Analysis Overview
Threat Level: Known bad
The file https://github.com/TheDarkMythos/windows-malware/blob/master/MrsMajor%202.0/MrsMajor2.0.exe was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
UAC bypass
Downloads MZ/PE file
Possible privilege escalation attempt
Disables Task Manager via registry modification
Disables RegEdit via registry modification
Checks computer location settings
Executes dropped EXE
Modifies system executable filetype association
Modifies file permissions
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Drops file in System32 directory
Drops file in Program Files directory
Enumerates physical storage devices
System policy modification
Suspicious use of FindShellTrayWindow
NTFS ADS
Modifies data under HKEY_USERS
Modifies Control Panel
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-20 14:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-20 14:32
Reported
2024-03-22 19:48
Platform
win10v2004-20240226-en
Max time kernel
245s
Max time network
247s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\MicrosoftWindowsServicesEtc\\xRunReg.vbs\"" | C:\Windows\system32\wscript.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\wscript.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1" | C:\Windows\system32\wscript.exe | N/A |
Disables Task Manager via registry modification
Downloads MZ/PE file
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\MrsMajor2.0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\MrsMajor2.0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Downloads\MrsMajor2.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\MrsMajor2.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eula32.exe | N/A |
| N/A | N/A | C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe | N/A |
| N/A | N/A | C:\Program Files\MicrosoftWindowsServicesEtc\notmuch.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico" | C:\Windows\system32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MajorX = "wscript.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xRun.vbs\"" | C:\Windows\system32\wscript.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\taskmgr.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\sethc.exe | C:\Windows\system32\cmd.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\program files\MicrosoftWindowsServicesEtc\DgzRun.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\weird\GetReady.bat | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\NotMuch.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\weird\bsod.bat | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\weird\runner32s.vbs | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\program files\MicrosoftWindowsServicesEtc\AppKill.bat | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\CallFunc.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\data\thetruth.jpg | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\data\eula32.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\Major.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\xRunReg.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\GetReady.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\healgen.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\weird\breakrule.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\weird\RuntimeChecker.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\xRun.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\clingclang.wav | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\data\fileico.ico | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\data\runner32s.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\weird\cmd.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\weird\Major.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\weird\majorsod.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\data\excursor.ani | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\example.txt | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\majorlist.