Malware Analysis Report

2024-11-30 19:07

Sample ID 240307-qss34scd57
Target b28242123ed2cf6000f0aa036844bd29
SHA256 fd563cf7c0c862ab910cf558b5a123354b616e84902d277edf09f378ff6f9786
Tags
agilenet evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fd563cf7c0c862ab910cf558b5a123354b616e84902d277edf09f378ff6f9786

Threat Level: Known bad

The file b28242123ed2cf6000f0aa036844bd29 was found to be: Known bad.

Malicious Activity Summary

agilenet evasion persistence trojan

UAC bypass

Modifies WinLogon for persistence

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Downloads MZ/PE file

Obfuscated with Agile.Net obfuscator

Loads dropped DLL

Executes dropped EXE

Modifies system executable filetype association

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Unsigned PE

Program crash

Enumerates physical storage devices

NTFS ADS

System policy modification

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-07 13:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-07 13:31

Reported

2024-03-07 13:36

Platform

win11-20240221-en

Max time kernel

232s

Max time network

240s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\mrsmajor\\Launcher.vbs\"" C:\Windows\System32\wscript.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\system32\wscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\System32\wscript.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1" C:\Windows\System32\wscript.exe N/A

Disables Task Manager via registry modification

evasion

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\B7E7.tmp\eulascr.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" C:\Windows\System32\wscript.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\mrsmajor\def_resource\@Tile@@.jpg C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\Icon_resource\SkullIco.ico C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\Launcher.vbs C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\MrsMjrGui.exe C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\reStart.vbs C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\CPUUsage.vbs C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\default.txt C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\def_resource\creepysound.mp3 C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\def_resource\Skullcur.cur C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\Doll_patch.xml C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Program Files\mrsmajor\CPUUsage.vbs C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\def_resource\f11.mp4 C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\DreS_X.bat C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\WinLogon.bat C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\mrsmajorlauncher.vbs C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\MrsMjrGuiLauncher.bat C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Control Panel\Cursors C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" C:\Windows\System32\wscript.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "180" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-647252928-2816094679-1307623958-1000\{B12B204C-994A-4F42-BE9E-948CF9669662} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon C:\Windows\System32\wscript.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\BossDaMajor.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\FlashKiller.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B7E7.tmp\eulascr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B7E7.tmp\eulascr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\B7E7.tmp\eulascr.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\shutdown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\MrsMajor3.0.exe N/A
N/A N/A C:\Windows\System32\PickerHost.exe N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 3464 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2104 wrote to memory of 3464 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2104 wrote to memory of 3464 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 896 wrote to memory of 3536 N/A C:\Users\Admin\Downloads\MrsMajor3.0.exe C:\Windows\system32\wscript.exe
PID 896 wrote to memory of 3536 N/A C:\Users\Admin\Downloads\MrsMajor3.0.exe C:\Windows\system32\wscript.exe
PID 1660 wrote to memory of 1344 N/A C:\Users\Admin\Downloads\BossDaMajor.exe C:\Windows\system32\wscript.exe
PID 1660 wrote to memory of 1344 N/A C:\Users\Admin\Downloads\BossDaMajor.exe C:\Windows\system32\wscript.exe
PID 3536 wrote to memory of 1808 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\B7E7.tmp\eulascr.exe
PID 3536 wrote to memory of 1808 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\B7E7.tmp\eulascr.exe
PID 1344 wrote to memory of 3096 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\notepad.exe
PID 1344 wrote to memory of 3096 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\notepad.exe
PID 1344 wrote to memory of 4260 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 1344 wrote to memory of 4260 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 4260 wrote to memory of 2772 N/A C:\Windows\System32\wscript.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4260 wrote to memory of 2772 N/A C:\Windows\System32\wscript.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4260 wrote to memory of 2772 N/A C:\Windows\System32\wscript.exe C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 2772 wrote to memory of 3944 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe
PID 2772 wrote to memory of 3944 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe
PID 2772 wrote to memory of 3944 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe
PID 2772 wrote to memory of 1952 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\unregmp2.exe
PID 2772 wrote to memory of 1952 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\unregmp2.exe
PID 2772 wrote to memory of 1952 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\unregmp2.exe
PID 1952 wrote to memory of 4968 N/A C:\Windows\SysWOW64\unregmp2.exe C:\Windows\system32\unregmp2.exe
PID 1952 wrote to memory of 4968 N/A C:\Windows\SysWOW64\unregmp2.exe C:\Windows\system32\unregmp2.exe
PID 4260 wrote to memory of 2948 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\shutdown.exe
PID 4260 wrote to memory of 2948 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\shutdown.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system C:\Windows\System32\wscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\system32\wscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\system32\wscript.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2464 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3464 -ip 3464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4056 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5044 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5860 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2992 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2832 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3416 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6280 /prefetch:8

C:\Users\Admin\Downloads\FlashKiller.exe

"C:\Users\Admin\Downloads\FlashKiller.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1660 -ip 1660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6860 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6812 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2760 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,18420176394837583401,227552115907365834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1264 /prefetch:8

C:\Users\Admin\Downloads\BossDaMajor.exe

"C:\Users\Admin\Downloads\BossDaMajor.exe"

C:\Users\Admin\Downloads\MrsMajor3.0.exe

"C:\Users\Admin\Downloads\MrsMajor3.0.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\B7E7.tmp\B7E8.tmp\B7E9.vbs //Nologo

C:\Windows\system32\wscript.exe

"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\B0F2.tmp\B0F3.vbs

C:\Users\Admin\AppData\Local\Temp\B7E7.tmp\eulascr.exe

"C:\Users\Admin\AppData\Local\Temp\B7E7.tmp\eulascr.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Program files\mrsmajor\mrsmajorlauncher.vbs" RunAsAdministrator

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

C:\Windows\System32\shutdown.exe

"C:\Windows\System32\shutdown.exe" -r -t 03

C:\Windows\System32\PickerHost.exe

C:\Windows\System32\PickerHost.exe -Embedding

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39c7855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.110.86.104.in-addr.arpa udp
GB 2.16.34.48:443 tcp
AU 40.79.167.8:443 browser.pipe.aria.microsoft.com tcp
GB 92.123.128.189:443 r.bing.com tcp
GB 92.123.128.189:443 r.bing.com tcp
GB 92.123.128.189:443 r.bing.com tcp
GB 92.123.128.189:443 r.bing.com tcp
GB 92.123.128.189:443 r.bing.com tcp
GB 92.123.128.189:443 r.bing.com tcp
N/A 224.0.0.251:5353 udp
GB 92.123.128.182:443 www.bing.com tcp
GB 92.123.128.182:443 www.bing.com tcp
GB 92.123.128.158:443 r.bing.com tcp
GB 92.123.128.158:443 r.bing.com tcp
GB 92.123.128.187:443 www.bing.com tcp
GB 92.123.128.187:443 www.bing.com tcp
SE 40.126.53.16:443 login.microsoftonline.com tcp
US 13.107.5.80:443 services.bingapis.com tcp
US 13.107.5.80:443 services.bingapis.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
DE 140.82.121.4:443 github.com tcp
DE 140.82.121.4:443 github.com tcp
DE 140.82.121.4:443 github.com tcp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
DE 140.82.121.5:443 api.github.com tcp
US 140.82.112.21:443 collector.github.com tcp
US 140.82.112.21:443 collector.github.com tcp
US 140.82.112.21:443 collector.github.com tcp
US 140.82.112.21:443 collector.github.com tcp
GB 88.221.134.129:443 aefd.nelreports.net tcp
GB 88.221.134.129:443 aefd.nelreports.net tcp
GB 88.221.134.129:443 aefd.nelreports.net udp
US 104.16.114.74:443 static.mediafire.com tcp
US 104.16.114.74:443 static.mediafire.com tcp
US 8.8.8.8:53 ajax.googleapis.com udp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
