File name: Butterfly On Desktop_1.0.exe
Full analysis: https://app.any.run/tasks/1eb390c8-6976-4423-aa6b-7734e865e3c3
Verdict: Malicious activity
Analysis date: April 12, 2024, 13:40:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: B0A46BDCEEC5B9BEE139749A207EF7F8
SHA1: 279D59A3DD772D97F47F9516C897B3DD42F742C0
SHA256: 78FE70328471CC2149EF0DF79215F10CB53C4D32DD4193F39C50ABBD9EAB2EEF
SSDEEP: 196608:wjPllBkm9+zoSfSOspbLik8S6sB0UzXFNfj+ugK:wj9Im9+MISOgbLikn6L4X/hH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Butterfly On Desktop_1.0.exe (PID: 696)
      • butterflyondesktop.exe (PID: 952)
      • butterflyondesktop.exe (PID: 3336)
      • butterflyondesktop.tmp (PID: 2984)
    • Actions look like stealing of personal data

      • Butterfly On Desktop_1.0.exe (PID: 696)
      • Butterfly On Desktop_1.0.exe (PID: 2728)
    • Changes the autorun value in the registry

      • butterflyondesktop.tmp (PID: 2984)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • Butterfly On Desktop_1.0.exe (PID: 696)
      • butterflyondesktop.tmp (PID: 2984)
    • Reads security settings of Internet Explorer

      • Butterfly On Desktop_1.0.exe (PID: 696)
      • Butterfly On Desktop_1.0.exe (PID: 2728)
    • The process creates files with name similar to system file names

      • Butterfly On Desktop_1.0.exe (PID: 696)
      • Butterfly On Desktop_1.0.exe (PID: 2728)
    • The process drops C-runtime libraries

      • Butterfly On Desktop_1.0.exe (PID: 696)
    • Reads the Internet Settings

      • Butterfly On Desktop_1.0.exe (PID: 696)
      • Butterfly On Desktop_1.0.exe (PID: 2728)
      • butterflyondesktop.tmp (PID: 2984)
    • Executable content was dropped or overwritten

      • Butterfly On Desktop_1.0.exe (PID: 696)
      • explorer.exe (PID: 2632)
      • butterflyondesktop.exe (PID: 3336)
      • butterflyondesktop.tmp (PID: 2984)
      • butterflyondesktop.exe (PID: 952)
    • Reads the Windows owner or organization settings

      • Butterfly On Desktop_1.0.exe (PID: 696)
      • Butterfly On Desktop_1.0.exe (PID: 2728)
      • butterflyondesktop.tmp (PID: 2984)
    • Checks Windows Trust Settings

      • Butterfly On Desktop_1.0.exe (PID: 696)
      • Butterfly On Desktop_1.0.exe (PID: 2728)
    • Reads settings of System Certificates

      • Butterfly On Desktop_1.0.exe (PID: 696)
      • Butterfly On Desktop_1.0.exe (PID: 2728)
    • Adds/modifies Windows certificates

      • Butterfly On Desktop_1.0.exe (PID: 696)
    • Searches for installed software

      • Butterfly On Desktop_1.0.exe (PID: 696)
      • Butterfly On Desktop_1.0.exe (PID: 2728)
    • Executing commands from a ".bat" file

      • Butterfly On Desktop_1.0.exe (PID: 696)
    • Get information on the list of running processes

      • cmd.exe (PID: 2992)
    • Starts CMD.EXE for commands execution

      • Butterfly On Desktop_1.0.exe (PID: 696)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 2992)
  • INFO

    • Reads the computer name

      • Butterfly On Desktop_1.0.exe (PID: 696)
      • Butterfly On Desktop_1.0.exe (PID: 2728)
      • butterflyondesktop.tmp (PID: 124)
      • butterflyondesktop.tmp (PID: 2984)
    • Checks supported languages

      • Butterfly On Desktop_1.0.exe (PID: 696)
      • Butterfly On Desktop_1.0.exe (PID: 2728)
      • butterflyondesktop.exe (PID: 952)
      • butterflyondesktop.tmp (PID: 124)
      • butterflyondesktop.exe (PID: 3336)
      • butterflyondesktop.tmp (PID: 2984)
      • ButterflyOnDesktop.exe (PID: 584)
    • Create files in a temporary directory

