Malware Analysis Report

2024-09-11 04:22

Sample ID 240627-t7g6yasekl
Target http://google.com
Tags
defense_evasion discovery evasion exploit persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file http://google.com was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion exploit persistence privilege_escalation trojan

UAC bypass

Modifies WinLogon for persistence

Downloads MZ/PE file

Possible privilege escalation attempt

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Executes dropped EXE

Modifies file permissions

Checks computer location settings

Modifies system executable filetype association

Enumerates connected drives

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Access Token Manipulation: Create Process with Token

Modifies data under HKEY_USERS

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Checks processor information in registry

NTFS ADS

Modifies Control Panel

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Winlogon Helper DLL
T1547.004
Event Triggered Execution
T1546
Change Default File Association
T1546.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Winlogon Helper DLL
T1547.004
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Event Triggered Execution
T1546
Change Default File Association
T1546.001
Access Token Manipulation
T1134
Create Process with Token
T1134.002
Defense Evasion
TA0005
Modify Registry
T1112
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
File and Directory Permissions Modification
T1222
Access Token Manipulation
T1134
Create Process with Token
T1134.002
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-27 16:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 16:41

Reported

2024-06-27 16:45

Platform

win10v2004-20240611-en

Max time kernel

179s

Max time network

181s

Command Line

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://google.com"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\mrsmajor\\Launcher.vbs\"" C:\Windows\System32\wscript.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\System32\wscript.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1" C:\Windows\System32\wscript.exe N/A

Disables Task Manager via registry modification

evasion

Downloads MZ/PE file

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Windows\System32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\BossDaMajor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\BossDaMajor.exe N/A
N/A N/A C:\Users\Admin\Downloads\Bonzify.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" C:\Windows\System32\wscript.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\T: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\U: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\X: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\K: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Z: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\L: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\P: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\S: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\I: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\O: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\W: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\N: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\R: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Y: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\J: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\mrsmajor\MrsMjrGuiLauncher.bat C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\DreS_X.bat C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\Launcher.vbs C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\mrsmajorlauncher.vbs C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\MrsMjrGui.exe C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Program Files\mrsmajor\CPUUsage.vbs C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\def_resource\creepysound.mp3 C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\reStart.vbs C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\CPUUsage.vbs C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\def_resource\@Tile@@.jpg C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\def_resource\Skullcur.cur C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\Icon_resource\SkullIco.ico C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\WinLogon.bat C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\Doll_patch.xml C:\Windows\System32\wscript.exe N/A
File created C:\Program Files\mrsmajor\default.txt C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\def_resource\f11.mp4 C:\Windows\system32\wscript.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll C:\Windows\system32\svchost.exe N/A
File created C:\Windows\executables.bin C:\Users\Admin\Downloads\Bonzify.exe N/A

Access Token Manipulation: Create Process with Token

defense_evasion privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\Cursors C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" C:\Windows\System32\wscript.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "205" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-200405930-3877336739-3533750831-1000\{B0760462-9B4D-448E-B06A-E37043D1F044} C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" C:\Windows\System32\wscript.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\BossDaMajor.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\Bonzify.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\shutdown.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\Downloads\Bonzify.exe N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 888 wrote to memory of 3160 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 3160 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 3160 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 3160 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 3160 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 3160 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 3160 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 3160 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 3160 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 3160 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 888 wrote to memory of 3160 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 5104 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 620 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 620 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 620 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 620 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 620 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 620 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 620 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 620 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 620 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3160 wrote to memory of 620 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system C:\Windows\System32\wscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\System32\wscript.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://google.com"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://google.com

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.0.1440679397\133061230" -parentBuildID 20230214051806 -prefsHandle 1788 -prefMapHandle 1784 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bdb8f3f-4bd9-4777-9bf9-04085290e366} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 1860 1dfbc00e358 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.1.1243304402\2058297944" -parentBuildID 20230214051806 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55bac0a9-d940-48e5-aa82-8bdbc99b3827} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 2452 1dfa7e88a58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.2.1015157579\1191720716" -childID 1 -isForBrowser -prefsHandle 3044 -prefMapHandle 3100 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a998b81b-0e79-4009-8e52-954864c446e5} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 3088 1dfbef4b558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.3.470806360\1313824128" -childID 2 -isForBrowser -prefsHandle 3652 -prefMapHandle 3648 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5956048d-890b-4987-89c6-6ca4eec61b3b} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 3664 1dfa7e7ae58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.4.1388831841\849853913" -childID 3 -isForBrowser -prefsHandle 4900 -prefMapHandle 4928 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f3495cd-82e0-4af1-b780-a071ba26143e} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 4916 1dfc2628858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.5.1412920333\1091834214" -childID 4 -isForBrowser -prefsHandle 2980 -prefMapHandle 4868 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {810b477e-63d5-41f6-a742-a69af7590d6e} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 2828 1dfc2e32758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.6.206178809\541951376" -childID 5 -isForBrowser -prefsHandle 5464 -prefMapHandle 5460 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8149c565-58f9-4d78-ba40-d1deffb9a5c7} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 5472 1dfc2e33358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.7.1771888182\949673190" -childID 6 -isForBrowser -prefsHandle 5584 -prefMapHandle 5592 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {495047ad-d5ff-4a43-a960-5bb42b80cecb} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 5580 1dfc2e33c58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.8.1716742389\655725462" -parentBuildID 20230214051806 -prefsHandle 2724 -prefMapHandle 5916 -prefsLen 27776 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d64f3c4c-040e-40d0-b3c4-824f2c0dfe7d} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 3020 1dfc4a03e58 rdd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.9.2145268064\1711261164" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 6140 -prefMapHandle 6136 -prefsLen 27776 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb27af7d-d93d-4e15-bf49-cd3c24cf90ca} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 3104 1dfc4a06858 utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.10.1961569137\372066242" -childID 7 -isForBrowser -prefsHandle 5176 -prefMapHandle 4876 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6848d70-4256-4a89-9337-e4110cccb574} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 10132 1dfa7e3f758 tab