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\RuntimeChecker.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\weird\WinScrew.bat | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\bsod.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\checker.bat | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\fexec.vbs | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\AppKill.bat | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\breakrule.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\rsod.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\WinScrew.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\majordared.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\majorsod.exe | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\program files\MicrosoftWindowsServicesEtc\weird\majorlist.bat | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani" | C:\Windows\system32\wscript.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "156" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon | C:\Windows\system32\wscript.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 577287.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\shutdown.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system | C:\Windows\system32\wscript.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\wscript.exe | N/A |
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/TheDarkMythos/windows-malware/blob/master/MrsMajor%202.0/MrsMajor2.0.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc26f46f8,0x7ffdc26f4708,0x7ffdc26f4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3972 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5248 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5164 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
C:\Users\Admin\Downloads\MrsMajor2.0.exe
"C:\Users\Admin\Downloads\MrsMajor2.0.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\9675.tmp\9676.vbs
C:\Users\Admin\Downloads\MrsMajor2.0.exe
"C:\Users\Admin\Downloads\MrsMajor2.0.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\ACBC.tmp\ACBD.vbs
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cd\&cd "C:\Users\Admin\AppData\Local\Temp" & eula32.exe
C:\Users\Admin\AppData\Local\Temp\eula32.exe
eula32.exe
C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe
"C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\CD73.bat "C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe""
C:\Windows\System32\takeown.exe
takeown /f taskmgr.exe
C:\Windows\System32\icacls.exe
icacls taskmgr.exe /granted "Admin":F
C:\Windows\System32\takeown.exe
takeown /f sethc.exe
C:\Windows\System32\icacls.exe
icacls sethc.exe /granted "Admin":F
C:\Program Files\MicrosoftWindowsServicesEtc\notmuch.exe
"C:\Program Files\MicrosoftWindowsServicesEtc\notmuch.exe"
C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" -r -t 5
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38da855 /state1:0x41c64e6d
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | 3.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.133:443 | avatars.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 140.82.113.21:443 | collector.github.com | tcp |
| US | 140.82.113.21:443 | collector.github.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| DE | 140.82.121.6:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.113.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 52.111.229.43:443 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| DE | 140.82.121.6:443 | api.github.com | tcp |
| DE | 140.82.121.6:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| DE | 140.82.121.6:443 | api.github.com | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 9f44d6f922f830d04d7463189045a5a3 |
| SHA1 | 2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c |
| SHA256 | 0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a |
