Analysis

  • max time kernel
    290s
  • max time network
    322s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-08-2024 14:01

General

  • Target

    crashpad_handler.exe

  • Size

    615KB

  • MD5

    9f12b93fbe757f35df3cb953a52c593f

  • SHA1

    74e3808a94a78ccecdee9cb8b02eb0ee23ac9a81

  • SHA256

    d7fdaa84062bd7594fc5fc9a9eef37afe07f25a6c2e332e88bac1b35becb4c81

  • SHA512

    798b46eb29f0d3f849ee1c57ed16ebd0d4fa63f9ba10edefa8a26683b5baf43afe2213f46e5da4ce391af56fb3310c89e938f48738168c48dd0718494eaef203

  • SSDEEP

    12288:PWHL42mwBOrsD7AVFO5rxLEuuOdfj/Tua/rRe408RIE:OUzwBUsD7AVFO5rxLEuuOdfj/Tua/9ep

Malware Config

Extracted

Family

crimsonrat

C2

185.136.161.124

Signatures

  • Chimera 64 IoCs

    Ransomware that encrypts local and network files; historically distributed via Dropbox links.

  • Chimera Ransomware Loader DLL 1 IoCs

    Drops or unpacks an executable that resembles Chimera's Loader.dll.

  • CrimsonRAT main payload 1 IoCs
  • CrimsonRat

    Crimson RAT is a remote access trojan attributed to a Pakistan-linked threat actor.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 2 IoCs
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Renames multiple (3280) files with added filename extension

    This suggests ransomware activity: files across the system are being encrypted and renamed.

  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 12 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Adds Run key to start application 2 TTPs 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 27 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in System32 directory 47 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 9 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier; its ZoneId value is the Mark-of-the-Web (MOTW). Removing or never writing that stream lets a file sidestep SmartScreen and Protected View checks.

  • Browser Information Discovery 1 TTPs

    Enumerates installed browsers and their profile data.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 18 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • NTFS ADS 9 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SendNotifyMessage 45 IoCs
  • Suspicious use of SetWindowsHookEx 46 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
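The Zone.Identifier stream behind the Mark-of-the-Web and NTFS ADS signatures above, as an added example that is not part of this report: a parser for the stream's [ZoneTransfer] block, a check for whether a file carries the MOTW, and a reader that opens the stream by name on NTFS. The sample stream contents, the example URLs and the function names are this example's own. Note that in the process tree below both MOTW-related hits sit on the Firefox parent process (PID 396), which writes this stream when it saves downloads; read them together with the Downloads\*.exe launches beneath it rather than as a bypass by the submitted crashpad_handler.exe.

```python
"""Added example (not part of the sandbox report): parse a Zone.Identifier
alternate data stream and decide whether a file carries the Mark-of-the-Web.
The stream contents below are constructed for illustration."""
from typing import Optional

# ZoneId values come from URLMON's URL security zones.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(stream: str) -> dict:
    """Parse the INI-style [ZoneTransfer] block of a Zone.Identifier stream.

    Keys are kept verbatim (ReferrerUrl, HostUrl, ...); ZoneId is converted to
    int, or None when the stream is empty, malformed, or lacks a ZoneId.
    """
    fields: dict = {}
    in_section = False
    for raw in stream.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    zone = fields.get("ZoneId")
    fields["ZoneId"] = int(zone) if zone is not None and zone.isdigit() else None
    return fields


def is_marked_from_internet(stream: str) -> bool:
    """True when the MOTW says the file came from the Internet (3) or a
    Restricted site (4); those are the zones Windows treats as untrusted origin."""
    return parse_zone_identifier(stream).get("ZoneId") in (3, 4)


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the ADS on NTFS by opening '<path>:Zone.Identifier'.

    Returns None when the stream does not exist, which is also what a
    MOTW-stripped file or a non-NTFS volume looks like to the caller.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


# Constructed sample streams (URLs are placeholders, not from the report).
MOTW_INTERNET = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/dl/NJRat.exe\r\n"
)
MOTW_INTRANET = "[ZoneTransfer]\nZoneId=1\n"
MOTW_STRIPPED = ""  # stream deleted or never written: no MOTW at all

if __name__ == "__main__":
    for label, s in (("internet", MOTW_INTERNET), ("intranet", MOTW_INTRANET), ("none", MOTW_STRIPPED)):
        fields = parse_zone_identifier(s)
        zone = fields.get("ZoneId")
        print(f"{label:9} ZoneId={zone} ({ZONE_NAMES.get(zone, 'none')}) motw={is_marked_from_internet(s)}")
```

On a live host the same read can be done with `Get-Content -Stream Zone.Identifier` in PowerShell; the Python reader above only works where the filesystem exposes the stream by name, so a None return must not be taken as proof the file was never downloaded.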

Processes

  • C:\Users\Admin\AppData\Local\Temp\crashpad_handler.exe
    "C:\Users\Admin\AppData\Local\Temp\crashpad_handler.exe"
    1⤵
      PID:4448
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4244
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Subvert Trust Controls: Mark-of-the-Web Bypass
        • Checks processor information in registry
        • NTFS ADS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:396
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {256181b8-65e3-48c3-812a-55a9d45b7e7c} 396 "\\.\pipe\gecko-crash-server-pipe.396" gpu
          3⤵
            PID:2448
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8f02fbb-609d-4388-a65f-b3249aa2819f} 396 "\\.\pipe\gecko-crash-server-pipe.396" socket
            3⤵
              PID:1380
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3336 -childID 1 -isForBrowser -prefsHandle 3292 -prefMapHandle 3324 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {931c3016-ff52-4b77-bee9-2aa5b0283cf1} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab
              3⤵
                PID:1800
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2660 -childID 2 -isForBrowser -prefsHandle 3728 -prefMapHandle 3724 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebc4c589-2afa-4e91-bf2b-d39bc2e1d6d4} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab
                3⤵
                  PID:3604
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4332 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4292 -prefMapHandle 4336 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb345663-e8fb-4824-a27e-fa217fde2dbc} 396 "\\.\pipe\gecko-crash-server-pipe.396" utility
                  3⤵
                  • Checks processor information in registry
                  PID:4572
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3020 -childID 3 -isForBrowser -prefsHandle 2860 -prefMapHandle 5240 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a5c4605-76d4-48a4-b159-74feae699090} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab
                  3⤵
                    PID:5800
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 4 -isForBrowser -prefsHandle 1520 -prefMapHandle 2976 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ece6d16-9af4-48fe-b1ca-3a1cc943fcee} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab
                    3⤵
                      PID:5816
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5800 -childID 5 -isForBrowser -prefsHandle 5880 -prefMapHandle 5808 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfb0c4fe-ccb2-4d01-9dfc-87baba59a7c0} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab
                      3⤵
                        PID:5828
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6236 -childID 6 -isForBrowser -prefsHandle 6224 -prefMapHandle 6228 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5617c4b7-dadb-4aa7-a680-6d553f84d3ed} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab
                        3⤵
                          PID:5172
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5784 -childID 7 -isForBrowser -prefsHandle 5720 -prefMapHandle 5736 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2301657c-b592-47c0-9b2a-bd9cb433be7c} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab
                          3⤵
                            PID:5256
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6332 -childID 8 -isForBrowser -prefsHandle 6112 -prefMapHandle 6364 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e8b257e-7d64-4089-a3a7-ee5ca4838cc7} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab
                            3⤵
                              PID:5244
                            • C:\Users\Admin\Downloads\Remcos.exe
                              "C:\Users\Admin\Downloads\Remcos.exe"
                              3⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Adds Run key to start application
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              PID:5208
                              • C:\Windows\SysWOW64\cmd.exe
                                /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                                4⤵
                                • System Location Discovery: System Language Discovery
                                PID:2000
                                • C:\Windows\SysWOW64\reg.exe
                                  C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                                  5⤵
                                  • UAC bypass
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry key
                                  PID:6136
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
                                4⤵
                                • System Location Discovery: System Language Discovery
                                PID:1196
                                • C:\Windows\SysWOW64\PING.EXE
                                  PING 127.0.0.1 -n 2
                                  5⤵
                                  • System Location Discovery: System Language Discovery
                                  • System Network Configuration Discovery: Internet Connection Discovery
                                  • Runs ping.exe
                                  PID:6048
                                • C:\Windows\SysWOW64\Userdata\Userdata.exe
                                  "C:\Windows\SysWOW64\Userdata\Userdata.exe"
                                  5⤵
                                  • Executes dropped EXE
                                  • Adds Run key to start application
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: GetForegroundWindowSpam
                                  • Suspicious use of SetWindowsHookEx
                                  PID:3712
                                  • C:\Windows\SysWOW64\cmd.exe
                                    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                                    6⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:1384
                                    • C:\Windows\SysWOW64\reg.exe
                                      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                                      7⤵
                                      • UAC bypass
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry key
                                      PID:676
                                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                                    6⤵
                                      PID:2988
                              • C:\Users\Admin\Downloads\CrimsonRAT.exe
                                "C:\Users\Admin\Downloads\CrimsonRAT.exe"
                                3⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1540
                                • C:\ProgramData\Hdlharas\dlrarhsiva.exe
                                  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
                                  4⤵
                                  • Executes dropped EXE
                                  PID:3860
                              • C:\Users\Admin\Downloads\butterflyondesktop.exe
                                "C:\Users\Admin\Downloads\butterflyondesktop.exe"
                                3⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                PID:6036
                                • C:\Users\Admin\AppData\Local\Temp\is-GRCCR.tmp\butterflyondesktop.tmp
                                  "C:\Users\Admin\AppData\Local\Temp\is-GRCCR.tmp\butterflyondesktop.tmp" /SL5="$C0046,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"
                                  4⤵
                                  • Executes dropped EXE
                                  • Adds Run key to start application
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of FindShellTrayWindow
                                  PID:2768
                                  • C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
                                    "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
                                    5⤵
                                    • Chimera
                                    • Executes dropped EXE
                                    • Drops desktop.ini file(s)
                                    • Drops file in Program Files directory
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of FindShellTrayWindow
                                    • Suspicious use of SendNotifyMessage
                                    PID:3400
                                    • C:\Program Files\Internet Explorer\iexplore.exe
                                      "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"
                                      6⤵
                                      • Modifies Internet Explorer settings
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of FindShellTrayWindow
                                      • Suspicious use of SetWindowsHookEx
                                      PID:1964
                                      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1964 CREDAT:17410 /prefetch:2
                                        7⤵
                                        • System Location Discovery: System Language Discovery
                                        • Modifies Internet Explorer settings
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of SetWindowsHookEx
                                        PID:4500
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
                                    5⤵
                                    • Enumerates system info in registry
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                    • Suspicious use of FindShellTrayWindow
                                    • Suspicious use of SendNotifyMessage
                                    PID:5568
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff853f146f8,0x7ff853f14708,0x7ff853f14718
                                      6⤵
                                        PID:5752
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
                                        6⤵
                                          PID:3548
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
                                          6⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:2104
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
                                          6⤵
                                            PID:2352
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
                                            6⤵
                                              PID:4012
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
                                              6⤵
                                                PID:4560
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2888 /prefetch:1
                                                6⤵
                                                  PID:5188
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
                                                  6⤵
                                                    PID:3624
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
                                                    6⤵
                                                      PID:6208
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
                                                      6⤵
                                                        PID:6300
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
                                                        6⤵
                                                          PID:6308
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
                                                          6⤵
                                                            PID:6608
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
                                                            6⤵
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            PID:6728
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
                                                            6⤵
                                                              PID:6740
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
            6⤵
            PID:6748
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
            6⤵
            PID:6980
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
            6⤵
            PID:6988
    • C:\Users\Admin\Downloads\HawkEye.exe
      "C:\Users\Admin\Downloads\HawkEye.exe"
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:6176
    • C:\Users\Admin\Downloads\NJRat.exe
      "C:\Users\Admin\Downloads\NJRat.exe"
      3⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5556
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE
        4⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4560
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4956 -childID 9 -isForBrowser -prefsHandle 2780 -prefMapHandle 2668 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4dd7f34f-ec85-4934-b9fd-32ebed29cbc5} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab
      3⤵
      PID:3560
    • C:\Users\Admin\Downloads\Gas.exe
      "C:\Users\Admin\Downloads\Gas.exe"
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1540
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6296 -childID 10 -isForBrowser -prefsHandle 7580 -prefMapHandle 5272 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92ac2e6b-1979-4153-929e-b6eef6e9bae4} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab
      3⤵
      PID:2936
    • C:\Users\Admin\Downloads\Netres.a.exe
      "C:\Users\Admin\Downloads\Netres.a.exe"
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:6292
    • C:\Users\Admin\Downloads\Fagot.a.exe
      "C:\Users\Admin\Downloads\Fagot.a.exe"
      3⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Adds Run key to start application
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      PID:5724
• C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  1⤵
  PID:4852
• C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  1⤵
  PID:5836
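In the tree above, NJRat.exe (PID 5556) spawns netsh.exe to add a Windows Firewall exception for its own binary under the user's Downloads folder. The following is an added detection example, not part of the sandbox report or its tooling: it takes process-creation records (constructed here to mirror that step, with the ProcEvent field names and the user-writable-path heuristic chosen for this example) and flags firewall exceptions whose target lives in a user-writable path or is the very process that launched netsh. The msiexec-launched advfirewall record and the plain `netsh interface` record are hypothetical, included to cover the legitimate and current-syntax cases.

```python
"""Flag Windows Firewall exceptions that a process adds for itself or for a binary
sitting in a user-writable path.

Added detection example for this report, not sandbox output. ProcEvent and its field
names are this example's own; SAMPLE_EVENTS is constructed, the first record mirroring
the NJRat.exe -> netsh.exe step in the process tree, the others hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Legacy (still accepted) and current netsh syntaxes that whitelist a program.
_LEGACY = re.compile(r'\bfirewall\s+(?:add|set)\s+allowedprogram\b', re.I)
_ADVFW = re.compile(r'\badvfirewall\s+firewall\s+add\s+rule\b', re.I)
_NETSH = re.compile(r'(?:^|[\\\s"])netsh(?:\.exe)?(?:"|\s|$)', re.I)

# Heuristic for this example: locations an unprivileged user can write to.
USER_WRITABLE_PREFIXES = ('c:\\users\\', 'c:\\programdata\\', 'c:\\windows\\temp\\')


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


def split_windows_cmdline(cmd: str) -> List[str]:
    # Quote-aware split of a Windows command line: double quotes group, backslashes
    # are literal. shlex is unsuitable here: in POSIX mode it eats the backslashes of
    # an unquoted path, in non-POSIX mode it mis-splits program="C:\Program Files\x".
    tokens, cur, in_quotes = [], [], False
    for ch in cmd:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append(''.join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append(''.join(cur))
    return tokens


def firewall_exception_target(command_line: str) -> Optional[str]:
    """Path of the program a netsh command whitelists, or None if it is not such a command."""
    if not _NETSH.search(command_line):
        return None
    tokens = split_windows_cmdline(command_line)
    if _LEGACY.search(command_line):
        # netsh firewall add allowedprogram <path> <name> ENABLE   (or program=<path>)
        for i, tok in enumerate(tokens):
            if tok.lower() == 'allowedprogram' and i + 1 < len(tokens):
                nxt = tokens[i + 1]
                return nxt.split('=', 1)[1] if nxt.lower().startswith('program=') else nxt
    if _ADVFW.search(command_line):
        # netsh advfirewall firewall add rule name=... program=<path> ... action=allow
        for tok in tokens:
            if tok.lower().startswith('program='):
                return tok.split('=', 1)[1]
    return None


def is_user_writable(path: str) -> bool:
    return path.lower().replace('/', '\\').startswith(USER_WRITABLE_PREFIXES)


def check_event(ev: ProcEvent) -> List[str]:
    """Findings for one process-creation record; an empty list means nothing to report."""
    target = firewall_exception_target(ev.command_line)
    if target is None:
        return []
    findings = [f'pid {ev.pid}: firewall exception added for {target}']
    if is_user_writable(target):
        findings.append(f'pid {ev.pid}: whitelisted program is in a user-writable path')
    if ev.parent_image.lower() == target.lower():
        findings.append(f'pid {ev.pid}: parent {ev.parent_image} whitelisted itself')
    return findings


def scan(events) -> Dict[int, List[str]]:
    """Findings keyed by PID for every event that produced at least one."""
    result = {}
    for ev in events:
        findings = check_event(ev)
        if findings:
            result[ev.pid] = findings
    return result


# Constructed records: the first mirrors the report's NJRat.exe -> netsh.exe step,
# the other two are hypothetical (a legitimate installer rule and an unrelated netsh call).
SAMPLE_EVENTS = [
    ProcEvent(4560, r'C:\Users\Admin\Downloads\NJRat.exe', r'C:\Windows\SysWOW64\netsh.exe',
              r'netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE'),
    ProcEvent(7001, r'C:\Windows\System32\msiexec.exe', r'C:\Windows\System32\netsh.exe',
              r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Example Sync" dir=in action=allow program="C:\Program Files\Example\sync.exe" enable=yes'),
    ProcEvent(7002, r'C:\Windows\System32\cmd.exe', r'C:\Windows\System32\netsh.exe',
              r'netsh interface ip show config'),
]

if __name__ == '__main__':
    for pid, findings in scan(SAMPLE_EVENTS).items():
        print(pid, *findings, sep='\n  ')
```

In production the ProcEvent records would come from Sysmon Event ID 1 or Security event 4688 (with command-line auditing enabled); the self-whitelisting check is the cheapest high-signal rule here, since installers that add firewall rules normally do so for a different binary than the one running netsh.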

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
  Filesize: 3.0MB
  MD5: 81aab57e0ef37ddff02d0106ced6b91e
  SHA1: 6e3895b350ef1545902bd23e7162dfce4c64e029
  SHA256: a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287
  SHA512: a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

• C:\Program Files (x86)\Butterfly on Desktop\license.txt
  Filesize: 2KB
  MD5: 014a8639864fcd7bbe969cac86add7e4
  SHA1: d7078bfd45a886fc9a779c9a71e97397681e68dd
  SHA256: fb9cc5f7bbd888e920dd5ea422b35eb548eb63215c6f6617805736ea8eb0db77
  SHA512: 83bd3d716637e53f67ea1cce6e92cb60fcdc0c98ee4b0223d95047588ff458e0b76c152dd62822d1fe3cf56260cdc61e999f9e943da4bbe97766cc9cba631f7e

• C:\Program Files (x86)\Butterfly on Desktop\unins000.dat
  Filesize: 4KB
  MD5: 358192e6b48de9b5a35057153f3f6f5f
  SHA1: a13e1f7face1b3c3c610512fdf9bae35e9710864
  SHA256: d91a016ef8045ea7896abd45c4313ac81d69082cd47b96f5d5594006eccaa568
  SHA512: 0cb8177fa2917cd219314e588e3d76e902289021b436ef08611791679c9f47089f91b0dcb5abd0976b2900262fbba72cdc42893f7c1f15c45bf0d37e37ee4fe2

• C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML
  Filesize: 4KB
  MD5: 6569c316a06004c4d1b134cb5b5a1303
  SHA1: 33c83185bdb5e2cf29db373fbddac22c870a6f63
  SHA256: 7e885a46136df0c4f484c5605142dd99756c0fc8adeea9a490dc2c143007b3dc
  SHA512: abb6f0dc424cbc894111961da9553c7ea67e5cb65a6fc09fd67b141df69ed5e4c18d6d848e6e9649cbb62378e4b1d550161b1b7dfd220c8d86529797d98e10a1

• C:\ProgramData\Hdlharas\dlrarhsiva.exe
  Filesize: 9.1MB
  MD5: 64261d5f3b07671f15b7f10f2f78da3f
  SHA1: d4f978177394024bb4d0e5b6b972a5f72f830181
  SHA256: 87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad
  SHA512: 3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

• C:\ProgramData\Hdlharas\mdkhm.zip
  Filesize: 56KB
  MD5: b635f6f767e485c7e17833411d567712
  SHA1: 5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8
  SHA256: 6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e
  SHA512: 551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

• C:\ProgramData\Hdlharas\mdkhm.zip
  Filesize: 57KB
  MD5: 3e4eb12184d217df69a3b72241cae36f
  SHA1: 14c27638fdfcd87be5f37a7492d2800d3179a9a0
  SHA256: fb35c696aaa9f80a9b02f78dba875e716a268b12fdba54eba6830492a215da6c
  SHA512: 133f42c65100d0b308c2e2c081d4f0a99e785c3eda48ba49df1945e9c398f8fa64b8897caa15afddc0921a6f7e27cc455dd2a770367f09381dc0cef7f201eeca

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 0446fcdd21b016db1f468971fb82a488
  SHA1: 726b91562bb75f80981f381e3c69d7d832c87c9d
  SHA256: 62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222
  SHA512: 1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 9b008261dda31857d68792b46af6dd6d
  SHA1: e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3
  SHA256: 9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da
  SHA512: 78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018
  Filesize: 20KB
  MD5: dd62255c6e72b80ce88a440481d3d22f
  SHA1: 17758b8673c033ecf7c194e5d1190bbf9516c825
  SHA256: 16921001068e64b8ac9935d54eaa1dca108647370c5987443732ecd4f0f56249
  SHA512: 19cb0414fa378f59229d6296a4165e3a073fb6c6b812969c7015d3f73e7738c70893346740396986c6148ca1fcd5e7a8021aed775c808eb67ee9d1b301f0ee76

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 864B
  MD5: 4f1b572ed3536242329ca95399adeb5d
  SHA1: ca6a429713a747f8c2f03163b7b7ed2755103082
  SHA256: 2ca1379df7d33f17698d34851041761a5a948cec023bb8877049068a541ac508
  SHA512: d474da315ed04f554769ea4ff37e12e0a9499886f430590bc4d379aa724b3bfa524c31aeebfeefe208401a28b2a9c00188a87d6686788a9da9a1e7cce1863000

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 2KB
  MD5: a4056a92b61a8aad9744fdb4c0dde817
  SHA1: efa22442b573338643119e5fda2f94bf74ba2bc6
  SHA256: dac8b9126a47f8e006baaa428512cf118072975913bfabc87c2f262f475f7c16
  SHA512: 98523a2ca23ebb005b1f08c6e37d9f1025c30364eae052b6cb42b6d078fc07c16ff22ee21fc8f441b6836a7c729d7bb50eab752e81d4a823de3cb3ff5c8909f5

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: ab694cedb68698927a1cdc6a9284f6eb
  SHA1: 5e8b2b3ab2d3a4cc42aaccfe3775f5b27658ebea
  SHA256: f21734815da8c323dd248be989223e426b366452df43e2104a28d1997eb184e1
  SHA512: d49987d10095f3f6231ec9e16780a75e741aa5feac0e194cff7a5a49ebdee16686f54c73935742239c67fa33590a2ee1678c490dc0b18f968ff58e78d6301239

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 8KB
  MD5: 8e57c847e03b916d6ec69fe5efa1d161
  SHA1: be9477dc4fcab101cc9452fba948c454fc4b2ac2
  SHA256: 776cd0ff88e9ae042a397126439e29bee75b0867428b17b4ac79a333e93f9d3a
  SHA512: 6a858430706d187b5afc2063991d3da3daf2ba6e5cdea85cd273d50855fba8e834233c2cad40faed0ab672ab03ca95a970a808bf8bcfb16eb94641f19d8779bd

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 3b22e96adbdea702d15a619db627b483
  SHA1: f8fb2b3e4b8b4d0e05e8ec89e213476b6bbc2a82
  SHA256: 30f1633d6f0d239f267653d440ddfd833479c8f593434ce6e47e8d08943eab68
  SHA512: 297bdb6ce320c485c68f627361c686b95b28bd42ec600ed2bd97e46c462a2b115b4e587b7d279ee4ee246a37e678b24f23f0d53a1674b4cb4dbb9417cd712182

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: ebcec5983d98f9f16e4af2b8eedd2964
  SHA1: 0b3639b6edfa79b6b784624dcdb7f03e82422c7f
  SHA256: 59382da9425594047ff6a74f02281c0c397e5e6796e5f9b26d90007ad5e51e63
  SHA512: 043e49a67e8076d2696b67c99fa5d10cf037b80ad92b12d90b6a7a741bbf3ea6ad68c0cca8d3801b51eb7d39b124401cd98df8e4e17e89088db3c5dca31262ba

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: d4ef9352f08ef94cda9d0f48bcb6c773
  SHA1: 1b65c1a90e7d5ba52233d341eb07ae92805abb7e
  SHA256: c41d68abc1dff7176e6cea7a941641a5f59322fee7d9b1d0891e294507d96a6e
  SHA512: 37968a2faa2b89af7f8e41841ed3862793f993f3ca03924b0e68e97a4fb6bb210a1ff3a6768468d0517bb84b8943ec4139d20b5ba5ca4f67618aa11fbf02cb4f

• C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T1CTRFUW\suggestions[1].en-US
  Filesize: 17KB
  MD5: 5a34cb996293fde2cb7a4ac89587393a
  SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

• C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\activity-stream.discovery_stream.json
  Filesize: 33KB
  MD5: 5120d25ae113d269e572def866f5e9fa
  SHA1: 6d871ad0514bd79adc3ca775ee0ba40399819d0e
  SHA256: f5a4b2f9c8fd24ed652c749eac645d718bde338b8577e850aa6e7170bb982a27
  SHA512: c413d0e36b54654bbbb28a553b8f5f995462f1e02504bc0436e260e3c1f53e7bd2780a8b4e51aa4f07f79042455625264dc92311ae5917bf8adf6038d119a1d3

• C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\959CF48BAAD235E68169923EB0513440CADB4E07
  Filesize: 179KB
  MD5: 9f1358363a45f33cc0b5b2a87c6395d4
  SHA1: 7f12deca47996fdad35a97974161191e541a518b
  SHA256: 68afb33a889520e95f96881599269bd527192c790937d3e9b517a5d82d6adf9b
  SHA512: 7edda482f3ed27c57662f368171ccf6c35604cdc865d42e04e70c96ad3d6280b3c67ab863fcbdc10709b17181eeb2428d4f2a13de023bf8a04f5bbb224508968

• C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\jumpListCache\5tOoRgqM2WFj6Vw1c4rO2_+YmkxFZjW5qiS0f5iJu1w=.ico
  Filesize: 25KB
  MD5: 6b120367fa9e50d6f91f30601ee58bb3
  SHA1: 9a32726e2496f78ef54f91954836b31b9a0faa50
  SHA256: 92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0
  SHA512: c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

• C:\Users\Admin\AppData\Local\Temp\install.bat
  Filesize: 135B
  MD5: 90022f82afe48963cc42547209f18f96
  SHA1: e60698c77e7df4cccc493f2cfa6d76f7553d71e2
  SHA256: 046509f2b672f0f5da1b5441649873c736d81853701b67094bb319b025afb2cc
  SHA512: 6743f17da515c61ba1ab3df53077929d6f480f84978bcf8ae61880015221f245fde6e3a2ffe3dc937f80b37e8774dcc61838ee4ed461658b3a44f02cc0469208

• C:\Users\Admin\AppData\Local\Temp\is-GRCCR.tmp\butterflyondesktop.tmp
  Filesize: 688KB
  MD5: c765336f0dcf4efdcc2101eed67cd30c
  SHA1: fa0279f59738c5aa3b6b20106e109ccd77f895a7
  SHA256: c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28
  SHA512: 06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

                                                                • C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

                                                                  Filesize

                                                                  2.8MB

                                                                  MD5

                                                                  1535aa21451192109b86be9bcc7c4345

                                                                  SHA1

                                                                  1af211c686c4d4bf0239ed6620358a19691cf88c

                                                                  SHA256

                                                                  4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

                                                                  SHA512

                                                                  1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

                                                                • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                                                                  Filesize

                                                                  479KB

                                                                  MD5

                                                                  09372174e83dbbf696ee732fd2e875bb

                                                                  SHA1

                                                                  ba360186ba650a769f9303f48b7200fb5eaccee1

                                                                  SHA256

                                                                  c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                                                                  SHA512

                                                                  b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                                                                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                                                                  Filesize

                                                                  13.8MB

                                                                  MD5

                                                                  0a8747a2ac9ac08ae9508f36c6d75692

                                                                  SHA1

                                                                  b287a96fd6cc12433adb42193dfe06111c38eaf0

                                                                  SHA256

                                                                  32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                                                                  SHA512

                                                                  59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

                                                                  Filesize

                                                                  20KB

                                                                  MD5

                                                                  37b6301d140666b52c0be03805162761

                                                                  SHA1

                                                                  fb86c061e4a9ab47b5019c5d00a790de2907267f

                                                                  SHA256

                                                                  4b60d4c650a2b95f8872c9721815f670f058d017fa7df9b862870b1956a65d81

                                                                  SHA512

                                                                  256b569933ff33b7a6090bfb5a236015998d52debf17e851801c3fb1fdd098c4ccb4cd73f731ea9764f452e6985dd2e949c9b9da466c8a2a7369a1f87c7a7c22

                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

                                                                  Filesize

                                                                  19KB

                                                                  MD5

                                                                  ecd24da2f3a4285235c21f4a4cebb6e4

                                                                  SHA1

                                                                  4df2521318666415ed387eb3519520c445314234

                                                                  SHA256

                                                                  4a5c33f4a899b93e0697eb01b7b82b9a0bfca53820faab4940c4e823708dde4c

                                                                  SHA512

                                                                  bcefdb3c16d6df8a4b0130615d3f29d14ebf8cd65cf14f717728c8db2794ab0b1bd0a6e59290d0eb299676f1862fae492e085bff08208fdbaedf8b7c21cbcf0e

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

                                                                  Filesize

                                                                  7KB

                                                                  MD5

                                                                  4c27f397d4e64efecd06450b26545f16

                                                                  SHA1

                                                                  975cde2380061a74854b4558a076087b18f16b41

                                                                  SHA256

                                                                  e77a018d20858bb68789ff659e507f0d3a30b354a2f7dd43493ef335731d0df1

                                                                  SHA512

                                                                  b45b339612c3972c5ca936f9f56d10b79ce18e7f0e87089d068633c24bef76f55e0e05edfdc5ab471fa6573948f0cbdfa5a0b8c40e29a3dd5ada0d0fa91d3bb3

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

                                                                  Filesize

                                                                  14KB

                                                                  MD5

                                                                  b1df77774465e0fd3f802db52acc9af1

                                                                  SHA1

                                                                  d0eca8115e844f14a2a6709d15527efc98b3f346

                                                                  SHA256

                                                                  347f3a0d9084f9edd7061d39c2dabe88d1b4752aad972671c6001597c444bf9a

                                                                  SHA512

                                                                  21b4f41bfbda2397e7e4b58a90ddfbb469b1e15cdac2cf50deb46a93855fd65c6363fc2ad203ae43608bb2b612b6abae410455e4e94e1c0dd4a145aa3bd14bbd

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

                                                                  Filesize

                                                                  13KB

                                                                  MD5

                                                                  0cd9bdd4ab3ef8784f254f121c2f11bf

                                                                  SHA1

                                                                  3d20c604c233ef95a7178cf63b980ad582a5f005

                                                                  SHA256

                                                                  9abb6b0afc8eb3c101796a79249a05b13113daae786cb93ffea8f84f49939dc8

                                                                  SHA512

                                                                  7e820658e5eb8122eba68069c96afd81dc91dfc40a57c63dab34f5dc2935a349019bc373907a151187f72d26065ef59589a157c40c7c02e593bfbf0ba7987aa0

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

                                                                  Filesize

                                                                  17KB

                                                                  MD5

                                                                  ed4874d418581d64c528459578bf329f

                                                                  SHA1

                                                                  2becea961540722621d16803ecae9e1097a8876b

                                                                  SHA256

                                                                  dae3e30dc25d0a15aaf1fae5ecaf5f111246efa261ac884b0bd79911ef0b312e

                                                                  SHA512

                                                                  7e531674a64f299591553a286e8231c732a62654d90aac85221646b3f2fd1cf76592e084cf22240286abd9e3d6a7b9f166144de15073ca2b939254f3e154f979

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\SiteSecurityServiceState.bin

                                                                  Filesize

                                                                  3KB

                                                                  MD5

                                                                  0198f27014b1c11d06085579e54dce44

                                                                  SHA1

                                                                  1527bde0713ba9f847ea948b667585f9106a4bcf

                                                                  SHA256

                                                                  bcf664200430af7a00c14e06bf8e6b0ec9e087705e0ae4464bf25ba16b9aaa8a

                                                                  SHA512

                                                                  fdd614af688e32b451678e2d734f85a35f350fc2283d1515dfe53cd9d0bc8cdeeaa78f993ba96ead230674019aac6a0cdd755ca4d5398780f4e60156b0c73786

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.bin

                                                                  Filesize

                                                                  7KB

                                                                  MD5

                                                                  b7f2aeeb357e813d0070fe7081d27bb8

                                                                  SHA1

                                                                  24d71c4ebb183c70aff9a55925554d9d6cb31a64

                                                                  SHA256

                                                                  a977931f200b966488e063e6373ad2cc8efbe691a90ed2eed37365869ba95586

                                                                  SHA512

                                                                  99b4a3e1ef562ff5669aef55c571f8057bcb2aa30b72eda9c0de169da91ea039523c12e0977cc453e3ba6e043855bef086a86d2ea1876f0cb9738e6adcc1a6c4

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

                                                                  Filesize

                                                                  5KB

                                                                  MD5

                                                                  c02ed35a4c2c1acffb1a3accd5cecae1

                                                                  SHA1

                                                                  d73b4e80ea69797b1bdaecc5c3683ec01e671bcf

                                                                  SHA256

                                                                  945dd0d1c59066d4589547bd14b39d9e058683ba218d2db1b69489afd0eec7f1

                                                                  SHA512

                                                                  35cb5f3538dc08960b6ee08a37c6eab4921a8fd7b8883d154ed7f151ef184682d7af74bba87cd3fb85a29fba10fcaa38f963867baa512d7bf2e54a38febef69c

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

                                                                  Filesize

                                                                  6KB

                                                                  MD5

                                                                  73bd1e2e4b04a0e6cce88672e61d8ccb

                                                                  SHA1

                                                                  ac53403e1fc752e2fd72bbf17f6e83501bd1e2eb

                                                                  SHA256

                                                                  f93361746d5bab05b7089521612476650cedb5dd57aaf8438fc1b2a3e34bec53

                                                                  SHA512

                                                                  029073071bcb700513b5b6f2916b351d5d5665fcd54c6adfcd04e89e5d16f2996e418eeec071357a47c65ffcc5add1dfc05918bb82cdfeedc4d4a7e837e0b9a1

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

                                                                  Filesize

                                                                  6KB

                                                                  MD5

                                                                  2650a0ba839eaaa4a516a991a71dd217

                                                                  SHA1

                                                                  4f09d5a09dbe9ca3d3dc865ab67b1ad8cb9ab078

                                                                  SHA256

                                                                  efe0670fb7382e5e9507c3bd869305dcc523148b9abad7d7ebdcce8947bcb003

                                                                  SHA512

                                                                  525365b2ed2fd2c9d3b6979d157d286dc91aae084968d4a15e6c447f59b4d6e0be4a0850c83aebf5a0f84f029890d05e141dc35f04acb8611dca91938a41aad1

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

                                                                  Filesize

                                                                  55KB

                                                                  MD5

                                                                  2daa9bdb4ecfac0f2578c1a37a7b852f

                                                                  SHA1

                                                                  e4dfab5ac13c74a3e65f6be371a90fa788526ff4

                                                                  SHA256

                                                                  16be09a9221eef2c1062b76d7376aefd7a98fb1b5cf575f0fdb5ab666013b075

                                                                  SHA512

                                                                  39f8d754296d87e33cf07086bd250f71b2576ae99859cafa06c989ac543a1b15e18b740f2f6040f1630fd6c1901d448f4ece13feef8b9b136282f4558ab58399

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

                                                                  Filesize

                                                                  55KB

                                                                  MD5

                                                                  e79b6610d8dcd0b1079f8cab10b8b6df

                                                                  SHA1

                                                                  0e672b670201622a8eb11c467942d2f66ded1b39

                                                                  SHA256

                                                                  3cfd583f837a278bcca231eda8b18f02cc05935d9af34eb0b27591280295b4a9

                                                                  SHA512

                                                                  c65ce3c39f2c55e7e15f98ce51c4b34298fed2c70257ad606f9c28e96f7188054f0a94c4bd9ab39ba730d63a09488b5eca2bb06f0ed7e4740d6465853fc9e04f

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

                                                                  Filesize

                                                                  58KB

                                                                  MD5

                                                                  e24807ec01764abd2564db396f8085ec

                                                                  SHA1

                                                                  eb1ee114a8848491f1497e9db1225c180805ccbe

                                                                  SHA256

                                                                  6098b421e03ba700e892c56e610c024226a017ab0327211b7fd42326592f95eb

                                                                  SHA512

                                                                  a13c2fabcb470c4b10acc98d1c098c0b2f19ae23ef08837d81c7714180b8ff5059f40e941e71f5552136a08a2eaecfd26de57c7f7a73980de72c7fae86ae0bee

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\events\events

                                                                  Filesize

                                                                  2KB

                                                                  MD5

                                                                  77d6a0599a15cc6e1a5e9af7f3e6d591

                                                                  SHA1

                                                                  1d3917d2588903daaf549c8ba41af70cad326c5b

                                                                  SHA256

                                                                  3ec4cbff03ed2439e5646249485e51513044fbcd6db26e9ea37e3770fdc84aa9

                                                                  SHA512

                                                                  8c71d289f2c7147e376f38c0750eb1dba3a8751fa1f23ba2cc1a14f127454ced7ffe684e9fa41277579130961417d6b4d71628ac27b4ca810bb0131ee8f59efe

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\3a335481-108c-4aa3-81b6-8aebc7cd5a6b

                                                                  Filesize

                                                                  671B

                                                                  MD5

                                                                  97d55ae547b08aec3186336d970d5a09

                                                                  SHA1

                                                                  ebeabff8c5576b12a1af116cbde012984a0bb0dc

                                                                  SHA256

                                                                  5db53c5ae8049f7f6464b372b4e630d944276d92efdf08b15f8661d06e6e3192

                                                                  SHA512

                                                                  e6b73eecbed7347e6dd23592a3095dabe305cc02d7e854bb74cb67f51c5da4fb98a4363eb441c1bf72e2603bf7b16104ec6e189a4a798f3152f275eb738c4456

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\4bd3c9d2-e6af-42ed-b781-501730d0de83

                                                                  Filesize

                                                                  847B

                                                                  MD5

                                                                  e34c393a22da386a44b3016cd13c29ab

                                                                  SHA1

                                                                  fdb7e71c42ff3d45e2ff6f153d9be681b5a6bb0b

                                                                  SHA256

                                                                  3f4085a6649d125cd4b9f4b393d2934522497613206ce82d72939fac849e9924

                                                                  SHA512

                                                                  0779a5c428b32d3528df9ba9731698e5d296ca9fb64f6b02af836ab59e8a778fd4619405ef9981204f7943965ef64b259a88e21c2b21d8eaff38749fbfa22df1

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\921e5dd5-d8da-45df-8261-aa91b5e28d97

                                                                  Filesize

                                                                  4KB

                                                                  MD5

                                                                  05a4566eac2b9dc76fdb9d48b11b5fc4

                                                                  SHA1

                                                                  8303b86df537618ed9dbee77b9b4d117c554c8c9

                                                                  SHA256

                                                                  e255d2a511bd5c2744c749a0ff486725db40241dc049fdc7414146322b868776

                                                                  SHA512

                                                                  f3b66571be792a7c64b1d9155808a1273ff5980da97d582aeff5394d5ca068d45221c92e6f9122ccb7aa0b34dd592ed18803bde7f230e0f16279930e03ad2988

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\c68c5061-ac17-4626-bc4c-f9290078ce5e

                                                                  Filesize

                                                                  982B

                                                                  MD5

                                                                  4e8d9e3e9c59466fb0fb9d4b8d1177b6

                                                                  SHA1

                                                                  5efb2c0a678a952785e31b62b9032a5dafbdb4c2

                                                                  SHA256

                                                                  537b5cf6840079b24c2b96b8bdac36c27e924976990f062759d415349573ccd2

                                                                  SHA512

                                                                  281ed6a784a5327bdeb5a5c622a9a8ffd9f73bba6e5e9c713596fd664e4e3bc65c1cb8e222a1b7d876aa8908f99b231063d96aa22e48a3310ccec9b3a734f405

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\d1f61ab8-a5be-4d98-a37e-82acdbe7919a

                                                                  Filesize

                                                                  28KB

                                                                  MD5

                                                                  0509abea012c97b939d99a928368b671

                                                                  SHA1

                                                                  44ebe0e2ab012d5a71c39a6eb5a22ddab70b1dee

                                                                  SHA256

                                                                  4e57665955dd33ec96b514304aceea1f924725d5b24f2e022f1d75cf6da96d05

                                                                  SHA512

                                                                  776bddf0597d9f475349a3f83263e01f79872355d504ff0a89f2b9382eccb13da31eaf4174c29ece0d4b06bbec593c22b0dbc68f66239e000b885c40c6fe6d96

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

                                                                  Filesize

                                                                  1.1MB

                                                                  MD5

                                                                  842039753bf41fa5e11b3a1383061a87

                                                                  SHA1

                                                                  3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                                                                  SHA256

                                                                  d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                                                                  SHA512

                                                                  d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

                                                                  Filesize

                                                                  116B

                                                                  MD5

                                                                  2a461e9eb87fd1955cea740a3444ee7a

                                                                  SHA1

                                                                  b10755914c713f5a4677494dbe8a686ed458c3c5

                                                                  SHA256

                                                                  4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                                                                  SHA512

                                                                  34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt

                                                                  Filesize

                                                                  1KB

                                                                  MD5

                                                                  445832e68cbe83e8478e025ede8ae9f1

                                                                  SHA1

                                                                  c70b2afbb5325698ea4c0ed48ab5eea2b5b2102c

                                                                  SHA256

                                                                  f02d2a10cfa68ef45da56d24e59e4cc43806d61111ef7c4055b2ae343aa52459

                                                                  SHA512

                                                                  04cc9c1886c8ead9bfd7317fe656ff0637a1cf8ef81a4caacc5c9a481906962ad3374ab524a951cfa5b4a6d84ce931b72e3ad45a537ddbdcbae1cff40ead402d

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

                                                                  Filesize

                                                                  372B

                                                                  MD5

                                                                  bf957ad58b55f64219ab3f793e374316

                                                                  SHA1

                                                                  a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                                                                  SHA256

                                                                  bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                                                                  SHA512

                                                                  79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

                                                                  Filesize

                                                                  17.8MB

                                                                  MD5

                                                                  daf7ef3acccab478aaa7d6dc1c60f865

                                                                  SHA1

                                                                  f8246162b97ce4a945feced27b6ea114366ff2ad

                                                                  SHA256

                                                                  bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                                                                  SHA512

                                                                  5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

                                                                  Filesize

                                                                  12KB

                                                                  MD5

                                                                  5334f27f0a168922eecf5421b0a9e8be

                                                                  SHA1

                                                                  f83b1c915dca03e5ce2ee19978f34ec23463495c

                                                                  SHA256

                                                                  e8ca418cc1b81b9635da38406c087b76cacae5fa0fa56cd605474ce43cc9ccb5

                                                                  SHA512

                                                                  3a60b6bf413f6532642f20a2206532397893845255413e6bbb38dcfd8b7e2d979e146b0a6aa66dd8c1fce3d770bcebf9abbd856810a147a5ebfbb6df6a080488

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

                                                                  Filesize

                                                                  12KB

                                                                  MD5

                                                                  9cdd24ea13d68584267a46410507846c

                                                                  SHA1

                                                                  100799e2d60a5eb526336d15ef9a80a31feba909

                                                                  SHA256

                                                                  ab1df8c7123909cc75eb9528662c665583d84512a0c5634e21fb031190900195

                                                                  SHA512

                                                                  3f94b92f79c292ff14ac7bc9a9ccd8cac24ca4cb37d94bc11638ccb336763990bdc98697ccdc42419a34c6dda1f814418a1f9b0be3aaf9889a488143644f415a

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs.js

                                                                  Filesize

                                                                  11KB

                                                                  MD5

                                                                  208d382607dde2e3fa18b6da5ec175aa

                                                                  SHA1

                                                                  e8cf87292f1a7b7e41b23b425e5e3be62dfe1d57

                                                                  SHA256

                                                                  43d4e4f3d3dcc2a0a18d4025480e144b6533790554fbe9a2040993ad482ac3a5

                                                                  SHA512

                                                                  9eaf61740b1d0835511398b726d99272390e94c88859197408c1acfc73609a94c3925155ea81718ffcbee98bdbd09507239ee48171cbfe757cd1b61184725de3

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs.js

                                                                  Filesize

                                                                  13KB

                                                                  MD5

                                                                  f19cb74fcf3d3364fef85c78996d95f9

                                                                  SHA1

                                                                  2b6226394897c4dec7c7017155098346814c9bdf

                                                                  SHA256

                                                                  9ea078f3bd7f9aaadbc03d48ad6ad1c34121a4354bbf4b5a6511d93848137362

                                                                  SHA512

                                                                  02747efac95339a0af97f2904c51cfdd19ae76c598adf199bad2a340155a3f78b0434c6dc73801126a526ad9c141bd1c83b93e20f622cd3b55e522d650104329

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

                                                                  Filesize

                                                                  5KB

                                                                  MD5

                                                                  56d3e346a3e0c57ecde3e64a64dfa23b

                                                                  SHA1

                                                                  89461c146aa4676f2736c62e68f96c528c86e582

                                                                  SHA256

                                                                  e2f2ee9ff2df8b5d631077365d9a3fb2ad9a7b0fadfea751da3c481d8426b86e

                                                                  SHA512

                                                                  36441432967cf207cd7ffab3752846acd77a4c1aec02ef0f4ef2ee70dfc196479d8566119d3e25bf81a5d21cf60fc297c61d9b5d5eb3d9660b1d69e168ce88bd

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

                                                                  Filesize

                                                                  7KB

                                                                  MD5

                                                                  ae41149f86ac89d6998c998ede538185

                                                                  SHA1

                                                                  e143580a0e214a143830a108e9a177812470fe61

                                                                  SHA256

                                                                  5345cce7a2e14237f45bbd574771dbbe45086569659b40722eaa953b0d313f3b

                                                                  SHA512

                                                                  ffdbe3b2721613c95ed7e99c83b4f323db127a6512f99fc825f5adc9f14818cf53829552b8276ba844fb299b162b0846bc54a3573b4064ac9f2c12d4edd955b7

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

                                                                  Filesize

                                                                  7KB

                                                                  MD5

                                                                  4e538180f8751d62be8da0b705eafbd5

                                                                  SHA1

                                                                  6ab027c9b7a5bdeed151c80c65b84c0645495115

                                                                  SHA256

                                                                  e85e7c63f749355116189759861ebfd0a1a1841860368cb721ab234f818b0876

                                                                  SHA512

                                                                  319b059429597184936c3096905ed3ac2238b64c32faea407ffb90f74b1899aa4c82439d0a9ccf9796b3e1b7fed6251c6224b0bfb37b9920fae8ed24e9256704

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

                                                                  Filesize

                                                                  10KB

                                                                  MD5

                                                                  5494a0bf0ae5d9e70f24654990386e6f

                                                                  SHA1

                                                                  0fa20d232dec997785d79b6ef706e13e7cd6c027

                                                                  SHA256

                                                                  988ba3f1936b72e48b8b86950092c4604c535916d40934e68745fddf3862b7a7

                                                                  SHA512

                                                                  9ef2825edf6fd5874d9d6ca1b824cec8a362261c25e7201a5d52a37c353a480189b246acd6f2616d40f161e099b177a78200603f5cb1c82f007a2ca270e0a079

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

                                                                  Filesize

                                                                  7KB

                                                                  MD5

                                                                  80e2d0a4254b9a97436e5f125ee68002

                                                                  SHA1

                                                                  a3f0818fbe51286d1820360959e968d1143ea262

                                                                  SHA256

                                                                  c749ac55f328e283fc9590b8cc6821fba60faa7cf5858445ec61d71bbf15ecd4

                                                                  SHA512

                                                                  305683a1c72ebfc82c1e329968c85e26ae4a37ee070e7ca38a45eb3056268d443807ca43cf00c3349ef6e3c77be40ab79e0a8bdb4bfeb8acd6fe14fbe3797cfb

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

                                                                  Filesize

                                                                  10KB

                                                                  MD5

                                                                  b58cbf4bd216a6c54cd835a125de515c

                                                                  SHA1

                                                                  89fab78862d210dea72f03092fcd8d988d044cd0

                                                                  SHA256

                                                                  885177e588156b69ad94d237b4a035beea17b0367d3d934acfd685ed421934a9

                                                                  SHA512

                                                                  55d8ef0345f33978e5e9ed83afebf078231ec7435a656a3dc500552f1472c57863779095e1de69ad08e5c5fa65671b39026b38eed3c9eb78d09b87e9231d4880

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

                                                                  Filesize

                                                                  10KB

                                                                  MD5

                                                                  684c146fedbe092fd06efc181d39eb16

                                                                  SHA1

                                                                  8e4a42b68b3db528568bbf1497118ea9376f2ff2

                                                                  SHA256

                                                                  c6820080116e9111cb50dd78918ab12a5428aacff1f873464833c29853d1a1e6

                                                                  SHA512

                                                                  29d6b5809ab997c1815a83148b69361889a7c2c45deb25eb1fa3ed5c7d209d72bc95609e691f3be5a3f313b61a391b571aa730674b083544110c631cb28ed782

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

                                                                  Filesize

                                                                  10KB

                                                                  MD5

                                                                  7f0b792e816503185753bf77ab204258

                                                                  SHA1

                                                                  ac8cf000fd3076d7b2d4c7a61a35ca1481d7d0e4

                                                                  SHA256

                                                                  a2d793962c340b9cf0c30cfdcf3ac8d2ac842e5e70c56bf845f80ae758c47289

                                                                  SHA512

                                                                  ba95ceaf47da3948076c72d1e4f719a8bc49763f6ddf5efd0acc5f94084c81afc7acd61c814398ea1fc83439f6778d36f37958968902299e3863875a65697f2e

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

                                                                  Filesize

                                                                  10KB

                                                                  MD5

                                                                  71bc7a563f46bedba3cf99203cc0007b

                                                                  SHA1

                                                                  71f03ec824a124d0465fdd59583cbe05eaec07e3

                                                                  SHA256

                                                                  eb9fcd4dc84847da5320d11980923f4ccfed7451acd9fef8b32725153d260939

                                                                  SHA512

                                                                  ef0f8028d558d4d2f8d8325ae96912e1e38f6b43d610e6ca881cb01d616493a639c2d4e9a37bd8cd3540d77fc8a7fa8cc2d917f323d0277bab74efd832300499

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

                                                                  Filesize

                                                                  7KB

                                                                  MD5

                                                                  c0aba4d1b64fb9da68795a4ad1ed5451

                                                                  SHA1

                                                                  f90340731708600785eb1d07f8a94b5fdc77174a

                                                                  SHA256

                                                                  edac3b1d67ba83ebe67224a89f2f0e36fefb49c0b9c760092bb5fcd1ddefe439

                                                                  SHA512

                                                                  6e7ff9611e6c91d5e2b5431a81c6b334f3e793d0aad44455122a9bfd1039dfd32ed591ca5af33735fad6633657308e3039f445823a2f9f437882ebddf8e006a1

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

                                                                  Filesize

                                                                  7KB

                                                                  MD5

                                                                  d24ae6ea332bf15723be18774118204c

                                                                  SHA1

                                                                  d861471108095ea17a62e849ca2b89078c1a5cde

                                                                  SHA256

                                                                  82ef3b680c01dcde089460bb5b5084c05a69c5bab3c9a51e866e5b0e05b7f88f

                                                                  SHA512

                                                                  84031ccbba636d588cbde3e7ae9f25f6c36079551eb9ebefee90f6efa6a66650200ebd2b40b8ed50cc2069ba96496ce17fd0a6a737489551ae182d8a5495ec74

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

                                                                  Filesize

                                                                  7KB

                                                                  MD5

                                                                  a6fd7edefed67c85677704329c6245bd

                                                                  SHA1

                                                                  50a67c783b330c5804bb1b86fbf3e96dccb9a760

                                                                  SHA256

                                                                  b00bdfd9b7b941c622cc320efd99d82b2f5ebca9f65a0e4ddaa6b8b33c2adf95

                                                                  SHA512

                                                                  294351ee19f592fd7dcf6f615f1e00ebbc2910326fbad5e452aa02277bd84889aa170da5c26994f208504a2313fab0dc23c8725701afa243c15d7410428cb91d

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

                                                                  Filesize

                                                                  8KB

                                                                  MD5

                                                                  437087237acebefb1b4ca12d1022fcf7

                                                                  SHA1

                                                                  89771a39d15121663294b36d725d68fa2ffbc4b0

                                                                  SHA256

                                                                  c82b3c17a0c42cb08df340330a73d296ff9ed8a5cb53311b44ecc2fef3fe76cc

                                                                  SHA512

                                                                  13641bb24c30bf4d2e55307d024266b141cf1976d8742df1a066faa8391490ce97777d6e193dce54e9c935c7e12c8ab9341becfd8d3339374d818b641c54adc2

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

                                                                  Filesize

                                                                  10KB

                                                                  MD5

                                                                  d33170276bcb80350708882464354db0

                                                                  SHA1

                                                                  e5ad3ce052041e99db22a9d2441b846ae1031cb4

                                                                  SHA256

                                                                  0047695c4a6c5ef31ec5afe820a5533c7bfbc0d26b77b084a208d78f749b2652

                                                                  SHA512

                                                                  dab73ebe42eeebdfaa23ef8256397d156ed7ae91f6fe343f99a61031b42b51e55f1900a1c6c48d0a1ad12d640f8cec0b424a721ad03b0b2fcb7f7872a3d09373

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

                                                                  Filesize

                                                                  10KB

                                                                  MD5

                                                                  121a5b5a449d87d609cb6b38b42c24cb

                                                                  SHA1

                                                                  ba469fa3d970de84c7b75cc89a3fef6345e071bd

                                                                  SHA256

                                                                  59d2cdc63b4c60e7fcf72568003ab8ed635452bc03508f6674d21573bb40ed61

                                                                  SHA512

                                                                  df262cf66a69d1c64147d7beb73ecb866cf389f0e906d50617643b224228ef6ccdc9212d308f2e4d815056df5b0811624e410d9160d7240624cec418cc618ff6

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

                                                                  Filesize

                                                                  10KB

                                                                  MD5

                                                                  bd0c0070d38c57640787e3dd9235dd4b

                                                                  SHA1

                                                                  b224ce1551b743a8444164756ed0ac794cd35ce5

                                                                  SHA256

                                                                  f11243e28c08ad093ab53389512c66ad23443009f0ce84b48bb3f39f652283b3

                                                                  SHA512

                                                                  c62595c3f590fb6d6923008f06a2ba5d7982d58e8c941f915a761ded94cec19a057b922970df30ed3ff044f980a7b48cf417e68d665377c191c9d43d37042b91

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4

                                                                  Filesize

                                                                  10KB

                                                                  MD5

                                                                  d078a44f324c2dcee0342bbbe1289fbe

                                                                  SHA1

                                                                  43c781c013517430791746105ae3b0490f489d80

                                                                  SHA256

                                                                  39f88ae3814bae17048d8a959e13e2119eb48defbd03397771bcd4f399e80bd4

                                                                  SHA512

                                                                  d566f398a3c6c3beef37ba5ddd6b240b87a7bd4fda2cee0981cdc0497f20678de16db32d48abdcc53c75fb01e2edeb71b86f780cc67f80c8ac1697a0cc928ae8

                                                                • C:\Users\Admin\Downloads\BabylonClient12.BUvZA19U.msi.part

                                                                  Filesize

                                                                  20.8MB

                                                                  MD5

                                                                  42d034ba4b698b676abdc012ce4f33a7

                                                                  SHA1

                                                                  583996727c49bf69cd4f25608e9afa3576a72eff

                                                                  SHA256

                                                                  aefe8934a78b62bfa2413a55cff440d6d6581b196f6095853d68343544b58e31

                                                                  SHA512

                                                                  894af4b24fb7a86ca6c42c87b5e3d3596717c80bc2ec65e0969365100673a93abe767bf5333d57140287e327a5d7dc2bef636e7d18d4390b04f8428ee4dffeac

                                                                • C:\Users\Admin\Downloads\CrimsonRAT.exe

                                                                  Filesize

                                                                  84KB

                                                                  MD5

                                                                  b6e148ee1a2a3b460dd2a0adbf1dd39c

                                                                  SHA1

                                                                  ec0efbe8fd2fa5300164e9e4eded0d40da549c60

                                                                  SHA256

                                                                  dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

                                                                  SHA512

                                                                  4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

                                                                • C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier

                                                                  Filesize

                                                                  50B

                                                                  MD5

                                                                  dce5191790621b5e424478ca69c47f55

                                                                  SHA1

                                                                  ae356a67d337afa5933e3e679e84854deeace048

                                                                  SHA256

                                                                  86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8

                                                                  SHA512

                                                                  a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

                                                                • C:\Users\Admin\Downloads\Fagot.a.exe

                                                                  Filesize

                                                                  373KB

                                                                  MD5

                                                                  30cdab5cf1d607ee7b34f44ab38e9190

                                                                  SHA1

                                                                  d4823f90d14eba0801653e8c970f47d54f655d36

                                                                  SHA256

                                                                  1517527c1d705a6ebc6ec9194aa95459e875ac3902a9f4aab3bf24b6a6f8407f

                                                                  SHA512

                                                                  b465f3b734beaea3951ff57759f13971649b549fafca71342b52d7e74949e152c0fbafe2df40354fc00b5dc8c767f3f5c6940e4ba308888e4395d8fd21e402b3

                                                                • C:\Users\Admin\Downloads\Gas.exe

                                                                  Filesize

                                                                  18KB

                                                                • C:\Users\Admin\Downloads\HawkEye.exe

                                                                  Filesize

                                                                  232KB

                                                                • C:\Users\Admin\Downloads\NJRat.exe

                                                                  Filesize

                                                                  31KB

                                                                • C:\Users\Admin\Downloads\Netres.a.exe

                                                                  Filesize

                                                                  372KB

                                                                • C:\Users\Admin\Downloads\Remcos.exe

                                                                  Filesize

                                                                  92KB

                                                                • C:\Users\Admin\Downloads\S6AOv-g1.exe.part

                                                                  Filesize

                                                                  2KB

                                                                • C:\Windows\SysWOW64\remcos\logs.dat

                                                                  Filesize

                                                                  3KB


                                                                • memory/3400-1571-0x0000000000400000-0x000000000070B000-memory.dmp

                                                                  Filesize

                                                                  3.0MB

                                                                • memory/3400-9638-0x0000000000400000-0x000000000070B000-memory.dmp

                                                                  Filesize

                                                                  3.0MB

                                                                • memory/3400-10126-0x0000000000400000-0x000000000070B000-memory.dmp

                                                                  Filesize

                                                                  3.0MB

                                                                • memory/3860-1118-0x0000024D47210000-0x0000024D47B24000-memory.dmp

                                                                  Filesize

                                                                  9.1MB

                                                                • memory/5724-10127-0x0000000000400000-0x0000000000463000-memory.dmp

                                                                  Filesize

                                                                  396KB

                                                                • memory/5724-10170-0x0000000000400000-0x0000000000463000-memory.dmp

                                                                  Filesize

                                                                  396KB

                                                                • memory/6036-1231-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                  Filesize

                                                                  80KB

                                                                • memory/6036-1241-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                  Filesize

                                                                  80KB

                                                                • memory/6036-1189-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                  Filesize

                                                                  80KB

                                                                • memory/6176-1572-0x0000000010000000-0x0000000010010000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                • memory/6292-10054-0x0000000051000000-0x0000000051064000-memory.dmp

                                                                  Filesize

                                                                  400KB

                                                                • memory/6292-10051-0x0000000051000000-0x0000000051064000-memory.dmp

                                                                  Filesize

                                                                  400KB