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\BossDaMajor.exe

"C:\Users\Admin\Downloads\BossDaMajor.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\9ED6.tmp\9ED7.vbs

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Program files\mrsmajor\mrsmajorlauncher.vbs" RunAsAdministrator

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4a4 0x244

C:\Users\Admin\Downloads\Bonzify.exe

"C:\Users\Admin\Downloads\Bonzify.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im AgentSvr.exe

C:\Windows\SysWOW64\takeown.exe

takeown /r /d y /f C:\Windows\MsAgent

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)

C:\Windows\System32\shutdown.exe

"C:\Windows\System32\shutdown.exe" -r -t 03

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa393b855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
N/A 127.0.0.1:51116 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
GB 142.250.178.14:80 google.com tcp
GB 142.250.178.14:80 google.com tcp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 44.241.14.171:443 shavar.services.mozilla.com tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 221.5.120.34.in-addr.arpa udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 171.14.241.44.in-addr.arpa udp
GB 142.250.187.196:443 www.google.com tcp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
GB 142.250.187.196:443 www.google.com udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 227.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.200.14:443 apis.google.com tcp
US 8.8.8.8:53 plus.l.google.com udp
US 8.8.8.8:53 plus.l.google.com udp
GB 142.250.200.14:443 plus.l.google.com udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
N/A 127.0.0.1:51124 tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 consent.google.com udp
GB 142.250.187.238:443 consent.google.com tcp
US 8.8.8.8:53 consent.google.com udp
US 8.8.8.8:53 consent.google.com udp
GB 142.250.187.238:443 consent.google.com udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:80 github.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:80 github.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.111.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 8.8.8.8:53 154.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 140.82.113.22:443 collector.github.com tcp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 22.113.82.140.in-addr.arpa udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0gx8chzo.default-release\activity-stream.discovery_stream.json.tmp

MD5 265e3e17539af702f3e9e883e9e70a27
SHA1 e32f5c0991a0eeb85583479a87f3e39281301a9f
SHA256 6653966bab3704f6fd544b47385cb45004743a982d6297c45110e32fbd0c06a3
SHA512 306839dbdf1926c42c7aac4bf17c810c295265d1c47c6e7e65c42d1b82c54d0da47b3e3b452d314d22905dc1329c4e1eb87706fb76e3194e069f1c02818c4998

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0gx8chzo.default-release\prefs.js

MD5 1b1d852926de37a8283dbf6afd1b0f31
SHA1 ad393c63723cf44510c1347fbbbb162f8f9b45f1
SHA256 4e723736b15ffbeba6220af39b49b7155bda498552b8c2776604bd06e0398bc1
SHA512 77c859bfa3510ec4361e4259532c54c7f07cb1e7fe0e13c278258060aff4d2e9c6155cf52db536565c54ee9945a9fb11cf46cf3834a49c24d14c610aaf7a3fcf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0gx8chzo.default-release\prefs-1.js

MD5 5bcec13b1603c9b29df93852765c9910
SHA1 495b7f4f755a3e445ea5ba77e156471615d464c6
SHA256 aedf16c106e3f75f4b60401fc92d8a030ae63935be79c6dd7a2c72bfba649d72
SHA512 206d1d21ecdc19676e4cbbdc2a832b202ae08247666aebfe19ddc24ee5127813cbba24e3c386f91c7169804fefb8c1e8ebc9c841f65f76afd9c77e45bc89a360

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0gx8chzo.default-release\sessionstore-backups\recovery.jsonlz4

MD5 dd6b346894728331641f6fc5508230ee
SHA1 b7fda366013649f6bcb4089ae20adae83f3f41a1
SHA256 913086689dbb0edf122bc4242efa866337fa7af229373109cda3da75e4b3868b
SHA512 abd68d134a10b8f5ed55b27ccae6c633cab36cbc375ab61c28b1a2b7d0a2d5f5476a1bd2990825d54ff9e73b624724e64e9b3e82aa0367c4b94007339b348326

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0gx8chzo.default-release\prefs-1.js

MD5 cd3889d329d682f156028df514c56623
SHA1 c8376fb546d727de836c81f96f4202589dbbbd2f
SHA256 06d53ed2efc683c6fbc3029c8995080f6abec06646ba9095d7212cfd1caec0ad
SHA512 fb3eae8f4a26a7ff3f1734c15ddcc278c16891ef5d7c0435db557429607b026a9989551e1862d20cfaa1bf854ba5486709d705f68c02103d7e6f86b935f9cdfc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0gx8chzo.default-release\sessionstore-backups\recovery.jsonlz4

MD5 88adab2f28f7abc43590542f9c726a65
SHA1 757f93954e8a67868db1d3a450f2ba281ce34a42
SHA256 1e77fd0e7d159aa335977d3ab8f9504b1f82606a97f87caf95a743b597820118
SHA512 b2827ed8b9910443c7e8e34a7edf7b9f12e220b3de8a352b7a925ff1d8d7bf3a7cf37b0179d2e1e57d1af04fd46b51f3a104cea89344bd503269eb1ac0ac64dc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0gx8chzo.default-release\sessionstore-backups\recovery.jsonlz4

MD5 5c6f7a5e41c5a64dec6a3caa1e9943ce
SHA1 6318ecd022040b77e31f40d21850997c9f9c1f25
SHA256 326c3393c17b40992e34b13ac936df4733eb3a03907c71812f53be7eab2ea259
SHA512 73e0722752933069d5c7ccba7d99e5cdc03a6eaf55f26ffc44ac297169ea5e737e6bd99596179a770c6636211faddb82588d1208a1376c7f9650071b233b4f12

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0gx8chzo.default-release\sessionstore-backups\recovery.jsonlz4

