Analysis
max time kernel: 755s
max time network: 709s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted: 23-09-2024 19:08
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/TheDarkMythos/windows-malware
Resource: win7-20240708-en
General
Target: https://github.com/TheDarkMythos/windows-malware
Malware Config
Extracted
C:\Users\Admin\Documents\!Please Read Me!.txt
wannacry
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
Downloads MZ/PE file
Drops startup file 2 IoCs
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD7D52.tmp WannaCry.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD7D56.tmp WannaCry.exe -
Executes dropped EXE 64 IoCs
pid Process 3432 AdwereCleaner.exe 3068 6AdwCleaner.exe 2032 WannaCry.exe 2016 !WannaDecryptor!.exe 3772 !WannaDecryptor!.exe 1520 !WannaDecryptor!.exe 3960 !WannaDecryptor!.exe 2344 butterflyondesktop.exe 820 butterflyondesktop.tmp 3392 ButterflyOnDesktop.exe 1564 ButterflyOnDesktop.exe 4064 ButterflyOnDesktop.exe 3424 ButterflyOnDesktop.exe 2312 ButterflyOnDesktop.exe 3832 ButterflyOnDesktop.exe 2328 ButterflyOnDesktop.exe 1584 ButterflyOnDesktop.exe 3568 ButterflyOnDesktop.exe 3496 ButterflyOnDesktop.exe 3436 ButterflyOnDesktop.exe 4068 ButterflyOnDesktop.exe 1448 ButterflyOnDesktop.exe 1372 ButterflyOnDesktop.exe 2968 ButterflyOnDesktop.exe 2796 ButterflyOnDesktop.exe 1864 ButterflyOnDesktop.exe 1752 ButterflyOnDesktop.exe 3716 ButterflyOnDesktop.exe 3224 ButterflyOnDesktop.exe 2992 ButterflyOnDesktop.exe 2824 ButterflyOnDesktop.exe 2332 ButterflyOnDesktop.exe 1380 ButterflyOnDesktop.exe 2624 ButterflyOnDesktop.exe 3804 ButterflyOnDesktop.exe 3600 ButterflyOnDesktop.exe 3520 ButterflyOnDesktop.exe 2288 ButterflyOnDesktop.exe 4040 ButterflyOnDesktop.exe 1060 ButterflyOnDesktop.exe 3016 ButterflyOnDesktop.exe 3964 ButterflyOnDesktop.exe 952 ButterflyOnDesktop.exe 3752 ButterflyOnDesktop.exe 2080 ButterflyOnDesktop.exe 1812 ButterflyOnDesktop.exe 548 ButterflyOnDesktop.exe 2484 ButterflyOnDesktop.exe 3344 ButterflyOnDesktop.exe 1828 ButterflyOnDesktop.exe 2440 ButterflyOnDesktop.exe 1512 ButterflyOnDesktop.exe 3540 ButterflyOnDesktop.exe 768 ButterflyOnDesktop.exe 3160 ButterflyOnDesktop.exe 3856 ButterflyOnDesktop.exe 3220 ButterflyOnDesktop.exe 3788 ButterflyOnDesktop.exe 3820 ButterflyOnDesktop.exe 1724 ButterflyOnDesktop.exe 3348 ButterflyOnDesktop.exe 2808 ButterflyOnDesktop.exe 3180 ButterflyOnDesktop.exe 3116 ButterflyOnDesktop.exe -
Loads dropped DLL 13 IoCs
pid Process 3432 AdwereCleaner.exe 3836 cscript.exe 2032 WannaCry.exe 2032 WannaCry.exe 2032 WannaCry.exe 3988 cmd.exe 2032 WannaCry.exe 2344 butterflyondesktop.exe 820 butterflyondesktop.tmp 820 butterflyondesktop.tmp 820 butterflyondesktop.tmp 820 butterflyondesktop.tmp 820 butterflyondesktop.tmp -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r" WannaCry.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop butterflyondesktop.tmp Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\6AdwCleaner.exe\" -auto" 6AdwCleaner.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
flow ioc 163 raw.githubusercontent.com 164 raw.githubusercontent.com 165 raw.githubusercontent.com 166 raw.githubusercontent.com 194 raw.githubusercontent.com -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" !WannaDecryptor!.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" !WannaDecryptor!.exe -
Drops file in Program Files directory 7 IoCs
description ioc Process File created C:\Program Files (x86)\Butterfly on Desktop\is-TVKCL.tmp butterflyondesktop.tmp File created C:\Program Files (x86)\Butterfly on Desktop\is-17AF7.tmp butterflyondesktop.tmp File created C:\Program Files (x86)\Butterfly on Desktop\is-K2F49.tmp butterflyondesktop.tmp File opened for modification C:\Program Files (x86)\Butterfly on Desktop\unins000.dat butterflyondesktop.tmp File created C:\Program Files (x86)\Butterfly on Desktop\unins000.dat butterflyondesktop.tmp File created C:\Program Files (x86)\Butterfly on Desktop\is-HGD0F.tmp butterflyondesktop.tmp File created C:\Program Files (x86)\Butterfly on Desktop\is-MAA4P.tmp butterflyondesktop.tmp -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File created C:\Users\Admin\Downloads\AdwereCleaner.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\butterflyondesktop.exe:Zone.Identifier firefox.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
NSIS installer 2 IoCs
resource yara_rule behavioral1/files/0x000500000001e001-1583.dat nsis_installer_1 behavioral1/files/0x000500000001e001-1583.dat nsis_installer_2 -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2332 vssadmin.exe -
Kills process with taskkill 4 IoCs
pid Process 2204 taskkill.exe 2604 taskkill.exe 2448 taskkill.exe 3332 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings firefox.exe -
NTFS ADS 3 IoCs
description ioc Process File created C:\Users\Admin\Downloads\AdwereCleaner.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\butterflyondesktop.exe:Zone.Identifier firefox.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
