Analysis
max time kernel: 207s
max time network: 198s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 26/03/2024, 21:59

Static task
static1

Behavioral task
behavioral1
Sample: butterflyondesktop.exe
Resource: win7-20231129-en

Behavioral task
behavioral2
Sample: butterflyondesktop.exe
Resource: win10v2004-20240226-en
General
Target: butterflyondesktop.exe
Size: 2.8MB
MD5: 1535aa21451192109b86be9bcc7c4345
SHA1: 1af211c686c4d4bf0239ed6620358a19691cf88c
SHA256: 4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6
SHA512: 1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da
SSDEEP: 49152:5aA7f7tlVmdqK23H2bpHI4Qs5ABV9WRHZRsgI82lcHGAaKLinXBgJ:Q+VMkX224QsWBq5SfARGRgJ
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid | Process
1076 | butterflyondesktop.tmp
2496 | ButterflyOnDesktop.exe
-
Loads dropped DLL 7 IoCs
pid | Process
2364 | butterflyondesktop.exe
1076 | butterflyondesktop.tmp (repeated)
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop | butterflyondesktop.tmp
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 6 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Butterfly on Desktop\unins000.dat | butterflyondesktop.tmp
File created | C:\Program Files (x86)\Butterfly on Desktop\is-QK8JM.tmp | butterflyondesktop.tmp
File created | C:\Program Files (x86)\Butterfly on Desktop\is-G95ND.tmp | butterflyondesktop.tmp
File created | C:\Program Files (x86)\Butterfly on Desktop\is-9M666.tmp | butterflyondesktop.tmp
File created | C:\Program Files (x86)\Butterfly on Desktop\is-PHQTC.tmp | butterflyondesktop.tmp
File opened for modification | C:\Program Files (x86)\Butterfly on Desktop\unins000.dat | butterflyondesktop.tmp
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
412 | vlc.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid | Process
324 | taskmgr.exe (repeated)
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
268 | iexplore.exe
412 | vlc.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 324 | taskmgr.exe
-
Suspicious use of FindShellTrayWindow 56 IoCs
pid | Process
1076 | butterflyondesktop.tmp
2496 | ButterflyOnDesktop.exe
2468 | iexplore.exe
268 | iexplore.exe
324 | taskmgr.exe (repeated)
412 | vlc.exe (repeated)
-
Suspicious use of SendNotifyMessage 52 IoCs
pid | Process
2496 | ButterflyOnDesktop.exe
324 | taskmgr.exe (repeated)
412 | vlc.exe (repeated)
-
Suspicious use of SetWindowsHookEx 14 IoCs
pid | Process
2468 | iexplore.exe (repeated)
2176 | IEXPLORE.EXE (repeated)
268 | iexplore.exe (repeated)
1636 | IEXPLORE.EXE (repeated)
412 | vlc.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
description | pid | Process | procid_target
PID 2364 wrote to memory of 1076 | 2364 | butterflyondesktop.exe | 28 (repeated)
PID 1076 wrote to memory of 2496 | 1076 | butterflyondesktop.tmp | 30 (repeated)
PID 1076 wrote to memory of 2468 | 1076 | butterflyondesktop.tmp | 31 (repeated)
PID 2468 wrote to memory of 2176 | 2468 | iexplore.exe | 33 (repeated)
PID 2496 wrote to memory of 268 | 2496 | ButterflyOnDesktop.exe | 37 (repeated)
PID 268 wrote to memory of 1636 | 268 | iexplore.exe | 38 (repeated)
Processes
"C:\Users\Admin\AppData\Local\Temp\butterflyondesktop.exe"
  PID: 2364
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  "C:\Users\Admin\AppData\Local\Temp\is-7IJJJ.tmp\butterflyondesktop.tmp" /SL5="$4001C,2719719,54272,C:\Users\Admin\AppData\Local\Temp\butterflyondesktop.exe"
    PID: 1076
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
      PID: 2496
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      "C:\Program Files\Internet Explorer\iexplore.exe" http://freedesktopsoft.com/
        PID: 268
        - Modifies Internet Explorer settings
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:268 CREDAT:275457 /prefetch:2
          PID: 1636
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
    "C:\Program Files\Internet Explorer\iexplore.exe" http://freedesktopsoft.com/butterflyondesktoplike.html
      PID: 2468
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2468 CREDAT:275457 /prefetch:2
        PID: 2176
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
"C:\Windows\system32\taskmgr.exe" /4
  PID: 324
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SavePublish.mp4"
  PID: 412
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads