Analysis Overview
Threat Level: Known bad
The file https://github.com/Da2dalus/The-MALWARE-Repo was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Downloads MZ/PE file
Disables Task Manager via registry modification
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Modifies WinLogon
Legitimate hosting services abused for malware hosting/C2
Enumerates connected drives
Sets desktop wallpaper using registry
Enumerates physical storage devices
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
NTFS ADS
Suspicious behavior: EnumeratesProcesses
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-02 02:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 02:40
Reported
2024-03-02 02:52
Platform
win11-20240221-en
Max time kernel
688s
Max time network
707s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\wscript.exe | N/A |
Disables Task Manager via registry modification
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\MrsMajor3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F580.tmp\eulascr.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\000.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F580.tmp\eulascr.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\M: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\N: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\O: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\A: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\H: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\I: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\S: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\T: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\U: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\W: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\E: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\G: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\L: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\P: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\X: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\B: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\J: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\K: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\R: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\V: | C:\Users\Admin\Downloads\000.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" | C:\Users\Admin\Downloads\000.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Control Panel\Desktop\Wallpaper | C:\Users\Admin\Downloads\000.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon | C:\Users\Admin\Downloads\000.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile | C:\Users\Admin\Downloads\000.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico" | C:\Users\Admin\Downloads\000.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3084248216-1643706459-906455512-1000\{DD63677C-BF2F-4B76-9C0F-D6A9C4D43A38} | C:\Users\Admin\Downloads\000.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\000.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 278809.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 942188.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\MrsMajor2.0.7z:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F580.tmp\eulascr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\Downloads\000.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\Downloads\000.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\Downloads\000.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\Downloads\000.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\MrsMajor3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\000.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\000.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\system32\wscript.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\wscript.exe | N/A |