| SHA512 | 7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d |
\??\pipe\LOCAL\crashpad_3164_PCTFURYLNSIPWBQE
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 7740a919423ddc469647f8fdd981324d |
| SHA1 | c1bc3f834507e4940a0b7594e34c4b83bbea7cda |
| SHA256 | bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221 |
| SHA512 | 7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6c09b9d6-7d68-4843-b557-7fe272fb4028.tmp
| MD5 | ea0a399369a297fe6d01ed22f7b7da96 |
| SHA1 | 4b63b01e8526a18f6025e9d64fb222e75fb5cd43 |
| SHA256 | 5f0f5d99ebd06c7180ee1d023f720e91aee80fb28bf78727a4fa3b970123e515 |
| SHA512 | 3ab57d2b5f49590e0c4be067c1c6452fc277eb2c05f29edc2b65747ece73438f3dfc90971c47a4c871eedd133bd9b68137e8f5ff8f6b741662417c62db35093a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 01e2bfbc6873ac56c535f470140382cd |
| SHA1 | 99d2637b169f3a960e5df907923e05071374a0c1 |
| SHA256 | f40965e6dcb517388ced5e0bbc4308e049c7f7322a8af05572de4c80da3922e0 |
| SHA512 | f80e0d2456bc2e4cfb0f99b728b85c2ae35ffe1fb0a5ceb4391bb3341f6639eb30511f018f233388b5ce00eb487fde60d1d818f504a9ba0fd002a0a017b5a25c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 876a53abd89f64551a2a310c60306a71 |
| SHA1 | d0fb663674d7c8afaf7cc889fd05dda22135ebba |
| SHA256 | bcf8f7421d1ef20252ca43c9574cceceba4fae3f22e4aae6463efe7d3ec00bf6 |
| SHA512 | 15a6914714fac8ee6232f22972d2a19ff51d6411d9cd31fbe191f62ab79e96304cae30666378200ebbfdd09a43cbf07fc47cfb2316f550835899fe65cbb2298b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 2b53e1f180926fc333c8176b8ec5ad37 |
| SHA1 | 1c077d8e7a0d9ea7a8c7267c101bbfcc980aaf65 |
| SHA256 | 2718949a96d8c2e736919cd9fde3c9f3659538e8dc01bec3cc8582824ddf5039 |
| SHA512 | adc262ff8b84da195b3241ea4f64a5f154cc5d9ba589655a71a02b37088460cb8b84b7c3d0a2ca4bab4b30fbb0fff3e092f720ffa4c725520086e7047cc21aa0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | fdce4e72dabad1a29c8b5bfbeb718ac5 |
| SHA1 | 61d77b19e0e720b3573869f76140861c05658de8 |
| SHA256 | 2a8c3775ccee69ed0d314e7a2512049c56263557e5ab540fe32d1a554560c411 |
| SHA512 | eb3768efccff3997bfaeb4437b8416b2e14dcb08723ab58723b672ea1747252c6a4d6eba25357ea9ada8de6de19ce794b262b4e7c0825fdd2ec00a6dfcd6ac90 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\390b789f-98dc-43bb-a2fc-6dce9c94db48.tmp
| MD5 | df654fedd529a5fdb1d078acade66ce1 |
| SHA1 | 1873ea24ab376ef4cfe6b1538b8f2aea0a236549 |
| SHA256 | 50b1926ead67adc1b5e631086c44dbda63a750fca5947b142ed9147f0ed60314 |
| SHA512 | aae015a586eb75a4411412ed78cc3ac6af3422e42db1d8c1c289d4aa08ab9ef330b439877dcd75f0867e0039774fd6041c9932518c6eb62143fd75b5e3d9c1e9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 9956429ec8f3edb5394e307c24dd9e2a |
| SHA1 | 684f6f1345c954eb66f86ff3fb3f6e70a60d605d |
| SHA256 | 9d33fee21954dbb22a9de5b1692c8da5971ff00c7108a58867d3429772eb291b |
| SHA512 | 7dd3884198046568dc1e835e23d83f226cf44869bad0a7a603755b8fe7ba22f9bc9d30b1d907088ec661d66293ba016a57f55b6703df7dabed3fd5fbea6444fa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 8afaf251ad72000f937e62b3a98cc475 |
| SHA1 | c834fc1e584b667076542ce10f3cf60bf10bc5f3 |
| SHA256 | 8bdd4449db0a172043afbc3be0d3262deac505551c8ba15d6140d302361c0481 |
| SHA512 | 334c93378fe1e7cabccebd805300d76bd2f4a3fc29d083a667c897dd2b4a3a8ce230ca3fb98fe3ee646eceb2c6539ad81756ba72c7ef02fc55a7c34d34d1c38e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 8de0e9e9c7ea8fc85beceedfdae42b7e |
| SHA1 | 0dc2f1135af6497843df8dd9e2701812a1a22fe8 |
| SHA256 | 9ef4e7a48059e61c790d22e4ff7794c02ee21ef97af9d1f81f0656def4ecb887 |
| SHA512 | 2cbca6736d49a7b24847f2ab11aef9126ab0e5b488f3e97e9067abebba758ad6141ddc7f05421659c5bd0fe82fa9d8ac673d11cac33cf4034e4529309d6c4ff8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe592205.TMP
| MD5 | 2c277cd793f742ad49677dbc05e66b34 |
| SHA1 | 5618903cc784db8a7796cfe5461e132e270f676f |
| SHA256 | 1a6f03b38c3803e99c0f6d42e7323859dac9d5bbbf01547eb7a7a278de3dce65 |