      • Butterfly On Desktop_1.0.exe (PID: 696)
      • Butterfly On Desktop_1.0.exe (PID: 2728)
      • explorer.exe (PID: 2632)
      • butterflyondesktop.exe (PID: 3336)
      • butterflyondesktop.exe (PID: 952)
      • butterflyondesktop.tmp (PID: 2984)
    • Reads Environment values

      • Butterfly On Desktop_1.0.exe (PID: 696)
      • Butterfly On Desktop_1.0.exe (PID: 2728)
    • Reads the machine GUID from the registry

      • Butterfly On Desktop_1.0.exe (PID: 696)
      • Butterfly On Desktop_1.0.exe (PID: 2728)
    • Reads product name

      • Butterfly On Desktop_1.0.exe (PID: 696)
      • Butterfly On Desktop_1.0.exe (PID: 2728)
    • Reads the software policy settings

      • Butterfly On Desktop_1.0.exe (PID: 696)
      • Butterfly On Desktop_1.0.exe (PID: 2728)
    • Creates files or folders in the user directory

      • Butterfly On Desktop_1.0.exe (PID: 696)
      • Butterfly On Desktop_1.0.exe (PID: 2728)
    • Manual execution by a user

      • Butterfly On Desktop_1.0.exe (PID: 2000)
      • Butterfly On Desktop_1.0.exe (PID: 2728)
      • msedge.exe (PID: 2824)
    • Reads the Internet Settings

      • explorer.exe (PID: 2632)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 2632)
    • Drops the executable file immediately after the start

      • explorer.exe (PID: 2632)
    • Application launched itself

      • msedge.exe (PID: 2824)
      • msedge.exe (PID: 3564)
    • Creates a software uninstall entry

      • butterflyondesktop.tmp (PID: 2984)
    • Creates files in the program directory

      • butterflyondesktop.tmp (PID: 2984)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:03:28 15:40:28+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 4022784
InitializedDataSize: 2968064
UninitializedDataSize: -
EntryPoint: 0x3d807e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.1.2.6582
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileVersion: 1.1.2.6582
ProductVersion: 1
Comments: -
CompanyName: Drive Software Company
FileDescription: Software Installation
InternalName: -
LegalCopyright: ITNT SRL
LegalTrademarks: -
OriginalFileName: GenericSetup.exe
ProductName: Butterfly On Desktop
AssemblyVersion: 1.1.2.6582
All screenshots are available in the full report
Total processes: 87
Monitored processes: 38
Malicious processes: 4
Suspicious processes: 3

Behavior graph

Process tree (rendered interactively in the full report): butterfly on desktop_1.0.exe (several instances), explorer.exe, cmd.exe, tasklist.exe, find.exe, timeout.exe, butterflyondesktop.exe, butterflyondesktop.tmp, ButterflyOnDesktop.exe and multiple msedge.exe processes.

Process information

PID
CMD
Path
Indicators
Parent process
PID: 124
CMD: "C:\Users\admin\AppData\Local\Temp\is-A7DGE.tmp\butterflyondesktop.tmp" /SL5="$F0170,2719719,54272,C:\Users\admin\AppData\Local\Temp\Temp1_Carrier.ZIP\butterflyondesktop.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-A7DGE.tmp\butterflyondesktop.tmp
Parent process: butterflyondesktop.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.52.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-a7dge.tmp\butterflyondesktop.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
PID: 240
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1512 --field-trial-handle=1284,i,5462504845454413072,10865605262329674166,131072 /prefetch:2
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 584
CMD: "C:\Program Files\Butterfly on Desktop\ButterflyOnDesktop.exe"
Path: C:\Program Files\Butterfly on Desktop\ButterflyOnDesktop.exe
Parent process: butterflyondesktop.tmp
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\program files\butterfly on desktop\butterflyondesktop.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 696
CMD: "C:\Users\admin\Desktop\Butterfly On Desktop_1.0.exe"
Path: C:\Users\admin\Desktop\Butterfly On Desktop_1.0.exe
Parent process: explorer.exe
User: admin
Company: Drive Software Company
Integrity Level: HIGH
Description: Software Installation
Exit code: 3221225547
Version: 1.1.2.6582
Modules (images):
c:\users\admin\desktop\butterfly on desktop_1.0.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 908
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xf0,0x6bcdf598,0x6bcdf5a8,0x6bcdf5b4
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 924
CMD: timeout 5
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
PID: 952
CMD: "C:\Users\admin\AppData\Local\Temp\Temp1_Carrier.ZIP\butterflyondesktop.exe"
Path: C:\Users\admin\AppData\Local\Temp\Temp1_Carrier.ZIP\butterflyondesktop.exe
Parent process: explorer.exe
User: admin
Company: Drive Software Company
Integrity Level: MEDIUM
Description: Butterfly on Desktop Setup
Exit code: 0
Version: -
Modules (images):
c:\users\admin\appdata\local\temp\temp1_carrier.zip\butterflyondesktop.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
PID: 1352
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1484 --field-trial-handle=1284,i,5462504845454413072,10865605262329674166,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1492
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1620 --field-trial-handle=1284,i,5462504845454413072,10865605262329674166,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1608
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4068 --field-trial-handle=1284,i,5462504845454413072,10865605262329674166,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 29 328
Read events: 29 020
Write events: 291
Delete events: 17