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffae2d13cb8,0x7ffae2d13cc8,0x7ffae2d13cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,8152981513306111614,4284545199670082354,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,8152981513306111614,4284545199670082354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,8152981513306111614,4284545199670082354,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8152981513306111614,4284545199670082354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8152981513306111614,4284545199670082354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,8152981513306111614,4284545199670082354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8152981513306111614,4284545199670082354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8152981513306111614,4284545199670082354,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8152981513306111614,4284545199670082354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8152981513306111614,4284545199670082354,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,8152981513306111614,4284545199670082354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,8152981513306111614,4284545199670082354,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2340 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8152981513306111614,4284545199670082354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,8152981513306111614,4284545199670082354,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3420 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8152981513306111614,4284545199670082354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,8152981513306111614,4284545199670082354,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6192 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8152981513306111614,4284545199670082354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,8152981513306111614,4284545199670082354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6372 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,8152981513306111614,4284545199670082354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6260 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,8152981513306111614,4284545199670082354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 /prefetch:8
C:\Users\Admin\Downloads\MrsMajor3.0.exe
"C:\Users\Admin\Downloads\MrsMajor3.0.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\F580.tmp\F581.tmp\F582.vbs //Nologo
C:\Users\Admin\AppData\Local\Temp\F580.tmp\eulascr.exe
"C:\Users\Admin\AppData\Local\Temp\F580.tmp\eulascr.exe"
C:\Users\Admin\Downloads\000.exe
"C:\Users\Admin\Downloads\000.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' set FullName='UR NEXT'
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' rename 'UR NEXT'
C:\Windows\SysWOW64\shutdown.exe
shutdown /f /r /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a30855 /state1:0x41c64e6d
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8152981513306111614,4284545199670082354,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 140.82.114.22:443 | collector.github.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| DE | 140.82.121.6:443 | api.github.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.5:443 | api.github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 140.82.113.21:443 | collector.github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.5:443 | api.github.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| DE | 140.82.121.6:443 | api.github.com | tcp |
| US | 140.82.114.22:443 | collector.github.com | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 7c194bbd45fc5d3714e8db77e01ac25a |
| SHA1 | e758434417035cccc8891d516854afb4141dd72a |
| SHA256 | 253f8f4a60bdf1763526998865311c1f02085388892f14e94f858c50bf6e53c3 |
| SHA512 | aca42768dcc4334e49cd6295bd563c797b11523f4405cd5b4aeb41dec9379d155ae241ce937ec55063ecbf82136154e4dc5065afb78d18b42af86829bac6900d |
\??\pipe\LOCAL\crashpad_1184_DWCYVECZUUFFKDRA
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | caaacbd78b8e7ebc636ff19241b2b13d |
| SHA1 | 4435edc68c0594ebb8b0aa84b769d566ad913bc8 |
| SHA256 | 989cc6f5cdc43f7bac8f6bc10624a47d46cbc366c671c495c6900eabc5276f7a |
| SHA512 | c668a938bef9bbe432af676004beb1ae9c06f1ba2f154d1973e691a892cb39c345b12265b5996127efff3258ebba333847df09238f69e95f2f35879b5db7b7fc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 39a023e8f4e542eb65d0cc47b3d9bd83 |
| SHA1 | c75cd8d36d7454482099ccb7006091cfd6199962 |
| SHA256 | 49133c7ac0abba47e86092e5aec27e515467057e1205422807094fe36a579529 |
| SHA512 | c047d648d968825135a6545e2aa2b29af38a01ed36487c8ef66caacb2313ca17eb3cbaba54f9b14b245632781b15238dacae4b7c017869bf934710385e6ed81d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 043b855295333c06ea0e3162d036d174 |
| SHA1 | deccd7320b46d9f756106ef3a6b0dd633861e077 |
| SHA256 | f9d3d6dd20eecdf9be085ffdb1f86b7918119f1f894340bebc151d12cc7f7a90 |
| SHA512 | 03bdc283ddab10a04da2b0a18113e8909dc5dc522563f478cbbb35d3e8ade0ece430b25c719fd22d3141d407b6ecfb52e45adaebbac29a654fec404beceaebb4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 023c16c69fbc994c830c90b52625f0c1 |
| SHA1 | 9ca7676652ddafe7d2a58d26846e3cbbda28b2db |
| SHA256 | d4247cc78488d32b0c0213c608d0e8f98e8c19b75a36e6e42c0f6940452095b8 |
| SHA512 | 3a1c415201423b221c5ffef12c855bffde48b693f364357db88b259caaa6d53f29ee506f29212de9fb5810ccbfdd256f7b7849158105ebd418fac687133fd674 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 8debc50e5347633dc6478e640b5c01be |
| SHA1 | 1cffbacfcb8ff4b28ece1ffe043fab2d6ce844d8 |
| SHA256 | b81042da970660a3c7a276cae0bf8e3f28c0e8fe5bdf330f2d9b9e7aef350b97 |
| SHA512 | b7df2555aaa40784488ee61d078937b92d4fdbf8e69dd6ae56cb015cfb1b81e625b225428e403b2af028a7852563e4e6b04b2ea1b9a604ae0d33576896598770 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 21b31e13878cad4219c0155487acd3d4 |
| SHA1 | de2d869b9734432c45903e19b030e1b92339e3b1 |
| SHA256 | 5b105f856e723134813ea2cd576bdb6105e50424c2f72ad3a0ec69d99731dc1e |
| SHA512 | 39bbacf5e2c4937475a201ccd598cabb3436ebfaa36588823c4f18e651b1e6a40c332a1e3e4a8bbee313e418d4b0fb01df7f3a74a30c33efa0683101fcf620ae |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | f38fca2961e765aa9d5beba10f67cc92 |
| SHA1 | 21fd418777098c4381249b38e69c3771b1d50de4 |
| SHA256 | aba239b7806d3e6dd18008081fb9153bca06fc5ffa5d7762663d8a97fe7a70af |
| SHA512 | 1f696d17080e7bbf73f5e066d57bba7d3fd7fc9d4e114eea4cee8fdc1b751a603d3d71d9cbe5cbed15584eca4c6e446cfef973a3fd994d70e553ad7c50a72624 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58fda5.TMP
| MD5 | fd30596b42617d46c06fd6fa08cff8b1 |
| SHA1 | 29b5a473cdae537d943f9fa6c6e5f0c1a9959428 |
| SHA256 | 8aae6ea068bec1e2b52148ded9ebbb769a689008d777c37c415e69947a20cbdd |
| SHA512 | 9614c9a80fe4fcca68eb90fc5f22bf3fc16ccca6011e43581790eaaff6a613e4bf68211e54fed35f786d4d30e874950e093c049754ccad79dcecd83fa822c298 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | b62a60c2b8eced1599a284d7b1b666a9 |
| SHA1 | 11f4a992538400a510ce91e4b181d4f8efcc9113 |
| SHA256 | a59e52675341bae550658a8e20d5bcfbefc88100d236ec67c3cb0a63dffbda0d |
| SHA512 | e60c2f7973a8c6ef304300513d6d267641f2189e82de2123688fb10488b7be35233086a4accb2f68c85d696c90c453f4b7a1c61a3be96c98dfd3631421408361 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 02563a62bef94d3d2634c5cfa2a1a39e |
| SHA1 | 6c0647c1860aeaafa8cf2d4c6e3683039a7b683a |
| SHA256 | 238cebd38709b34246bcde996ebdac4a59362c4641a3495128a84e410b140dda |
| SHA512 | eb2b532269fad2b9284d473061f5cfaaa2648194d75b70b3fcd07dcca4c039d800b442c8c97096f44768f43b3aaf1f8eae674733f37a2eed820338987b526709 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 661a83bd434079e3b76bbd447dcca84f |
| SHA1 | b7985aff5a16b4f91c2e330c14ddb35ee22696b7 |
| SHA256 | 606b51d97290f2c598024d7412539aa6ecc5b2f2876c7f5f9eb4a73369740e9c |
| SHA512 | 5737c72eaefa9e9f47353f3b35fd95a2604c69608bcfbd1a3ee942f9f576897c39d59d59e4fdb8c2de6ee1953f39eb0e138b889861aa69eb0a0e5b06b9796eb6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 2af1027eb492ba125c147b18bfdd96a0 |
| SHA1 | ed657aa471c980ef1ac77ec255d2f697962c48ee |
| SHA256 | 3e812feee34270249db8d6228c5b0048155d89f14d2fa689c4408b3387ba7da2 |
| SHA512 | fba8470357583fd5873c99571a3026eea8ac7a195b3e4ea443e4fa2b76f5a4113353febcb2dd95256ecaffffed7502c22cde78f51a1dcb962b4f00e7e9a2da99 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 575c3e4aa4cec303e51663036b6f1588 |
| SHA1 | d511fd0d97ec3e6c8c22166f22ee905ad7ebf189 |
| SHA256 | 9d76a4761a55301b36a307893c9ac9cb192dd2ced394894f80b4d71c07377b47 |
| SHA512 | e1f55bc21c6ea613c4af7a97ae6f5ab7eba8905acd7e6a31807439eaa33536a8549526e9b6fec9bc21adb5a59179dcde494d0966d7edf72749ffddbf833a73b9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 1ed5887f91a06e912d58887b3adfd951 |
| SHA1 | 8d5384a18f0bd9d8644373853abb494bae603911 |
| SHA256 | e9287cd27e70dfb678a427e37373f894a83eef65b3167d00c03fcbf0ee108dcb |
| SHA512 | 55a567d79ba3b73ba337644c34a64f1927b4d14783894f4afbdff8827657d1e9332a71f8c9304de32937687720d5fb7a671e10b83e12c2334796a2f2762a423c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 002c7e5fdbcfe3209e64f5b474e421d8 |
| SHA1 | 0ddac6ad34bb89f5c4efaf6336d7ed9b8342bfc3 |
| SHA256 | 99dd8c2fcd780efa64bcc561f374851c516fc995a6b905501deb10fcbe4ebe42 |
| SHA512 | a8236dc2fa31c8d345dca99857084b7a0fd05d3eec8cbe8e9db1114508d04841c6e421763892f757262cf2252f89db2fdfa457e42c78cf971f9d6ee55ae0da7c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 8557e83f1332649377667bb43d10574d |
| SHA1 | 7640244c0029ae2b1f17f1b89ddb2b20501e267b |
| SHA256 | 8045c34d366e475037c1df42814be0682b39a3897b9d1e1e72006ec17655e741 |
| SHA512 | 230abb41a0313a084f186882d0612da49e4d9b472eb2c806f23fe57873b93fd7b83887a6428a6474fe00f249909f2f1039e6974385fa354c375937c48f5bbc45 |
C:\Users\Admin\Downloads\Unconfirmed 278809.crdownload
| MD5 | f2b7074e1543720a9a98fda660e02688 |
| SHA1 | 1029492c1a12789d8af78d54adcb921e24b9e5ca |
| SHA256 | 4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966 |
| SHA512 | 73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 3aa4f8d8842f9d1adb315f05a1ff97b6 |
| SHA1 | c123e9cbf0f876029a2406d6fab025ac80af279d |
| SHA256 | 585e3b534f1d0ed607243f2868469939fc5f4ab9f7fd027bfd0acac73484162a |
| SHA512 | f81db8cf79ecbaf50cd70851495a823d744b71eec9b99168dad3aabb31f75be6dc8dae369aa602ac2c4c8cc1f1370468a5dbf6b76b1852907d50f7a8daf4058f |
C:\Users\Admin\Downloads\Unconfirmed 942188.crdownload
| MD5 | 35a27d088cd5be278629fae37d464182 |
| SHA1 | d5a291fadead1f2a0cf35082012fe6f4bf22a3ab |
| SHA256 | 4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69 |
| SHA512 | eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 9f85680bc585f7722c71e867824b0c84 |
| SHA1 | 590801341032934b7eb78ab1581b566f8e399dc5 |