GB 142.250.200.10:443 ajax.googleapis.com tcp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 10.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
US 104.16.56.101:443 static.cloudflareinsights.com tcp
GB 18.172.155.200:443 cdn.amplitude.com tcp
GB 172.217.16.238:443 translate.google.com tcp
GB 216.58.213.10:443 translate-pa.googleapis.com tcp
US 34.223.219.83:443 api.amplitude.com tcp
US 34.223.219.83:443 api.amplitude.com tcp
GB 216.58.204.67:443 www.google.co.uk tcp
GB 216.58.204.67:443 www.google.co.uk tcp
BE 108.177.15.155:443 stats.g.doubleclick.net tcp
BE 108.177.15.155:443 stats.g.doubleclick.net tcp
US 216.239.34.36:443 region1.analytics.google.com tcp
GB 172.217.16.228:443 www.google.com udp
GB 216.58.204.67:443 www.google.co.uk udp
GB 216.58.213.10:443 translate-pa.googleapis.com udp
DE 140.82.121.4:443 github.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
AU 40.79.167.8:443 browser.pipe.aria.microsoft.com tcp
GB 92.123.128.189:443 r.bing.com tcp
GB 92.123.128.189:443 r.bing.com tcp
GB 92.123.128.189:443 r.bing.com tcp
GB 92.123.128.189:443 r.bing.com tcp
GB 92.123.128.189:443 r.bing.com tcp
GB 2.16.34.48:443 tcp
GB 92.123.128.189:443 r.bing.com tcp
GB 2.16.34.48:443 tcp
DE 140.82.121.4:443 github.com tcp

Files

memory/3464-0-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 807419ca9a4734feaf8d8563a003b048
SHA1 a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256 aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512 f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 4b98d7286c3bfff2b54c313476a5e228
SHA1 806197dd444d69d9db0d7f198b5232f353d1fc1c
SHA256 03b338fd1e6276994f8cc4a890b55af6a239e528f9451447ade9d125dc14f3da
SHA512 7980d1e443b4f8714ad077d4e25a9bc46dc3aed9a5a7fc304ffe9f9e011b6c3157e7e2c04d1c90f5d8db459fdf2bc4d3c44eb96d41b0256bc15810f967440afd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5842ff.TMP

MD5 1f2876231110246beeb6bbe06b491cdb
SHA1 2ede1d598c4018fc89d650cf556b8f617ac66268
SHA256 e18a40f68a9a9554078eba9cc74258d456b6c2f6586635d68d4ffe82ac34cf18
SHA512 1e12ff813f0c1ae82fe8fe953d797b15aef62e727dbf070a69d62596fc43fa5ca20ad373db0eefc5b25df06834c36c60234a1f39bfaeea0d713c4a97f80e042e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 de676de80e3345921efb0ac3e8e0a614
SHA1 e044285b76395ab6fdd6a8139aedbeb2cc70fa2a
SHA256 5c8d15d79166ca41a86bf2dfd54373fda8cf041127e7c9e8d4192dfbb51dbcbf
SHA512 2dae63b2baeae6e71130135741f61905641e1d98912976d1880ef5c95febd684a949c0efd0d762a7c6c702635316136bce2bc9a43d1d03b8b5e83f9faf0e8655

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 bb520b92961ed989ace6081620222bbc
SHA1 06ea5ff0892ba5c9b293a0ec04191b89a889b968
SHA256 50553bdaae314e43f2394a3c84797b864e5e97b4f05f109b078686bb56287773
SHA512 3b1671040887b5d3a9801d0f1e1537bd98b4edc91115cdf3e4bddb549378f20dbf86f488f2225af743a84db0a95a65549558455fe6a76ec7bd56f69fbb69c550