description pid Process Token: SeDebugPrivilege 2944 firefox.exe Token: SeDebugPrivilege 2944 firefox.exe Token: SeDebugPrivilege 3068 6AdwCleaner.exe Token: SeDebugPrivilege 2448 taskkill.exe Token: SeDebugPrivilege 2204 taskkill.exe Token: SeDebugPrivilege 3332 taskkill.exe Token: SeDebugPrivilege 2604 taskkill.exe Token: SeBackupPrivilege 2028 vssvc.exe Token: SeRestorePrivilege 2028 vssvc.exe Token: SeAuditPrivilege 2028 vssvc.exe Token: SeIncreaseQuotaPrivilege 3804 WMIC.exe Token: SeSecurityPrivilege 3804 WMIC.exe Token: SeTakeOwnershipPrivilege 3804 WMIC.exe Token: SeLoadDriverPrivilege 3804 WMIC.exe Token: SeSystemProfilePrivilege 3804 WMIC.exe Token: SeSystemtimePrivilege 3804 WMIC.exe Token: SeProfSingleProcessPrivilege 3804 WMIC.exe Token: SeIncBasePriorityPrivilege 3804 WMIC.exe Token: SeCreatePagefilePrivilege 3804 WMIC.exe Token: SeBackupPrivilege 3804 WMIC.exe Token: SeRestorePrivilege 3804 WMIC.exe Token: SeShutdownPrivilege 3804 WMIC.exe Token: SeDebugPrivilege 3804 WMIC.exe Token: SeSystemEnvironmentPrivilege 3804 WMIC.exe Token: SeRemoteShutdownPrivilege 3804 WMIC.exe Token: SeUndockPrivilege 3804 WMIC.exe Token: SeManageVolumePrivilege 3804 WMIC.exe Token: 33 3804 WMIC.exe Token: 34 3804 WMIC.exe Token: 35 3804 WMIC.exe Token: SeIncreaseQuotaPrivilege 3804 WMIC.exe Token: SeSecurityPrivilege 3804 WMIC.exe Token: SeTakeOwnershipPrivilege 3804 WMIC.exe Token: SeLoadDriverPrivilege 3804 WMIC.exe Token: SeSystemProfilePrivilege 3804 WMIC.exe Token: SeSystemtimePrivilege 3804 WMIC.exe Token: SeProfSingleProcessPrivilege 3804 WMIC.exe Token: SeIncBasePriorityPrivilege 3804 WMIC.exe Token: SeCreatePagefilePrivilege 3804 WMIC.exe Token: SeBackupPrivilege 3804 WMIC.exe Token: SeRestorePrivilege 3804 WMIC.exe Token: SeShutdownPrivilege 3804 WMIC.exe Token: SeDebugPrivilege 3804 WMIC.exe Token: SeSystemEnvironmentPrivilege 3804 WMIC.exe Token: SeRemoteShutdownPrivilege 3804 WMIC.exe Token: SeUndockPrivilege 3804 WMIC.exe Token: SeManageVolumePrivilege 3804 
WMIC.exe Token: 33 3804 WMIC.exe Token: 34 3804 WMIC.exe Token: 35 3804 WMIC.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2944 firefox.exe 2944 firefox.exe 2944 firefox.exe 2944 firefox.exe 3068 6AdwCleaner.exe 3068 6AdwCleaner.exe 2944 firefox.exe 2944 firefox.exe 820 butterflyondesktop.tmp 3324 iexplore.exe 3392 ButterflyOnDesktop.exe 1564 ButterflyOnDesktop.exe 4064 ButterflyOnDesktop.exe 3424 ButterflyOnDesktop.exe 2312 ButterflyOnDesktop.exe 3832 ButterflyOnDesktop.exe 2328 ButterflyOnDesktop.exe 1584 ButterflyOnDesktop.exe 3568 ButterflyOnDesktop.exe 3496 ButterflyOnDesktop.exe 3436 ButterflyOnDesktop.exe 4068 ButterflyOnDesktop.exe 1448 ButterflyOnDesktop.exe 1372 ButterflyOnDesktop.exe 2796 ButterflyOnDesktop.exe 2968 ButterflyOnDesktop.exe 1864 ButterflyOnDesktop.exe 1752 ButterflyOnDesktop.exe 3716 ButterflyOnDesktop.exe 3224 ButterflyOnDesktop.exe 2992 ButterflyOnDesktop.exe 2824 ButterflyOnDesktop.exe 2332 ButterflyOnDesktop.exe 1380 ButterflyOnDesktop.exe 2624 ButterflyOnDesktop.exe 3804 ButterflyOnDesktop.exe 3520 ButterflyOnDesktop.exe 3600 ButterflyOnDesktop.exe 2288 ButterflyOnDesktop.exe 4040 ButterflyOnDesktop.exe 1060 ButterflyOnDesktop.exe 3016 ButterflyOnDesktop.exe 3964 ButterflyOnDesktop.exe 952 ButterflyOnDesktop.exe 3752 ButterflyOnDesktop.exe 2080 ButterflyOnDesktop.exe 1812 ButterflyOnDesktop.exe 548 ButterflyOnDesktop.exe 2484 ButterflyOnDesktop.exe 3344 ButterflyOnDesktop.exe 1828 ButterflyOnDesktop.exe 2440 ButterflyOnDesktop.exe 1512 ButterflyOnDesktop.exe 3540 ButterflyOnDesktop.exe 768 ButterflyOnDesktop.exe 3160 ButterflyOnDesktop.exe 3856 ButterflyOnDesktop.exe 3220 ButterflyOnDesktop.exe 3788 ButterflyOnDesktop.exe 3820 ButterflyOnDesktop.exe 1724 ButterflyOnDesktop.exe 3348 ButterflyOnDesktop.exe 2808 ButterflyOnDesktop.exe 3180 ButterflyOnDesktop.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2944 firefox.exe 2944 firefox.exe 2944 firefox.exe 2944 firefox.exe 2944 firefox.exe 3392 ButterflyOnDesktop.exe 1564 ButterflyOnDesktop.exe 4064 ButterflyOnDesktop.exe 3424 ButterflyOnDesktop.exe 2312 ButterflyOnDesktop.exe 3832 ButterflyOnDesktop.exe 2328 ButterflyOnDesktop.exe 1584 ButterflyOnDesktop.exe 3568 ButterflyOnDesktop.exe 3496 ButterflyOnDesktop.exe 3436 ButterflyOnDesktop.exe 4068 ButterflyOnDesktop.exe 1448 ButterflyOnDesktop.exe 1372 ButterflyOnDesktop.exe 2796 ButterflyOnDesktop.exe 2968 ButterflyOnDesktop.exe 1864 ButterflyOnDesktop.exe 1752 ButterflyOnDesktop.exe 3716 ButterflyOnDesktop.exe 3224 ButterflyOnDesktop.exe 2992 ButterflyOnDesktop.exe 2824 ButterflyOnDesktop.exe 2332 ButterflyOnDesktop.exe 1380 ButterflyOnDesktop.exe 2624 ButterflyOnDesktop.exe 3804 ButterflyOnDesktop.exe 3520 ButterflyOnDesktop.exe 3600 ButterflyOnDesktop.exe 2288 ButterflyOnDesktop.exe 4040 ButterflyOnDesktop.exe 1060 ButterflyOnDesktop.exe 3016 ButterflyOnDesktop.exe 3964 ButterflyOnDesktop.exe 952 ButterflyOnDesktop.exe 3752 ButterflyOnDesktop.exe 2080 ButterflyOnDesktop.exe 1812 ButterflyOnDesktop.exe 548 ButterflyOnDesktop.exe 2484 ButterflyOnDesktop.exe 3344 ButterflyOnDesktop.exe 1828 ButterflyOnDesktop.exe 2440 ButterflyOnDesktop.exe 1512 ButterflyOnDesktop.exe 3540 ButterflyOnDesktop.exe 768 ButterflyOnDesktop.exe 3160 ButterflyOnDesktop.exe 3856 ButterflyOnDesktop.exe 3220 ButterflyOnDesktop.exe 3788 ButterflyOnDesktop.exe 3820 ButterflyOnDesktop.exe 1724 ButterflyOnDesktop.exe 3348 ButterflyOnDesktop.exe 2808 ButterflyOnDesktop.exe 3180 ButterflyOnDesktop.exe 3116 ButterflyOnDesktop.exe 4076 ButterflyOnDesktop.exe 4036 ButterflyOnDesktop.exe 1304 ButterflyOnDesktop.exe 4056 ButterflyOnDesktop.exe -