| SHA256 | 6ffff4df473f0b89b7be0cbc11b653594720c67cc1a20bfd39d107b074f92447 |
| SHA512 | 088910046b2b1f0217375f5ced0df51c0bd4f46f120771847905c300c1f9b555af88a2989233790f086716b1e2accdb5aab4ad4a491e870eb30fe107a278ced1 |
C:\Users\Admin\Downloads\Unconfirmed 157632.crdownload
| MD5 | 9f7bbb2fffc94ce46b5a01321077e2cd |
| SHA1 | b76625902193a1d6555049e910d41db978e77190 |
| SHA256 | 636bf7e2895d2ed29da91c5e330771e2d876e0a6094c37f14df79616a817efa6 |
| SHA512 | 2ae4e42c0de0442fcf81bec8960f7ee472d7ca1c15675131a17e76b311a6827f83c27fb75d61368297e1dc71c456be719c15dc4871693ca971461dbb238e334e |
C:\Users\Admin\Downloads\MrsMajor2.0.7z:Zone.Identifier
| MD5 | fbccf14d504b7b2dbcb5a5bda75bd93b |
| SHA1 | d59fc84cdd5217c6cf74785703655f78da6b582b |
| SHA256 | eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913 |
| SHA512 | aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 3d9f2b53aec87a874639840a41768938 |
| SHA1 | 860cd7fbedf4c75694b7c2244fb04b50bb942ec7 |
| SHA256 | 35a3703454cb5e8def051beffa2f74acc2c169b3ac468824fa3d1502edd9a743 |
| SHA512 | 2212cf40989cc03700135e063871878896016e9d22fb843dcd8dbbfac7db2896e7618b081f6e29b58b1665b3af0a8d81ca31cdf55a158a46a086574d743b8dbd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | be85a012866f82533b134a3e7c03581c |
| SHA1 | 8f361377763dc0f643a3c2746149ca5850c5d8c0 |
| SHA256 | 7c0534066657219aeecf9763515dbb8eeb5b0cc4509d25ed75d5347476f443a0 |
| SHA512 | 38aa3dc3c36a5319162d52fb0bdb7588dfa9fada5247c49ee53d870b7d928ea5be1387e176e8caf3dd6cad9b6975d432eae587c0103f8dffc56f17ef887ae621 |
C:\Users\Admin\AppData\Local\Temp\F580.tmp\F581.tmp\F582.vbs
| MD5 | 3b8696ecbb737aad2a763c4eaf62c247 |
| SHA1 | 4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5 |
| SHA256 | ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569 |
| SHA512 | 713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb |
C:\Users\Admin\AppData\Local\Temp\F580.tmp\eulascr.exe
| MD5 | 8b1c352450e480d9320fce5e6f2c8713 |
| SHA1 | d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a |
| SHA256 | 2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e |
| SHA512 | 2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc |
memory/2328-548-0x00000000009A0000-0x00000000009CA000-memory.dmp
memory/2328-549-0x00007FFACE600000-0x00007FFACF0C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll
| MD5 | 42b2c266e49a3acd346b91e3b0e638c0 |
| SHA1 | 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1 |
| SHA256 | adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29 |
| SHA512 | 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81 |
memory/2328-557-0x00007FFACCDF0000-0x00007FFACCF3F000-memory.dmp
memory/2328-550-0x000000001B760000-0x000000001B770000-memory.dmp
memory/2328-558-0x000000001B760000-0x000000001B770000-memory.dmp
memory/2328-559-0x000000001D330000-0x000000001D4F2000-memory.dmp
memory/2328-560-0x000000001DA30000-0x000000001DF58000-memory.dmp
memory/2328-562-0x00007FFACE600000-0x00007FFACF0C2000-memory.dmp
C:\Users\Admin\Downloads\000.exe
| MD5 | ed39d9b96eaa612fe0aacf530d507fb1 |
| SHA1 | 1b30c619c1aeba4d34915c06add1ac2c48aaeced |
| SHA256 | 058cded27b09b4629d1107839e204c229eb61740684f7381613e234822608706 |
| SHA512 | 114f8b8cf0e0596297766884fa107d052c3a89ca77db29e59f08639e410461e557d11f38eb3c9605c19060c70b8de1a3a36d80f6125727ed3fdabc1461887e7e |
C:\Users\Admin\Downloads\000.exe
| MD5 | afba5075b8160341dc97dc370476971e |
| SHA1 | 27bc8b7f9b8c55e3db2b5b0f4ce745760ccbcce7 |
| SHA256 | 0b674d008946b3c91ef4e07b59e69e39a973f8b4fe00e03468dbda3a05f88a92 |
| SHA512 | eb283b60a114da0c5a6b2f97d3402fb0d74b6a719957557f44e9f4c588994ad710b821cbf458bf5f6c89e0bb9a7b5d8b49d51faa96b5f414349ad3571686fdba |
