Malware Analysis Report

2024-11-16 12:27

Sample ID 240320-rwmwyaaf58
Target https://github.com/TheDarkMythos/windows-malware/blob/master/MrsMajor%202.0/MrsMajor2.0.exe
Tags
discovery evasion exploit persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://github.com/TheDarkMythos/windows-malware/blob/master/MrsMajor%202.0/MrsMajor2.0.exe was found to be: Known bad.

Malicious Activity Summary

discovery evasion exploit persistence trojan

Modifies WinLogon for persistence

UAC bypass

Downloads MZ/PE file

Possible privilege escalation attempt

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Checks computer location settings

Executes dropped EXE

Modifies system executable filetype association

Modifies file permissions

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

System policy modification

Suspicious use of FindShellTrayWindow

NTFS ADS

Modifies data under HKEY_USERS

Modifies Control Panel

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-20 14:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-20 14:32

Reported

2024-03-22 19:48

Platform

win10v2004-20240226-en

Max time kernel

245s

Max time network

247s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/TheDarkMythos/windows-malware/blob/master/MrsMajor%202.0/MrsMajor2.0.exe

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\MicrosoftWindowsServicesEtc\\xRunReg.vbs\"" C:\Windows\system32\wscript.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\system32\wscript.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1" C:\Windows\system32\wscript.exe N/A

Disables Task Manager via registry modification

evasion

Downloads MZ/PE file

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\MrsMajor2.0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\MrsMajor2.0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico" C:\Windows\system32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MajorX = "wscript.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xRun.vbs\"" C:\Windows\system32\wscript.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\taskmgr.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\sethc.exe C:\Windows\system32\cmd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\program files\MicrosoftWindowsServicesEtc\DgzRun.vbs C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\weird\GetReady.bat C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\NotMuch.exe C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\weird\bsod.bat C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\weird\runner32s.vbs C:\Windows\system32\wscript.exe N/A
File opened for modification C:\program files\MicrosoftWindowsServicesEtc\AppKill.bat C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\CallFunc.vbs C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\data\thetruth.jpg C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\data\eula32.exe C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\Major.exe C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\xRunReg.vbs C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\GetReady.exe C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\healgen.vbs C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\weird\breakrule.vbs C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\weird\RuntimeChecker.vbs C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\xRun.vbs C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\clingclang.wav C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\data\fileico.ico C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\data\runner32s.exe C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\weird\cmd.vbs C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\weird\Major.vbs C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\weird\majorsod.vbs C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\data\excursor.ani C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\example.txt C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\majorlist.exe C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\RuntimeChecker.exe C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\weird\WinScrew.bat C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\bsod.exe C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\checker.bat C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\fexec.vbs C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\AppKill.bat C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\breakrule.exe C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\rsod.exe C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\WinScrew.exe C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\majordared.exe C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\majorsod.exe C:\Windows\system32\wscript.exe N/A
File created C:\program files\MicrosoftWindowsServicesEtc\weird\majorlist.bat C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani" C:\Windows\system32\wscript.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "156" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon C:\Windows\system32\wscript.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 577287.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\shutdown.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3164 wrote to memory of 4608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 4608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system C:\Windows\system32\wscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\system32\wscript.exe N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/TheDarkMythos/windows-malware/blob/master/MrsMajor%202.0/MrsMajor2.0.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc26f46f8,0x7ffdc26f4708,0x7ffdc26f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3972 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5248 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5164 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8

C:\Users\Admin\Downloads\MrsMajor2.0.exe

"C:\Users\Admin\Downloads\MrsMajor2.0.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\9675.tmp\9676.vbs

C:\Users\Admin\Downloads\MrsMajor2.0.exe

"C:\Users\Admin\Downloads\MrsMajor2.0.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\ACBC.tmp\ACBD.vbs

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c cd\&cd "C:\Users\Admin\AppData\Local\Temp" & eula32.exe

C:\Users\Admin\AppData\Local\Temp\eula32.exe

eula32.exe

C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe

"C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\CD73.bat "C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe""

C:\Windows\System32\takeown.exe

takeown /f taskmgr.exe

C:\Windows\System32\icacls.exe

icacls taskmgr.exe /granted "Admin":F

C:\Windows\System32\takeown.exe

takeown /f sethc.exe

C:\Windows\System32\icacls.exe

icacls sethc.exe /granted "Admin":F

C:\Program Files\MicrosoftWindowsServicesEtc\notmuch.exe

"C:\Program Files\MicrosoftWindowsServicesEtc\notmuch.exe"