MD5 51fdabb877cb742c4d269fead45ea440
SHA1 beecc53feb67a497d5a6885974f220d046111f4b
SHA256 32dc2aa461f386ee07c88fa91092ea4370c49d2e40f9b3713c7c82cf23905bce
SHA512 e48cd58db669cc7f44c15e07d97259dab949aa85cd75f01e1b2b702b270e0bbd6c6b8d6541110c0e94211275739ad7753a6681e880bd96be9f69948e9ae32bf7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0gx8chzo.default-release\sessionstore-backups\recovery.jsonlz4

MD5 598530626534401adbb36b4dd8f4c5d1
SHA1 862ff41526ce38220198b3eec338af61dedfa885
SHA256 6f33443c1f6cb64db13cba17797be047082f73ea675d10df9b5ab0bec0dc149f
SHA512 ec37a884f2117ebcf58103b2f0b8e592266b66a9bf1b4d6c7d3431bd3c8a99fcafecfa33ce7b1fc7167831fa31146846915abe99ff0bdc49de82d69bbebe1f83

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0gx8chzo.default-release\cache2\doomed\4673

MD5 9d3c70c2e2df49e1b1a28e307f20fe5e
SHA1 d304b3e4df0a0d9ea81af2e08cf9680c8eb0cf1c
SHA256 2a10a3c952d70bd92416e5659bdc1325f84ced986bf8f9dd15b813bb96703d35
SHA512 bbf743bcaa3f61d6964ceefa0d49ae36aee373124627837486219bc8112d365813cb0a7a67ef5f05f739071d0d3ea04c7e05c6800080f6630e3eb65622f73c12

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0gx8chzo.default-release\cache2\entries\2B1DFB3BF62868D7BE390097837204DDA6FC828E

MD5 fe55e9bc8ac28b9c960f0bfb23f1fac6
SHA1 34823a1e44bacbe019e56c917f10026e3c1f49f8
SHA256 cbdec3bb12687cda74a5725121db9a808cacf2312e1cdf9f8156fcfbb878961a
SHA512 733c3f2decec8d62cb7e6575b78147fc86ba2b1793e88274156d3896d10bf33ca6f058340420422870f361ef22f1a4a73f336580d16b2ee3ab46c4bb7671326f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0gx8chzo.default-release\cache2\entries\88D2DD145122466A8C6F39785D5A392BF5E86A0D

MD5 59eda17a7512e3ea85f628c566147211
SHA1 a0071827332388ff3d7baa1991713e8fad81dbb3
SHA256 1f1a4e219aaa02ca3f7dce39541d4a687f1c8e576edbe00842dea6081a343244
SHA512 14496986fbc3c8f56ece0bc8e67e670711d7ade75a5dd2e963cb16d53a685a6e530575464a66841d7b6fbb6eb6c194923f943701125e33f75b1db5c82c7699c7

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0gx8chzo.default-release\cache2\entries\6C78A8506F2F8019B55A170A2FEA7FD9FC69B12C

MD5 8aaef3f3ea98b6edf41f8e22706f4f3c
SHA1 2c3c1f3870417bd9582858d265ca0214480f1ab4
SHA256 5324075fff7454141bbed5130cf93d2f7d888207b900e6b5e5407a3a3771ad72
SHA512 9000f003735eaf4df788a608463109adcc2b5859969e69638587d3ab7f1d0fff8b5f5a3c7712d89102a0cbf9e1007a545854836871987e3b31bab4b2a8795fe5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0gx8chzo.default-release\cache2\entries\07E58126644AEAE01A2252933A750571586D823D

MD5 bac0495290a43862a243e69598346dd2
SHA1 5891f8f169fc5c14660b559a771dcfe0e37f2af2
SHA256 eba1b17c3733bef1f0fef2113c8f210032c9b9b1d9bd94cb145b615e7ef48d30
SHA512 1e2f90d81b9fff6a655870f0a548d09907252849e5571d0278b9af00e99eceb7bee9185de8cc83c9a55b9d9838857884b55380687ea73013f8a05f3bef08c3a1

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0gx8chzo.default-release\cache2\entries\7E70ED4B97A34E95EA37C1434415111DA60ADEFA

MD5 7013a386e15558c1e0c077b86ff08490
SHA1 5558c904b2376ac04b93aae37d4f5c21644ec7b6
SHA256 8372ffc176b8ce13bb07d47a27905ee092f15e6b878c881c38dbb0ca267b291e
SHA512 66baadca5069ead2d1c1e71076d33d4a11e560a63c6ed5aec305fe097d607fb125fd494eb584c2574276cdb0a59290ebd2045313db2a54cc87b752d962df3ad8

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0gx8chzo.default-release\cache2\entries\F72B374DC96EDF65EB8F4062EF3DA2023F9F563F

MD5 de04d9cf881d17ddd69ccdfaddedc74a
SHA1 641fc089a5c64832d869b102068d33303dfeeb49
SHA256 0462fb6604ddfccef236e72466b1bd315709b8a532fbcbf1bb8ff9744584660d
SHA512 323216cef47661bad52a814cddd31bf06ef80f32543f3f29965949763ced6f469a292476b4a83ff3157d2654fb5723d5253a18b4bd433bfc59e592856a9f13db

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0gx8chzo.default-release\cache2\entries\91F31F756AA32DC0823EC30502996894D0DBC749

MD5 0ecc20cba600b14fdcffb226f21a3b2b
SHA1 33a963ae1ed4774ca7dd4f3bf34aee414ecf6835
SHA256 28d473e61b826c2498a1223c3ae0d1ec7e7ea504e2d2c108570961a622651b42
SHA512 aa62def87f4d17619b4f9514769bc93d72fe71eb480f416ffa4ee960affdaafaeca6da9100a91ec358037a7f26d7c6d1c292d952b4dda76652898e2dfdf0c181

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0gx8chzo.default-release\cache2\entries\68ADA6A2A4F2FDFFC709865AD2629FB4400675B5

MD5 74016950a32462a2794a38d09c4f8e70
SHA1 2248a1c0bd15d2629d84c3463a463000d62038b1
SHA256 0751e0e35e02fa85af9357d7c3d1e0b7ea17db8c8364532960adbd15ab2fca58
SHA512 4a74313b77ebc1d299500d80195c20f46adbf60a3db34f5e8d197fdc2d2d9ce8096ba3c49493c664b779ca7bcaf1e78a09cf789c436526637b5e9d4e5ec092d1

