize
3KB

MD5
6bbb18bb210b0af189f5d76a65f7ad80

SHA1
87b804075e78af64293611a637504273fadfe718

SHA256
01594d510a1bbc016897ec89402553eca423dfdc8b82bafbc5653bf0c976f57c

SHA512
4788edcfa3911c3bb2be8fc447166c330e8ac389f74e8c44e13238ead2fa45c8538aee325bd0d1cc40d91ad47dea1aa94a92148a62983144fdecff2130ee120d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
4013ebc7b496bf70ecf9f6824832d4ae

SHA1
cfdcdac5d8c939976c11525cf5e79c6a491c272a

SHA256
fb1a67bdc2761f1f9e72bbc41b6fc0bf89c068205ffd0689e4f7e2c34264b22a

SHA512
96822252f121fb358aa43d490bb5f5ce3a81c65c8de773c170f1d0e91da1e6beb83cb1fb9d4d656230344cd31c3dca51a6c421fda8e55598c364092232e0ad22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
fed4ab68611c6ce720965bcb5dfbf546

SHA1
af33fc71721625645993be6fcba5c5852e210864

SHA256
c41acdf5d0a01d5e9720ef9f6d503099950791b6f975ba698ccd013c4defa8c4

SHA512
f9ab23b3b4052f7fda6c9a3e8cd68056f21da5d0fcf28061331900cac6f31ef081705804d9a9d4103ee7d9c9bdb6aa4237987b7e821d2d96cd52da24219e55ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

Filesize
331B

MD5
0bf5088f6d60ed99c5f0affb94f3c51f

SHA1
7ca23c88efe84bd3b8f6f3a210c39864e39954e5

SHA256
dd942d748cde055070b3ce32bdba23158bb808d676d032c786ee0225fc67e4a9

SHA512
73f056cd40a34a5e3313a0be7a1d2e4bcd85fb744a59ef16f8f14ac1046fc47a9c4603e371251d543b9ee4705b5dd7c1d35f556438f652b8c80a5d88cf48878c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
884216b7fdf95d9df4ca2562962a7be9

SHA1
383a1bbd2e176fcac3a494bda2691ff8acc062ef

SHA256
c6256d770c2e95da512e68a97ece55d993c441ac7faab300e152ca48a17a770f

SHA512
692771eede1b7c9672bfcc7d4cd1999296b9d2fdb631671536f5f979d471f4942b210956fafab2cccc158074b9a75aff60b17e7372bddec4b8ca5c5cb4f764b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
4a0d29b28445063354e2c72dd55765c6

SHA1
9999653708a1adfb368f66ad388e5d5b88018af5

SHA256
62be3261de84aef84ce7282b26bfe65bd64c4279dbb52cb316e6d7f040c8c62f

SHA512
8eadad66396aca9bd82dd803157648c598807dc735acc17223f7204d4d30c7ce92c03826c88d37bdb1b183dc5fd66c48cec7ab4d44b6e91d28c32360965269f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe58149c.TMP

Filesize
3KB

MD5
8ff4ab056ecab6dc17359c6bf980f8d3

SHA1
50244978940822d32af521e6219c54994296f375

SHA256
a80530e89e3273ef66331c91ae45a46432d998b0312a0524d04bbe0f85bf8853

SHA512
01e19c17e1fe89315597889450c004132fce3c16820dad64ce72ce9ef795d09686130b8bc4f8a3b0176d94d95cd21173bce779d0f1555ac6a1634e35a7609fd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
5ec68376f1779f8d464c44d243f42148

SHA1
ac012057d277518a5dbf5ac6df49f7dd184c2b2d

SHA256
53d5cb7b926de588eef0c406659d56a0630c09b56bae6598607b1c2f323a06ab

SHA512
783f0f35ee6a020f5936920fbd21053214c3b5ca843ebe71d9c1d37060fc87cab525e35b7271a54f6f0c4069eb8493838d9e12b512fb2c55f3e3f88c7c1d03e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f076b61f724b12e5bb4adb71623e4188

SHA1
b39cebdd81de2d73be65e47b296a7a18ec385463

SHA256
f72da5dba49b7a16a3d22305b3a09c5dfedcf8df2db78d767ec7464420ebebba

SHA512
56bca3b70c776532aeb4c6526693bdf8f9a062b4386c5940c96f3385ce784b603a1b6269ea2d211c55d3171b08d7cb8a706804715f07382430ae84ac8c8a0597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
f9f8f3ea41ae4bf4b0aba79ce4119b86

SHA1
fc334b4fa1e3df4d18001ea1242f8343118720f4

SHA256
bce5ed3a6262896ab2475534bcfb659bfb4a59f918e2653be59fc93f3ef0e843

SHA512
e1a64b5d784d5c6f4e57bcd27897834570fd3081a7d1d0895aa1c6af6b2aad79a4fd5baf1b7f53a77ccbb1597ffbf7fa07e182340f745fd19c8ba77e923760fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
04342ba38769bb2c2931e67737118a64

SHA1
c6cfb883bdd99705ccaf5f4c038eaacc47b89cd3

SHA256
73d883903885fa8f14dc5f01761b0cac397a701b42235551e9f7e5d7d48ef01c

SHA512
4b47c76ad2f98ba46039e3a5c74cb0572167570ecdd75ce3a7ed368ee5b01f76cfaaf07b34217f0cb1be3d9f1ab7cb61fe51d2e1eaa3a7eb1b2c843c1c248ea7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
58eedf9105135a6134a21a8d7406c130

SHA1
e6283458d6919b62ac01aa5a112b62e8c5da3dad

SHA256
2cf2d59a3812f5f6824030d08f7a601fd4a32f22c2d189e18ef8c0a4d8a75253

SHA512
c7b79546e85e9b4503a1c22b3d09e9e96a4b02f2a4a0e7c10294431ae6cc958df28fa5f9a734546c597c9ba7e37577eb35c829eeed9bf8dc0e3f117ab826bfce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
a95de215e04b437174078ecfa39a5156

SHA1
27b998f6895a6fcd9632b63021f7f5b674a49ecd

SHA256
60171c2bc40aa87f2c43b26aa9b7e938da2625b8ef008d971d4d556c35776e37

SHA512
dade22451b6de32f8beb875e3fb16037665412819fe6bd9d45e87b6f842b2c7ffedfb63c649d1a4659c31f84a152ff27fb3076ee24e2cf54d5194fea0c7873cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
7b96943565b5e08e96da55270b1ad4f4

SHA1
a32e18c266445b2b255b3da6c02a407939fe8b84

SHA256
3df2bf1dd9cbab193e7c36d0c476fe0e95169f29d8b92981e79d0c57579587ab

SHA512
7b300359fd4bcd91fc2d5e733145dffb9911ecbf496c75a9aaf70bde3cada4e7299be3dd220306ed581f218bd6b7494c0fa4000e01c3a71a91f67f9c57cc3339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\bb9a4039-5fee-44f8-a618-d20a135c468d\index-dir\the-real-index

Filesize
648B

MD5
e4088fb13c2af19f111bd69a99cc90a1

SHA1
967700285d0a1899f4477881933c608b0244925a

SHA256
00878e8b9d572d248ae27015f871593bdab0479015f81f122405da189e0ce243

SHA512
b839c2c5bfdd22df3c116173adb47995a7ac13e7c56013628f993c17ec3b660c930b37149c24baf696e52ec2325c6289f21bf45d095175cff52ebc23f09656d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\bb9a4039-5fee-44f8-a618-d20a135c468d\index-dir\the-real-index~RFe5c1d63.TMP

Filesize
648B

MD5
566c9dbe3557ce247c0f11e7ba205b34

SHA1
487adaeac06db35eaaf1b1a36a8270e723ea7ded

SHA256
8885df602505e382bc5a2a77c2e35e1d01fdb399d9cb49a62fcb96d3702f3abe

SHA512
0b3ed6002e916208ae9bbf927b5713ba23c16c5abae290df7406d475e0a87a6d521f9b814a64c1a1c2f0d720433219f825e682baeb399af7a4bd09ad801d2a24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
4KB