Suspicious use of SetWindowsHookEx 23 IoCs
pid Process 2944 firefox.exe 2944 firefox.exe 2944 firefox.exe 3068 6AdwCleaner.exe 3068 6AdwCleaner.exe 2944 firefox.exe 2944 firefox.exe 2944 firefox.exe 2016 !WannaDecryptor!.exe 2016 !WannaDecryptor!.exe 3772 !WannaDecryptor!.exe 3772 !WannaDecryptor!.exe 1520 !WannaDecryptor!.exe 1520 !WannaDecryptor!.exe 3960 !WannaDecryptor!.exe 3960 !WannaDecryptor!.exe 2944 firefox.exe 2944 firefox.exe 2944 firefox.exe 3324 iexplore.exe 3324 iexplore.exe 3564 IEXPLORE.EXE 3564 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/TheDarkMythos/windows-malware"1⤵
- Suspicious use of WriteProcessMemory
PID:784
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/TheDarkMythos/windows-malware2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2944
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.0.479777242\1773374893" -parentBuildID 20221007134813 -prefsHandle 1224 -prefMapHandle 1188 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {04104853-6c51-4451-84a1-19e0c9c03877} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 1296 14904758 gpu3⤵PID:2672
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.1.1553555180\851443775" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {37619c27-0a6b-4351-9efd-206b506570b6} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 1496 e73e58 socket3⤵PID:2764
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.2.610961396\1124595800" -childID 1 -isForBrowser -prefsHandle 2044 -prefMapHandle 2040 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 632 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c20b3948-4ed6-4c1e-bacf-c84d5d7f1130} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 2060 1a6d3a58 tab3⤵PID:292
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.3.1609375689\935486573" -childID 2 -isForBrowser -prefsHandle 2592 -prefMapHandle 2588 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 632 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {690bac12-a429-4081-98b7-e48e443a73b7} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 2608 e5c258 tab3⤵PID:1764
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.4.2077865477\1093218971" -childID 3 -isForBrowser -prefsHandle 3832 -prefMapHandle 3828 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 632 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef2c5fa7-5b9a-488c-807d-04e437b18560} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 3844 207a7458 tab3⤵PID:3000
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.5.1869252976\2054031219" -childID 4 -isForBrowser -prefsHandle 3956 -prefMapHandle 3960 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 632 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {078ca701-7c90-4acb-854f-5a680532fb42} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 3948 207a8658 tab3⤵PID:1736
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.6.1317612750\210172822" -childID 5 -isForBrowser -prefsHandle 4108 -prefMapHandle 4112 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 632 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {51904828-0dfc-44ac-bde4-bece100ad9fa} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 4220 208a7e58 tab3⤵PID:1060
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.7.613406270\1706871750" -childID 6 -isForBrowser -prefsHandle 1512 -prefMapHandle 948 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 632 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f57b6a1d-7125-456a-8404-ddac40d5ad5c} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 1628 150bd558 tab3⤵PID:2512
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.8.619529741\1690545694" -childID 7 -isForBrowser -prefsHandle 2900 -prefMapHandle 3012 -prefsLen 26858 -prefMapSize 233444 -jsInitHandle 632 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fea0389-f4bb-4507-85e0-497ff4474c3f} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 3312 20815958 tab3⤵PID:964
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.9.1909432555\715270526" -childID 8 -isForBrowser -prefsHandle 4376 -prefMapHandle 4560 -prefsLen 26858 -prefMapSize 233444 -jsInitHandle 632 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac0bb870-c22b-46a3-8c76-10a23541b5ef} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 4692 1d913258 tab3⤵PID:3848
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.10.2083992852\738850644" -childID 9 -isForBrowser -prefsHandle 3768 -prefMapHandle 3804 -prefsLen 27558 -prefMapSize 233444 -jsInitHandle 632 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {49002b49-0b92-4ae7-93a1-05afa400f39c} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 3808 1fe0e958 tab3⤵PID:936
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.11.2136085405\1615351314" -childID 10 -isForBrowser -prefsHandle 4844 -prefMapHandle 4808 -prefsLen 27558 -prefMapSize 233444 -jsInitHandle 632 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {395bde94-677b-4558-90e1-de15cdca39ee} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 4856 202b4658 tab3⤵PID:3460
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x1c81⤵PID:3604
-
C:\Users\Admin\Downloads\AdwereCleaner.exe (depth 1)
Command line: "C:\Users\Admin\Downloads\AdwereCleaner.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3432