| SHA512 | b57d87ffb5cd6f57f3126722fe9ec8a7dcf2ee7588b7fdd96d3b364b12cab36120e014340af3491736b25503f92be6083639a785baf09a0fa9ce0820bee33736 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 0da52d78e9d3bd10dcd99b9b760537a4 |
| SHA1 | 6e7dfeb116b1e91664021cb2769576a085ae148c |
| SHA256 | a45e684d21d16b88059b4d14ac8dc6a4d5dcbe8ffacc8fdea062ad21ffe599e3 |
| SHA512 | ed7bb2520545ada61152f623e7c9b681d2fd2b5e2e537fecc1ee719dbec3bb89307c51a50a8fb45af383c3b7bdeeec2aa40a7042385f340fb3c8f5e368076002 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | eb3ff0bde216dc6c7acf1e5abc9a5e51 |
| SHA1 | 87bc6be9dd9305957557761645cdc122ac8545e3 |
| SHA256 | 599ee2e37f76ad64ff2e5ba8aa29cea625dd413f651cfe4ebddaac418d84e29e |
| SHA512 | 0daf101896d0451787260d1c106457fd1b8aaf667ff92b7783c32f1d61b8d07283db4393c2c320b10eb9d3d1985e4d13b3b1b9b4c49698d127a7cec27b352737 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | cc1084c91b89fffef808859e44d07146 |
| SHA1 | 0087a265eb490b31a52918885e4b4a11272fb9da |
| SHA256 | 89d3365629c833852d1fdf8b4c1e6e259af5f8da6d3b6c8dfe15f93d8c33c5d3 |
| SHA512 | f0b06efc81cf4d631feb1a571ac338bb49734f3dc6b1f9b0b890a6865911cf6b54d4f2c80de63bed827e9dfa51fda6ab5e638bf1dd5cdf70e4083371d520f144 |
C:\Users\Admin\Downloads\Unconfirmed 577287.crdownload
| MD5 | 247a35851fdee53a1696715d67bd0905 |
| SHA1 | d2e86020e1d48e527e81e550f06c651328bd58a4 |
| SHA256 | 5dd4ea169cabf9226f54bb53e63ea6a1b5880a0d1222242aee378efb6255b57d |
| SHA512 | a173801aaef4fab608d99b52223b5b2400d69b91edcbf33c21fcb47bd832eef9d771dfd36da350a502a371ed1739c869a7c2b4dca456c93f2feed9ac9c647c7c |
C:\Users\Admin\Downloads\MrsMajor2.0.exe
| MD5 | 87a657b25c36c3a341fdc8db4d9ac699 |
| SHA1 | b4400a01ea1d8d0bc59ab7c1cead8f9f67e4c5d6 |
| SHA256 | 099b9c0df16b2e0c0559a0058bc41908c99797c118a6ffa319d2c32293d6a1a7 |
| SHA512 | 266fb7410e8194fbb8cb05462eb0f9003491c2a070606610a62fc8286a067affe0637276815b90f671b22c0e4f3e6dbae444ddce589ee7e10020a58f58416132 |
C:\Users\Admin\Downloads\MrsMajor2.0.exe
| MD5 | 55ddf8a798e099994374035f2cb715d8 |
| SHA1 | 51bd1be247e2b7d1fc95387118cf21ad3506d4d6 |
| SHA256 | e1abbbec977652c182fa578bcf38c6298964776a0d1569ae5abef4a6884ca8fd |
| SHA512 | 5f565ac6ea34307beb1813c8310c04e0cdee0f32060f0a95dac5074ae4ef9f71c49afb113cd6335ac9677701eaa7c4837644d626bba6f2248d7b7d92737ec577 |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\9676.vbs
| MD5 | fd76266c8088a4dca45414c36c7e9523 |
| SHA1 | 6b19bf2904a0e3b479032e101476b49ed3ae144a |
| SHA256 | f853dddb0f9f1b74b72bccdb5191c28e18d466b5dbc205f7741a24391375cd6f |
| SHA512 | 3cd49395368e279ac9a63315583d3804aa89ec8bb6112754973451a7ea7b68140598699b30eef1b0e94c3286d1e6254e2063188282f7e6a18f1349877adeb072 |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\bsod.exe
| MD5 | 8f6a3b2b1af3a4aacd8df1734d250cfe |
| SHA1 | 505b3bd8e936cb5d8999c1b319951ffebab335c9 |
| SHA256 | 6581eeab9fd116662b4ca73f6ef00fb96e0505d01cfb446ee4b32bbdeefe1361 |
| SHA512 | c1b5f845c005a1a586080e9da9744e30c7f3eda1e3aaba9c351768f7dea802e9f39d0227772413756ab63914ae4a2514e6ce52c494a91e92c3a1f08badb40264 |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\breakrule.exe
| MD5 | bcb0ac4822de8aeb86ea8a83cd74d7ca |
| SHA1 | 8e2b702450f91dde3c085d902c09dd265368112e |
| SHA256 | 5eafebd52fbf6d0e8abd0cc9bf42d36e5b6e4d85b8ebe59f61c9f2d6dccc65e4 |
| SHA512 | b73647a59eeb92f95c4d7519432ce40ce9014b292b9eb1ed6a809cca30864527c2c827fe49c285bb69984f33469704424edca526f9dff05a6244b33424df01d1 |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\AppKill.bat
| MD5 | d4e987817d2e5d6ed2c12633d6f11101 |
| SHA1 | 3f38430a028f9e3cb66c152e302b3586512dd9c4 |
| SHA256 | 5549670ef8837c6e3c4e496c1ea2063670618249d4151dea4d07d48ab456690c |
| SHA512 | b84fef88f0128b46f1e2f9c5dff2cb620ee885bed6c90dcf4a5dc51c77bea492c92b8084d8dc8b4277b47b2493a2d9d3f348c6e229bf3da9041ef90e0fd8b6c4 |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\CallFunc.vbs
| MD5 | 5f9737f03289963a6d7a71efab0813c4 |