MD5
b9a9a2ea1df32d7c9c5f20c5316d5cc2

SHA1
e8b52cc63c2c378d30c1d0d67ed6a4b01beaf5ab

SHA256
b13c7ffb80f4cef1e81a63641ae232a7f0515c36830b7d9ccf0b807f26cddd27

SHA512
5cc06bc02ed41aab12fdb1448451738b6a062a227241a9f77572e5fd1171001bbb21a83ad61e2690aa7ee51ac2133e4403b1331a80e5929d32ae28da1fc72b90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\978e5f2a-e742-44e2-9281-ffa43b9b080a.tmp

Filesize
21KB

MD5
e4dfd0504387a1ebcc4a48846e44a23e

SHA1
a5a91da421e3d8728ae857694dbeb24ea72b7866

SHA256
d3c39babd9652bcdb02ae17f895437ed85f617cb04f7ba4bbaf7ad7e8ab78cb6

SHA512
94a1d4ab7b18763b55c9246d73feb0ed64a7e506572884a2940696b12910d6ff2a03a0b1aca3e4035a81548633acd437e762e758952ba72dafc97f191e46d419

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
868B

MD5
fdec762c3618eaae96ecd643337b7eca

SHA1
b280cc89e34c86b63439a6601231249a8d47ca17

SHA256
130b3f040becf65892aec11a0c8a89339c9315ee8714ef5c7aa3ab6de539270f

SHA512
86a5ab7b775c26484328a15e8e58d1227488824b473806e9a14df56028b4c4be3d6956bfb66f210b99eeed545f52cc319e8b2058a011760523bf7a430ff3a0ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
22KB

MD5
b599b24909339e60f27ac6f59d1fa3d8

SHA1
d113ead98b67afad3655ef57faa193ee198e3525

SHA256
938ae1551119b9bcdf15aefd1470d716f31399e3b8244c9e0a900b13ba0b5ed5

SHA512
db5809b1eff0a53404dd49de70d2c69fcd87e835ba6b5a292a9924a3f7f7e449cd9ecb3543d5776df33233ede3c62e8629d25dc912041266e9ed79bde7ef1dea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog~RFe5867dd.TMP

Filesize
463B

MD5
824696ff4967424cf318c958602b837a

SHA1
ae01111c04716a57ab195c9bb98ef7cc46fe72f8

SHA256
2f5c241005454afb22d7a9680fb5ad21a33ab5290a8f2309f4beccfefe153ba5

SHA512
95a7078610133ff8bd731fe00d2637fefd5d10987f35db85491305034df280ceac22220fc6cc2edb8b62d058c5ee5cd50aebbe34dadaf37ed472f85a26c2533a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Data Protection Lists\2.0.0.0\office_endpoints_list.json

Filesize
3KB

MD5
94406cdd51b55c0f006cfea05745effb

SHA1
a15dc50ca0fd54d6f54fbc6e0788f6dcfc876cc9

SHA256
8480f3d58faa017896ba8239f3395e3551325d7a6466497a9a69bf182647b25e

SHA512
d4e621f57454fea7049cffc9cc3adfb0d8016360912e6a580f6fe16677e7dd7aa2ee0671cb3c5092a9435708a817f497c3b2cc7aba237d32dbdaae82f10591c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
90be6682ee00b20e28618a37284345d5

SHA1
de451928c5a1dee11eeb370507eacc5ea0eed622

SHA256
10fa5df2361b9b2811ecb62ef910c7936b4e124bce5a92703eaca2b183801f52

SHA512
8143ae60bb31582d28b7c71de408ee72d656ca114e4862958ac94b2183c8a5139fcdbe11e388acfcaaaddf183f226e73f1bbfe63b147705a0b01c1afba9ec024

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
39KB

MD5
4b24b11e2a9951f953e711316fa37529

SHA1
f5a0ceaaf05ac6edb2bd181d45c52e66fab43b0b

SHA256
0dff5552d8ac18996eb5f6beeb0170224d0d638faedc48ad6ceadd65ecf4c619

SHA512
d9173b291ea8c9c5374c2b793decd90c84fc193180072ec0333d692fbe9f44993c93ab3fb6a17aa82892174fa756ec779d24ac9d5a7f86960ef97b3aa8292f77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
0b77a0af406c7e8d67c0b48ccc740f80