C:\Users\Admin\AppData\Local\6AdwCleaner.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
- Executes dropped EXE
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3068

C:\Users\Admin\Downloads\WannaCry.exe (depth 1)
Command line: "C:\Users\Admin\Downloads\WannaCry.exe"
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2032

C:\Windows\SysWOW64\cmd.exe (depth 2)
Command line: cmd /c 194901727119092.bat
- System Location Discovery: System Language Discovery
PID:3740

C:\Windows\SysWOW64\cscript.exe (depth 3)
Command line: cscript //nologo c.vbs
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3836

C:\Users\Admin\Downloads\!WannaDecryptor!.exe (depth 2)
Command line: !WannaDecryptor!.exe f
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2016

C:\Windows\SysWOW64\taskkill.exe (depth 2)
Command line: taskkill /f /im MSExchange*
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\SysWOW64\taskkill.exe (depth 2)
Command line: taskkill /f /im Microsoft.Exchange.*
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3332

C:\Windows\SysWOW64\taskkill.exe (depth 2)
Command line: taskkill /f /im sqlserver.exe
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\SysWOW64\taskkill.exe (depth 2)
Command line: taskkill /f /im sqlwriter.exe
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Users\Admin\Downloads\!WannaDecryptor!.exe (depth 2)
Command line: !WannaDecryptor!.exe c
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3772

C:\Windows\SysWOW64\cmd.exe (depth 2)
Command line: cmd.exe /c start /b !WannaDecryptor!.exe v
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3988

C:\Users\Admin\Downloads\!WannaDecryptor!.exe (depth 3)
Command line: !WannaDecryptor!.exe v
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1520

C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
- System Location Discovery: System Language Discovery
PID:2424

C:\Windows\SysWOW64\vssadmin.exe (depth 5)
Command line: vssadmin delete shadows /all /quiet
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2332

C:\Windows\SysWOW64\Wbem\WMIC.exe (depth 5)
Command line: wmic shadowcopy delete
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Users\Admin\Downloads\!WannaDecryptor!.exe (depth 2)
Command line: !WannaDecryptor!.exe
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:3960

C:\Windows\system32\vssvc.exe (depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Users\Admin\Downloads\butterflyondesktop.exe (depth 1)
Command line: "C:\Users\Admin\Downloads\butterflyondesktop.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2344

C:\Users\Admin\AppData\Local\Temp\is-U9V07.tmp\butterflyondesktop.tmp (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\is-U9V07.tmp\butterflyondesktop.tmp" /SL5="$7015C,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:820

C:\Program Files\Internet Explorer\iexplore.exe (depth 3)
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://freedesktopsoft.com/butterflyondesktoplike.html
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3324

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 4)
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3324 CREDAT:275457 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3564