| SHA1 | ba22dfae8d365cbf8014a630f23f1d8574b5cf85 |
| SHA256 | a767894a68ebc490cb5ab2b7b04dd12b7465553ce7ba7e41e1ea45f1eaef5275 |
| SHA512 | 5f4fb691e6da90e8e0872378a7b78cbd1acbf2bd75d19d65f17bf5b1cea95047d66b79fd1173703fcfef42cfc116ca629b9b37e355e44155e8f3b98f2d916a2a |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\clingclang.wav
| MD5 | bb029b3a8613e3923f799f6372d22806 |
| SHA1 | fb6877ab7cba960e47f21522872b3a0a3bde10aa |
| SHA256 | f4307a9263951bdefeda06083fe3dec33b7a53ef0c3b4e38b2a88748bc9cbfc5 |
| SHA512 | f9b8f8b77bd8bceaf4993df8bc9a49d63de8d0c8e309a0f5d2aad72c4467faf2c14dd1c5c5f0436cff85845f352f73f4964dd3d6a7cfb2ee516605b0f85ce321 |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\checker.bat
| MD5 | f59801d5c49713770bdb2f14eff34e2f |
| SHA1 | 91090652460c3a197cfad74d2d3c16947d023d63 |
| SHA256 | 3382484b5a6a04d05500e7622da37c1ffaef3a1343395942bc7802bf2a19b53f |
| SHA512 | c1c3a78f86e7938afbe391f0e03065b04375207704e419fe77bf0810d1e740c3ef8926c878884ad81b429ec41e126813a68844f600e124f5fa8d28ef17b4b7bc |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\data\fileico.ico
| MD5 | a62eeca905717738a4355dc5009d0fc6 |
| SHA1 | dd4cc0d3f203d395dfdc26834fc890e181d33382 |
| SHA256 | d13f7fd44f38136dae1cdf147ba9b673e698f77c0a644ccd3c12e3a71818a0cd |
| SHA512 | 47ffac6dc37dac4276579cd668fd2524ab1591b594032adbeb609d442f3a28235a2d185c66d8b78b6827ac51d62d97bdc3dffc3ffbaa70cf13d4d5f1dc5f16c2 |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\data\excursor.ani
| MD5 | 289624a46bb7ec6d91d5b099343b7f24 |
| SHA1 | 2b0aab828ddb252baf4ed99994f716d136cd7948 |
| SHA256 | b93b0cb2bb965f5758cb0c699fbc827a64712d6f248aaf810cde5fa5ef3227eb |
| SHA512 | 8c77696fe1c897f56ea3afdecf67ad1128274815942cd4c73d30bf0a44dd1a690d8c2f4b0be08e604853084e5515020c2e913d6e044f9801b6223c1912eec8f8 |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\data\thetruth.jpg
| MD5 | ecaa6c4d9d0918a6b021a3dde050dfcb |
| SHA1 | 4d9825d20905eba8c2c95f0a2307624783b85987 |
| SHA256 | c3763f14a2ef5ca07c6dacc26a755c031f72bf76a31080b96929c5b147e10754 |
| SHA512 | 24727cc6fe56dfcedbef684c96fceb846374d9a341683f2470e78264e62ac48765d454f8d1046dd7fdadf128e886819d56521f743dca8b76d2cc3f8fe4b8b2ce |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\data\runner32s.exe
| MD5 | 87815289b110cf33af8af1decf9ff2e9 |
| SHA1 | 09024f9ec9464f56b7e6c61bdd31d7044bdf4795 |
| SHA256 | a97ea879e2b51972aa0ba46a19ad4363d876ac035502a2ed2df27db522bc6ac4 |
| SHA512 | 8d9024507fa83f578b375c86f38970177313ec3dd9fae794b6e7f739e84fa047a9ef56bf190f6f131d0c7c5e280e729208848b152b3ca492a54af2b18e70f5dc |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\data\eula32.exe
| MD5 | 2c16d02a2d22af1e79ebe78b5f9007d0 |
| SHA1 | f263471ad2481cf903c54a6ef470bb0bcd363386 |
| SHA256 | 772028bf1ea5546365b98656881dd1281257e081800db712ae79f08db3996c0a |
| SHA512 | ac28c7c61c188c8dd317b3df6c016a780113d8b9a053a6a36e45b3407be7466ae406fba9f0bc1922a6612f90fe0cb49a600142377ab7d28223fbc695ad508d50 |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\majordared.exe
| MD5 | 25df21398e58bd5b5966baae6c683fdb |
| SHA1 | dbd1d2c1e32c7de015dcdae1557fa0b7b7a56151 |
| SHA256 | a3b85e756cbba8dbc5a6cd8f020e7c9e3f51cc7b51d6d063b3143c50618cad74 |
| SHA512 | 4cec3c1c7185531eaf86671c5d173fb655c14d7be946368f12aa1565f6549ff93aee3765b6fa06fe5879e5a4a7cc53f30fcd12ba5a40adf50bdddd1070e869c8 |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\majorlist.exe
| MD5 | 230970ec5286b34a6b2cda9afdd28368 |
| SHA1 | e3198d3d3b51d245a62a0dc955f2b1449608a295 |
| SHA256 | 3cdafc944b48d45a0d5dc068652486a970124ebe1379a7a04e5cf1dcf05c37c8 |
| SHA512 | 52912b6b2ba55c540316fcfc6f45d68771d1c22ddf4eb09c2cc15fb8ddd214812c18fd75cd61b561c29f660e2bf20290a101b85da1e0bbf8dfbf90b791892b57 |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\Major.exe
| MD5 | d604c29940864c64b4752d31e2deb465 |
| SHA1 | c1698ea4e5d1ba1c9b78973556f97e8f6dbbdef3 |
| SHA256 | da0233f5e5e9a34e8dd4f6911444ca1f3e29bb9cbd958a9f4508ac7d72ccd55d |