Modification events

(PID) Process: (696) Butterfly On Desktop_1.0.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation: write
Name: PendingFileRenameOperations
Value: \??\C:\Users\admin\AppData\Local\Temp\3354215998cc498efdf76f123473fe62\ServiceHide.dll

(PID) Process: (696) Butterfly On Desktop_1.0.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (696) Butterfly On Desktop_1.0.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (696) Butterfly On Desktop_1.0.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (696) Butterfly On Desktop_1.0.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (696) Butterfly On Desktop_1.0.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (696) Butterfly On Desktop_1.0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
Operation: delete value
Name: 9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Value:

(PID) Process: (696) Butterfly On Desktop_1.0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation: write
Name: Blob
Value:
Executable files: 30
Suspicious files: 55
Text files: 64
Unknown types: 30

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
696 | Butterfly On Desktop_1.0.exe | C:\Users\admin\AppData\Local\Temp\3354215998cc498efdf76f123473fe62\ServiceHide.dll | executable | - | -
696 | Butterfly On Desktop_1.0.exe | C:\Users\admin\AppData\Local\Temp\3354215998cc498efdf76f123473fe62\vcruntime140.dll | executable | - | -
696 | Butterfly On Desktop_1.0.exe | C:\Users\admin\AppData\Local\Temp\3354215998cc498efdf76f123473fe62\msvcp140.dll | executable | - | -
696 | Butterfly On Desktop_1.0.exe | C:\Users\admin\AppData\Local\Temp\3354215998cc498efdf76f123473fe62\Ninject.dll | executable | - | -
696 | Butterfly On Desktop_1.0.exe | C:\Users\admin\AppData\Local\Temp\3354215998cc498efdf76f123473fe62\OfferSDK.dll | executable | - | -
696 | Butterfly On Desktop_1.0.exe | C:\Users\admin\AppData\Local\Temp\3354215998cc498efdf76f123473fe62\H2OModels.dll | executable | - | -
696 | Butterfly On Desktop_1.0.exe | C:\Users\admin\AppData\Local\Temp\3354215998cc498efdf76f123473fe62\H2OServices.dll | executable | - | -
696 | Butterfly On Desktop_1.0.exe | C:\Users\admin\AppData\Local\Temp\3354215998cc498efdf76f123473fe62\H2OUtilities.dll | executable | - | -
696 | Butterfly On Desktop_1.0.exe | C:\Users\admin\AppData\Local\Temp\3354215998cc498efdf76f123473fe62\H2ODAL.dll | executable | - | -
696 | Butterfly On Desktop_1.0.exe | C:\Users\admin\AppData\Local\Temp\3354215998cc498efdf76f123473fe62\H2OViewModels.dll | executable | - | -
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 18
TCP/UDP connections: 63
DNS requests: 55
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 200 | 78.46.117.95:80 | http://freedesktopsoft.com/images/bodybackground.png | unknown | unknown
2356 | msedge.exe | GET | 200 | 78.46.117.95:80 | http://freedesktopsoft.com/images/banner3.jpg | unknown | unknown
2356 | msedge.exe | GET | 200 | 78.46.117.95:80 | http://freedesktopsoft.com/images/banner_bg2.jpg | unknown | unknown
2356 | msedge.exe | GET | 200 | 172.217.16.206:80 | http://www.google-analytics.com/ga.js | unknown | unknown
2356 | msedge.exe | GET | 200 | 172.217.16.206:80 | http://www.google-analytics.com/r/__utm.gif?utmwv=5.7.2&utms=1&utmn=2102355053&utmhn=freedesktopsoft.com&utmcs=UTF-8&utmsr=1280x720&utmvp=1264x574&utmsc=24-bit&utmul=en-us&utmje=0&utmfl=-&utmdt=Butterfly%20On%20Desktop%20-%20Freeware%20software&utmhid=1409375576&utmr=-&utmp=%2Fbutterflyondesktoplike.html&utmht=1712929278873&utmac=UA-39364152-1&utmcc=__utma%3D49514865.1419217374.1712929279.1712929279.1712929279.1%3B%2B__utmz%3D49514865.1712929279.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=529917491&utmredir=1&utmu=qBAAAAAAAAAAAAAAAAAAAAAE~ | unknown | unknown
2356 | msedge.exe | GET | 200 | 78.46.117.95:80 | http://freedesktopsoft.com/images/superman1.png | unknown | unknown
2356 | msedge.exe | GET | 200 | 78.46.117.95:80 | http://freedesktopsoft.com/butterflyondesktoplike.html | unknown | unknown
2356 | msedge.exe | GET | 200 | 78.46.117.95:80 | http://freedesktopsoft.com/main.css | unknown | unknown
2356 | msedge.exe | GET | 200 | 78.46.117.95:80 | http://freedesktopsoft.com/button.css | unknown | unknown
2356 | msedge.exe | GET | 200 | 78.46.117.95:80 | http://freedesktopsoft.com/slider/slider.css | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | unknown
696 | Butterfly On Desktop_1.0.exe | 104.18.67.73:443 | h2oapi.adaware.com | CLOUDFLARENET | - | unknown
696 | Butterfly On Desktop_1.0.exe | 104.16.148.130:443 | flow.lavasoft.com | CLOUDFLARENET | - | unknown
2728 | Butterfly On Desktop_1.0.exe | 104.18.67.73:443 | h2oapi.adaware.com | CLOUDFLARENET | - | unknown
2728 | Butterfly On Desktop_1.0.exe | 104.16.148.130:443 | flow.lavasoft.com | CLOUDFLARENET | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
696 | Butterfly On Desktop_1.0.exe | 104.18.68.73:443 | h2oapi.adaware.com | CLOUDFLARENET | - | unknown
696 | Butterfly On Desktop_1.0.exe | 2.19.102.236:443 | package.avira.com | AKAMAI-AS | DE | unknown
696 | Butterfly On Desktop_1.0.exe | 18.245.86.74:443 | download.enigmasoftware.com | - | US | unknown
696 | Butterfly On Desktop_1.0.exe | 169.150.247.37:443 | spyhunter-download-v2.b-cdn.net | - | GB | unknown