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a864e26e9d5cb9f780643894f22a4147
SHA1 32688ce12cb97213e44eadbf98a43b42224022af
SHA256 4d0261ec6961d7ee0afd1a907c65209a4a3f5973e88763ee5857930e4894fb6e
SHA512 9d7df0eb28f9e26f23b8ef13a7697cd1f12381521c9b7ad537823c1115eb0d91c5aa1cdc474c7658ec5ba523321bce8d1bdb506a186b94bd00f55bde6d623be9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 78fcf1bf0e4de923c5d671cc57b11ed4
SHA1 9f54def356352f73d2f307290eccce6e655aae25
SHA256 822e3de1ce1af594d4fb77a1ee2aaaa5f0ea83e4f33fa409a2d78f40bed37b8b
SHA512 fbcdae99ed29cdedbc62851da5797d9e2afa74e871fc9b2937d15b865c30a9f25a34e26cfe58d68c196e6f6d55ad39955e7f5ad61c40b4cb3d53182ed5425e8a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 92c6816e89b7d7ff7a1a464631be3d95
SHA1 2ee1c085c48eb663bc2c180fb75a12e4763f7540
SHA256 154555fd80d8db3907acbcb0e7b9158f0fa806182a1ecbc80f93484759f61b59
SHA512 fe9e6c582cc77f62884a4332f838074a0d4d2931ba17884e5880bd344fccc7a579f1a1702038c35168d9f4c503b59a75427eba70bbd415b618aea6d8adb3321b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8184d32125e6bc8115c9ba9cc1fb81b3
SHA1 62d07bce66e9bc8b0909a613582c8fa2a509c41e
SHA256 b96d55aae780d9f01c136b592d70d1f4278c8b7bf158490da6cc187ac155728f
SHA512 6bd345aff9fc9f48ba18e4e4305bfa789dee42fa800f19bf4f7ecff90b9e67dcd11ade4dc6c3ea90bda962a5beff1ff4a4b8371dfef2ff8bb4d424c917fc6327

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 772a8805de94e121d8a89606c1ff88a3
SHA1 178c8718f27af3cbee01c91451c3c2dc364c3e9e
SHA256 d1b4b0a3d8592cb94111819c39a7a5392403d9e9cea51516403d0f403a1b4975
SHA512 d46626efde8f2f11d21b87f46bfaae5a4d7119c5ff13ed414140734dbc43c06a26c80b1ae80af9304e17fc13cdf030488da930ecde8a0c1ce6b7d8317e807713

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 99b26bb104cad0ca2d3df56486ab8fef
SHA1 b92ea68866484810e749d4fcebedb3936ff686e1
SHA256 e8e3599233eceb6510a16af40ae113ccd4aaa45508589f8e689e581868b0f42c
SHA512 6b3f53b6f24a843ab4096b175e2eee8eb4ec26dd92e9a1a7df4edf70f3d4b88c74a67e8dcaa4f0fdaa3f205d359d45edeeaaad75407148a6faeae1891283e8ee

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 6c125581e2b0bec4d47ee907e2236d15
SHA1 63c443057da7c5be5bc436d117f5edfdf3dc4dee
SHA256 20b39de062124ded862a951c6a7b32a5879a212c2887d5a7f229f0fdd8c0cab8
SHA512 0cdc03001c2c9d4d855065f9aae181af78a74d28f2bc5802364fb4339e480b1d9f103971b3dbf0b2d8e62f106f77ed9118430aa9d857d74ad3acccaaa689728c