C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe (depth 1), launched repeatedly
Command line (identical for every instance): "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
One line per instance, listing the PID and the signatures that fired for it:
- PID:3392 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:1564 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:4064 - Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:3424 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:2312 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:3832 - Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:2328 - Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:1584 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:3568 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:3496 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:3436 - Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:4068 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:1448 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:1372 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:2796 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:2968 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:1864 - Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:1752 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:3716 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:3224 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:2992 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:2824 - Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:2332 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:1380 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:2624 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:3804 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:3600 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:3520 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:2288 - Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:4040 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:1060 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:3016 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:3964 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:952 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:3752 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:2080 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:1812 - Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:548 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:2484 - Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:3344 - Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:1828 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:2440 - Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:1512 - Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:3540 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:768 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:3160 - Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:3856 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:3220 - Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:3788 - Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:3820 - Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:1724 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:3348 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:2808 - Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:3180 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID:3116 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SendNotifyMessage
- PID:4076 - System Location Discovery: System Language Discovery; Suspicious use of SendNotifyMessage
- PID:4036 - System Location Discovery: System Language Discovery; Suspicious use of SendNotifyMessage
- PID:1304 - System Location Discovery: System Language Discovery; Suspicious use of SendNotifyMessage
- PID:4056 - Suspicious use of SendNotifyMessage
- PID:844 - (no signatures)
- PID:1932 - System Location Discovery: System Language Discovery
- PID:4072 - System Location Discovery: System Language Discovery
- PID:2368 - System Location Discovery: System Language Discovery
- PID:3844 - System Location Discovery: System Language Discovery
- PID:528 - System Location Discovery: System Language Discovery
- PID:3484 - System Location Discovery: System Language Discovery
- PID:3760 - System Location Discovery: System Language Discovery
- PID:3532 - System Location Discovery: System Language Discovery
- PID:3772 - System Location Discovery: System Language Discovery
- PID:1540 - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Direct Volume Access (1)
  - Indicator Removal (2)
    - File Deletion (2)
  - Modify Registry (4)
  - Subvert Trust Controls (2)
    - Install Root Certificate (1)
    - SIP and Trust Provider Hijacking (1)
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)
Downloads
Filesize49KB
MD53d7bc3a6d04e3c8a68b3862794b521ec
SHA1c19d373b7ff68d6d2a91e4e89b84f7db6ebc8eb0
SHA2564e3713f9cc850dca6a6aa5eff0eaf6f21b9f356a7a46b23217388fe5c94fd0eb
SHA512ef5dd7253d9da8cb5a137d4f62ef5d4d1132ecc14ee9fee582cd0349f080374abfcc6fce044dc50e55ea1c1c5e3ef32f5487a668101b074c484e7e2a87f6d82a
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\entries\80285EC16EDB2FCB53FE4D6500B0396AC776DCD0
Filesize664KB
MD59ac45132d339165e1ee6cae1951dcbcc
SHA1238f1a102181d498b90f22eb584180bd08657900
SHA2568b37ed538eeb7f305f350c548f3e1578e02a3567f77ad2a944f8e905df0fbdb6
SHA512cd3423b8bbd10a1171240269eba09f87dbc5b71a92ecb993c9b70822f84a0f5b9fd127a114643539b5d69b3e7417a7824eb34286b03d125d6ad52c07c724fcb8
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\entries\ADB77CF89BB7C3EACBA0400910D8956D4F8A5D23
Filesize1.2MB
MD5ebf7b89f2f7d0aa8aeac682f39bfa7b8
SHA13a03d28d7e0fbfcdac4a38bf05784f809957f160
SHA2566ed62762ce019f37d2a415181a1590d4ff6cecbcc28150097b7955cdfdf38cb7
SHA51256e61b5e8603ae431ee27d100ab91cd54a4ed47b3a598c7850d7326b06fb4f75e8936c2474535b2fe91d93d48f10032c759dc2e5985c8104d27994c79aa0e7b5
