Malware Analysis Report

2025-05-05 22:37

Sample ID: 241227-vwrfxaxndr
Target: Rain Sucked Up.weathersandbox
SHA256: 3d21905f6d25412c3dd3862a9d00e2f0a26631ea061fea39ec8ceaa61a468ac2
Tags: agilenet defense_evasion discovery evasion persistence privilege_escalation trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 3d21905f6d25412c3dd3862a9d00e2f0a26631ea061fea39ec8ceaa61a468ac2

Threat Level: Known bad

The file Rain Sucked Up.weathersandbox was found to be: Known bad.

Malicious Activity Summary

agilenet defense_evasion discovery evasion persistence privilege_escalation trojan

UAC bypass

Modifies WinLogon for persistence

Disables RegEdit via registry modification

Drops file in Drivers directory

Downloads MZ/PE file

Disables Task Manager via registry modification

Obfuscated with Agile.Net obfuscator

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Modifies system executable filetype association

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Drops desktop.ini file(s)

Subvert Trust Controls: Mark-of-the-Web Bypass

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Access Token Manipulation: Create Process with Token

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

System policy modification

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Modifies Control Panel

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

NTFS ADS

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-12-27 17:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-27 17:20
Reported: 2024-12-27 17:26
Platform: win10v2004-20241007-en
Max time kernel: 301s
Max time network: 303s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Rain Sucked Up.weathersandbox"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\mrsmajor\\Launcher.vbs\"" | C:\Windows\System32\wscript.exe | N/A

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\wscript.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\System32\wscript.exe | N/A

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1" | C:\Windows\System32\wscript.exe | N/A

Disables Task Manager via registry modification

evasion

Downloads MZ/PE file

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\drivers\spoclsv.exe | C:\Users\Admin\Downloads\Gnil.exe | N/A
File created | C:\Windows\SysWOW64\drivers\spoclsv.exe | C:\Users\Admin\Downloads\Gnil.exe | N/A
File created | C:\Windows\SysWOW64\drivers\spoclsv.exe:Zone.Identifier:$DATA | C:\Users\Admin\Downloads\Gnil.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\spoclsv.exe | C:\Users\Admin\Downloads\Gnil.exe | N/A
File created | C:\Windows\SysWOW64\drivers\spoclsv.exe:Zone.Identifier:$DATA | C:\Users\Admin\Downloads\Gnil.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\wscript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\MrsMajor3.0.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\BossDaMajor.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3EBB.tmp\eulascr.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | C:\Windows\System32\wscript.exe | N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened for modification | C:\Users\Public\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\N: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\G: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\O: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\U: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\Y: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\M: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\P: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\W: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\Z: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\B: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\X: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\H: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\R: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\S: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\V: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\A: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\I: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\J: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\K: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\T: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\E: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\L: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\Q: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\N: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\mrsmajor\CPUUsage.vbs | C:\Windows\system32\wscript.exe | N/A
File created | C:\Program Files\mrsmajor\reStart.vbs | C:\Windows\system32\wscript.exe | N/A
File created | C:\Program Files\mrsmajor\WinLogon.bat | C:\Windows\system32\wscript.exe | N/A
File created | C:\Program Files\mrsmajor\default.txt | C:\Windows\system32\wscript.exe | N/A
File created | C:\Program Files\mrsmajor\def_resource\creepysound.mp3 | C:\Windows\system32\wscript.exe | N/A
File created | C:\Program Files\mrsmajor\def_resource\f11.mp4 | C:\Windows\system32\wscript.exe | N/A
File created | C:\Program Files\mrsmajor\Launcher.vbs | C:\Windows\system32\wscript.exe | N/A
File created | C:\Program Files\mrsmajor\Doll_patch.xml | C:\Windows\System32\wscript.exe | N/A
File created | C:\Program Files\mrsmajor\def_resource\@Tile@@.jpg | C:\Windows\system32\wscript.exe | N/A
File created | C:\Program Files\mrsmajor\DreS_X.bat | C:\Windows\system32\wscript.exe | N/A
File created | C:\Program Files\mrsmajor\Icon_resource\SkullIco.ico | C:\Windows\system32\wscript.exe | N/A
File created | C:\Program Files\mrsmajor\MrsMjrGuiLauncher.bat | C:\Windows\system32\wscript.exe | N/A
File created | C:\Program Files\mrsmajor\CPUUsage.vbs | C:\Windows\system32\wscript.exe | N/A
File created | C:\Program Files\mrsmajor\def_resource\Skullcur.cur | C:\Windows\system32\wscript.exe | N/A
File created | C:\Program Files\mrsmajor\mrsmajorlauncher.vbs | C:\Windows\system32\wscript.exe | N/A
File created | C:\Program Files\mrsmajor\MrsMjrGui.exe | C:\Windows\system32\wscript.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion
Description | Indicator | Process | Target
File created | C:\Users\Admin\Downloads\Gnil.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
File created | C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
File created | C:\Users\Admin\Downloads\BossDaMajor.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Access Token Manipulation: Create Process with Token

defense_evasion privilege_escalation
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\wscript.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Gnil.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Gnil.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\BossDaMajor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\unregmp2.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Cursors | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" | C:\Windows\System32\wscript.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "162" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | C:\Windows\System32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon | C:\Windows\System32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon | C:\Windows\System32\wscript.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\.weathersandbox\ = "weathersandbox_auto_file" | C:\Windows\system32\OpenWith.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\weathersandbox_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\"" | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file | C:\Windows\System32\wscript.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\.weathersandbox | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\weathersandbox_auto_file\shell\open | C:\Windows\system32\OpenWith.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | C:\Windows\System32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | C:\Windows\System32\wscript.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\weathersandbox_auto_file\shell | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | C:\Windows\System32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | C:\Windows\System32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-940901362-3608833189-1915618603-1000\{FCB5FC35-ACD2-4523-BD9C-97FB897E50BC} | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\weathersandbox_auto_file | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\weathersandbox_auto_file\shell\open\command | C:\Windows\system32\OpenWith.exe | N/A

NTFS ADS

Description | Indicator | Process | Target
File created | C:\Users\Admin\Downloads\Gnil.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
File created | C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
File created | C:\Users\Admin\Downloads\BossDaMajor.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3EBB.tmp\eulascr.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\shutdown.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\shutdown.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of SetWindowsHookEx

Only one row in this table comes from a dropped binary, MrsMajor3.0.exe; the others are GUI processes (Windows' own OpenWith and LogonUI dialogs, Firefox) for which installing a window hook is routine. The Indicator column is N/A throughout, so the hook type is not recorded and whether the MrsMajor3.0.exe hook is a low-level keyboard hook (keylogging or input blocking) or something more mundane cannot be read from this table alone. Identical consecutive rows are collapsed with a count.

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A (25 identical rows)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (14 identical rows)
N/A N/A C:\Users\Admin\Downloads\MrsMajor3.0.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (3 identical rows)
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Every writer and target here is OpenWith.exe or firefox.exe: OpenWith (PID 1912) writes into the Firefox launcher it starts (3388), the launcher writes into the browser process (3028), and the browser writes into two firefox.exe children (1868, 3832); the -contentproc command lines in the Processes list name 3028 as their parent. None of the dropped executables (Gnil.exe, MrsMajor3.0.exe, BossDaMajor.exe, eulascr.exe, spoclsv.exe) appears as a writer, so this table reflects Firefox's own sandboxed process launch rather than injection by the sample. Identical rows are collapsed with a count.

Description Indicator Process Target
PID 1912 wrote to memory of 3388 N/A C:\Windows\system32\OpenWith.exe C:\Program Files\Mozilla Firefox\firefox.exe (2 identical rows)
PID 3388 wrote to memory of 3028 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (11 identical rows)
PID 3028 wrote to memory of 1868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (45 identical rows)
PID 3028 wrote to memory of 3832 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (6 identical rows)

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\system32\wscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system C:\Windows\System32\wscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\System32\wscript.exe N/A
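The ConsentPromptBehaviorAdmin value written above decides what UAC does when a member of the Administrators group asks for elevation: 0 means elevate silently with no prompt, so on this sandbox (which runs as Admin, per the C:\Users\Admin paths) anything the dropped scripts launch elevated goes through unattended. Windows defaults the value to 5 (prompt for consent for non-Windows binaries). The writer in both rows is wscript.exe, which matches the .vbs launchers in the Processes list. Note also that the report spells the same key both Policies\System and Policies\system; the registry is case-insensitive, so both rows hit one key. The Python below is an added example written for this page, not part of the report or of the sandbox's signature engine: it parses rows in the report's own Set value (<type>) <key> = "<data>" <process> <target> form, flags policy values that switch a protection off, and emits the reg command that restores the default. The four rows are copied from this table; the fifth row (an administrator writing the value back to 5) is constructed as a control. The value-name table and the assumption that the target column is a single token (it is N/A in every registry row here) are the example's own.

```python
import re
import ntpath

# Values under HKLM/HKCU\...\Policies\System that switch a protection off, keyed by
# value name (lower-case) -> (data that means "off", Windows default to restore).
# ConsentPromptBehaviorAdmin: 0 = elevate without prompting (what this sample writes),
#   5 = default, prompt for consent for non-Windows binaries.
# EnableLUA: 0 = UAC off entirely.
# DisableRegistryTools / DisableTaskMgr: 1 = the Explorer lock-outs this report's
#   summary also lists. This table is the example's own, not the sandbox's rule set.
WEAKENING_VALUES = {
    "consentpromptbehavioradmin": ("0", "5"),
    "enablelua": ("0", "1"),
    "disableregistrytools": ("1", "0"),
    "disabletaskmgr": ("1", "0"),
}

POLICY_SUFFIX = "\\microsoft\\windows\\currentversion\\policies\\system"

# One "Set value" row of the report's signature table:
#   Set value (<type>) <key>\<name> = "<data>" <process path> <target>
# Assumption: the target column is a single token (N/A in every registry row here),
# which lets the process path keep its embedded spaces.
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\\S+) = "(?P<data>[^"]*)" '
    r"(?P<process>.+?) (?P<target>\S+)$",
    re.IGNORECASE,
)

HIVE_ALIASES = {"\\registry\\machine": "HKLM", "\\registry\\user": "HKU"}


def to_hkey(path):
    """Rewrite the native \\REGISTRY\\MACHINE\\... prefix to the HKLM\\... form reg.exe
    accepts, keeping the rest of the path exactly as the report wrote it."""
    low = path.lower()
    for native, alias in HIVE_ALIASES.items():
        if low.startswith(native):
            return alias + path[len(native):]
    return path


def flag_policy_events(rows):
    """Return one finding per row that writes a protection-off value under Policies\\System.

    Comparison is case-insensitive because the report itself spells the same key both
    'Policies\\System' and 'Policies\\system'; the registry does not distinguish them."""
    findings = []
    for row in rows:
        m = SET_VALUE_RE.match(row.strip())
        if not m:
            continue  # 'Key created' and non-registry rows carry no data to judge
        key, name = ntpath.split(to_hkey(m["path"]))
        if not key.lower().endswith(POLICY_SUFFIX):
            continue
        rule = WEAKENING_VALUES.get(name.lower())
        if rule is None or m["data"] != rule[0]:
            continue
        findings.append({
            "key": key,
            "name": name,
            "data": m["data"],
            "process": m["process"],
            # Reverts to the documented default; run elevated on the affected host.
            "restore": f'reg add "{key}" /v {name} /t REG_DWORD /d {rule[1]} /f',
        })
    return findings


# The four rows of this signature table, plus one constructed control row in which an
# administrator puts the value back to 5 (must not be flagged).
REPORT_ROWS = [
    r"Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\system32\wscript.exe N/A",
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\system32\wscript.exe N/A',
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system C:\Windows\System32\wscript.exe N/A",
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\System32\wscript.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" C:\Windows\regedit.exe N/A',
]

if __name__ == "__main__":
    for f in flag_policy_events(REPORT_ROWS):
        print(f'{f["process"]} set {f["key"]}\\{f["name"]} = {f["data"]}  ->  {f["restore"]}')
```

Run against the five rows it reports the two wscript.exe writes and ignores the Key created rows and the control row. On a live host the same value table doubles as an audit list: query each name under both the HKLM and the HKCU Policies\System keys and compare against the "off" column.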

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Rain Sucked Up.weathersandbox"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Rain Sucked Up.weathersandbox"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Rain Sucked Up.weathersandbox"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b1a63ed-9f7a-4a0c-a639-edacaa540783} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2440 -parentBuildID 20240401114208 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4e8ab67-6cb4-4373-b0ac-caa699252a97} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2956 -childID 1 -isForBrowser -prefsHandle 2968 -prefMapHandle 3060 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b29c82c-b27a-47ba-b36c-47b75f638116} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3616 -childID 2 -isForBrowser -prefsHandle 1656 -prefMapHandle 1580 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1d09e87-9e11-4b3b-b159-ffd13a71652c} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4976 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4824 -prefMapHandle 4972 -prefsLen 33298 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b17ac990-cd27-4238-86b7-0a019242fe90} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5580 -childID 3 -isForBrowser -prefsHandle 5572 -prefMapHandle 5568 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {737ea630-36df-492a-841d-211e67dc0b69} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5720 -childID 4 -isForBrowser -prefsHandle 5396 -prefMapHandle 3680 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb634c38-bf57-4f70-b60f-d3d96d4ad322} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5900 -childID 5 -isForBrowser -prefsHandle 5976 -prefMapHandle 5972 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5017ebf0-7280-4dfc-b1c6-c535c5081f9b} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Rain Sucked Up.weathersandbox"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Rain Sucked Up.weathersandbox"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Rain Sucked Up.weathersandbox"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Rain Sucked Up.weathersandbox"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1820 -parentBuildID 20240401114208 -prefsHandle 1748 -prefMapHandle 1740 -prefsLen 20321 -prefMapSize 241207 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60176d05-ce1e-4504-b83d-73afc31c71b1} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2172 -parentBuildID 20240401114208 -prefsHandle 2164 -prefMapHandle 2160 -prefsLen 20321 -prefMapSize 241207 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02ad43a7-52f1-485e-a804-7ea918468d30} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2732 -childID 1 -isForBrowser -prefsHandle 3212 -prefMapHandle 3420 -prefsLen 25630 -prefMapSize 241207 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a555864-9ff7-4783-a289-7ee0873a81fd} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3404 -childID 2 -isForBrowser -prefsHandle 3156 -prefMapHandle 3196 -prefsLen 26499 -prefMapSize 241207 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f1c663f-f4f5-452c-b9f8-6a2ea48e359a} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1288 -childID 3 -isForBrowser -prefsHandle 1284 -prefMapHandle 944 -prefsLen 27842 -prefMapSize 241207 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85233c16-96ed-47bf-b399-2078389c02ad} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5040 -parentBuildID 20240401114208 -prefsHandle 5148 -prefMapHandle 3364 -prefsLen 33993 -prefMapSize 241207 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cc3e15b-2215-4093-811f-69cffa9e7c65} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" rdd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3768 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 2632 -prefMapHandle 2848 -prefsLen 38813 -prefMapSize 241207 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d37715ee-cae4-4da6-80c2-5be61b898aea} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3480 -childID 4 -isForBrowser -prefsHandle 3232 -prefMapHandle 3476 -prefsLen 32850 -prefMapSize 241207 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19e1949c-22ae-4a3c-9e0c-17262abc599b} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5620 -childID 5 -isForBrowser -prefsHandle 5696 -prefMapHandle 5692 -prefsLen 32850 -prefMapSize 241207 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03fa085e-bf2a-4247-bb60-a7928c105b4b} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5880 -childID 6 -isForBrowser -prefsHandle 5804 -prefMapHandle 5808 -prefsLen 32850 -prefMapSize 241207 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58a83742-a65f-4b39-bc0f-dcee683858e6} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6040 -childID 7 -isForBrowser -prefsHandle 5808 -prefMapHandle 5896 -prefsLen 32850 -prefMapSize 241207 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfd3b789-78a8-4dbd-9468-fb79079d6e01} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6148 -childID 8 -isForBrowser -prefsHandle 4720 -prefMapHandle 4076 -prefsLen 33072 -prefMapSize 241207 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5088bc89-9164-41fa-a7c0-56e4caa8a345} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5604 -childID 9 -isForBrowser -prefsHandle 5492 -prefMapHandle 5480 -prefsLen 33848 -prefMapSize 241207 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25c46c39-a7c8-4ac1-91d3-af1d89f1a2d4} 5168 "\\.\pipe\gecko-crash-server-pipe.5168" tab

C:\Users\Admin\Downloads\Gnil.exe

"C:\Users\Admin\Downloads\Gnil.exe"

C:\Windows\SysWOW64\drivers\spoclsv.exe

C:\Windows\system32\drivers\spoclsv.exe

C:\Users\Admin\Downloads\Gnil.exe

"C:\Users\Admin\Downloads\Gnil.exe"

C:\Windows\SysWOW64\drivers\spoclsv.exe

C:\Windows\system32\drivers\spoclsv.exe

C:\Users\Admin\Downloads\MrsMajor3.0.exe

"C:\Users\Admin\Downloads\MrsMajor3.0.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\3EBB.tmp\3EBC.tmp\3EBD.vbs //Nologo

C:\Users\Admin\AppData\Local\Temp\3EBB.tmp\eulascr.exe

"C:\Users\Admin\AppData\Local\Temp\3EBB.tmp\eulascr.exe"

C:\Users\Admin\Downloads\BossDaMajor.exe

"C:\Users\Admin\Downloads\BossDaMajor.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\BE5B.tmp\BE5C.vbs

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Program files\mrsmajor\mrsmajorlauncher.vbs" RunAsAdministrator

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x51c 0x48c

C:\Windows\System32\shutdown.exe

"C:\Windows\System32\shutdown.exe" -r -t 03

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3887855 /state1:0x41c64e6d

Network

The udp rows to 8.8.8.8:53 are DNS lookups (the Domain column is the name queried, including reverse in-addr.arpa lookups); the rows to port 443 are the connections that followed. Nearly all of it is Firefox start-up and browsing traffic: Mozilla remote settings, tracking-protection lists, Pocket, location services, the Balrog update check, the media-plugin fetches from ciscobinary.openh264.org (via Akamai) and redirector.gvt1.com, and Google properties. The endpoints that matter for this sample are GitHub (github.com, api.github.com, raw.githubusercontent.com): a code-hosting service is the "legitimate hosting service" the report's abuse tag refers to, and these are the only hosts here not accounted for by Firefox or Google infrastructure, which makes them the obvious source of the executables that later run out of C:\Users\Admin\Downloads.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 99.159.232.44.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
N/A 127.0.0.1:54214 tcp
N/A 127.0.0.1:54222 tcp
N/A 127.0.0.1:54638 tcp
N/A 127.0.0.1:54649 tcp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 support.mozilla.org udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 34.120.5.221:443 prod.pocket.prod.cloudops.mozgcp.net tcp
US 34.120.5.221:443 prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 us-west1.prod.sumo.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 us-west1.prod.sumo.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 221.5.120.34.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 37.158.120.34.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.164:443 www.google.com tcp
FR 172.217.20.164:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.164:443 www.google.com udp
US 8.8.8.8:53 164.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 195.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 163.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 172.217.20.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
FR 172.217.20.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-aigzrnsz.gvt1.com udp
GB 74.125.175.169:443 r4---sn-aigzrnsz.gvt1.com tcp
US 8.8.8.8:53 r4.sn-aigzrnsz.gvt1.com udp
US 8.8.8.8:53 r4.sn-aigzrnsz.gvt1.com udp
GB 74.125.175.169:443 r4.sn-aigzrnsz.gvt1.com udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 169.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 csp.withgoogle.com udp
FR 216.58.215.49:443 csp.withgoogle.com tcp
US 8.8.8.8:53 csp.withgoogle.com udp
US 8.8.8.8:53 csp.withgoogle.com udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
FR 216.58.213.74:443 ogads-pa.googleapis.com tcp
FR 216.58.213.74:443 ogads-pa.googleapis.com tcp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
FR 216.58.215.49:443 csp.withgoogle.com udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
FR 216.58.213.74:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 66.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 49.215.58.216.in-addr.arpa udp
US 8.8.8.8:53 74.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
FR 216.58.214.174:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
FR 216.58.214.174:443 play.google.com udp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 consent.google.com udp
FR 142.250.75.238:443 consent.google.com tcp
US 8.8.8.8:53 consent.google.com udp
US 8.8.8.8:53 consent.google.com udp
FR 142.250.75.238:443 consent.google.com udp
US 8.8.8.8:53 238.75.250.142.in-addr.arpa udp
US 8.8.8.8:53 encrypted-tbn0.gstatic.com udp
FR 142.250.201.174:443 encrypted-tbn0.gstatic.com tcp
FR 142.250.201.174:443 encrypted-tbn0.gstatic.com tcp
FR 142.250.201.174:443 encrypted-tbn0.gstatic.com tcp
FR 142.250.201.174:443 encrypted-tbn0.gstatic.com tcp
FR 142.250.201.174:443 encrypted-tbn0.gstatic.com tcp
US 8.8.8.8:53 encrypted-tbn0.gstatic.com udp
US 8.8.8.8:53 encrypted-tbn0.gstatic.com udp
FR 142.250.201.174:443 encrypted-tbn0.gstatic.com udp
US 8.8.8.8:53 174.201.250.142.in-addr.arpa udp
US 8.8.8.8:53 id.google.com udp
FR 142.250.179.99:443 id.google.com tcp
US 8.8.8.8:53 id.google.com udp
FR 216.58.215.49:443 csp.withgoogle.com udp
US 8.8.8.8:53 id.google.com udp
FR 216.58.213.74:443 ogads-pa.googleapis.com udp
FR 142.250.179.99:443 id.google.com udp
US 8.8.8.8:53 99.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 154.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 140.82.113.22:443 collector.github.com tcp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 api.github.com udp
US 140.82.113.22:443 glb-db52c2cf8be544.github.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 22.113.82.140.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 drive.google.com udp
FR 142.250.75.238:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
FR 142.250.74.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 225.74.250.142.in-addr.arpa udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
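The connection list above mixes three kinds of rows: DNS queries to the resolver (8.8.8.8:53), reverse (PTR) lookups of the form N.N.N.N.in-addr.arpa, and the TCP or UDP/443 (likely QUIC) connections the detonation actually made. The following triage helper is an added example, not part of the original report or the sandbox vendor's tooling. It parses rows in the report's own format, separates those three kinds, maps every PTR query back to the IP it asks about and checks whether that IP was ever contacted, and flags hosts that serve arbitrary user-uploaded content (the list of such hosts is the editor's assumption; the report's "Legitimate hosting services abused for malware hosting/C2" and "Downloads MZ/PE file" signatures name no specific host). The sample rows embedded in the block are a constructed subset of the rows above.

```python
"""Triage the sandbox connection list: rows are '<country> <ip>:<port> <name> <proto>'.

Added example for this report; not the sandbox's own code.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: a subset of the report's rows, copied in its row format.
SAMPLE_ROWS = """
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
FR 142.250.74.225:443 drive.usercontent.google.com tcp
FR 216.58.215.49:443 csp.withgoogle.com udp
US 8.8.8.8:53 225.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
"""

RESOLVER = "8.8.8.8"

# Assumption (editor's list, not the sandbox's): endpoints that return raw,
# user-uploaded file content and are therefore usable as a payload stage.
DOWNLOAD_HOSTS = {"raw.githubusercontent.com", "drive.usercontent.google.com"}


def parse_rows(text):
    """Split each 4-field row into a dict; anything else (headers, blanks) is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, name, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "name": name, "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """'215.156.26.20.in-addr.arpa' -> '20.26.156.215'; None for a normal hostname."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    return ".".join(reversed(octets))


def classify(row):
    """dns | ptr | quic | connect, judged from destination and protocol only."""
    if row["ip"] == RESOLVER and row["port"] == 53:
        return "ptr" if ptr_to_ip(row["name"]) else "dns"
    if row["proto"] == "udp" and row["port"] == 443:
        return "quic"          # UDP/443 is HTTP/3; the list does not show payloads
    return "connect"


def triage(text):
    rows = parse_rows(text)
    contacted_by_host = defaultdict(set)   # hostname -> IPs actually connected to
    ptr_ips = set()                        # IPs that some PTR row asked about
    for row in rows:
        kind = classify(row)
        if kind in ("connect", "quic"):
            contacted_by_host[row["name"]].add(row["ip"])
        elif kind == "ptr":
            ptr_ips.add(ptr_to_ip(row["name"]))
    contacted = {ip for ips in contacted_by_host.values() for ip in ips}
    return {
        # hosts worth pulling the HTTPS transcript for, if the sandbox captured it
        "download_hosts": sorted(h for h in contacted_by_host if h in DOWNLOAD_HOSTS),
        # PTR lookups for IPs that never appear as a connection destination
        "unmatched_ptr": sorted(ptr_ips - contacted, key=ipaddress.ip_address),
        "hosts": {h: sorted(ips) for h, ips in contacted_by_host.items()},
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for key in ("download_hosts", "unmatched_ptr"):
        print(f"{key}: {result[key]}")
    for host, ips in sorted(result["hosts"].items()):
        print(f"  {host}: {', '.join(ips)}")
```

Two caveats when reading the output. A host in download_hosts only says that user-hosted content was fetched over HTTPS; which request delivered the MZ/PE file the signatures report cannot be read from this list and needs the sandbox's HTTP capture or the dropped files below. The unmatched PTR rows (on the rows shown in this excerpt, the last three lookups, which reverse to 20.190.159.73, 52.140.118.28 and 20.189.173.4) may simply be lookups whose forward connections sit outside this excerpt, and the list does not say whether the sample, the OS or the sandbox tooling issued them.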

Files

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\fbca62dc-3623-4c72-b1fe-d010334d1539

MD5 86e2f2606de857abc9a7ec2c7042270c
SHA1 21795606a94e81772b8faec82102fb06fdf6d243
SHA256 d1dfc814d7b6c3af3fe29f960f23d75e84d478d307b948d910c13243c1b9b6f7
SHA512 f50a4ba9c7753073dbca52fd9dacf7bd5c216ae138167fea0f09572815fbc43877461234c0774740cc9fcaba5aef3fe182dc6ef8e11c01cc9de3d2cadcdc0043

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\e71d00c4-6bb8-418a-8653-b3c56dd92382

MD5 3064bffd37df669839b6179f72f1432c
SHA1 cf89750a5e6cc049a814348a41ca7b13baa75558
SHA256 e14e6c8af272e377d78ff6b00dc12a458ff906e1e1ef1dcf055dadaf743c013c
SHA512 de02ccf5237d982d6603659ccf155434d084c53f892fe018edb3fe4fecfd06c4e6b6647032406be6874d28cbf6b40d72a33d7fbb0152b40a30ad597156217564

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.tmp

MD5 e0951b4ed3fa62123df518d3d253b039
SHA1 5ec93d3f0fc5eb6ae3198de797502630c74cf0c0
SHA256 a999b3d14c6ce34bff2638f90d827a6025a10c066f84b8eb4b6d5d5dcf1a22aa
SHA512 cd1e0f0acc6cd60e23337ea95d7c96a9cba1404c314883e802f1ed25cd596ae5b449b2bd4f70dfa4710d889114a38a7d2e15b122b89b4b7a9845a09d0998b296

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\activity-stream.discovery_stream.json

MD5 d9d65953f324c8d3cb940aad925c755a
SHA1 f0854c170ee876d8f7b44c9951e6f6daa32d3d88
SHA256 16229971d4597cc36893358aba6f5f3b2d4e1de218f4b02569fd3a57f7e2f34a
SHA512 164f75d8feb8b59c7440bcfb509858857a64aab90ff3bd766c1c194a71bf933c50be18fb0a069accce0048b0f25e0a2204b2d7f2c512f322939ccb2669b9229e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\008641f9-b336-4867-8235-402f196b40dd

MD5 80a3c9fe4239eb3b1d53d47cf54f39e0
SHA1 1e441c36ce6320733c86b1ec09ccabb6bea60872
SHA256 5128038b783627049044c8c6fd20a0bde17e615c88eafe8e70080d9a2daafd04
SHA512 d26ef4515f23abc42d85b3f3101b27c3c4622893a4fdc12511ea7115f56b409c6a689b874c39ddecc71d4397c2df77a2e519fced9ab60b0d1502674ac737be81

C:\Users\Admin\Downloads\IhjFYQZl.weathersandbox.part

MD5 c229aa159dce2877a55cd579ac8edfcf
SHA1 6898ef0910f8c346ebcbbdbf840a4198fdd69339
SHA256 3d21905f6d25412c3dd3862a9d00e2f0a26631ea061fea39ec8ceaa61a468ac2
SHA512 12aa38200fd667e05bd53a963d89f06fdd1ea00e9edb55f18a1cb414e11e73626c97fa778b2b7f76803956d94abc3e813ebd5fa614012c298bd46b99b2d11e6f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\AlternateServices.bin

MD5 4cea105199fcd5ca210b36d9ac860e02
SHA1 ac1e743f231a36daa56343d492f2e1367dc6e729
SHA256 b357b3fde260a6e99076862128e9126b509bfad11e4d40848349d1fc48e50f05
SHA512 36d64819989fa772db74a52ec5b47336ee26f3eecb37489c99235c9340b73cd6a3fe52d6ad984cc8934ca460d2e019602559efe0538f245c385d98d955da81cb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs.js

MD5 cb625cba421d6277f5f109d0692f0f26
SHA1 4e765c8f80dc273c2c189842ca1b6317eb3de225
SHA256 288d4ac1bac9eacf28d22255520d5269374b31e257fda093e2e5d8cb34690282
SHA512 c802e58a2049b0e01ced6ad7b1932823e685861eee1bddae2486a807030d3534bbc3204522f12c115c6e70c06d00e9a8e0b3f2bedd93a165852a867a7ca9e0fb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\AlternateServices.bin

MD5 412d46b6fb9076b46f6855ade62b7b14
SHA1 674088f4d360e170b76c5a15a5eae4606b8715cc
SHA256 c7f80f011f475097a923a7fba53bc2895a3e8d3b1a10a928e8537fafdb4d81ca
SHA512 6b51a9552b37721d35221219232cc82e95a4b09c6aa7bd6abb00ee94e4255394d3a34a6745774293a00bd6a58ab63460993374e9645e4bab05db6c8e59e890af

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 96c542dec016d9ec1ecc4dddfcbaac66
SHA1 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512 cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs.js

MD5 a104f516c31c597a3b0cad2c74d40bd9
SHA1 8564a93b3b948a6e4fac45a6c559ffee14681924
SHA256 028b287bc05988386d2de838fa26a765d9d5f81645ddac677b83b706e6b98923
SHA512 285b576850ddfffde654f5bedbb3cfa8f30263012a875e4ddbdb1f2bbfec5e9e8c99f06146a5602778484c9c79010afd563090120c3c3714b151066274bd4879

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs-1.js

MD5 b2c5ae020842b7b64c9155e5360d1abe
SHA1 8ed1bb1a07d3ec11d0b0226f8e271e8162183ad8
SHA256 fa598b40ece16e64b2c448056e64b48877c9bacc9b4a460e5e2d8fd1dc1ad009
SHA512 459140647834d8eb66cab090e2ae996b23ba072bf10356b2618d329cfb04835b3e1b36cbc6f6c7c580c17872487b7ae86c8e6a91d699cebbd31c589af2a1dc88

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\places.sqlite

MD5 b8f18e5859cf8380e763f7accdea5473
SHA1 82402430dd2e2b5e973a17574d2349f12831a182
SHA256 8751d5fdd06ef7d563915535411a456e460e05dadf83eb38668d33047a87bbdb
SHA512 671037e65effedcfa6cd23fc0cc6e4b27639aa5d2d037e271d625f28b715aafb275fe2c394349b5b73b053ee5440df06f4eec84287482a31825bec3dfe276fa8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\places.sqlite-wal

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\sessionstore.jsonlz4

MD5 13c485264883bdff23b05c5f1f36643f
SHA1 7b543a35f01f57c07993d6f1702a03d5f9741995
SHA256 70726fa78416f401a2ba5ad18399049e0428764bf4ba2d7f19133a62e758ac7f
SHA512 5f80028d2326b52feb749e3e9bf53a0e462fd4fb32abe27203d0664dce48c4c0529895c6a4aba309a96ce7fb781c56f308d3a9824f8ef2eab72c02a0f9528ae6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\sessionCheckpoints.json

MD5 948a7403e323297c6bb8a5c791b42866
SHA1 88a555717e8a4a33eccfb7d47a2a4aa31038f9c0
SHA256 2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e
SHA512 17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs.js

MD5 3359d593aa449ffa035d5a15db3cd33d
SHA1 6c3fb6a3908be14eec18c969e98d08326a4368da
SHA256 6d457864b782b076bc6748bafbd6a9fdeeb85b289d9464a3fb3ee6a115da97f8
SHA512 cf5e081a902572fbd5db1d5ad1f9068ec0ada99fa83110bd9dca5f4ed4a81f4325c3fe38617ed05e8b6aa2c93f1834c583bde7a3d4d2979128d895ba5438b579

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\content-prefs.sqlite

MD5 b5acd9cf58ba89e643e7b2e839e0707e
SHA1 82c2b9cbea4acb50b446b786818287be7b0b8b61
SHA256 4d4fd87f1cdccc9f826ab7de2b3980db6fe4ed328f079ceb24f680557da9667e
SHA512 1fdaf5173a2fa956e3793b3643b44d928a4c81a1599bdf4b057396bfca5948ce1097194dbb5f528959c8cf4e34d058922828236c6060b41510e9ea2cb9ed424b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.bin

MD5 81afd74b8393aaa4a7af4a0f9dc3a4bf
SHA1 f56e2dbb3506d338f2b6e417ece5de2a8e0fcf85
SHA256 3b37f7e8810229cb1cf298ec0ab79622e27d585124ed30c5e5f36ea7ae5e7c7e
SHA512 9f3433b947e27448765d28808e5d7bbb50f32f531fc2adaf2c1e81834ed2e58ece7024be3e6b21c3b8c52e502833e768d60368ad48b57a8d0c659cfcae82f755

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\events\events

MD5 defbf00981795a992d85fe5a8925f8af
SHA1 796910412264ffafc35a3402f2fc1d24236a7752
SHA256 db353ec3ecd2bb41dfbe5ed16f68c12da844ff82762b386c8899601d1f61031d
SHA512 d01df9cab58abf22ff765736053f79f42e35153e6984c62a375eb4d184c52f233423bb759a52c8eed249a6625d5b984a575ca4d7bf3a0ed72fc447b547e4f20a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\SiteSecurityServiceState.bin

MD5 b2f5761281e78e5c83a2525d48e91800
SHA1 8530e9b6c2bfbf25129655fa36b90bcb99c0a749
SHA256 678bcaa68553cb004238a7bae4fe48bd6db8d36cb80b70bf03db1b73fb043a4e
SHA512 3219b2445397109ee29383fcd960997b1c5e506f8fdb1f75be7066532c97b656fa52ba2ce80490f7cf2bb4cbb9087ee73acddac4c1178c8caa1d810b83bc8ec1

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\startupCache\webext.sc.lz4

MD5 126798c0032616f45514340eaa10b994
SHA1 28ca874474684703dbb643a444d7417c9f80de8f
SHA256 1dad14abc4eeedec39933cd0b58782f4963d8490f3447dfc2c1ba9bfab765fe9
SHA512 a8c7eebbf3d1aa828475b5d4ce37de8abe257d5195f9f043ea82e24f957f9d3d74649377c35cb11b1f5a9f2b23fb66bd864e3fce627a8c8aaae62b2a1d426712

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\startupCache\urlCache.bin

MD5 f0bc0772d1e5c2c45fa49dd20f37f49d
SHA1 30ac599faf9ed692d34ec28d087b6f28dbb7a201
SHA256 64d95ec8235cdc8f12481250a6cc59e3d5b929100d4afb8ad1bd2690a1522c37
SHA512 fa4ce4ca41d3c600e3742493df23ec27de744f7dad6b1084677a4f04e6e4555cb211070c2ac4f17fce9ce119242ac0b86921f88ad2a40a82e6fc2b4102cd6269

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\startupCache\scriptCache.bin

MD5 170b7b37fe29fad9bfcfa7c1c088f224
SHA1 9ba31b560ef0a82af19a3bb42e81bdd99c70329c
SHA256 c96a8dccafb859585ae713cec98683dbbc9a67119ef5a3b3136f69765baf33e3
SHA512 261975e1cc65784da3ced5f744f3e09bd83bf3302b9ab84a8474e10d8feb15fea4fb7e2c7afce97e4b521b83f0a7000d62ecea7851ad2be0e58c1845b17b05fe

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\startupCache\scriptCache-child.bin

MD5 182245e2424abb1498c41041be3c7716
SHA1 324e21d1e74adbb55071c9df79892aece754fbeb
SHA256 42ff48fd0bc943147ca7ab52d3b46d1beeef06aaec775c33e302effdda976506
SHA512 f28def2b4ce4b8e5ca627904589717d3d5f9643b90cddcb979475c02d25a97cc30818e0c36184c8d83c3b74624a2e3f0745dddca67a0e7c37314baa86ebfb885

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308

MD5 7be5def353b8645332df2afc2a2cbb29
SHA1 57c45d0db3d4654b2e427aa6d0d428e61a77d71f
SHA256 6fc8fbefd1e78e984ba061ce304d9af20fc08f0489ba0243564483b9f0e7f37d
SHA512 01fb8f9e145e73476169277fd037e2909d1e8784e235b63caae87e8cbe19bb3bce819276d88f6ae83a97701ec2fa1ddf96944f0b9061e98df0a35aac9db74472

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\cache2\entries\D49E954446CEE917A204471518A37B68E94BF628

MD5 ed50d4d8f56b5c7ea73f15ddf30e079e
SHA1 a580175c866886da42569da5ee41bf127c18be84
SHA256 827f2d329f434ff6ef2469639a2f2d48de6a49933b2ca0256216463c84061851
SHA512 643026f0d88988c983a225b6b2790fc0a44064b31b84ec59881186deadcb7abf4aa85beb91903f48422e79e39eb0a44eec482071e15c0971c027eca7056ecdb0

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\cache2\entries\7BFCF32544F467F973AF267DF4EB4842EDED0C1F

MD5 99a8872d4cc58025081e840fb53a9fe5
SHA1 2dd6df08cd15436057abe90b59eff5f8102eaa5a
SHA256 2840fdb049fee6fea9b2a911a8c82271717152a68183b35fbec3069ed1b141ec
SHA512 20a13b660ba8c7d2f039c7109a4994f134e21456faa3181cd7a313f8585d5dd4967fc55a8a4ef685f080131b6775852823dfa798a637c65029ec119e13117643

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

MD5 355de9a8b519e1c0f24444c7baa17c8f
SHA1 45b7f607462b90e90319ebf3addea8ffe47dbebd
SHA256 354030d9a994f3157bf9c2ec955399b28d4ef5972075df04d4d6253fba522c19
SHA512 ee3ec58d3ee390d65350cd0ac006494838ca58d6f79c18c4f4dde24deb2af5bdfff2f7b30f307146a74f57a400357af99a81d808858b69d844e0ad82180972e2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\cache2\entries\37373F56CBD822F5FCF64BA01E1320A0924D8460

MD5 d44d3ca1497954f74f7e51be3a4e49ae
SHA1 972cb881af998d1aea04e1b14606ae5e16dca584
SHA256 ffc1cec33fb53132868e313d2c301de8da324d79d5f6a5f8811bb7cdd52e7ce8
SHA512 aa1bafd3e462fe20a6521222fa516bc2f471de70d924a02a39ac4a0bae5995adc318d283052684e258696ff15e068425df98d1d03c8dc74f4c100463ea60a099

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

MD5 9aae586f5731e90fb0dd1300633dc66c
SHA1 7240ef1e96b168690bbcbe30702d35886ec12f3a
SHA256 f4ecff25aaec5e772a8bf5f4e5b631575a250655ccbf85ae2f3f7288f7ed3133
SHA512 e3660e43df746a6aa632ae8bf7a6afcc1934e48bd12a7cfbbf8e3a146853d589410ab9fc5da8189259cb8dc47e9734cbf8d573f6f12063cd6c511915242eeb4a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\cache2\entries\0305BF7FE660AF5F32B4319E4C7EF7A7B70257A3

MD5 24997d11bb09b1579d16eeb3b5ee8362
SHA1 12be610107d1c5cc2fd9a07658f72863a8dca1e4
SHA256 37aeba4cc19ef266f9c95774273c01db71fbf02138626f2fff406ceaa8b7a939
SHA512 a9c2ab07999096161a1b9ee533bef041d15dfb0c6d7fee579f5bf51a0a1e736fc5a3f814a7bee3252dc715e25920ef6fb746789342355ecc33429b4e8da03f42

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\targeting.snapshot.json

MD5 646291e7869078bfb451e8c44da0dcea
SHA1 2041ece6addd461e0b181f47a818d9fa91c2366d
SHA256 caeb0b9b606f9f994f7021020ffd6de23ed68c87561d265ce3100471f24fe17f
SHA512 ffebc08ded9a3d7e1d739d3840461f1548fae8d32690c7c559d5d3ac6f9894ec66169b5e0ea88e04009038a33824d9ca630aead456510f3e8cd6c7114f9c921f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 66dc202f321d33e3a994f17e4fbef451
SHA1 131e2982593704c36439c4ea432b8ad1aeec2682
SHA256 9b586971d1ad031c8063c22cf1fd40a5b6710e78f9f0af5bd1e5b17a68c4abc9
SHA512 6087e220b27f4254e18a8a521b00aee6d3c820efb19ddbaf01dbdab31fb97954c6ee63fc5238d681aec24d079dbeeb8177111b19f3cefcf5c1926baf97a32411

C:\Users\Admin\Desktop\Old Firefox Data\6ir3v68x.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm

MD5 b7c14ec6110fa820ca6b65f5aec85911
SHA1 608eeb7488042453c9ca40f7e1398fc1a270f3f4
SHA256 fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb
SHA512 d8d75760f29b1e27ac9430bc4f4ffcec39f1590be5aef2bfb5a535850302e067c288ef59cf3b2c5751009a22a6957733f9f80fa18f2b0d33d90c068a3f08f3b0

C:\Users\Admin\Desktop\Old Firefox Data\6ir3v68x.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite

MD5 e64a92cd69822892c752f68affa36b57
SHA1 cacd157ba2efef4a0de409dac98ea6c8fe8ece27
SHA256 df58217d4a0a4bf8bad49c350bf345a03153752977208b3b3f62536b03b73170
SHA512 58f7255d4d65a5300a957f0603affc824bf8c460d21ce9a26d465a1f0ab4eb72fe26c17d8d44b314ca4335eb93624ae07aa37eb6c58217e387ab8feecdb3e02b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

MD5 de271fe0c12655104538234216a5a8b2
SHA1 3f5000611ea2c1aa95903273e1cd448f159a249d
SHA256 e6322108ba0dd65b18381482ffbc38212ea9923ddcaf58d3d81ff114cfa28f72
SHA512 eb3dc2f9ffc0741911ac3bbf9751e067d8bf759b217edd1aa9239eba9eb6a51bd9b9ae9c485b2db951ae8df205661b7917b53fbd5fc6298e7508edf7e66e6d50

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\protections.sqlite

MD5 d7e5433a87ae3a30de4ab9adc47023bf
SHA1 4edaec48083abd90bc532ba8dd015fe209b0e439
SHA256 c2da29c9c40900e9ae211f9083849b86355850faa503062d14ced549563f273e
SHA512 9b28c36dbe02dff99519fac684c8cb88b8a40b06454524ebf79e576bd22cd94ae0eabb2655aba32bc118767f645d4e12da06764ca5d73c4e42fc2c2e0c343961

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\xulstore.json

MD5 3c7edbdeecdb47fba617e3d03c36b0d3
SHA1 53628ce8c5170810fabafab8e001bfd971d47825
SHA256 c3db6f2519b071b7441022f9ed508b0da5ba40295be0ee449a27bd6146595d04
SHA512 bbf56ea374114173f7de198cd71ac6e75276b0f30926c6690db512f45ac2e54d099d990c285578f702696494d2884d8550e5dddadeee01077933034ac3817842

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dopz0zdo.default-release-1735320105822\sessionCheckpoints.json

MD5 ea8b62857dfdbd3d0be7d7e4a954ec9a
SHA1 b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a
SHA256 792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da
SHA512 076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dopz0zdo.default-release-1735320105822\prefs.js

MD5 3df508784804ed9673973a58826fd607
SHA1 04483d8d484e527fbf956313adadb9de8f6206b2
SHA256 aa56122fa8f37922711ff1de01c47cb2ed898750dbed54a12e86da6944300f85
SHA512 cde7101934309ec21d67c9bc4b6c9b898e748a48cc76505162984fea95b1af8bc7f346d240d4ee581211fc1158cf302e709ae43d163001c790237c101e574e41

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dopz0zdo.default-release-1735320105822\sessionCheckpoints.json

MD5 c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA1 5942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA256 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA512 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dopz0zdo.default-release-1735320105822\key4.db

MD5 3e92cba80956f0b249c06eabd105c5e3
SHA1 fefcfa15e05d93cde098b3abbfb5e32f096c0872
SHA256 9c8415646e8eecb8bccb4ab2b9672485468a8d77b5d2a26be8421cf38100140e
SHA512 e7a4e56fb36f852e8faeb48cba6203f3c040b9d82a8e42bd2c53c16cbf12ca4d86456d2706a812f8ce7ccee9594eac0e91eab0a55598825a7a34198de92dfb7a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dopz0zdo.default-release-1735320105822\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 63038e1eb5ded9e9180b84ce2d85657a
SHA1 f4a8586926e004690f1981636aacf4dc09f6bfc0
SHA256 f500bdc59cc3ad0ee18447d5ceb262e73e4fd1147987d89150e295cd9cc7c212
SHA512 ccb165fe3adc977bbc1e703af3ef5181ba52b21a04181f1cbd90fc1333144d3dc74c6f9e3f51b1c2cc57f85c634da2bae8a6db72ab955e155f875548115b0bf2

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json

MD5 7d1d7e1db5d8d862de24415d9ec9aca4
SHA1 f4cdc5511c299005e775dc602e611b9c67a97c78
SHA256 ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda
SHA512 1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dopz0zdo.default-release-1735320105822\datareporting\glean\db\data.safe.tmp

MD5 22964538ba87a318fb244aba78b852a7
SHA1 e2f43caaaa3fe0ecee7e93b5d859fba749349267
SHA256 f7fa1e08708e3603d5645f46d988f5b4ef2657ab8ef3f966452a650fe214732a
SHA512 80b4e100f2b11cb258a45bcc2fa8550c51b14fbc147eaa6be22ba2fcb4c2a4b461e7517282a207e0831a75d15b8c0813406b2cc8f5a0afe7b7b655e57b2765f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dopz0zdo.default-release-1735320105822\datareporting\glean\pending_pings\fdd8b4ef-adde-4d16-b61d-8a8de2e02087

MD5 08edbdb8d3cf2d1b2a9bf7137f78df8f
SHA1 9e9622a419c121546f121f0d2cab5098241d09f4
SHA256 06487e1769bfd748d90048f02df539106657e8eedd2c5cc88a97682b6f2c0502
SHA512 13f183c1d94c96efdf7de264cbee5f41541248ab6515a619841319d2bad7e3d16648a978be3276605e1b111112a1237a786ea5b4341e3dcc8490c90da94da630

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dopz0zdo.default-release-1735320105822\datareporting\glean\db\data.safe.tmp

MD5 7c3848621e310c63ff95489a18169f17
SHA1 0e359a581e6d612a4827a85c5f8c1f0b65ee51a7
SHA256 2082c5954b30429f590c1131c2ec5743032a6d869f4e056d31537e9082d25617
SHA512 ee9e707f71935f3868b06d3337edda3e779eb5b72b215a254c78659ba78fc92227117dc63fd5b85a4b73d76971a4754b13ba29002d79d917af94e9734fa1ed06

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dopz0zdo.default-release-1735320105822\datareporting\glean\db\data.safe.tmp

MD5 e48c5b26ec9d4a4d1c8c9fb957321b4b
SHA1 2435befa4b1750899fcec5a1522faacb2129a82d
SHA256 f30e252a22dae8d15ac73ca3db6f1581bd97078396599e3115494aec4be8315e
SHA512 c54c339d9b79f1caa55e5460b7234a7d776c3834cd18af2907af7f79f1ab33ffedfadfb5919bc3a73ac09a364c1ab7f94b1c5ec4d378c097cb62bb9b3cd7b062

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dopz0zdo.default-release-1735320105822\datareporting\glean\db\data.safe.tmp

MD5 cf2babf8a2968fc66fa9df80ba7a8f7c
SHA1 cd38ae10a6bb82c24ace536774f1ad10195e627c
SHA256 c81c34c9cb56de5d3768dcde0458ee19ec7d073313c9705f8c029218d047fd30
SHA512 19bb1ddd2c08757ff5cdac8bdc4de22a1186e7906feade5c4ccc71eb5c972a1f0e307f292415a6467aa21a6ceaadc1fe19bfed0d18a50ae03e6871b6dd5ac864

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dopz0zdo.default-release-1735320105822\extensions.json

MD5 eabec3b410b3d1b2e40089cff529cdf3
SHA1 e0b0b6a9deeba887def44165c99c64a4d3ecd06c
SHA256 92e1c525bcf4561dea364ece3074be947d083d49c4bb161baa9014503b9c0b6f
SHA512 92c48e442b37bd6d1832cc2935a4a20b54cebb72c3474230fb75e7b5a45014ff9952ac898eb4a07f5710dc1df05ea6174420f3e8280a07313b49ccc4b566a345

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dopz0zdo.default-release-1735320105822\prefs.js

MD5 72054ac41319794a15c8e1b49d18b096
SHA1 ef1817a3235549a30bd8b09775ec84f81acc9ea2
SHA256 5a702ef0814807cb4a64d4083a747d0cdc674257b834e22d8e75eaa01d06273d
SHA512 f407a9cf9d5f1dfd0abf1b9147c653bc23fa44cc08396afe7615807fffeceac5a6cfcb2360019750ceb1265dc95462d1f7a137bb7b344f5cb4de9213dff66c05

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dopz0zdo.default-release-1735320105822\startupCache\webext.sc.lz4

MD5 c960781e0420a90baf5cb92db4715bd8
SHA1 7defed1e4268848abf4547e06a4c278485619b67
SHA256 fb0430aa6dcaadb09ce0727fa31e8465f6d9e4dcede5aee9d690dde984dd777a
SHA512 3c71d285e0200fcaeb92d1fb083d1a0d62a0492029dc83c66afe7cb10b1e69e6cb948e855d5a9ebd58e62685b4fe889879f9672ef2dde7ddd26df86206506b98

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dopz0zdo.default-release-1735320105822\prefs-1.js

MD5 57205033231a0c993593e38c901b6a7b
SHA1 04f32188eaa5eb4c569f8eecc1deeb9880b54643
SHA256 1318aa201274451d7f0d157631f97515577c78e0d74884149cda9b136f71ac44
SHA512 77603393d31249346b8b321eac85502ac7f6616e6a2193fc6ee3744df274f64fabcd459867b3963a82fce3d7c4292c511604150d37317d7b1d15e1e846eeddc5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dopz0zdo.default-release-1735320105822\AlternateServices.bin

MD5 58394f455f3745e722fd3f75cbe6f670
SHA1 964b251ee1882c07efce73b29b5d77e7e875abb5
SHA256 5283194a18f1263c5ef4103a2eb5e257b83646b796b5ac81961b89167960240d
SHA512 4ae388149a3d427586222aaa96c26e3f0d7e789b798d04c1d4288e2208804ae66add296440f18f08d579da92e7ce27eac0bb66d93ed18892e996087c46eb86f4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dopz0zdo.default-release-1735320105822\sessionstore-backups\previous.jsonlz4

MD5 a5094cfe1bc6359cfa3a70b759853585
SHA1 2881874b277a6fe7db79075b10a1c36a0a7009d0
SHA256 b569a236a50e50b3c4a916d99c788ebe991ccf308470310499bf6d449ef0ba7d
SHA512 f802e4d63d99b7efa3bb9cbe3f2443bc3a6ea3239f229e809247e07282d7a440d5ff8be89df67d4bf5ab9ea48203eae9599e63b10e968ab0b2586a995386f50d

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dopz0zdo.default-release-1735320105822\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dopz0zdo.default-release-1735320105822\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dopz0zdo.default-release-1735320105822\prefs-1.js

MD5 77ccd895f1135a3aaea3e6baf7b7d72b
SHA1 a09aa81b819b82c48c078ff0abca13ac5758b9ed
SHA256 3c629a1f5774ccf7dcfebf2c47d24d5f0ce2b6e166fbb17a9608491d0656d9ee
SHA512 6a674e9efd7689e68acc43ad729a28c509b2c232087f14d5ff1f897f0272e633cac50b4111fd28a8cecb6f781a4c32edfbeb293329b9c8286144ef950d28a2d6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dopz0zdo.default-release-1735320105822\sessionstore-backups\recovery.baklz4

MD5 b21d0501be23aaa5cd03c8fabc470349
SHA1 2c1ed5baf89024f1972a494a3343a536a51080c9
SHA256 e543ac215dfcf954bb725edee07d1712fde3fc32f42c50a854b47b006362de92
SHA512 24ad9febb8947d6139498fd7bff96b59a6c0161e9e832db54c90e50a9901f4bd3b219f65b89e04c8fe0d330796692529b5c19a3d0630f087fe56177ea364339d

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dopz0zdo.default-release-1735320105822\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dopz0zdo.default-release-1735320105822\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dopz0zdo.default-release-1735320105822\sessionstore-backups\recovery.baklz4

MD5 b754d650bb2d5373e6cb8b3ce037daf6
SHA1 96de76acf9951dd2a6297b577a31f140ed4c8d48
SHA256 b59209682a33a9a898d557d3be48f7e67b474ba038957b80b9e89026d8382a60
SHA512 2649eed32d6b2d87e3183ef8dc862c2e317c770c71b32243d27d1ccecf901a4576fd4b76c583f3da930e19d1bc493ddd4f0e504a93b11fca34dd023bd338fac1

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dopz0zdo.default-release-1735320105822\cache2\entries\4A659374F8162DE9561EA239DEEFEF98343DF04A

MD5 b0e80538c26d11d4ff3b8a0804737c79
SHA1 ffcf9ff71d223081094830e1ab9e748e8b80ff48
SHA256 b6fe170df3397b28d39e889a98cf614690ebc734e7def25d08df9060d806d21b
SHA512 f832eb0e46b9db85cccbda22c6091b6e39aad8d35cac30d30e58d17c4c7f14ab0323f6e23be2f0a17a1d703e74d17128968f2b2e298216ac62824c1a37bfad3e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dopz0zdo.default-release-1735320105822\sessionstore-backups\recovery.baklz4

MD5 a9da0ebb8ab582f0b227c24187ec0bb7
SHA1 292413a68db6b2fdd82a03e6d6dc667efbdef14f
SHA256 2e72c31ca0f73f8021ffdc36894aaf7c216a5701a56596729a04367c6fcbe9df
SHA512 0ef4c5018385281ecc770b34a64a3eff029e783a06c0d12d98c284cd4c833460209bc9832fca27605b84b94f0b29883324045d6f52f0e770a053475c57fae3cc

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-27 17:20

Reported: 2024-12-27 17:36

Platform: win11-20241007-en

Max time kernel: 444s

Max time network: 446s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Rain Sucked Up.weathersandbox"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Rain Sucked Up.weathersandbox"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

N/A