C:\Windows\System32\shutdown.exe

"C:\Windows\System32\shutdown.exe" -r -t 5

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa38da855 /state1:0x41c64e6d

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,105087230293477846,9788547847112564260,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
DE 140.82.121.3:443 github.com tcp
US 8.8.8.8:53 3.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 154.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 140.82.113.21:443 collector.github.com tcp
US 140.82.113.21:443 collector.github.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 8.8.8.8:53 api.github.com udp
DE 140.82.121.6:443 api.github.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 21.113.82.140.in-addr.arpa udp
US 8.8.8.8:53 6.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 api.github.com udp
DE 140.82.121.6:443 api.github.com tcp
DE 140.82.121.6:443 api.github.com tcp
US 8.8.8.8:53 github.com udp
DE 140.82.121.3:443 github.com tcp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 api.github.com udp
DE 140.82.121.6:443 api.github.com tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9f44d6f922f830d04d7463189045a5a3
SHA1 2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c
SHA256 0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a
SHA512 7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

\??\pipe\LOCAL\crashpad_3164_PCTFURYLNSIPWBQE

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7740a919423ddc469647f8fdd981324d
SHA1 c1bc3f834507e4940a0b7594e34c4b83bbea7cda
SHA256 bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221
SHA512 7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6c09b9d6-7d68-4843-b557-7fe272fb4028.tmp

MD5 ea0a399369a297fe6d01ed22f7b7da96
SHA1 4b63b01e8526a18f6025e9d64fb222e75fb5cd43
SHA256 5f0f5d99ebd06c7180ee1d023f720e91aee80fb28bf78727a4fa3b970123e515
SHA512 3ab57d2b5f49590e0c4be067c1c6452fc277eb2c05f29edc2b65747ece73438f3dfc90971c47a4c871eedd133bd9b68137e8f5ff8f6b741662417c62db35093a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 01e2bfbc6873ac56c535f470140382cd
SHA1 99d2637b169f3a960e5df907923e05071374a0c1
SHA256 f40965e6dcb517388ced5e0bbc4308e049c7f7322a8af05572de4c80da3922e0
SHA512 f80e0d2456bc2e4cfb0f99b728b85c2ae35ffe1fb0a5ceb4391bb3341f6639eb30511f018f233388b5ce00eb487fde60d1d818f504a9ba0fd002a0a017b5a25c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 876a53abd89f64551a2a310c60306a71
SHA1 d0fb663674d7c8afaf7cc889fd05dda22135ebba
SHA256 bcf8f7421d1ef20252ca43c9574cceceba4fae3f22e4aae6463efe7d3ec00bf6
SHA512 15a6914714fac8ee6232f22972d2a19ff51d6411d9cd31fbe191f62ab79e96304cae30666378200ebbfdd09a43cbf07fc47cfb2316f550835899fe65cbb2298b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2b53e1f180926fc333c8176b8ec5ad37
SHA1 1c077d8e7a0d9ea7a8c7267c101bbfcc980aaf65
SHA256 2718949a96d8c2e736919cd9fde3c9f3659538e8dc01bec3cc8582824ddf5039
SHA512 adc262ff8b84da195b3241ea4f64a5f154cc5d9ba589655a71a02b37088460cb8b84b7c3d0a2ca4bab4b30fbb0fff3e092f720ffa4c725520086e7047cc21aa0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 fdce4e72dabad1a29c8b5bfbeb718ac5
SHA1 61d77b19e0e720b3573869f76140861c05658de8
SHA256 2a8c3775ccee69ed0d314e7a2512049c56263557e5ab540fe32d1a554560c411
SHA512 eb3768efccff3997bfaeb4437b8416b2e14dcb08723ab58723b672ea1747252c6a4d6eba25357ea9ada8de6de19ce794b262b4e7c0825fdd2ec00a6dfcd6ac90

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\390b789f-98dc-43bb-a2fc-6dce9c94db48.tmp