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\entries\BD518506D48E5D9A2A1A812001B343D87149620C
Filesize175KB
MD55dbd75e5a8550976042587e17a943fc1
SHA1655cb076f5ddc588e97ccbfa6bd0858ac30fa5ac
SHA256ddcecbe8553b4ad49b4b0be24b9e70a25408c7cf2e84a6b6b13c74b81a646b36
SHA512ff75be2ce49f4637a1f82be8c96abb7e76aed8fe900b7db21e16cff7cad938b4c32ceabdd3b498e7c57d0d72c9c3fb8d7e8ca8826100e8d4a64fa61853043c7f
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\entries\BD5BDA6CAA71A9585CFF4439E6C1BD696837BD13
Filesize47KB
MD54f6e33faed55a332bd71e2013e8cb1a5
SHA1c9d9011902ace90dd36cbaeeadaaa1017b0a385c
SHA256fade62db111fb3f3bdce1d4f3b22ad9cad838bc93085afc8691a18eae0b6d0e6
SHA51224cfdef7ddfe348b4b52dea5a895f045af2709ddeb2ec4abf789a93aeee1235dad09bdb5bd270c39a6cdc655f78b19b094ae0b71daf44cc1bb507d5cc03bf212
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\entries\CAD1414BC30A3580B4299605CCC55ABA9A6E1725
Filesize97KB
MD5e2cd5ea8e9573624ef8cc6e2ac036e08
SHA1bd1fa1f0bda084f1c57794be1a009b141e8550f1
SHA256f3ec49d87895270307b2d7f6524cbd8715f7937c4dfec89eb9b070f87ffc7957
SHA512863c26481c3d78623729f4c1a8a00cad7030d1c5118d979e7f48a0282c396ef41428f69ff4b61e6822d2216b689e4b81678d0153c19a698b931b5ca95ba48ea2
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\entries\D105AB5F954C0907C9073BF810F90A3C36C6D3E5
Filesize841KB
MD51fff62ae5948d3139415c130f4b3a8ed
SHA1f5059edaa9e35bd564e740f85dab7bfb61cece4c
SHA256393746504e8e0f8829823b1c58a10735e71b6ddf6233703db981f2a86976d4f0
SHA512756ecc798f0180e4376bdbae7428a82b4638b98eda19a535f3ead3dbe6ff8b460a0accc9c39a8f8e53192e9ff81e40fce5b4afd1735c18bd9c9ef08066155fa4
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\entries\E44D8EA2BB95FA202605B58E615B3400B72A14D2
Filesize38KB
MD5809da194224c9def90124e0b0058499f
SHA1bbe0852ddcb415735161fb268422c641996ce5c0
SHA256dc1a282ced42da5b13121a2bed5b4cc6d14c1e04ec071d9e7125bf14606a40b9
SHA51215d4a53078cb2b6fb9b6e2ac4783127c979f309aa417f16d9798ee515157900949f6e85b6f6cda5d5f4586170dad2df25fe5e5bb9e6a200bb45ef53f7b535e05
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\entries\F54E7030F181831909BFCE5EACACBD3D867BDC0E
Filesize99KB
MD5391943dfb18b84d31b911cbd2c9f1707
SHA1cbedba1f64e571a0e50eb7ef6082f11944b636d2
SHA256d05502791a53394c61abf3c083538480752be81f27ff7484a27f8bc2fd16288a
SHA5123da874ae85a31348ce88b07ae95e2b95bef369566216cde0ff9eed2952ea4982c227d4c62f920e7a55ab2d8e25934925a36a397bbad5f361435b89e6cb4e3716
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\jumpListCache\dLbLlPingj8ibP6GLQ2PZQ==.ico
Filesize25KB
MD56b120367fa9e50d6f91f30601ee58bb3
SHA19a32726e2496f78ef54f91954836b31b9a0faa50
SHA25692c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0
SHA512c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
2.8MB
MD51535aa21451192109b86be9bcc7c4345
SHA11af211c686c4d4bf0239ed6620358a19691cf88c
SHA2564641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6
SHA5121762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFf7a7fe9.TMP
Filesize9KB
MD589e7cac284782f0cd5582bd36fd2504d
SHA13d219a79fc0ff1868a5af250ab1e33f261ce436e
SHA256b71682079e3ce4201543da5e937cd3e06d2296dc17a49d16bb7713cd8855e398
SHA512068e0562937bb8b8247cd15dcd058e130dde7e28cda84a2e7213c514120bff3785f11f8a36c1684511582ca96d57e9fcd8f131eb13dc18636aa8cd2ef785f459
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R0G68C4ZD6NDI5R7K19D.temp
Filesize5KB
MD58dbe38cabe9fc57b1df80dee492ffbfe
SHA1621bd4a3ba3874ff84d71bfba4913d780e92a59b
SHA2563239403a99a7e02cd96d4666c38361c1720f4686b5e72f44c1042ef7a1bd367b
SHA5123375ee5ddc39f18a4022c487e30ea54242fffb709cc52545870527d75a0d4ebe5a31bcb502dbf00dcddb8217652d80f6ea416a2e1c89f99c31b3e31467ffa9a9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\AlternateServices.txt
Filesize1KB
MD52fda5f089ee35160de66fa4baaa9e5f3
SHA1afe8ee2b18e0986da355076d3530ca49ae2eb969
SHA256d9b9961d3d5bd35183abe976b8a7d4199b2be630c3e24d96e87e4a5cc7b8efd7
SHA512290f715aca5d92c4f4f735f3eda839d4af3f8206b25692aa0efbd85486ef74591d2aa963a3750aa2357d2958c83dacc7301c9809a29c8c7e98149b7262af06c5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\SiteSecurityServiceState.txt
Filesize642B
MD5f559067564c91b7ea9a187214ea81c96
SHA1cd4c2fbd568a69c0b6f3a4205a36b2f69822ce53
SHA256419f6dadc09837a781bcd6800f07d13388e80ac4dc74561ab5ae61ddc4fb6264
SHA5129a13df051653658129225c03272751028b28b3c0995acd99cb2f25991624cb40d7e7ca4109363cf2d94fafcd0bae36d841d319d3a04092dea0ebf619220a662c
-
Filesize
224KB
MD5b49411d5ead5c1fce38a6b7cbba9d839
SHA1b2a21ac4bd2036d04823a449222301dfb90e1fdb
SHA25655a5d2af5b117db2a4b8469da92c68f88fb8af70a7e588000d23946836157e33
SHA5128acd4c9794b71e4b3e43b8b29e7451248ee3743172608cba8a9f09f7b385845047f1c321670e870658e9a524d5f6b9f8fe6b3c23270c5073726b0a7f4b8b486e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD57a2f82ae0830894954eb892c56d9e86d
SHA1c0c018e2a1922d9b4adc56cc0b02c1b33c5d691d
SHA25662ec1c7b3a97a5036c59bf92f7311e3e2c0d8b46b2ca16cbf3264b226a4d5652
SHA5122b90ed8cd5f71dfe24b20a5112bf40171d4d8b45b1775f37d381c9e0d34b11909a06f84ff2475bce764866ec74cdce6854bf06ae049356329a707011a19ca2ba
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\684c84fb-5536-4149-a578-d887c6673673
Filesize12KB
MD57b1c41fdeca5bb82e59987088deb53ce
SHA14b58190b1ce7343363c555f418056b706182c652
SHA256d32eaacb46dc959f7f09ac59e8a0280c7650cabe6337ccf1ac0b41f0633b0fdb
SHA512cd0078d9e654c91b706141824c04c1350d37edd4b9647b033166e86934101258ff1adf6ee2732e6408ec7a0f3f2dff2d5276e39d33b8adf3324290a454c3dc71
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\e97a65a7-8235-4076-a1fe-fbcbbda3e46c
Filesize745B
MD5e704beb752686d24866c5e1dc810d005
SHA1471b8c2a50100a5895c68cf53257da10a84cd9ad
SHA256c666151a3551dcdabc2d6a86fe48353e27ea7177f341399762329bf328715fb7
SHA512d66fdcfef26229c3fbba4738b24c5a0492856c65b81add8fca71b78dff92918672fbfdca365dddb1e074d9e62223d1e79f26478caa1714dd7252bdc61a53cc84
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
7KB
MD5941c6f6989c36ec53fab9fc798fcc8a4
SHA1ecfab702366b4ba64db92967d798c14e5bc8fe43
