Analysis Overview
SHA256
fd563cf7c0c862ab910cf558b5a123354b616e84902d277edf09f378ff6f9786
Threat Level: Known bad
The file b28242123ed2cf6000f0aa036844bd29 was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies WinLogon for persistence
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Downloads MZ/PE file
Obfuscated with Agile.Net obfuscator
Loads dropped DLL
Executes dropped EXE
Modifies system executable filetype association
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Unsigned PE
Program crash
Enumerates physical storage devices
NTFS ADS
System policy modification
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Control Panel
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-07 13:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-07 13:31
Reported
2024-03-07 13:36
Platform
win11-20240221-en
Max time kernel
232s
Max time network
240s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\mrsmajor\\Launcher.vbs\"" | C:\Windows\System32\wscript.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\wscript.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\System32\wscript.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1" | C:\Windows\System32\wscript.exe | N/A |
Disables Task Manager via registry modification
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\FlashKiller.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\BossDaMajor.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\MrsMajor3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B7E7.tmp\eulascr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B7E7.tmp\eulascr.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | C:\Windows\System32\wscript.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\G: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\unregmp2.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\mrsmajor\def_resource\@Tile@@.jpg | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\Icon_resource\SkullIco.ico | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\Launcher.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\MrsMjrGui.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\reStart.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\CPUUsage.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\default.txt | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\def_resource\creepysound.mp3 | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\def_resource\Skullcur.cur | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\Doll_patch.xml | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Program Files\mrsmajor\CPUUsage.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\def_resource\f11.mp4 | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\DreS_X.bat | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\WinLogon.bat | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\mrsmajorlauncher.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Program Files\mrsmajor\MrsMjrGuiLauncher.bat | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Downloads\FlashKiller.exe |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Control Panel\Cursors | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" | C:\Windows\System32\wscript.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "180" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-647252928-2816094679-1307623958-1000\{B12B204C-994A-4F42-BE9E-948CF9669662} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon | C:\Windows\System32\wscript.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\BossDaMajor.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\FlashKiller.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\B7E7.tmp\eulascr.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\shutdown.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\MrsMajor3.0.exe | N/A |
| N/A | N/A | C:\Windows\System32\PickerHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system | C:\Windows\System32\wscript.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\system32\wscript.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\wscript.exe | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2464 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3464 -ip 3464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 464
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4056 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5044 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5860 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2992 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2832 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3416 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6280 /prefetch:8
C:\Users\Admin\Downloads\FlashKiller.exe
"C:\Users\Admin\Downloads\FlashKiller.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1660 -ip 1660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 256
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6860 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6812 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2760 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1264 /prefetch:8
C:\Users\Admin\Downloads\BossDaMajor.exe
"C:\Users\Admin\Downloads\BossDaMajor.exe"
C:\Users\Admin\Downloads\MrsMajor3.0.exe
"C:\Users\Admin\Downloads\MrsMajor3.0.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\B7E7.tmp\B7E8.tmp\B7E9.vbs //Nologo
C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\B0F2.tmp\B0F3.vbs
C:\Users\Admin\AppData\Local\Temp\B7E7.tmp\eulascr.exe
"C:\Users\Admin\AppData\Local\Temp\B7E7.tmp\eulascr.exe"
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Program files\mrsmajor\mrsmajorlauncher.vbs" RunAsAdministrator
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"
C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" -r -t 03
C:\Windows\System32\PickerHost.exe
C:\Windows\System32\PickerHost.exe -Embedding
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39c7855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.110.86.104.in-addr.arpa | udp |
| GB | 2.16.34.48:443 | | tcp |
| AU | 40.79.167.8:443 | browser.pipe.aria.microsoft.com | tcp |
| GB | 92.123.128.189:443 | r.bing.com | tcp |
| GB | 92.123.128.189:443 | r.bing.com | tcp |
| GB | 92.123.128.189:443 | r.bing.com | tcp |
| GB | 92.123.128.189:443 | r.bing.com | tcp |
| GB | 92.123.128.189:443 | r.bing.com | tcp |
| GB | 92.123.128.189:443 | r.bing.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 92.123.128.182:443 | www.bing.com | tcp |
| GB | 92.123.128.182:443 | www.bing.com | tcp |
| GB | 92.123.128.158:443 | r.bing.com | tcp |
| GB | 92.123.128.158:443 | r.bing.com | tcp |
| GB | 92.123.128.187:443 | www.bing.com | tcp |
| GB | 92.123.128.187:443 | www.bing.com | tcp |
| SE | 40.126.53.16:443 | login.microsoftonline.com | tcp |
| US | 13.107.5.80:443 | services.bingapis.com | tcp |
| US | 13.107.5.80:443 | services.bingapis.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 185.199.108.133:443 | avatars.githubusercontent.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| DE | 140.82.121.5:443 | api.github.com | tcp |
| US | 140.82.112.21:443 | collector.github.com | tcp |
| US | 140.82.112.21:443 | collector.github.com | tcp |
| US | 140.82.112.21:443 | collector.github.com | tcp |
| US | 140.82.112.21:443 | collector.github.com | tcp |
| GB | 88.221.134.129:443 | aefd.nelreports.net | tcp |
| GB | 88.221.134.129:443 | aefd.nelreports.net | tcp |
| GB | 88.221.134.129:443 | aefd.nelreports.net | udp |
| US | 104.16.114.74:443 | static.mediafire.com | tcp |
| US | 104.16.114.74:443 | static.mediafire.com | tcp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 142.250.200.10:443 | ajax.googleapis.com | tcp |
| US | 8.8.8.8:53 | 234.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.179.250.142.in-addr.arpa | udp |
| US | 104.16.56.101:443 | static.cloudflareinsights.com | tcp |
| GB | 18.172.155.200:443 | cdn.amplitude.com | tcp |
| GB | 172.217.16.238:443 | translate.google.com | tcp |
| GB | 216.58.213.10:443 | translate-pa.googleapis.com | tcp |
| US | 34.223.219.83:443 | api.amplitude.com | tcp |
| US | 34.223.219.83:443 | api.amplitude.com | tcp |
| GB | 216.58.204.67:443 | www.google.co.uk | tcp |
| GB | 216.58.204.67:443 | www.google.co.uk | tcp |
| BE | 108.177.15.155:443 | stats.g.doubleclick.net | tcp |
| BE | 108.177.15.155:443 | stats.g.doubleclick.net | tcp |
| US | 216.239.34.36:443 | region1.analytics.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | udp |
| GB | 216.58.204.67:443 | www.google.co.uk | udp |
| GB | 216.58.213.10:443 | translate-pa.googleapis.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| AU | 40.79.167.8:443 | browser.pipe.aria.microsoft.com | tcp |
| GB | 92.123.128.189:443 | r.bing.com | tcp |
| GB | 92.123.128.189:443 | r.bing.com | tcp |
| GB | 92.123.128.189:443 | r.bing.com | tcp |
| GB | 92.123.128.189:443 | r.bing.com | tcp |
| GB | 92.123.128.189:443 | r.bing.com | tcp |
| GB | 2.16.34.48:443 | tcp | |
| GB | 92.123.128.189:443 | r.bing.com | tcp |
| GB | 2.16.34.48:443 | tcp | |
| DE | 140.82.121.4:443 | github.com | tcp |
Files