| SHA512 | 89a4a14574ba19fe319c766add0111feeb4320c08bf75f55a898d9acc783d5a862a6433758a413cc719b9179dcf873f1c850d1084851b8fc37aa1e3deabfcf54 |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\healgen.vbs
| MD5 | 8837818893ce61b6730dd8a83d625890 |
| SHA1 | a9d71d6d6d0c262d41a60b6733fb23cd7b8c7614 |
| SHA256 | cc6d0f847fde710096b01abf905c037594ff4afae6e68a8b6af0cc59543e29bb |
| SHA512 | 6f17d46098e3c56070ced4171d4c3a0785463d92db5f703b56b250ab8615bcb6e504d4c5a74d05308a62ea36ae31bc29850187943b54add2b50422fb03125516 |
C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe
| MD5 | 57f3795953dafa8b5e2b24ba5bfad87f |
| SHA1 | 47719bd600e7527c355dbdb053e3936379d1b405 |
| SHA256 | 5319958efc38ea81f61854eb9f6c8aee32394d4389e52fe5c1f7f7ef6b261725 |
| SHA512 | 172006e8deed2766e7fa71e34182b5539309ec8c2ac5f63285724ef8f59864e1159c618c0914eb05692df721794eb4726757b2ccf576f0c78a6567d807cbfb98 |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\DgzRun.vbs
| MD5 | a91417f7c55510155771f1f644dd6c7e |
| SHA1 | 41bdb69c5baca73f49231d5b5f77975b79e55bdf |
| SHA256 | 729f7540887cf32a5d4e1968a284c46cf904752821c734bd970ecd30a848477a |
| SHA512 | f786699c1ab9d7c74dd9eb9d76a76728980b29e84999a166a47b7ee102d8e545901ed0fcb30331712490a36de2d726115b661ad3900cdc2bfcfc601d00b76b07 |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\RuntimeChecker.exe
| MD5 | cd58990b1b7f6c68f56244c41ab91665 |
| SHA1 | 7ccca9958d6aebbe3883b55f115b041b827bd2e7 |
| SHA256 | 51f59e877a1c2a1c2760c677def7395ef2868c2ee3e56ffdc3ace570afa50428 |
| SHA512 | 011bdd417ec3bf72daa2b32d3816b696be8b87423740dc2a0182e23515651deeb870a94f3415a73480145f9f5e36c1a3a492410b77ca95d7fab8b9826e9198cc |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\rsod.exe
| MD5 | 91a0740cfb043e1f4d8461f8cbe2ff19 |
| SHA1 | 92e1ad31c34c4102e5cb2cc69f3793b2a1d5304e |
| SHA256 | dcaabfd6955d3fec26a86217d1b1ab7e979c301d498473e4d885145ce031fc3b |
| SHA512 | c60067655e5f191708af9b25382869e3ce65cd3ea2d6cac70f8cae4132942cfd6a8aa9dde1e2b7f3f12997d6d7411e21dc73ab4cd83ec555d74b82b86778a613 |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\NotMuch.exe
| MD5 | 87a43b15969dc083a0d7e2ef73ee4dd1 |
| SHA1 | 657c7ff7e3f325bcbc88db9499b12c636d564a5f |
| SHA256 | cf830a2d66d3ffe51341de9e62c939b2bb68583afbc926ddc7818c3a71e80ebb |
| SHA512 | 8a02d24f5dab33cdaf768bca0d7a1e3ea75ad515747ccca8ee9f7ffc6f93e8f392ab377f7c2efa5d79cc0b599750fd591358a557f074f3ce9170283ab5b786a1 |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\majorsod.exe
| MD5 | b561c360c46744f55be79a25e1844e3c |
| SHA1 | ed0f7eb00b4f1ae6cf92ad75e5701014f3d03d56 |
| SHA256 | d1094e91960ded15444c6f50756adc451a7c0b495b2ea28319b7184ba96236f7 |
| SHA512 | 0a3a75d08f1d7afcd7a476fc71157983e04b0c26b00ace4d505aa644e5da3e242dd0f6afdb3c93f29ba0b08d2702d0e96b49acba4ed260330068b13f93973e9f |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\weird\GetReady.bat
| MD5 | 3dbccaadafb7f0227c1839be5ca07015 |
| SHA1 | bd636f73235d52d172ad8932a8e4a6a8b17389a0 |
| SHA256 | 33a0c62f3f66bce3fc1beb37aca8ad731bfa5590177d933d9d4eae016019242a |
| SHA512 | d981670f9d492d97931ab260a7d7d27d4f97621a1ef3e20246d4be2a9b4cfc01e01174a1d46432b4a3d937ad135c97eec9ef7bbc7da46034388843887df4637e |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\weird\cmd.vbs
| MD5 | b181d5a4055b4a620dd7c44c5065bbe7 |
| SHA1 | 36320f257026b923b923ad2c0e7fa93a257806e0 |
| SHA256 | 4d2639e890d6d5988eb9cb6f8cb50647048bbfeeb83fc604c52567e7381c876c |
| SHA512 | 0bec0cf2e5b93065701c5458c1d7e047312971d7bbed3ce5444db710654fa0d84eabb7d7c243130e3cb2dae38eb05874929b5b08547174a6065f8accd4e0433d |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\weird\bsod.bat
| MD5 | c94bb8d71863b05b95891389bed6365e |
| SHA1 | 07bb402d67f8b1fc601687f1df2622369413db3b |
| SHA256 | 3900e3b60b4691311e050c4cf8fac82ff178a06e3d04d5d6b2d7ea12cf5d53d1 |