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0gx8chzo.default-release\cache2\entries\44836238049E96471D6554497813EF38374771D5

MD5 975be4ab20ebc238cd46cf2ed5283fa0
SHA1 681900124340c5032fd61a5e8e8c0d0189466637
SHA256 7f1144e28cd3c113c94fae81a97cb2933d719d901bef5db25000e4c5e3906b17
SHA512 c5cc5091d806f406d1d46bc8a01d3f5daff07228252be70105401ae4d4134b1933d32008e03d06739d943bf25216678d7e638a406e0fb8dee91dd8802da0a52a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0gx8chzo.default-release\cache2\entries\D35C09500437DD22D7C72D16F29F6C78D8E3C45D

MD5 b193145fac3ad4cce843425ad7c63311
SHA1 86eeb019ce36580d3e98ad22a4425ef734ccdb4d
SHA256 bfda22a39cf18a2039be572e901e763334fbf46171bb7068c1b085a489f5818d
SHA512 c86eb93deaa9403de5ba8fabba934d82864cff8d9a8e685f5ab5a1ed7f95de1d96c74763ea2895f1f59c35588548291a0e034fc3aa4afe0f8a9e25fb548bf56e

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0gx8chzo.default-release\cache2\entries\9C76ED03235B16036B6081E7D29AFDB1DBD86F69

MD5 370e6fdd611b5397ffc6f7a389f0175e
SHA1 095e95fcfcc1c8a87190e83b1cc3e6fbd1772820
SHA256 a5c5e3236e7e1183d177e578190815acaaadbfd7c22830236f2ef9783de7d918
SHA512 1fbc2c398db4c9c6a0f290cb1dae95df2595e3bbd7fc637a5725461bb361f74e100937d157cabf5f103b0677a3f7724f2372e70a4ef185ba85a3119668fc00e0

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0gx8chzo.default-release\cache2\entries\9D052D1DC54D0E3995CAC53B82BA9B60130EBB01

MD5 8eb88669351a044fc8809b89ebfcbad6
SHA1 922c60b330d68f525357b466c8d7817a03ab8a69
SHA256 79ab873238cbd81e78de8507056e6acc9012c57a29e5fa01dddda2cb469c7a33
SHA512 88fe8f766a9bdf827f05d2f27bc2927c9bf5a15c175e80f422ab70369cf1577c564e750b858eecd22ea90503e64a00d6552fc46e4c65f69647d85b05809e68b6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0gx8chzo.default-release\sessionstore-backups\recovery.jsonlz4

MD5 494cc51f1cd4260010804265367dd768
SHA1 f00194843ec40d939268930e7c990ec7f6c57881
SHA256 646956de7e8d306a0c80b1a96e160eb36c3a3fc599581367f9b386a71b73899f
SHA512 8deb511d123bc11e3c7cd6e2da8bdcb264735bb5fedc92876a087c2dbed76af754c305a37750ce8a0ac7cdb4e325b2f4a8670aa7ae5f7f66c497cc74307a7f72

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0gx8chzo.default-release\cache2\entries\5DEC88E851B1525C84FB6E075EF537EA79320CE9

MD5 0f10ebb6eea2acdd68f724747c4fc148
SHA1 8565aa63ecedb645cded7d9fe0a332ebaa7ac97e
SHA256 5241c02381d0d015f5038519e48025d00ab2cc39fdbddccd34a7f4c71ecd7137
SHA512 aa8aeda12583956588ffdff4da0ece332bc504edba8912193869e87d69e1de6ccb8fccd3a54afda7a5c1701f28097b7c63684fc85c09c8930056e339b75f4765

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0gx8chzo.default-release\cache2\doomed\20252

MD5 2f67a050563ce7f8cf2df784dc8c3b4d
SHA1 3d2c0e1a7c52376a59ebecc82cbe30527f5b0f9f
SHA256 a0a2e166a31400224bc4b9f2df6f1c3f04606a5d7c72eb2da07a6ceba5758ecd
SHA512 5f4780a3c83046811377206194fa52fd62ac44f3ddd57af0d1b653e854c173f1b8d76abb87ca54defcaf3523040caab08c73d64050277551253d080971388052

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0gx8chzo.default-release\cache2\entries\C32ED2DDF5AD9B08466B5E29BBB468DED054B2D0

MD5 c8b52973587d7ebe008b79d393edbd8e
SHA1 be80aad67e8f0848f2631d447d1f6f7730949e33
SHA256 712511047a9d070df9cf59368b434b56f03f6486d56bd1aedeabb0e0035558ac
SHA512 4c6ba6894f40e4158b6331dddd82ab50377d28d4e4011e4223e861f20e0271dc5534c706d5dc7841f1ac85390896f98d76f16ee8199e7f5042c815e2952b114d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0gx8chzo.default-release\cache2\entries\51B2CF5B56A052651F21DB6D6473A6FAF433F0BB

MD5 d043dfbd64aab4a7d25a1e0a62ba75f0
SHA1 f6f4363e1ca3f76698852639150052ddee72ae8e
SHA256 b2d77094d1054f9b63bed3a75e0880c09f8d1b32144558a19dd33478735d0e4b
SHA512 d8f066188f3bdad5d86c0bd22e0dd88763ddb13484c8e14c0f12de4226fbea5fec30b57bfbd3565d61837950774cc960b3cfa4bd2a9b6ac8213bff3c4cd2cc97

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0gx8chzo.default-release\cache2\entries\E8CC5E82F3EDEB71ABC5E9F37D58E778DEF61F2B