C:\Users\Admin\Downloads\FlashKiller.exe

MD5 331973644859575a72f7b08ba0447f2a
SHA1 869a4f0c48ed46b8fe107c0368d5206bc8b2efb5
SHA256 353df4f186c06a626373b0978d15ec6357510fd0d4ac54b63217b37142ab52d3
SHA512 402662eb4d47af234b3e5fbba10c6d77bdfdb9ff8ecfdd9d204f0264b64ea97fc3b5c54469f537173a26c72b3733550854749649d649bc0153c8fe3faacc50a1

memory/1660-218-0x0000000000400000-0x0000000000404000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 6294f66e87da3f047c8000f490f6f176
SHA1 5a5e63b32d4c13aa5649c77af1b93153c0115ce8
SHA256 5d1d2ff5c385bbf87dc0b8d3b21fe3c13365332c92a9b8dc294b266614142a85
SHA512 e25e5de8b5f0048260aed520fcf0ce1a6680e88fa4f69dc76a4650d23be71bd8c096c7e71c502505c0f3c53da55c3ce1e4a760106faceaebf4198f954cd508c6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 74acf93852e0d8e2a8f53aae25a9c158
SHA1 118e2b5628550be504d1351b00e42226d50aa048
SHA256 8e628008e40c6d50719cd2324e4d77864bc504e3af8f3bc77c2388dbaf0a1a33
SHA512 a5943c5a25f84bed357b2ba7d70996873bf46588876a6ee138e8d8f5cf16777f77ec67b3ceb3c386c32d461ac3eb67870bcd34a13e11de626f7997d2975b71d2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 3b4ba4f3155de80b8b0f065f4775e5df
SHA1 532d342c78a951537def17fef3b10f5a7dabfb9e
SHA256 49a70b9649a2113c179ab057326fb31c841008fe954815bcfa1808c414344783
SHA512 f5d63f049633c7d02ca1a596152d500a27b0983a2fb91aa172b50c41912685f43dd011779b9ab1a1d46bd7b4cc1fa3aa395b4605c5a7379441f140d3dccf0dfa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 e8bdf77bfabb6615c84ba0bab1e3f9ec
SHA1 b74c34e2a5d787c8e741d85e575de51bee593e44
SHA256 04ffd1b88927d572b3f1ee064d93f32d2b2023c718927168ae24a33fbdca155c
SHA512 618f25ba1580f2eaad4670dff3df8a03c4df53c993a6c7a8447f72edb7533e2ec1356d069288088b36447f0d6a8f582982dcbdc273eea9e0fe38effbe7619ea3

C:\Users\Admin\Downloads\BossDaMajor.exe

MD5 f2fefefc091bc42566971b477c005e15
SHA1 c04202bc5d2e1e82b6c058f806d1e9f1eee8d34d
SHA256 dec3ee7093c75b7606696e0149c435c7b925859fb4d64f428135aef495db41f5
SHA512 b9adde265734062789988dff1ac8edde2a3a7000585f6238a45d6d7955d63e6d4259128eddca1249e3176c1f0994cea102f916bf254639da062f6b26f4be5153

C:\Users\Admin\Downloads\BossDaMajor.exe

MD5 09d8bc3e1c346beb58d70f6285d0a6a4
SHA1 ea66dbfcc7d6d7f6ea9b697c23fc39aeb0d34162
SHA256 745cfe3415fc0076e5b098ba77723415937bf0211bffa3d4182d769b321e8d1f
SHA512 f3065eca4cd24a6074531c34c9fbbb2932faee8a24de37184cecfa76a075744a6b773c6a0cdb9c6edd5867f98cc76f39a894ccb8bea6cb7a92718b52f46278e2

C:\Users\Admin\Downloads\MrsMajor3.0.exe

MD5 35a27d088cd5be278629fae37d464182
SHA1 d5a291fadead1f2a0cf35082012fe6f4bf22a3ab
SHA256 4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69
SHA512 eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5

C:\Users\Admin\AppData\Local\Temp\B7E7.tmp\B7E8.tmp\B7E9.vbs

MD5 3b8696ecbb737aad2a763c4eaf62c247
SHA1 4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5
SHA256 ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569
SHA512 713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb

C:\Users\Admin\AppData\Local\Temp\B7E7.tmp\eulascr.exe

MD5 8b1c352450e480d9320fce5e6f2c8713
SHA1 d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a
SHA256 2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e
SHA512 2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc

memory/1808-307-0x0000000000080000-0x00000000000AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B0F2.tmp\B0F3.vbs

MD5 5706bc5d518069a3b2be5e6fac51b12f
SHA1 d7361f3623ecf05e63bb97cc9da8d5c50401575c
SHA256 8a74eead47657582c84209eb4cdba545404d9c67dd288c605515a86e06de0aad
SHA512 fb68727db0365ab10c5b0d5e5e1d44b95aa38806e33b0af3280abcefae83f30eb8252653e158ac941320f3b38507649cce41898c8511223ee8642339cfece047

C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll

MD5 42b2c266e49a3acd346b91e3b0e638c0
SHA1 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
SHA256 adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
SHA512 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

memory/1808-315-0x00007FFDC1830000-0x00007FFDC22F2000-memory.dmp

memory/1808-316-0x000000001B000000-0x000000001B010000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B0F2.tmp\mrsmajor\DreS_X.bat

MD5 ba81d7fa0662e8ee3780c5becc355a14
SHA1 0bd3d86116f431a43d02894337af084caf2b4de1
SHA256 2590879a8cd745dbbe7ad66a548f31375ccfb0f8090d56b5e4bd5909573ac816
SHA512 0b768995187f988dc15d055f9689cee3ab3908d10b05a625b40d9757c101e067bbd6067ccbcf1951ebb683f5259eec562802ea6161d59475ce86cf6bc7c957f2

C:\Users\Admin\AppData\Local\Temp\B0F2.tmp\mrsmajor\def_resource\Skullcur.cur

MD5 cea57c3a54a04118f1db9db8b38ea17a
SHA1 112d0f8913ff205776b975f54639c5c34ce43987
SHA256 d2b6db8b28112da51e34972dec513278a56783d24b8b5408f11997e9e67d422b
SHA512 561860907fa2f53c7853094299758232a70c0cd22c6df3534abd094c6970f28792c6c334a33b129d661a46930d90fd8c98f11cb34f3e277cf20a355b792f64f0

C:\Users\Admin\AppData\Local\Temp\B0F2.tmp\mrsmajor\def_resource\f11.mp4

MD5 17042b9e5fc04a571311cd484f17b9eb
SHA1 585d91c69c3f9e3d2e8cb8cf984871d89cc4adbb
SHA256 a9b0f1f849e0b41924f5e80b0c4948e63fc4b4f335bbdf0f997b03a3aff55424
SHA512 709076c6cef8dd61701c93e1fe331d2b1a218498b833db10ee4d2be0816e3444aeebfa092ab1bd10322617cf3385414e8fdb76fd90f25b44ac24d38937b4d47f

C:\Users\Admin\AppData\Local\Temp\B0F2.tmp\mrsmajor\def_resource\creepysound.mp3

MD5 4a9b1d8a8fe8a75c81ddba3e411ddc5d
SHA1 e40cb1ee4490f6d7520902e12222446a8efbf9a8
SHA256 79e9a3611494b5ffafaa79788ba7e11dd218e3800c40b56684ccc0c33ab64eac
SHA512 e7a28acb04ca33d57efe0474bb67d6d4b8ceff9198198b81574c76c835d5df05d113fc468f4a4434580b1b58189f38184c376976604dc05d1424af1721995601

C:\Users\Admin\AppData\Local\Temp\B0F2.tmp\mrsmajor\def_resource\@Tile@@.jpg

MD5 3e21bcf0d1e7f39d8b8ec2c940489ca2
SHA1 fa6879a984d70241557bb0abb849f175ace2fd78
SHA256 064f135fcc026a574552f42901b51052345f4b0f122edd7acd5f2dcc023160a5
SHA512 5577e20f76d6b1cccc513392532a09bdc6dcd3a8a177b8035dc5d7eb082e0093436068f92059e301c5987e6122c4d9aff3e5ae9cc94ccc1ecc9951e2785b0922