DNS requests

Domain
IP
Reputation
h2oapi.adaware.com
  • 104.18.67.73
  • 104.18.68.73
unknown
www.google.com
  • 142.250.184.228
whitelisted
flow.lavasoft.com
  • 104.16.148.130
  • 104.16.149.130
whitelisted
sos.adaware.com
  • 104.18.67.73
  • 104.18.68.73
whitelisted
sdl.adaware.com
  • 104.18.68.73
  • 104.18.67.73
whitelisted
package.avira.com
  • 2.19.102.236
unknown
download.enigmasoftware.com
  • 18.245.86.74
  • 18.245.86.53
  • 18.245.86.28
  • 18.245.86.104
shared
spyhunter-download-v2.b-cdn.net
  • 169.150.247.37
unknown
cdn.supernovaprizes.com
  • 104.21.31.55
  • 172.67.175.2
unknown
config.edge.skype.com
  • 13.107.42.16
whitelisted

Threats

Found threats are available for the paid subscriptions
4 ETPRO signatures available at the full report
Process | Message
Butterfly On Desktop_1.0.exe | at sciter:init-script.tis
Butterfly On Desktop_1.0.exe | Error: File not found - sciterwrapper:console.tis
Butterfly On Desktop_1.0.exe | -
Butterfly On Desktop_1.0.exe | -
Butterfly On Desktop_1.0.exe | file:resources/tis/TranslateOfferTemplate.tis(82) : warning :'async' does not contain any 'await'
Butterfly On Desktop_1.0.exe | -
Butterfly On Desktop_1.0.exe | -
Butterfly On Desktop_1.0.exe | Error: File not found - sciterwrapper:console.tis
Butterfly On Desktop_1.0.exe | at sciter:init-script.tis
Butterfly On Desktop_1.0.exe | file:resources/tis/TranslateOfferTemplate.tis(82) : warning :'async' does not contain any 'await'