MD5 82d835381e56ac1f077d55779bef12b3
SHA1 b7cbec1f1119f5978fcca3eda9bc73844f82ad94
SHA256 00980248a8229f4f4a449c3b81412fede9d4c2c087d5ba4dd04821409f867b43
SHA512 4cf37f27adb7ce255ea67ab2b563b053477f92115bf108a403706623b7f69eae8477d1253ee4147d97f4b547b1568daac06e125dd9e12a3e6fa220315becef2e

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0gx8chzo.default-release\cache2\entries\B86B02EAB8400C58B2F4F42B69E218D9C5FB9327

MD5 5667102c5b30de8460e8566ad7c5399d
SHA1 bcb0116e4f859dfaf6247912289062ae3fd17887
SHA256 6ec9e82f81bcd359fa6fe49d92b5340870181766972666d749a70d3be4b03cf1
SHA512 6849227ba676b8f00dbcf1d0fb71cc438a0d555ede3f9113abb6f00c5e5a36a03d65fb27a968b64112830b982a4d1c7c4904613a66313ff8e1e2b5d2a9a359e6

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0gx8chzo.default-release\cache2\entries\F4DB32A33BA8ABD54C2F4557A74CAE91E42459CE

MD5 a8971fe13f591f83e6758eded8415188
SHA1 a77a001cad0d1e3718447a749276186d28226c3c
SHA256 f6b7db18ecaff453610ceeb910e0c553f460f297aa3a2a89cd41ac3f0085be8f
SHA512 527c323e67c7b456d77c5ef911890f915ba1e814a515a64950eec1a66e58eac03caba201d93142c6f8cc9e57f67d1632619615d77f631c7156ec7c584b1fa67a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0gx8chzo.default-release\cache2\entries\A6C74BC2260EAFF823C7AED38BBA607C962CCB55

MD5 50c78f277c6e16a3fb7f2d90ba0b5f70
SHA1 04212ca48c27c7b75c0306dee08fcc0fe1b8da64
SHA256 b8f0087334c3cf17b6e4f7894eb9c2dddcf83db9d0e19c171907035dfc3fa2f3
SHA512 e1c298097aee2c5fb1ae27eeb09930e837d85e3e14e513908ae84b7383414d8d9c4183ac2f30b6d9d47af957a4834103ba38e81063406dff7b639ebcf8529af2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0gx8chzo.default-release\jumpListCache\lczTAPu1NtBdqcby1QBSfw==.ico

MD5 696eb93b475c96a7cf01a890fde64e5f
SHA1 e24c32e9c6373497fdfb6f7e99eaf77de1204e40
SHA256 407685cb81b34c4bd75405fa830d8aac1ff053362acfdad173290cbf261be640
SHA512 b9ca6beddc8b9014a96349326607e51a228940f529f1753e311139b22b97ef86722be217c0635e707e0e1fc58220e1d26ee217907c6d8ffff07a4054e538115f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0gx8chzo.default-release\sessionstore-backups\recovery.jsonlz4

MD5 f35ec1f9ed3ab12bf24a4250748e8eba
SHA1 ae927302d2c0f4d73fe2713595e862a3901f2902
SHA256 27f6d74e3d13b27c98707d04f4efd6b7ec1992a917cd99048471d9a8b9d1203c
SHA512 e42e03c74bba0b318e67f6028afbaf4d16d175520cbe75d49bae5f0d33a2e10d885d0b4a0151035a52275dde3bc1361157feda845eeed829a2e5586d99845775

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

MD5 38ff71c1dee2a9add67f1edb1a30ff8c
SHA1 10f0defd98d4e5096fbeb321b28d6559e44d66db
SHA256 730a41a7656f606a22e9f0d68782612d6e00ab8cfe1260160b9e0b00bc2e442a
SHA512 8347782951f2647fe433482cb13186653afa32ee9f5be83a138c4ed47ff34d8de66a26e74b5a28ea21c1529b2078401922a9a26803772677b70489967c10f3e9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0gx8chzo.default-release\prefs.js

MD5 35d767102cbe6be0ef943487a1b5deb0
SHA1 840f771c21613bbe248aacb2b964eab96f4122fc
SHA256 17cb432a6eb1579da16f0f6412cd70526065af1caf4dabcc5e19bc2a21819dae
SHA512 f9bd5ec423ba316f00a0412a56587bad01d2110ed7343cadf3c0a50c64e55361aaecaeb27698bc77d9fd6658e0f9c1484b815dfffd12a2324274ed1b58b5a574

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0gx8chzo.default-release\cache2\doomed\1720

MD5 828ce33c5faf89a0764e39ead5fd3a5c
SHA1 6c84eb931974d02d2914652062626d7e6e32ea3b
SHA256 c92a2fc813a8fa8d42f432889f232e92af9e6cd56c6ffa335df53b1cf1b83b2c
SHA512 1fcb383eb4c06709a41d875090a7c4ed2b09118ad33ec9c7d50bdba5216b9d6589fb00e624293b2d60b122e03fee25d016e14edd3799ae352ef7dd89c546a49c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0gx8chzo.default-release\cache2\entries\2D657FE540BA9C8C2081D7184641304E3FA9FF90

MD5 7f42ab66daa01a43270f2c895572856f
SHA1 07bea460b23613e1004788c70997f210600293ad
SHA256 65f954abfd0b5c8a9559d568d277a45a67eeae82217723c1f2e9186bd406bdde
SHA512 bde60d831b84fe19740e6311c0ff70fe875c240d069bd6dec8c8fc62ae3a5310b7ad9ed10c699944439e4fe4380eebea10e2320c311e55285196d42f04f6dac9

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0gx8chzo.default-release\cache2\entries\923E72F35B3BBFFC103FA20006A56F6A33395FAD

MD5 f1e1a6b2d4e4c5ade30926ee7f8ec94b
SHA1 f5d8e6d8d6637ae4e1228f721e82f263a70b70a7
SHA256 75385dafaa6a4a63192a4a0a830c808e7bdbd87107f02500e01df0d61cada5e8
SHA512 f45ca3a8c2ead0c423b0c2f30129273784761c2ee83e24e134e3c170d69cb978b0c4e12d09ad92700703baebf9909d215d6cbe0f53dd42f71b9337822ea1b02f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0gx8chzo.default-release\storage\default\https+++github.com\ls\usage