C:\Users\Admin\AppData\Local\Temp\B0F2.tmp\mrsmajor\default.txt

MD5 30cfd8bb946a7e889090fb148ea6f501
SHA1 c49dbc93f0f17ff65faf3b313562c655ef3f9753
SHA256 e1ebbd3abfcaddf7d6960708f3ccd8eda64c944723f0905ff76551c692b94210
SHA512 8e7d98e6d0c05d199114d2d6ab8da886aed68de690c4d79643868eaf051c229fff94c88d937adb3da5e31fe48116613cf79dd00dda30f296746ce0a8aded9fe2

C:\Users\Admin\AppData\Local\Temp\B0F2.tmp\mrsmajor\CPUUsage.vbs

MD5 0e4c01bf30b13c953f8f76db4a7e857d
SHA1 b8ddbc05adcf890b55d82a9f00922376c1a22696
SHA256 28e69e90466034ce392e84db2bde3ad43ad556d12609e3860f92016641b2a738
SHA512 5e66e2793e7bc88066b8df3dccb554351287dea18207e280b69d7798ecd5cdc99bd4c126c3e394db9f45f54bb561e6688f928de4f638c5eca4f101dc2cea54a1

C:\Users\Admin\AppData\Local\Temp\B0F2.tmp\mrsmajor\MrsMjrGui.exe

MD5 450f49426b4519ecaac8cd04814c03a4
SHA1 063ee81f46d56544a5c217ffab69ee949eaa6f45
SHA256 087fca40e079746b9c1dfaf777d3994c0321ea8f69d08238cdfc02fb109add1d
SHA512 0cae15d863120f4edc6b6dabfe2f0f3d2e028057025d7d5ffe615cde8144f29bdaf099850e91e101e95d13f8a83cb1410a06172dda25a5f92967abcbc8453cbc

C:\Users\Admin\AppData\Local\Temp\B0F2.tmp\mrsmajor\WinLogon.bat

MD5 870bce376c1b71365390a9e9aefb9a33
SHA1 176fdbdb8e5795fb5fddc81b2b4e1d9677779786
SHA256 2798dad008f62aace1841edfb43146147a9cade388c419c96da788fcaa2f76bc
SHA512 f17c9898f81387daf42c9b858f507889919474ac2a17f96fc6d4606be94327e0b941b23a3ccc3f4af92b8abc0522e94745616da0564cdef1c3f20ee17ee31f53

memory/1808-345-0x00007FFDC3040000-0x00007FFDC318F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B0F2.tmp\mrsmajor\reStart.vbs

MD5 0851e8d791f618daa5b72d40e0c8e32b
SHA1 80bea0443dc4cc508e846fefdb9de6c44ad8ff91
SHA256 2cbd8bc239c5cfc3ef02f8472d867dff61e5aed9fde8a3823cda28cc37d77722
SHA512 57a9d1d75dbbab842060b29f01958f7e6b27d0175ff9a3f7b97e423c1b4e3fae94547a569c2e5c88224fc5dcc785f5a1d49c61199a8c7b3afeb4fc520600df40

C:\Users\Admin\AppData\Local\Temp\B0F2.tmp\mrsmajor\MrsMjrGuiLauncher.bat

MD5 c7146f88f4184c6ee5dcf7a62846aa23
SHA1 215adb85d81cc4130154e73a2ab76c6e0f6f2ff3
SHA256 47e6c9f62ffc41fbc555f8644ad099a96573c8c023797127f78b1a952ca1b963
SHA512 3b30fa1334b88af3e3382813d316104e3698173bb159c20ff3468cf3494ecfbbc32a9ae78b4919ecd47c05d506435af4a7ccee0576c0d0018a81fbd1b2dfcf10