MD5 df654fedd529a5fdb1d078acade66ce1
SHA1 1873ea24ab376ef4cfe6b1538b8f2aea0a236549
SHA256 50b1926ead67adc1b5e631086c44dbda63a750fca5947b142ed9147f0ed60314
SHA512 aae015a586eb75a4411412ed78cc3ac6af3422e42db1d8c1c289d4aa08ab9ef330b439877dcd75f0867e0039774fd6041c9932518c6eb62143fd75b5e3d9c1e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 9956429ec8f3edb5394e307c24dd9e2a
SHA1 684f6f1345c954eb66f86ff3fb3f6e70a60d605d
SHA256 9d33fee21954dbb22a9de5b1692c8da5971ff00c7108a58867d3429772eb291b
SHA512 7dd3884198046568dc1e835e23d83f226cf44869bad0a7a603755b8fe7ba22f9bc9d30b1d907088ec661d66293ba016a57f55b6703df7dabed3fd5fbea6444fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8afaf251ad72000f937e62b3a98cc475
SHA1 c834fc1e584b667076542ce10f3cf60bf10bc5f3
SHA256 8bdd4449db0a172043afbc3be0d3262deac505551c8ba15d6140d302361c0481
SHA512 334c93378fe1e7cabccebd805300d76bd2f4a3fc29d083a667c897dd2b4a3a8ce230ca3fb98fe3ee646eceb2c6539ad81756ba72c7ef02fc55a7c34d34d1c38e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8de0e9e9c7ea8fc85beceedfdae42b7e
SHA1 0dc2f1135af6497843df8dd9e2701812a1a22fe8
SHA256 9ef4e7a48059e61c790d22e4ff7794c02ee21ef97af9d1f81f0656def4ecb887
SHA512 2cbca6736d49a7b24847f2ab11aef9126ab0e5b488f3e97e9067abebba758ad6141ddc7f05421659c5bd0fe82fa9d8ac673d11cac33cf4034e4529309d6c4ff8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe592205.TMP

MD5 2c277cd793f742ad49677dbc05e66b34
SHA1 5618903cc784db8a7796cfe5461e132e270f676f
SHA256 1a6f03b38c3803e99c0f6d42e7323859dac9d5bbbf01547eb7a7a278de3dce65
SHA512 b57d87ffb5cd6f57f3126722fe9ec8a7dcf2ee7588b7fdd96d3b364b12cab36120e014340af3491736b25503f92be6083639a785baf09a0fa9ce0820bee33736

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0da52d78e9d3bd10dcd99b9b760537a4
SHA1 6e7dfeb116b1e91664021cb2769576a085ae148c
SHA256 a45e684d21d16b88059b4d14ac8dc6a4d5dcbe8ffacc8fdea062ad21ffe599e3
SHA512 ed7bb2520545ada61152f623e7c9b681d2fd2b5e2e537fecc1ee719dbec3bb89307c51a50a8fb45af383c3b7bdeeec2aa40a7042385f340fb3c8f5e368076002

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 eb3ff0bde216dc6c7acf1e5abc9a5e51
SHA1 87bc6be9dd9305957557761645cdc122ac8545e3
SHA256 599ee2e37f76ad64ff2e5ba8aa29cea625dd413f651cfe4ebddaac418d84e29e
SHA512 0daf101896d0451787260d1c106457fd1b8aaf667ff92b7783c32f1d61b8d07283db4393c2c320b10eb9d3d1985e4d13b3b1b9b4c49698d127a7cec27b352737

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 cc1084c91b89fffef808859e44d07146
SHA1 0087a265eb490b31a52918885e4b4a11272fb9da
SHA256 89d3365629c833852d1fdf8b4c1e6e259af5f8da6d3b6c8dfe15f93d8c33c5d3
SHA512 f0b06efc81cf4d631feb1a571ac338bb49734f3dc6b1f9b0b890a6865911cf6b54d4f2c80de63bed827e9dfa51fda6ab5e638bf1dd5cdf70e4083371d520f144

C:\Users\Admin\Downloads\Unconfirmed 577287.crdownload

MD5 247a35851fdee53a1696715d67bd0905
SHA1 d2e86020e1d48e527e81e550f06c651328bd58a4
SHA256 5dd4ea169cabf9226f54bb53e63ea6a1b5880a0d1222242aee378efb6255b57d
SHA512 a173801aaef4fab608d99b52223b5b2400d69b91edcbf33c21fcb47bd832eef9d771dfd36da350a502a371ed1739c869a7c2b4dca456c93f2feed9ac9c647c7c