| SHA512 | 00e7ab3a91862faaf5ac5ca3de6dbf2cbb8aac4aba277e1e14b2ecf4650eea2e68134e0df549dca35ab715ed46e36fa9cfee1ba7bb3520511723bf567566682d |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\weird\breakrule.vbs
| MD5 | 2609fde7a9604c73be5083e4bcfa0e20 |
| SHA1 | 068c89f703fb11663143b9927f2a0c9f9f59c0e3 |
| SHA256 | 17d014cb4abbaced3acce9b6d7a1b595cd6e2dd814e41f06ceddcdc08e93eebe |
| SHA512 | 439fee7cc198cb3fef4ef14693141e52c305579a4ff2da0842323f57dcffade03f3b01ac288080fed423511937a4c1e2080f5a79f967a963fe34253f541824cb |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\weird\Major.vbs
| MD5 | 9192fd494155eab424110765c751559e |
| SHA1 | b54fcc1e29617b3eee1c7bb215c048498881b641 |
| SHA256 | cbd3b0f294e8f11592a3ad80d1070d81746f806a48183b93c345251422ccbf0d |
| SHA512 | b8c48916535f3721e7f47be6af671765c3befefcd407c6ea5fabcf9ada119747408d662f61fb436f98a7c33050b6674da54dddf25e683429204a96555ec6e801 |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\weird\majorsod.vbs
| MD5 | fecb9e50c1f01d9d6101f273cb860260 |
| SHA1 | 18c413f577c289004db6156bd133e5db70258044 |
| SHA256 | 8863b595563e92d73b29090ff83191b2fa1297507be588aa7e1cf910e77c7feb |
| SHA512 | 2c30641b099d5b6c3af40cb41e70160c1f4294bb30dc3162b018e9552b48fc899d1a63d3e366bfb71fcf6803bcc518cf8d504ce60684ce221028a9bf2bc07f9d |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\weird\majorlist.bat
| MD5 | 4cc606c63f423fda5324c962db709562 |
| SHA1 | 091250ffc64db9bea451885350abed2b7748014c |
| SHA256 | 839301ef07178c100e7f4d47874faf995ae5d11dfd527dda096a284c8114671b |
| SHA512 | f29ef2bc694f497499545d1fa4e14ca93c06049fff582af3a6caf3885153491a1cd9e96ab5a6746051aa972421f876c008e5d5b671bd34c3922b61c84151097f |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\xRun.vbs
| MD5 | 26ec8d73e3f6c1e196cc6e3713b9a89f |
| SHA1 | cb2266f3ecfef4d59bd12d7f117c2327eb9c55fa |
| SHA256 | ed588fa361979f7f9c6dbb4e6a1ae6e075f2db8d79ea6ca2007ba8e3423671b0 |
| SHA512 | 2b3ad279f1cdc2a5b05073116c71d79e190bfa407da09d8268d56ac2a0c4cc0c31161a251686ac67468d0ba329c302a301c542c22744d9e3a3f5e7ffd2b51195 |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\xRunReg.vbs
| MD5 | 8267192f547f8914ff36eff80ca3f402 |
| SHA1 | 23bdeb19fb37059e1293dd80d8be69480c957c73 |
| SHA256 | cdd4f356ca256c707960bc42b97649111a830e6f951ca6a3cf80853e3c342947 |
| SHA512 | cd684cb73496ca925fd8604fbbf286b842e2b02ce18b19d63618e8355dcec02bce700fb09b25da932545845b01a7f8d9986fa486db504b92a42d7c0ace21e9e2 |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\WinScrew.exe
| MD5 | 1aaafedd9f259acca75708f4af10b5be |
| SHA1 | f6b4ea28d304e1f9205c1c0b970d60ee989402f2 |
| SHA256 | 429e01b0e06b02a55bafb1527629f8d4c5f64d9b21ac9f81484a3928fdce6dc9 |
| SHA512 | a995ebf4d142452aabb419f0cacfa5412d03532840cb08c37dd7c00001dee521bf9d0da66ac4346b07dffd91fe01fa3115fa05811acbd43d380320dca1be4aa8 |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\weird\WinScrew.bat
| MD5 | 04067ca733ee8b2ab2f068edc8b75a0f |
| SHA1 | 973cb577f6ab2463040918c3661333553a3132c8 |
| SHA256 | 3aef33c03777abe62feef0a840ac6a087caafc05adfe801464fd1c52eac656a0 |
| SHA512 | 5423a1e668211f269a3d787548e11d18de7365d6c2525c2de61014854f1ab5a51b5de9eda70fb21d6ebe356cb52e93b3f406c71ed7fbcaedd2b023b6fa9c13f8 |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\weird\RuntimeChecker.vbs
| MD5 | fe44b78a465853c0ac0744c6ab05ea40 |
| SHA1 | f32dacd91b9547fce9a8a2846a4e17c33295aab3 |
| SHA256 | 989d947c51c878bcefecb53d867a3c182c2d67129a87a5f6773eb6ef2bbf9b2e |
| SHA512 | 6b945e16786833c2e2e9867315b8859c413687fc72d4c8576b9c0a1aed2dc65249468317dd49f2ecf777e27c9969b7a7abc72b4d9b7c182dc7999051377515db |
C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\weird\runner32s.vbs
| MD5 | 5f427dc44f33906509423d24fa0590c0 |
| SHA1 | b896f7667381a594d3751e05f258925b81c231c0 |
| SHA256 | 9aae0707b1d5d3b7ed3bf5cc8fbb530aebd195e3e2f18312f3f7f1aa43e031b4 |
| SHA512 | bd28c386772062ef945f24c8ad7a25f158856af36e31d2c9b14674cedfd34b4f48ed531cd40a7eb291384d83665ffe154f0786c1a7ee1616256cf30125120961 |