SHA25668c0d49068231d21494618c0b9742d2bbda8451656107945fc6f3dcf2b5d3b76
SHA512fbc6ff1212c4de5b4e9ede5160756ec53ffb0702b2b990bcc62a64556a0790b5997766ebfcf2bd9b2df65f31b8bdf565a5973bb0bbfd36071bc2afc8d2bd24a2
-
Filesize
7KB
MD5792cecb2a4a5fca7743def51d52bc224
SHA1bd8a97e5bab6f414cd95cebbfca7a40b01311ea0
SHA25682f1d8d4bda7aa951e282746f461103e84b75587195a88215848e811638d0462
SHA512ff3c1ced5e4af9a8d258c6b2e1081a1d839c4be7d3b4087dfdc9878c42a940b48a31d11c50d8b60d936b39f1644ef3b1d7289fc0b4c582b0621d3a2227cb72ad
-
Filesize
6KB
MD55421e0cc82cd13ac1fa36b2b20f53e2a
SHA1ff7a43d02cd67db26a8a3fb7190459c0c03cb117
SHA2569ce97a88d9f5c85868b56a2fcf899945e7658bcf7908f13248a94b1b8868e2db
SHA512c8c9d8f897499c3da7e159beea229c934efb70c4efecd430d1bf55a4c24ff1961b29957293c3e18ece7a7661d894fb710831367f7ea72c5bf9fa0ed6b60fb4d8
-
Filesize
6KB
MD5bd6e7323c062c11bf8c7b9e835a29761
SHA1b2a9da3206e65117fe5d7274dc8b566f87582a11
SHA256d1450c4af0e7b8802f06698f137abc67735ca21b77e0f3cd5b80fa957b255366
SHA5124e8d70f6f98238369120eb4b0cf39a6c4834f25fbd0982bd4351b7cf2bd2d2ef1ce3f5efb0a4d029e8de4529e862524f0e1fd0b161fc3ea8ba540e00b632077f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize9KB
MD51c38717b40346612067305cf71a701fc
SHA12259a011476844176fd0c287ca6e4f69dfaf9573
SHA2563aa1f9e0d3c7484cf1f67ce25b85e099983c30d52fbe2a948923a9eb2f864639
SHA5126c798dcc44d79939a8167ca7aedeaeb4a389951e4a7c4b68e15a07bce7982e595d80d32ce502372294995a49d473b439f7f45b93e7250489d34f191d22191604
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize9KB
MD5c102f9f8ebe929359f51c17ec5471e09
SHA12289b4cf3f054b925ef80bb993d6052dc3ca1db4
SHA2569f33a8f0e7f40031872c708dc78f31b17c26bb25b72034310897b4562939ac75
SHA5124b335aeb5ec3b35976bf3b34170a681dc1a08a66a05c657b31fd4d91c6ce819a7821f8d1c04b3f506f6ac9d1bdd1e9ce9aea5820f46a398c5d369d2bb87df106
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize3KB
MD5d8f815210efe829d86c9c6c24af7fc3a
SHA104048316dfc4c5bd649e150ab444a89283f2b54e
SHA2563352ceabb7f6a0c31ce0338d14f8dc786cc1132f0ca51bf4030d7ccdb63065c9
SHA512cdf4355f9846364ae7fd599581ecc4d0c1de4724d664f1bfc57a453ef6cf4038bf3665896a977202abf98762ab7e0bb1f0875ac9f9c6f2792f3f2d378426117a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize3KB
MD573ae5ffec1d0ee4cf72a8eef39d47e2d
SHA1ac19e9f5538c33607ecdd24aed146f63c425e49f
SHA256f5385e2806a989648e50ab723d23a2c065c3197010012979316f48642dfa9325
SHA512917a9170310fc4a1815b476ebe519a565c90fc36a2d79fa24cfa207747c5afe498a235615a98d6baa2b7947c327ef0787ebb358935629fa77bb76ad7c6ce51ae
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize5KB
MD5740569c6a40c331271a3017c9117c88d
SHA1670c5344ab0f0d3eb4e3fd390c9a73644f192937
SHA256921ce706250c9800eb48c4488ed8c73b05ba8dd11c80afffba3f0e21cc5c6184
SHA512f86971f938776892fc3ebcd6cd2d6b78ef1c74a50b85196d7d831c3e8151f40cd1a650e2d30a41c51c5a6805db252ae35e45f1c4b8a4fc245bb0aeb0c503bace
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize6KB
MD5a44da5a098432db1273217e924208160
SHA13ef12f62a89b29d15d7f28e965a23ea3ac37f6c5
SHA256c22d2af67e2bc71543652bec3496ffd760a1297c56a4c004e3153846ee96b090
SHA512ff5574637f757d26e177f353a3238dff6e1e027a422487b709fb0a9b6df7063aab844bb2fee99b6e2d1e8c74878e33c97542a562977f78431ad1b5aa69ec345d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize8KB
MD5b0bbf9b74edcea697798c4261de88d74
SHA1343449e74ff61b24a7f7546d8a9bea9e4beec12e
SHA2566c4e2ebc39b42584b937fcaa58371bd2f66537a3a8c206806b8b11e026d0a8f6
SHA512ce48616cfb37a97fe80f1d51022eb37844ad63211f1b6d60404fe131d771d35f564c0bf6b4b815e172ca22eba7c91d2244dfa498786087d1f99d6e0810a727a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize9KB
MD5d4696a458af00ac70e89f8200d355a13
SHA1089d0584f42801d04ae7711b30eff3c28bb50ee7
SHA2563ea5ce2d9a5541c6231857ab9f89f79f4fe8e94615a6ea5d4e98283d1e9cf521
SHA512866bea9fd570ebb5ea1b014ceb57808e1da84580188c41ff5a527ea82c74ed8f6e327c16a519bcc942fc7493adda479b5842705638c1109d96c83733d37a29a8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize3KB
MD5dfadd152aa75d98cd760b867b6cb7c2b
SHA1a15aad3c2ade230d44621f81f89036540882b52b
SHA25646b34783b75c8b07af7160aea752fd4a2d5c520e1500d03a0100685cf63ed6a5
SHA512bd5a3699bc55cdd698419a3f814e0c3d685de1621f4ed6f9c926dbc1eab3b7f739980e42a8a550fff0516a2cf0abaa328a5accddb4c5fa88d2e97d31be52eb98
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize3KB
MD50565118292408a5af56d5ffed47d8355
SHA153ac3b02277e8a8b651b44bcf326729539b4f8b5
SHA256f37e92eabcc76e657f1a29973f32ea8751fc9024cd74fbb3f787c7899be1e062
SHA5127c918f3918631a8b7695c4f23193b45cba3f7051777b9aa3599362ab605ea97c99c5174f5ae64d9a85e40f56df8b2774735778eff86c87cd3880144230c57323
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize3KB
MD51a7ca382446ad4212d84a93fe52a2497
SHA15cec59397eafcebfef7d7a3165e5363ac0ace26b
SHA2565a7a819f834f6cd0bee34120799dd8638ac94742267990c25a6e2c01fa9e28a6
SHA5121402136d72651088cf4cced3c9825b9d0a9ce971b3fe61349199a6e94dd1d3c74b5f0f7aca9d37ba8efd1e13e8d07e53d873016e7f2aca88036d3b5f62479130
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize5KB
MD5f21939bb0d645c20eda123bdc180cd8c
SHA18290b8a8aa7641b9022720512c26d64491333dd4
SHA2566955908c86e4a4038e062e243542bc58d7b5d8ad1828b7dad061a958e7bbfb31
SHA5125cf097f171d1a160f34da9d5c7357690e9f895f4704429a4447b10b04ef39a0dfd3a93ee27df6e0e44edcb0a7406e273bd1534f29f4ff9c025eac32698879ede
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize5KB
MD5d40056d2625e73c0c392b1e0e0a93c5e
SHA1403da086394e4f743e25f0353be8a864b31bae73
SHA25600e60bbd9d68903838fe9eebdcda87c34146e4cd9dccd23cf97b6cd7a839f96f
SHA5122d7b046a2aa96b9c4e458d337b9a073609a71ab4f769684d75414968a408e6779b19738f3045c1105f9ad67bbd546110109185787932461101c76a677049df17
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize7KB
MD560f9f5d432edf1617be34ef4008cebc8
SHA1ab27d3e3e5c62ecb141867c7648cfe689b14e7d5
SHA256be33a7cfdcf952b138257a8ed12466df5e879afabb6f8150f90c144d7b7c77a3
SHA5127aee971073c7ffb5a85f1f4fad4777e7b11639e03dae193fc46292b6dfde9fa9c7d6044ccc520b6ee62ad20dde8e9d984454b1617ff042134e655971718ff52c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize8KB