SHA1
d95b4e5a0f3989b9ef04de0738c787eb9ad5bbc8

SHA256
6c473fc32feb78663375623aadfd4a1ae4c1c014518fa801a218ec467c4696f0

SHA512
3a16454fc8efe25bb1745bb2608c5fc894378ce5e60f239232a1c4730eec26e31f67f5067bcf40519d017ecae8897f245866372b866f65d9727148ed8dba6d66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
39KB

MD5
37dd087188d4ef3c77ce4411a321c921

SHA1
f86dc469219fd3908b2241f49f5a19f0761644d1

SHA256
1184fc5e60b63526a218313f4afa4bcf1196d40b91166ece7097c08037367126

SHA512
79928e73e51b20604f95ca6850e1780ad884a03a77c41610d7f7143310e95115302458f1f3601d1a242cd57bcfc31d16fc449f056bcdaf6ed99b1dd1256dd362

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
e0f378cbc9e822032ebb8c68012fb529

SHA1
56e94c9360f1f2b392b544d4c7a0e8d08c6d10dd

SHA256
1c1fb00656728fe9e4b509a3fca191d578caa3a2c1a6300c61e130f252c18e8e

SHA512
11e16933f3b5032ae1a8ebbd1109ce0ed7db0bf31aedfb4023ce1b1bb68783abf6796bbe6f18401e86302779fcf667edab893d6ae2b89e5d030de10593a67481

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
39KB

MD5
f2145643f61dcb61c53747e19509ed9b

SHA1
9c4f26bcfc29de55bb9d2371203236dc050d5a30

SHA256
b7df40629f126a5ac9a912e9dd88499cc5e657b4e083895d7ae62cf5bacba189

SHA512
87c057f49642ae7305d9ae26a07acc8dacc7fa2a9ec385e3239d73972a301eee9716cc77db26c90a7b2c383d4d66c3b2f1a036492ddfbd9efc546586249b1173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
0969047197621afabd99c194a4aee5f0

SHA1
99077e1f76a55094e99bbc3382d521219fb39151

SHA256
5f0a0317787bc575a696117382bbba21e17fe9e4bf16cd2ec7a84d441afa0541

SHA512
d4ad26bde7e6883d88bfab5859a68eb70e2a58924f94ad25f8c8bfc1bb87a7497acaa91c505ed0e698b19a70be96ffae9d0570a5914fbe00c1afb6b182dee987

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
58b087d39467c2b9170b027db619640d

SHA1
aed689f9fcede951bfe298fbe21a9828040d03b4

SHA256
c447333c3744053855b1af042e7da641c055030717e66e4cbdd20b75a708d7f7

SHA512
c44c9a995cd0a761fc53e3af36d0281972248f1cd4efadb38e735901c76b005fb10f1bebd4e257263900d36f3b34b1dbfc13f455978ededb701fa4866143c01a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
1b293d196a8cc41c0dbd5f4c9593e182

SHA1
cf990ec058e772b4cac7599789daa2673ede9cb7

SHA256
ee54c9511cda62a2b590aa48bb637ad72863a8fc4c0920ec6548483fd29c1923

SHA512
a437c1528409975900c19c8cdf31728eebd208a149055a126dfb333037cc577776f8a0c432113dfb4b46a75988c8dbc000643dbe82385029d9dc182daea671ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
ba3f5c5345c9b0263d981369adf35301

SHA1
c1f63f42588a1f94ae8f6f95b607bb5f62ca0161

SHA256
3cc71563c11031df70f67b82cb771be931a04579cebb70f7ca27f6f5b6246b6a

SHA512
41f56abf8e0234f40db9eea11429e0e35e6950de370d44f604948829d0c6d47889eb9da03266ab15f6d2b10e8009d2cb03e2bb169e098baca4a4ad4435261b7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
15e3186d726cb9245b2d02cb0b119cf7

SHA1
157385170a68b12b4547de062710ec283248d227

SHA256
eebecdc3971031c96036e50b8a673121595a779accc948eeb13ac1e9019bf0d7

SHA512
cc56f1764b2e68f4d7f3d8226ec58c8823998949554ab16cdce33decc0e44c047319d2597db889713e11e90c7e335867c6789731426a69fa6198b6f65c009669

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
72bd11860ac2fd28d1edb4050bbf7645

SHA1
a241dd4dd4ad9dfcb67312c4a11033c33208547c

SHA256
7eaddea3e1cc86a55fe12da647973dbb49cbcf9bd2aad3d5bba5c816cc8ef9a1

SHA512
50bfbed6c023da7c8e33e8f27606bdea136530294f9449fcbde68918df3cdf33390739765731e377978637ca63e4bc3f62baf45ead919fa3f94a3db9d078628f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
d712d560fe25210c8e588c6e2545751b

SHA1
8625af7edc3ab75dcf883fac2e9431aafc039ad2

SHA256
83982071105b6660711f9610cc693133fcd88298e7344ed668a5c208c3fe0ad9

SHA512
7ee9edbb5c630182a6dbbb2b4421378a4e87056ee150158f33d0d9965c67311ace5beafee22ce41b0b8bc88883484361d5179ed6dca14ccdb12804974f896165

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe57d978.TMP

Filesize
392B

MD5
11c4b25fe0958402e6b6de79d6ab4e33

SHA1
c5ed83106e1b4d2668a2c7d9a08350ec05e41209

SHA256
43c6f7fc2901f6ae8801a6f27aa4e1e3072b0a53f65310497be4387291ffffb9

SHA512
676c846a81a90f27584bca5ba52da9c9e188841273885720984fe22a7dbadebd81afd005d0aa5cafa28f5c15efa92826b9ddb2d54a0f1e696c680b0c30a5fb52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\WorkspacesNavigationComponent\1.0.0.5\nav_config.json

Filesize
2KB

MD5
499d9e568b96e759959dc69635470211

SHA1
2462a315342e0c09fd6c5fbd7f1e7ff6914c17e6

SHA256
98252dc9f9e81167e893f2c32f08ee60e9a6c43fadb454400ed3bff3a68fbf0d

SHA512
3a5922697b5356fd29ccf8dcc2e5e0e8c1fd955046a5bacf11b8ac5b7c147625d31ade6ff17be86e79c2c613104b2d2aebb11557399084d422e304f287d8b905

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
2498c98007e54dd1609d3bb7a7b18d3c

SHA1
19e72d5bddd658b0fdd8f5eb372f677b33add7bd

SHA256
0caff6bd4dd6bca6619e2bc9bb77fa7c70b5b2cc39e361e6d44e617535b93b17

SHA512
ff875624bfec14aa9760172fc59492945018cc0008a4fdab77a9c3ef1eb02742a4f0dc7576d517d282ae7ce3a69b3b1866d000abafd5b169bf939ed44add121e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\84O89Q0W\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\914b8b98-ea3e-4184-9a8e-4e53ab141f9f.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\b741310f-35d9-432e-b9ed-33f5a420b01f.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2f252df-81d0-4f37-87aa-9a85239e3d16.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ACE89.tmp\butterflyondesktop.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\Downloads\AgentTesla.exe

Filesize
2.8MB

MD5
cce284cab135d9c0a2a64a7caec09107

SHA1
e4b8f4b6cab18b9748f83e9fffd275ef5276199e

SHA256
18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

SHA512
c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

Download Submit
C:\Users\Admin\Downloads\HawkEye.exe

Filesize
232KB

MD5
60fabd1a2509b59831876d5e2aa71a6b

SHA1
8b91f3c4f721cb04cc4974fc91056f397ae78faa

SHA256
1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

SHA512
3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a

Download Submit
C:\Users\Admin\Downloads\butterflyondesktop.exe.crdownload

Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
memory/748-1078-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/748-1082-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2760-1322-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2760-1303-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2760-2140-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2760-1967-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2760-1393-0x0000000000870000-0x000000000088A000-memory.dmp

Filesize
104KB

Download
memory/2760-1391-0x0000000000870000-0x000000000088A000-memory.dmp

Filesize
104KB

Download
memory/2760-8276-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2760-9338-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2760-1389-0x0000000000850000-0x0000000000866000-memory.dmp

Filesize
88KB

Download
memory/2760-9512-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2760-9366-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2760-1332-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2760-9404-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2760-1224-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2760-1260-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2760-9423-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2760-9425-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2760-9426-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2760-9427-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2760-4266-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2760-1270-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2760-9474-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2760-9484-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/3776-1074-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3776-1083-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3776-1036-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4300-1385-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download