C:\Users\Admin\AppData\Local\Temp\B0F2.tmp\mrsmajor\Launcher.vbs

MD5 b5a1c9ae4c2ae863ac3f6a019f556a22
SHA1 9ae506e04b4b7394796d5c5640b8ba9eba71a4a6
SHA256 6f0bb8cc239af15c9215867d6225c8ff344052aaa0deeb3452dbf463b8c46529
SHA512 a644c48562e38190720fb55a6c6e7d5ccfab60f362236fe7d63caebdc01758f17196d123fb37bd11f7e247ce8ab21812165b27496d3bd6ca5e2c5efefab8fb03

C:\Users\Admin\AppData\Local\Temp\B0F2.tmp\mrsmajor\mrsmajorlauncher.vbs

MD5 e3fdf285b14fb588f674ebfc2134200c
SHA1 30fba2298b6e1fade4b5f9c8c80f7f1ea07de811
SHA256 4d3aa3ecd16a6ba46a9d6c0bdacdcd9dce70d93585941a94e544696e3e6f7d92
SHA512 9b0bfbb07c77d9e9979a6c0f88b0a93010133f7dd3cf01e1de5dfbe812a5ed920e916d16d6a32fe21b9ee4b5425e61a616ded1aeeb35a410d4f77c0f9392ed0a

C:\Users\Admin\AppData\Local\Temp\B0F2.tmp\mrsmajor\Icon_resource\SkullIco.ico

MD5 c7bf05d7cb3535f7485606cf5b5987fe
SHA1 9d480d6f1e3f17d5018c1d2f4ae257ae983f0bb5
SHA256 4c1cfbe274f993941ac5fa512c376b6d7344800fb8be08cc6344e6c16a418311
SHA512 d30952a75d94dd64b7bd253ed72810690f3550f2262cfaaef45854fc8334f6201a8cbafb9b175c6435f7ce0499567f2fa8667b4b0046bfb651bf61eb4278e6c8

memory/1808-346-0x000000001B000000-0x000000001B010000-memory.dmp

memory/1808-347-0x000000001C6F0000-0x000000001C8B2000-memory.dmp

memory/1808-348-0x000000001CDF0000-0x000000001D318000-memory.dmp

C:\Users\Admin\Desktop\MRS MAJOR WANTS TO MEET YOU 5.txt

MD5 e20f623b1d5a781f86b51347260d68a5
SHA1 7e06a43ba81d27b017eb1d5dcc62124a9579f96e
SHA256 afeebe824fc4a955a673d3d8569a0b49dfbc43c6cc1d4e3d66d9855c28a7a179
SHA512 2e74cccdd158ce1ffde84573d43e44ec6e488d00282a661700906ba1966ad90968a16c405a9640b9d33db03b33753733c9b7078844b0f6ac3af3de0c3c044c0b

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 c69225307dc86a28c94f0d92c2595f81
SHA1 89771dab6b2ef087655ad9f5830e3b13d60460d0
SHA256 0969d6a88fe3b3a6df1ed229e11ec1d6d427177706c5efb5732da373aaabef4a
SHA512 0dddb298427f515edfadac7adc0623bf6fb1ceb45c59a764f04f5c8e6e0b57c0bb89bd035b745a92af6187597b0a3e1114500c22108887ead41a8cbbe6ef0470

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 314be8e6fd6662d90b082b233c9c2148
SHA1 e1e4bb6b8ad8d1ea950af9eb551d63b9ba6ba3b2
SHA256 ae5258e810841a6292c37fcaaabe03f77ac295e06c7afe46c24fdc982aba94a5
SHA512 80900d737f0f542d33d986632c6d01cec0a165e6c09e9b3ebc436d518677ac40e12df009fd0249954ca533c278d2a5f24c3ebf23f645cdd85b87d21e3fd93fea

memory/1808-436-0x00007FFDC1830000-0x00007FFDC22F2000-memory.dmp