MD5 d4ed1efbd3833c3138c5358ff0b7bca1
SHA1 5bc2db8317e97640275ec77e47733ead576e2ab6
SHA256 07505ac1d1a4756addb83790cdbd27d69e53f2fba7f4ba005086722786cb7520
SHA512 a552cadb51c6ceb8e641f5cd3bfce970f510a4d5a64dbfeb3af150c18e1212c3d668caaa7cbe33ef3b1f7c5b15b4993116dc1116da766e546f54d599334671a1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0gx8chzo.default-release\sessionstore-backups\recovery.jsonlz4

MD5 b0366c0bd263cd3d566071a71ff839b2
SHA1 7fd37583213dcb40ba38b5f52cc8f9e31b96891a
SHA256 62c8b1503e788ec12be0b8dc77d34241bce6d18e5ed89c3eddc4f4bd8b57983e
SHA512 086a7ac6ed3f178496261de07b8b01fed5c92631407d11eea820677cd7055653ab057351e06a98ada829e57b087dc415843153001062a1e6d3bb2ae22debd27b

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-18467

MD5 fba93d8d029e85e0cde3759b7903cee2
SHA1 525b1aa549188f4565c75ab69e51f927204ca384
SHA256 66f62408dfce7c4a5718d2759f1d35721ca22077398850277d16e1fca87fe764
SHA512 7c1441b2e804e925eb5a03e97db620117d3ad4f6981dc020e4e7df4bfc4bd6e414fa3b0ce764481a2cef07eebb2baa87407355bfbe88fab96397d82bd441e6a2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0gx8chzo.default-release\prefs.js

MD5 669439acfc0b84a02184df5747f54a59
SHA1 72b85822460dff71ac33d6ea91e5617876f0aa3f
SHA256 d07a759e158eab64e0d09fd4616ebb9d97fc0d80575424ac726490a8dc1222b3
SHA512 ce314d88cdefc31235f3f8e4643f02da43d090e4771f3b0220d45fd2ac65b91c2a78b49e2641aab94af56f46ac6288c6aefd16ced5736fd858be80bfe1012425

C:\Users\Admin\AppData\Local\Temp\9ED6.tmp\9ED7.vbs

MD5 5706bc5d518069a3b2be5e6fac51b12f
SHA1 d7361f3623ecf05e63bb97cc9da8d5c50401575c
SHA256 8a74eead47657582c84209eb4cdba545404d9c67dd288c605515a86e06de0aad
SHA512 fb68727db0365ab10c5b0d5e5e1d44b95aa38806e33b0af3280abcefae83f30eb8252653e158ac941320f3b38507649cce41898c8511223ee8642339cfece047

C:\Users\Admin\AppData\Local\Temp\9ED6.tmp\mrsmajor\CPUUsage.vbs

MD5 0e4c01bf30b13c953f8f76db4a7e857d
SHA1 b8ddbc05adcf890b55d82a9f00922376c1a22696
SHA256 28e69e90466034ce392e84db2bde3ad43ad556d12609e3860f92016641b2a738
SHA512 5e66e2793e7bc88066b8df3dccb554351287dea18207e280b69d7798ecd5cdc99bd4c126c3e394db9f45f54bb561e6688f928de4f638c5eca4f101dc2cea54a1

C:\Users\Admin\AppData\Local\Temp\9ED6.tmp\mrsmajor\default.txt

MD5 30cfd8bb946a7e889090fb148ea6f501
SHA1 c49dbc93f0f17ff65faf3b313562c655ef3f9753
SHA256 e1ebbd3abfcaddf7d6960708f3ccd8eda64c944723f0905ff76551c692b94210
SHA512 8e7d98e6d0c05d199114d2d6ab8da886aed68de690c4d79643868eaf051c229fff94c88d937adb3da5e31fe48116613cf79dd00dda30f296746ce0a8aded9fe2

C:\Users\Admin\AppData\Local\Temp\9ED6.tmp\mrsmajor\DreS_X.bat

MD5 ba81d7fa0662e8ee3780c5becc355a14
SHA1 0bd3d86116f431a43d02894337af084caf2b4de1
SHA256 2590879a8cd745dbbe7ad66a548f31375ccfb0f8090d56b5e4bd5909573ac816
SHA512 0b768995187f988dc15d055f9689cee3ab3908d10b05a625b40d9757c101e067bbd6067ccbcf1951ebb683f5259eec562802ea6161d59475ce86cf6bc7c957f2

C:\Users\Admin\AppData\Local\Temp\9ED6.tmp\mrsmajor\def_resource\Skullcur.cur

MD5 cea57c3a54a04118f1db9db8b38ea17a
SHA1 112d0f8913ff205776b975f54639c5c34ce43987
SHA256 d2b6db8b28112da51e34972dec513278a56783d24b8b5408f11997e9e67d422b
SHA512 561860907fa2f53c7853094299758232a70c0cd22c6df3534abd094c6970f28792c6c334a33b129d661a46930d90fd8c98f11cb34f3e277cf20a355b792f64f0

C:\Users\Admin\AppData\Local\Temp\9ED6.tmp\mrsmajor\def_resource\f11.mp4

MD5 17042b9e5fc04a571311cd484f17b9eb
SHA1 585d91c69c3f9e3d2e8cb8cf984871d89cc4adbb
SHA256 a9b0f1f849e0b41924f5e80b0c4948e63fc4b4f335bbdf0f997b03a3aff55424
SHA512 709076c6cef8dd61701c93e1fe331d2b1a218498b833db10ee4d2be0816e3444aeebfa092ab1bd10322617cf3385414e8fdb76fd90f25b44ac24d38937b4d47f