memory/3260-565-0x0000000074CD0000-0x0000000075481000-memory.dmp
memory/3260-566-0x00000000004B0000-0x0000000000B5E000-memory.dmp
memory/3260-567-0x0000000005580000-0x0000000005590000-memory.dmp
memory/3260-568-0x0000000005D10000-0x00000000062B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\windl.bat
| MD5 | a9401e260d9856d1134692759d636e92 |
| SHA1 | 4141d3c60173741e14f36dfe41588bb2716d2867 |
| SHA256 | b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7 |
| SHA512 | 5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
memory/3260-586-0x000000000B910000-0x000000000B948000-memory.dmp
memory/3260-587-0x0000000009200000-0x000000000920E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rniw.exe
| MD5 | 9232120b6ff11d48a90069b25aa30abc |
| SHA1 | 97bb45f4076083fca037eee15d001fd284e53e47 |
| SHA256 | 70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be |
| SHA512 | b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877 |
memory/3260-593-0x000000000B900000-0x000000000B910000-memory.dmp
memory/3260-594-0x000000000B900000-0x000000000B910000-memory.dmp
memory/3260-595-0x000000000B900000-0x000000000B910000-memory.dmp
memory/3260-597-0x000000000B900000-0x000000000B910000-memory.dmp
memory/3260-598-0x000000000B900000-0x000000000B910000-memory.dmp
memory/3260-599-0x000000000BFB0000-0x000000000BFC0000-memory.dmp
memory/3260-600-0x000000000BFB0000-0x000000000BFC0000-memory.dmp
memory/3260-601-0x000000000B900000-0x000000000B910000-memory.dmp
memory/3260-604-0x000000000B900000-0x000000000B910000-memory.dmp
memory/3260-602-0x000000000BFB0000-0x000000000BFC0000-memory.dmp
memory/3260-605-0x000000000B900000-0x000000000B910000-memory.dmp
memory/3260-606-0x000000000BFB0000-0x000000000BFC0000-memory.dmp
memory/3260-607-0x000000000BFB0000-0x000000000BFC0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 64ba02774339081616c578cf8efcd84c |
| SHA1 | 7b7b29612e396245b13c652898a1b19c1dfe8292 |
| SHA256 | 86d02cc24b6e832bbcb6463c4dfc337784c4c8040555c291e299073c808e1bdc |
| SHA512 | 1a9ec8f6c4e22193a96a8b9f26600ed180d66dbc2d0bb00fbd99c29a737e5a5de5888c621837c6afd0f2c32e01ed02ab89e7d65ff4cc1685fd9bee0a1caa7db4 |
C:\Users\Admin\AppData\Local\Temp\text.txt
| MD5 | 9037ebf0a18a1c17537832bc73739109 |
| SHA1 | 1d951dedfa4c172a1aa1aae096cfb576c1fb1d60 |
| SHA256 | 38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48 |
| SHA512 | 4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f |
C:\Users\Admin\AppData\Local\Temp\one.rtf
| MD5 | 6fbd6ce25307749d6e0a66ebbc0264e7 |
| SHA1 | faee71e2eac4c03b96aabecde91336a6510fff60 |
| SHA256 | e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690 |
| SHA512 | 35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064 |
memory/3260-1254-0x0000000074CD0000-0x0000000075481000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | d77991af0e1a68f76634f361fe38c0e5 |
| SHA1 | 781b88e7248536464ee450213e4d267c308ab830 |
| SHA256 | ab9a72a23388e9c73c19f35ed0114affe3b6ed676bf8f8db6f01e6485d29d73e |
| SHA512 | 03b551a78799fa9b6fd455986952ce77b7cbfd104aaf03e92ba8ec2a0f9b700d9cc82872a3c2e1fd5eba9bd10f1c4784d9ae37834deff87f4494e387d0f8b8d2 |
memory/3260-1436-0x0000000005580000-0x0000000005590000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\v.mp4
| MD5 | d2774b188ab5dde3e2df5033a676a0b4 |
| SHA1 | 6e8f668cba211f1c3303e4947676f2fc9e4a1bcc |
| SHA256 | 95374cf300097872a546d89306374e7cf2676f7a8b4c70274245d2dccfc79443 |
| SHA512 | 3047a831ed9c8690b00763061807e98e15e9534ebc9499e3e5abb938199f9716c0e24a83a13291a8fd5b91a6598aeeef377d6793f6461fc0247ec4bbd901a131 |
memory/3260-1439-0x0000000005580000-0x0000000005590000-memory.dmp
memory/3260-1459-0x0000000074CD0000-0x0000000075481000-memory.dmp