C:\Users\Admin\Downloads\MrsMajor2.0.exe

MD5 87a657b25c36c3a341fdc8db4d9ac699
SHA1 b4400a01ea1d8d0bc59ab7c1cead8f9f67e4c5d6
SHA256 099b9c0df16b2e0c0559a0058bc41908c99797c118a6ffa319d2c32293d6a1a7
SHA512 266fb7410e8194fbb8cb05462eb0f9003491c2a070606610a62fc8286a067affe0637276815b90f671b22c0e4f3e6dbae444ddce589ee7e10020a58f58416132

C:\Users\Admin\Downloads\MrsMajor2.0.exe

MD5 55ddf8a798e099994374035f2cb715d8
SHA1 51bd1be247e2b7d1fc95387118cf21ad3506d4d6
SHA256 e1abbbec977652c182fa578bcf38c6298964776a0d1569ae5abef4a6884ca8fd
SHA512 5f565ac6ea34307beb1813c8310c04e0cdee0f32060f0a95dac5074ae4ef9f71c49afb113cd6335ac9677701eaa7c4837644d626bba6f2248d7b7d92737ec577

C:\Users\Admin\AppData\Local\Temp\9675.tmp\9676.vbs

MD5 fd76266c8088a4dca45414c36c7e9523
SHA1 6b19bf2904a0e3b479032e101476b49ed3ae144a
SHA256 f853dddb0f9f1b74b72bccdb5191c28e18d466b5dbc205f7741a24391375cd6f
SHA512 3cd49395368e279ac9a63315583d3804aa89ec8bb6112754973451a7ea7b68140598699b30eef1b0e94c3286d1e6254e2063188282f7e6a18f1349877adeb072

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\bsod.exe

MD5 8f6a3b2b1af3a4aacd8df1734d250cfe
SHA1 505b3bd8e936cb5d8999c1b319951ffebab335c9
SHA256 6581eeab9fd116662b4ca73f6ef00fb96e0505d01cfb446ee4b32bbdeefe1361
SHA512 c1b5f845c005a1a586080e9da9744e30c7f3eda1e3aaba9c351768f7dea802e9f39d0227772413756ab63914ae4a2514e6ce52c494a91e92c3a1f08badb40264

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\breakrule.exe

MD5 bcb0ac4822de8aeb86ea8a83cd74d7ca
SHA1 8e2b702450f91dde3c085d902c09dd265368112e
SHA256 5eafebd52fbf6d0e8abd0cc9bf42d36e5b6e4d85b8ebe59f61c9f2d6dccc65e4
SHA512 b73647a59eeb92f95c4d7519432ce40ce9014b292b9eb1ed6a809cca30864527c2c827fe49c285bb69984f33469704424edca526f9dff05a6244b33424df01d1

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\AppKill.bat

MD5 d4e987817d2e5d6ed2c12633d6f11101
SHA1 3f38430a028f9e3cb66c152e302b3586512dd9c4
SHA256 5549670ef8837c6e3c4e496c1ea2063670618249d4151dea4d07d48ab456690c
SHA512 b84fef88f0128b46f1e2f9c5dff2cb620ee885bed6c90dcf4a5dc51c77bea492c92b8084d8dc8b4277b47b2493a2d9d3f348c6e229bf3da9041ef90e0fd8b6c4

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\CallFunc.vbs

MD5 5f9737f03289963a6d7a71efab0813c4
SHA1 ba22dfae8d365cbf8014a630f23f1d8574b5cf85
SHA256 a767894a68ebc490cb5ab2b7b04dd12b7465553ce7ba7e41e1ea45f1eaef5275
SHA512 5f4fb691e6da90e8e0872378a7b78cbd1acbf2bd75d19d65f17bf5b1cea95047d66b79fd1173703fcfef42cfc116ca629b9b37e355e44155e8f3b98f2d916a2a

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\clingclang.wav

MD5 bb029b3a8613e3923f799f6372d22806
SHA1 fb6877ab7cba960e47f21522872b3a0a3bde10aa
SHA256 f4307a9263951bdefeda06083fe3dec33b7a53ef0c3b4e38b2a88748bc9cbfc5
SHA512 f9b8f8b77bd8bceaf4993df8bc9a49d63de8d0c8e309a0f5d2aad72c4467faf2c14dd1c5c5f0436cff85845f352f73f4964dd3d6a7cfb2ee516605b0f85ce321