C:\Users\Admin\AppData\Local\Temp\9ED6.tmp\mrsmajor\def_resource\creepysound.mp3

MD5 4a9b1d8a8fe8a75c81ddba3e411ddc5d
SHA1 e40cb1ee4490f6d7520902e12222446a8efbf9a8
SHA256 79e9a3611494b5ffafaa79788ba7e11dd218e3800c40b56684ccc0c33ab64eac
SHA512 e7a28acb04ca33d57efe0474bb67d6d4b8ceff9198198b81574c76c835d5df05d113fc468f4a4434580b1b58189f38184c376976604dc05d1424af1721995601

C:\Users\Admin\AppData\Local\Temp\9ED6.tmp\mrsmajor\Icon_resource\SkullIco.ico

MD5 c7bf05d7cb3535f7485606cf5b5987fe
SHA1 9d480d6f1e3f17d5018c1d2f4ae257ae983f0bb5
SHA256 4c1cfbe274f993941ac5fa512c376b6d7344800fb8be08cc6344e6c16a418311
SHA512 d30952a75d94dd64b7bd253ed72810690f3550f2262cfaaef45854fc8334f6201a8cbafb9b175c6435f7ce0499567f2fa8667b4b0046bfb651bf61eb4278e6c8

C:\Users\Admin\AppData\Local\Temp\9ED6.tmp\mrsmajor\MrsMjrGuiLauncher.bat

MD5 c7146f88f4184c6ee5dcf7a62846aa23
SHA1 215adb85d81cc4130154e73a2ab76c6e0f6f2ff3
SHA256 47e6c9f62ffc41fbc555f8644ad099a96573c8c023797127f78b1a952ca1b963
SHA512 3b30fa1334b88af3e3382813d316104e3698173bb159c20ff3468cf3494ecfbbc32a9ae78b4919ecd47c05d506435af4a7ccee0576c0d0018a81fbd1b2dfcf10

C:\Users\Admin\AppData\Local\Temp\9ED6.tmp\mrsmajor\WinLogon.bat

MD5 870bce376c1b71365390a9e9aefb9a33
SHA1 176fdbdb8e5795fb5fddc81b2b4e1d9677779786
SHA256 2798dad008f62aace1841edfb43146147a9cade388c419c96da788fcaa2f76bc
SHA512 f17c9898f81387daf42c9b858f507889919474ac2a17f96fc6d4606be94327e0b941b23a3ccc3f4af92b8abc0522e94745616da0564cdef1c3f20ee17ee31f53

C:\Users\Admin\AppData\Local\Temp\9ED6.tmp\mrsmajor\reStart.vbs

MD5 0851e8d791f618daa5b72d40e0c8e32b
SHA1 80bea0443dc4cc508e846fefdb9de6c44ad8ff91
SHA256 2cbd8bc239c5cfc3ef02f8472d867dff61e5aed9fde8a3823cda28cc37d77722
SHA512 57a9d1d75dbbab842060b29f01958f7e6b27d0175ff9a3f7b97e423c1b4e3fae94547a569c2e5c88224fc5dcc785f5a1d49c61199a8c7b3afeb4fc520600df40

C:\Users\Admin\AppData\Local\Temp\9ED6.tmp\mrsmajor\MrsMjrGui.exe

MD5 450f49426b4519ecaac8cd04814c03a4
SHA1 063ee81f46d56544a5c217ffab69ee949eaa6f45
SHA256 087fca40e079746b9c1dfaf777d3994c0321ea8f69d08238cdfc02fb109add1d
SHA512 0cae15d863120f4edc6b6dabfe2f0f3d2e028057025d7d5ffe615cde8144f29bdaf099850e91e101e95d13f8a83cb1410a06172dda25a5f92967abcbc8453cbc

C:\Users\Admin\AppData\Local\Temp\9ED6.tmp\mrsmajor\mrsmajorlauncher.vbs

MD5 e3fdf285b14fb588f674ebfc2134200c
SHA1 30fba2298b6e1fade4b5f9c8c80f7f1ea07de811
SHA256 4d3aa3ecd16a6ba46a9d6c0bdacdcd9dce70d93585941a94e544696e3e6f7d92
SHA512 9b0bfbb07c77d9e9979a6c0f88b0a93010133f7dd3cf01e1de5dfbe812a5ed920e916d16d6a32fe21b9ee4b5425e61a616ded1aeeb35a410d4f77c0f9392ed0a

C:\Users\Admin\AppData\Local\Temp\9ED6.tmp\mrsmajor\Launcher.vbs

MD5 b5a1c9ae4c2ae863ac3f6a019f556a22
SHA1 9ae506e04b4b7394796d5c5640b8ba9eba71a4a6
SHA256 6f0bb8cc239af15c9215867d6225c8ff344052aaa0deeb3452dbf463b8c46529
SHA512 a644c48562e38190720fb55a6c6e7d5ccfab60f362236fe7d63caebdc01758f17196d123fb37bd11f7e247ce8ab21812165b27496d3bd6ca5e2c5efefab8fb03

C:\Users\Admin\AppData\Local\Temp\9ED6.tmp\mrsmajor\def_resource\@Tile@@.jpg

MD5 3e21bcf0d1e7f39d8b8ec2c940489ca2
SHA1 fa6879a984d70241557bb0abb849f175ace2fd78
SHA256 064f135fcc026a574552f42901b51052345f4b0f122edd7acd5f2dcc023160a5
SHA512 5577e20f76d6b1cccc513392532a09bdc6dcd3a8a177b8035dc5d7eb082e0093436068f92059e301c5987e6122c4d9aff3e5ae9cc94ccc1ecc9951e2785b0922

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0gx8chzo.default-release\sessionstore-backups\recovery.jsonlz4

MD5 fd8bb7a509aede3f2b7f6f55f9ec8edd
SHA1 6f33fbb9f1065821313137a81fe9264a72c8f3eb
SHA256 5768aea9d510114c67b90b79b37f3fe7fdded1928c6d5cb2adb97dac18f15bbd
SHA512 fefc9c6e142d188b2bf4cadcf0acd5279d23754f203b4ec49c8aea73b53f032c5bf0bb8eefe2a9c69f42451a18f1e72e4764bafbbbb1a15bd81caff4b0efc6fe