C:\Users\Admin\Downloads\MrsMajor2.0.exe
| MD5 | 55f6e95d7ece49d1d1abadc3322034a1 |
| SHA1 | 22428ce06d1e79518911f11b9012c7ab35769010 |
| SHA256 | 410c9a4549f215ea4bec4ce4120041d66d522e6179caed2ed8d2f104b7f31f76 |
| SHA512 | 86b2f57b5bdce99363b898ea0c0cc03408e22bfbd3756bafcd2c445fb6ee273fd5c0f8a8d34014d592dcf9f39afd414c5a18155dbf0869816d99d7346565e8d0 |
C:\Users\Admin\AppData\Local\Temp\ACBC.tmp\MicrosoftWindowsServicesEtc\clingclang.wav
| MD5 | 4bc923f234812b1698ad053db7e8caa3 |
| SHA1 | 4960a28863f2b09ead2b243a83f47dce99ddf20f |
| SHA256 | ef463cb99aeec687997696512a00775f8224dfa92859314a27e1f74963fea514 |
| SHA512 | d6ce29d6ac3b2905478ce83bfb8c7fbdab4416b57ff70e82d53e3c53119953caa0f8d82c280e63f58d211a7ba38c9653dbe8c523b877aadcb2bcc634b0c5956e |
C:\Users\Admin\AppData\Local\Temp\ACBC.tmp\MicrosoftWindowsServicesEtc\data\eula32.exe
| MD5 | cbc127fb8db087485068044b966c76e8 |
| SHA1 | d02451bd20b77664ce27d39313e218ab9a9fdbf9 |
| SHA256 | c5704419b3eec34fb133cf2509d12492febdcb8831efa1ab014edeac83f538d9 |
| SHA512 | 200ee39287f056b504cc23beb1b301a88b183a3806b023d936a2d44a31bbfd08854f6776082d4f7e2232c3d2f606cd5d8229591ecdc86a2bbcfd970a1ee33d41 |
C:\Users\Admin\AppData\Local\Temp\ACBC.tmp\MicrosoftWindowsServicesEtc\data\thetruth.jpg
| MD5 | 7907845316bdbd32200b82944d752d9c |
| SHA1 | 1e5c37db25964c5dd05f4dce392533a838a722a9 |
| SHA256 | 4e3baea3d98c479951f9ea02e588a3b98b1975055c1dfdf67af4de6e7b41e476 |
| SHA512 | 72a64fab025928d60174d067990c35caa3bb6dadacf9c66e5629ee466016bc8495e71bed218e502f6bde61623e0819485459f25f3f82836e632a52727335c0a0 |
C:\Users\Admin\AppData\Local\Temp\ACBC.tmp\MicrosoftWindowsServicesEtc\majordared.exe
| MD5 | ecb9c58142a622d6ac3b5ea6d9080720 |
| SHA1 | 65751cc7f69632c6194b97526d0667d05376297d |
| SHA256 | e7cbc125c4c83300ed8b1f521951a8932886a8269bc98dd232da837674a7182e |
| SHA512 | 9ccb04825f1fabd04650eec97f40c2020f1253f4157a0e437978c77e2d40f0807a0523f1653bb5c51f25894f8d10b7beae8970554d080a2293bb500f5f0721cd |
C:\Users\Admin\AppData\Local\Temp\eula32.exe
| MD5 | 0fc9edbea8f90c4fb3a3d73c79197b42 |
| SHA1 | 0b2258c3baced66dd3155c61eda697b61a482474 |
| SHA256 | 4b9a8d9d3de8c021bc9e6b41e1ea7fc34e72393d39709ab6d814b4281b8187d0 |
| SHA512 | ea3e03aeef7c83cc5a078369e4c871c80fbf5f340a2ef80c13361a77357a3b9d96ed0ef2311abe83dd0061a6fd8ec9223aadcc9926bdc0445b202626eb6cd325 |
memory/4476-614-0x00000000006A0000-0x00000000007DC000-memory.dmp
memory/4476-613-0x00000000737E0000-0x0000000073F90000-memory.dmp
memory/4476-615-0x0000000005750000-0x0000000005CF4000-memory.dmp
memory/4476-616-0x0000000005240000-0x00000000052D2000-memory.dmp
memory/4476-617-0x0000000005470000-0x0000000005480000-memory.dmp
memory/4476-618-0x00000000051E0000-0x00000000051EA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | c33459928b7253d47f4384d4916dffa8 |
| SHA1 | 554c43a6b4c789dfe586124bdb9a29415138006c |
| SHA256 | d3f25357e362cc16775bf4be57c64fe20801266e9d0e7310d7de5c6e110968be |
| SHA512 | fde8223f9c6bf151147ec23ef83ece60c69faf4fbfc667affc49cd756c273d18dbc7c3bceef56dbec575f530b7d6f017836e333e564cba10358815bc3e9f4d6d |
memory/4476-628-0x0000000005470000-0x0000000005480000-memory.dmp
memory/4476-630-0x00000000737E0000-0x0000000073F90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1\CD73.bat
| MD5 | fe81c1282a808b7a1d0a27d7cccaa624 |
| SHA1 | f6afc7b26ead8cdb51b11d59c6e68e5aab265bfa |
| SHA256 | 3e18de7065154144b54a2f7c179c27b3f27c3cda5871f472f452a8cfc3dc6791 |
| SHA512 | 873e226360edc463dd753aedfec7ec60e0d8efac08652245709862b8bd9e6ae85eb6ea6f05d8d2c0ec1c8e7fc1bddeebc5037efcac1ceb5b1f099b49c0a93045 |
memory/3496-653-0x00000000737E0000-0x0000000073F90000-memory.dmp
memory/3496-652-0x00000000007F0000-0x0000000000814000-memory.dmp
memory/3496-654-0x0000000005310000-0x0000000005320000-memory.dmp
memory/3496-655-0x0000000005310000-0x0000000005320000-memory.dmp
memory/3496-665-0x0000000005310000-0x0000000005320000-memory.dmp
memory/3496-684-0x00000000737E0000-0x0000000073F90000-memory.dmp