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\checker.bat

MD5 f59801d5c49713770bdb2f14eff34e2f
SHA1 91090652460c3a197cfad74d2d3c16947d023d63
SHA256 3382484b5a6a04d05500e7622da37c1ffaef3a1343395942bc7802bf2a19b53f
SHA512 c1c3a78f86e7938afbe391f0e03065b04375207704e419fe77bf0810d1e740c3ef8926c878884ad81b429ec41e126813a68844f600e124f5fa8d28ef17b4b7bc

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\data\fileico.ico

MD5 a62eeca905717738a4355dc5009d0fc6
SHA1 dd4cc0d3f203d395dfdc26834fc890e181d33382
SHA256 d13f7fd44f38136dae1cdf147ba9b673e698f77c0a644ccd3c12e3a71818a0cd
SHA512 47ffac6dc37dac4276579cd668fd2524ab1591b594032adbeb609d442f3a28235a2d185c66d8b78b6827ac51d62d97bdc3dffc3ffbaa70cf13d4d5f1dc5f16c2

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\data\excursor.ani

MD5 289624a46bb7ec6d91d5b099343b7f24
SHA1 2b0aab828ddb252baf4ed99994f716d136cd7948
SHA256 b93b0cb2bb965f5758cb0c699fbc827a64712d6f248aaf810cde5fa5ef3227eb
SHA512 8c77696fe1c897f56ea3afdecf67ad1128274815942cd4c73d30bf0a44dd1a690d8c2f4b0be08e604853084e5515020c2e913d6e044f9801b6223c1912eec8f8

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\data\thetruth.jpg

MD5 ecaa6c4d9d0918a6b021a3dde050dfcb
SHA1 4d9825d20905eba8c2c95f0a2307624783b85987
SHA256 c3763f14a2ef5ca07c6dacc26a755c031f72bf76a31080b96929c5b147e10754
SHA512 24727cc6fe56dfcedbef684c96fceb846374d9a341683f2470e78264e62ac48765d454f8d1046dd7fdadf128e886819d56521f743dca8b76d2cc3f8fe4b8b2ce

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\data\runner32s.exe

MD5 87815289b110cf33af8af1decf9ff2e9
SHA1 09024f9ec9464f56b7e6c61bdd31d7044bdf4795
SHA256 a97ea879e2b51972aa0ba46a19ad4363d876ac035502a2ed2df27db522bc6ac4
SHA512 8d9024507fa83f578b375c86f38970177313ec3dd9fae794b6e7f739e84fa047a9ef56bf190f6f131d0c7c5e280e729208848b152b3ca492a54af2b18e70f5dc

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\data\eula32.exe

MD5 2c16d02a2d22af1e79ebe78b5f9007d0
SHA1 f263471ad2481cf903c54a6ef470bb0bcd363386
SHA256 772028bf1ea5546365b98656881dd1281257e081800db712ae79f08db3996c0a
SHA512 ac28c7c61c188c8dd317b3df6c016a780113d8b9a053a6a36e45b3407be7466ae406fba9f0bc1922a6612f90fe0cb49a600142377ab7d28223fbc695ad508d50

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\majordared.exe

MD5 25df21398e58bd5b5966baae6c683fdb
SHA1 dbd1d2c1e32c7de015dcdae1557fa0b7b7a56151
SHA256 a3b85e756cbba8dbc5a6cd8f020e7c9e3f51cc7b51d6d063b3143c50618cad74
SHA512 4cec3c1c7185531eaf86671c5d173fb655c14d7be946368f12aa1565f6549ff93aee3765b6fa06fe5879e5a4a7cc53f30fcd12ba5a40adf50bdddd1070e869c8

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\majorlist.exe

MD5 230970ec5286b34a6b2cda9afdd28368
SHA1 e3198d3d3b51d245a62a0dc955f2b1449608a295
SHA256 3cdafc944b48d45a0d5dc068652486a970124ebe1379a7a04e5cf1dcf05c37c8
SHA512 52912b6b2ba55c540316fcfc6f45d68771d1c22ddf4eb09c2cc15fb8ddd214812c18fd75cd61b561c29f660e2bf20290a101b85da1e0bbf8dfbf90b791892b57