C:\Users\Admin\Desktop\MRS MAJOR WANTS TO MEET YOU 5.txt

MD5 e20f623b1d5a781f86b51347260d68a5
SHA1 7e06a43ba81d27b017eb1d5dcc62124a9579f96e
SHA256 afeebe824fc4a955a673d3d8569a0b49dfbc43c6cc1d4e3d66d9855c28a7a179
SHA512 2e74cccdd158ce1ffde84573d43e44ec6e488d00282a661700906ba1966ad90968a16c405a9640b9d33db03b33753733c9b7078844b0f6ac3af3de0c3c044c0b

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

MD5 90be2701c8112bebc6bd58a7de19846e
SHA1 a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256 644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512 d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 5433eab10c6b5c6d55b7cbd302426a39
SHA1 c5b1604b3350dab290d081eecd5389a895c58de5
SHA256 23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131
SHA512 207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 37cceebcdbe6829b5e4705b60b76c112
SHA1 9165edbc0afcb353ae834c4296a879a9378ce68f
SHA256 ad3dbd0830f94d2347b9780a3d726f4077d7bd2550fa2bdc6fe4e0dc242359de
SHA512 e6a79443e8b85f2e57e55463079bb0594c6cd11d7ff8398a772eaa0154ca70255c5323fdcad4e2abc3e4fa9066cd07591f6ae5084df7ced4ae1d1fb00839b54a

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 709c13d95dc7b37354fb6989bdf7d57f
SHA1 73efc69bda5a436823d574039b129d9388bae821
SHA256 560cce6125bdba3866d4b438a09dbba7bba7b8ee663f03c4bc68e93108125803
SHA512 d1aef37b3821eaff826a20af917f5c6eec76105a9c8761335fa255f665781a597631d0697c8068c459e8f53d1435d1dbff6d3fee80c9916684d3c6e5a45a7179

memory/5532-1027-0x0000000004510000-0x0000000004520000-memory.dmp

memory/5532-1025-0x0000000004510000-0x0000000004520000-memory.dmp

memory/5532-1026-0x0000000004510000-0x0000000004520000-memory.dmp

memory/5532-1024-0x0000000004510000-0x0000000004520000-memory.dmp

memory/5532-1028-0x00000000091B0000-0x00000000091C0000-memory.dmp

memory/5532-1029-0x0000000004510000-0x0000000004520000-memory.dmp

memory/5532-1030-0x0000000004510000-0x0000000004520000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 a3ddb74504fc947cc460e9eaebd73db0
SHA1 d6e9f15f2ed149a0f7ee5753a366b5ce084ed96f
SHA256 08270aa3b1c253f2b96a749d85810ae372bc22e0f3eeb08933037df40f4fb154
SHA512 0e0228cc4d46dd8f42fa4cc3f3e82451ea9381ec036fb29c8df1d60857d12bc1e4c83567900163186ca001395cdeaa11f835922e53bb62feba67fca771bc286a

C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

MD5 7b2f01ef5d3743c0ba3d88fc4cdf6d0f
SHA1 c567e11f638b6dbfe4cfc5117bf005c88a0b4a67
SHA256 1bb664ad6caeb5499ad99a5f33b91594d106d7cba1a1c2b2d6e022a68419d3d9
SHA512 1b58296b54c48670532baa497881fe8c4f02cabe62ef11e77956b006eeed16eeed68fbe638da7b296a3c71996c0eaf3b7d466c641a6abdba94e90a1807fb4e9f

C:\Users\Admin\AppData\Local\Temp\KillAgent.bat

MD5 ea7df060b402326b4305241f21f39736
SHA1 7d58fb4c58e0edb2ddceef4d21581ff9d512fdc2
SHA256 e4edc2cb6317ab19ee1a6327993e9332af35cfbebaff2ac7c3f71d43cfcbe793
SHA512 3147615add5608d0dce7a8b6efbfb19263c51a2e495df72abb67c6db34f5995a27fde55b5af78bbd5a6468b4065942cad4a4d3cb28ab932aad9b0f835aafe4d0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0gx8chzo.default-release\sessionCheckpoints.json.tmp

MD5 700fe59d2eb10b8cd28525fcc46bc0cc
SHA1 339badf0e1eba5332bff317d7cf8a41d5860390d
SHA256 4f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea
SHA512 3fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0gx8chzo.default-release\sessionstore.jsonlz4

MD5 092a1dca1ccc61573fc51c136ca382fe
SHA1 03b9e7008d78f178455d60ad449d2c8eaaab5eed
SHA256 5d557918de6ec6181908f8db4928839c96b06111f189f72045b9978ef6160a9c
SHA512 b1fbcf78029ec714019d72d6db0cf8d3c9198ba9a3e0b0c9c04bfde848d667f98600eab3a244254f396d5caef42736ea32a827a1926c1d9c0ce892ac6d59d33c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0gx8chzo.default-release\prefs.js

MD5 528eb28e9fd3e5d8120c8a1160c4f09e
SHA1 98c5128aac8cf94bd9b83fb938935eda6b85b72b
SHA256 d01fcafa007589741350a672b4dadd939a84caa16b8783c675364f356d2b4697
SHA512 daccf281976aa33067dcf422468b3e7fdea4103bbdd9f51ee061d519ed3946e38dd1a7d06a7102fe2f9e1c780d5cdeaeddf3ab4c8cb0baa499b966aa68c66f3e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0gx8chzo.default-release\prefs-1.js

MD5 a4d7a91c3c8dc14a3ecb7318e226ed66
SHA1 de950b652d394c03432627a1cc22e6109300f5c8
SHA256 10f1f2e8c04765037edad6366d01181c7948269f36dd165ffe5470598befaf72
SHA512 43df57e46a9934e95d6c3d7f5f13c7652d13ceac6c865f10ed8b13e949bb30b9ce5fbead1cd08b2a7860b8db992133ca3056a14af2a60085d52c79394330097d