MD5d32e34513ad14aa9cccdb0de556d3a49
SHA138a341f85be29f7639bd721c104b77b175308ae5
SHA2560e3c34a9eed7be95360b39cd0bee345ce10a1bc6c0a3d486119f161da2fca52e
SHA51230361eb0c4ee6f9ec77d6861b72b3a761cbfee3e99af24abb61690af03e384a291d135a3b8a75150527aca50e0de9f9c1bb16088af46df24e7fc5d556145716d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize9KB
MD55123eb2dc0e47698099090e30bedfd4d
SHA1097115be65e4b562ecb7ecdda6d40502c2a34cd8
SHA256f05cce96bc60a1324dff8be3fbca77f82e06b517f01e2b1c486e586163bdef1f
SHA512efd39996dcb7d3dfd6cd5f3d57ddaf0b41e6b1866ccc73f263b5acb791a2e5ba5fc0de9221fd97a97e37c9f2d2e545234865093efe35c2ed8d0daf0e25078837
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize9KB
MD524a40b7e46e9043de7354ab8e531c958
SHA171d5000506767445488bd9304c7875cf1cfbcc01
SHA2562b36a3718dff3697edb147514757d7b34e21efeadee57921b7ab3fbb9193d4d3
SHA5128226c8abd840bc5ea83ede64066a85a6b3e0a14c50f675c84864cd1e0ca8d2fcd1ae4a35395311bab0270c9d140d6330febd7ee3b80098d1ce86330b279f7648
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize9KB
MD5b5476d47cd865a54fe6d22194009cd01
SHA1bc8751e5d3d294a2af3699007bb86934da1baaa0
SHA256361ce1ff9af7b8b23b89447696c74a122e4f67f7fc1a8f380a8ed86da1ee678b
SHA51216801307a12fd075bc17b4223149a82ac06fc37754b9ba361f64b55f3dc4d77e00302bf3bd69da741e283f0b6c693f7297d70aa9629b292c58c45d0279869b02
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize192KB
MD512cf189b4ea3add4d22a5a0d13007151
SHA15ae29fc7d955e5cd1dd1cdb8ab35c9ff06aff369
SHA256251aad2a24fb8fb8f67ef25a36a312256b886586b35c2c02757659101829e73b
SHA51262929776c4fead7c504cb4ae9265f5d31f860baf9b26761db5420539585833fd79286705b8abc815f77f3532f9cedef7250977944601641d7545f4d257fc79b2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize184KB
MD53dc733f51b6c47c0e57ae7035b9abacf
SHA1d4c28a6f9d4bae9e297440a46726a2cb3e2504ba
SHA256aafa700fb884f14becaf86a0eb9df79dfa15885b2ebe11cabe5f48a3a5d9e0e1
SHA512e02670f6fa626a21ad150e0e0e589ba9f1f7a1fb921dc28f4117dc0a30a337b9c9b165dd0a30da864fe4dbdf130372e846648792a0bcf5aad4e8d28118101067
-
Filesize
797B
MD5afa18cf4aa2660392111763fb93a8c3d
SHA1c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA5124161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b
-
Filesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
Filesize
672B
MD5b64295575797326f3f1ff287e48613f2
SHA16d5bd1279205d8ff35c292d176c724a0f1f77968
SHA2562b20d0e5162d57908839aa2e4eb59d7f5dc776c3072d8be12c8a5d3f006a3ee0
SHA51273170c748723a874dfd2bfb3dc18b75b6f7fd0d0fd101edeb1b702f49d107bc15f1b682af344ab2ef4cdbf0d9f78a1b47e16d7b25bfeccb0b8ba42ae694b23d9
-
Filesize
136B
MD5913c4393db7d56ff55eb9765cdc7503e
SHA1f64f25f58127d7aee2c056e8705ad80dc0048876
SHA2560881248fd21a28a4fea7214ff9047d7ecd032b920e162d6ef4e5bbbbe09e6469
SHA512af77e3c8c22f0f61384f1ef4f49486c84125eb1f1ec98385db1a6dec2d0429d9251c87c0710390323303e757d08ed0d6edc2171b4fe023d5ce4b6a0015fc8d6f
-
Filesize
136B
MD5fa196ae4d0ff645b57b1d042c417f92b
SHA1be7766e3d964f288854d76d2f51b0145c3c0836e
SHA25635f4f46fd90a42cad7c8aac0dfdbfb4349891615b0338f11c96986941cade84a
SHA5121fd493242c8b781e2c121356c280bc9a2931e8ed454e30c2949e199ace40e497fa84bc5860aa190bdd38bb23ece4b478ea39108646a403524f5b44c385fb4430
-
Filesize
136B
MD573cefe9d973372d951a063bd7d53acf6
SHA14519ce0451ceaac04d7de81c2d3fd8149bc14e13
SHA25613755d78ab159f94920208c38a3c19dd8ecc1a87ea5c4eee55c6d330b559cce4
SHA512a4a02298325a81942dcf4161886c6b2879f2462310fa7835ca0ca24afe08faa0abd541330864fa5ad8cda02d4485d08eb72b05b50c9fdfc12601dc25bf45a6b1
-
Filesize
318B
MD5a261428b490a45438c0d55781a9c6e75
SHA1e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e
SHA2564288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44
SHA512304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40
-
Filesize
190KB
MD5248aadd395ffa7ffb1670392a9398454
SHA1c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5
SHA25651290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc
SHA512582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e
-
Filesize
224KB
MD55c7fb0927db37372da25f270708103a2
SHA1120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
-
Filesize
201B
MD502b937ceef5da308c5689fcdb3fb12e9
SHA1fa5490ea513c1b0ee01038c18cb641a51f459507
SHA2565d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1
SHA512843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653
-
Filesize
628B
MD5246a583da8affec17bf6025da5962de9
SHA18507b7eacffba333387918433a7afbfc2392b019
SHA256083022b371b1d0ab3870b498419e706ce9690be5b4c464259c25e00cf2a7cc13
SHA51212eb848eb91730d118ac524819bfecb87096130a922f39ad72d82d8209f865024ad756d17774e97c4a7aff416853a9e2e58d457e36cf0cac23286983004237a8
-
Filesize
44B
MD52bca6fe2a657acf1ab6a3dac0e768414
SHA11d5400935e7c0a38f106e6c36f4fe90f1e640eac
SHA256e64f9d7cd858be66270385923eeb1c8ed6c4b8aa6c1b72d0bf11e766dd01f770
SHA512331159232ae147a4d1e84d1bd9bc5259c5fc301a6dc8819835f0bafdcba82d4f13b335c0750f8e96eceee3b960a9a6e3110780ab24710aa19d455219c7782645
-
Filesize
42KB
MD5980b08bac152aff3f9b0136b616affa5
SHA12a9c9601ea038f790cc29379c79407356a3d25a3
SHA256402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496
-
Filesize
493KB
MD5c9aa54a56f3eb4d3e6d7a5f89b8b4d84
SHA132e1dcba1a3ec0aaea893295c5b2ccb21fef163c
SHA25648282b0754f2c6ccf87606d03807d0fc06c461fe279f2c910e4288fdf616b899
SHA51236fbb9b2d843d93a52bd9422db0282ff4345aa38c83a0c40c59f3e1db0efd314cb16f9767a8ed476d2830fa214257ab80c250bcdb3139d2e07a80c7da310ce7f
-
Filesize
698KB
MD51fee4db19d9f5af7834ec556311e69dd
SHA1ff779b9a3515b5a85ab27198939c58c0ad08da70
SHA2563d550c908d5a8de143c5cd5f4fe431528cd5fa20b77f4605a9b8ca063e83fc36
SHA512306652c0c4739fce284e9740397e4c8924cd31b6e294c18dd42536d6e00ad8d4c93d9642fe2408f54273d046f04f154f25948936930dd9c81255f3726f31ee65
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
688KB
MD5c765336f0dcf4efdcc2101eed67cd30c
SHA1fa0279f59738c5aa3b6b20106e109ccd77f895a7
SHA256c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28
SHA51206a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891