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\Major.exe

MD5 d604c29940864c64b4752d31e2deb465
SHA1 c1698ea4e5d1ba1c9b78973556f97e8f6dbbdef3
SHA256 da0233f5e5e9a34e8dd4f6911444ca1f3e29bb9cbd958a9f4508ac7d72ccd55d
SHA512 89a4a14574ba19fe319c766add0111feeb4320c08bf75f55a898d9acc783d5a862a6433758a413cc719b9179dcf873f1c850d1084851b8fc37aa1e3deabfcf54

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\healgen.vbs

MD5 8837818893ce61b6730dd8a83d625890
SHA1 a9d71d6d6d0c262d41a60b6733fb23cd7b8c7614
SHA256 cc6d0f847fde710096b01abf905c037594ff4afae6e68a8b6af0cc59543e29bb
SHA512 6f17d46098e3c56070ced4171d4c3a0785463d92db5f703b56b250ab8615bcb6e504d4c5a74d05308a62ea36ae31bc29850187943b54add2b50422fb03125516

C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe

MD5 57f3795953dafa8b5e2b24ba5bfad87f
SHA1 47719bd600e7527c355dbdb053e3936379d1b405
SHA256 5319958efc38ea81f61854eb9f6c8aee32394d4389e52fe5c1f7f7ef6b261725
SHA512 172006e8deed2766e7fa71e34182b5539309ec8c2ac5f63285724ef8f59864e1159c618c0914eb05692df721794eb4726757b2ccf576f0c78a6567d807cbfb98

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\DgzRun.vbs

MD5 a91417f7c55510155771f1f644dd6c7e
SHA1 41bdb69c5baca73f49231d5b5f77975b79e55bdf
SHA256 729f7540887cf32a5d4e1968a284c46cf904752821c734bd970ecd30a848477a
SHA512 f786699c1ab9d7c74dd9eb9d76a76728980b29e84999a166a47b7ee102d8e545901ed0fcb30331712490a36de2d726115b661ad3900cdc2bfcfc601d00b76b07

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\RuntimeChecker.exe

MD5 cd58990b1b7f6c68f56244c41ab91665
SHA1 7ccca9958d6aebbe3883b55f115b041b827bd2e7
SHA256 51f59e877a1c2a1c2760c677def7395ef2868c2ee3e56ffdc3ace570afa50428
SHA512 011bdd417ec3bf72daa2b32d3816b696be8b87423740dc2a0182e23515651deeb870a94f3415a73480145f9f5e36c1a3a492410b77ca95d7fab8b9826e9198cc

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\rsod.exe

MD5 91a0740cfb043e1f4d8461f8cbe2ff19
SHA1 92e1ad31c34c4102e5cb2cc69f3793b2a1d5304e
SHA256 dcaabfd6955d3fec26a86217d1b1ab7e979c301d498473e4d885145ce031fc3b
SHA512 c60067655e5f191708af9b25382869e3ce65cd3ea2d6cac70f8cae4132942cfd6a8aa9dde1e2b7f3f12997d6d7411e21dc73ab4cd83ec555d74b82b86778a613

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\NotMuch.exe

MD5 87a43b15969dc083a0d7e2ef73ee4dd1
SHA1 657c7ff7e3f325bcbc88db9499b12c636d564a5f
SHA256 cf830a2d66d3ffe51341de9e62c939b2bb68583afbc926ddc7818c3a71e80ebb
SHA512 8a02d24f5dab33cdaf768bca0d7a1e3ea75ad515747ccca8ee9f7ffc6f93e8f392ab377f7c2efa5d79cc0b599750fd591358a557f074f3ce9170283ab5b786a1

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\majorsod.exe

MD5 b561c360c46744f55be79a25e1844e3c
SHA1 ed0f7eb00b4f1ae6cf92ad75e5701014f3d03d56
SHA256 d1094e91960ded15444c6f50756adc451a7c0b495b2ea28319b7184ba96236f7
SHA512 0a3a75d08f1d7afcd7a476fc71157983e04b0c26b00ace4d505aa644e5da3e242dd0f6afdb3c93f29ba0b08d2702d0e96b49acba4ed260330068b13f93973e9f

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\weird\GetReady.bat

MD5 3dbccaadafb7f0227c1839be5ca07015
SHA1 bd636f73235d52d172ad8932a8e4a6a8b17389a0
SHA256 33a0c62f3f66bce3fc1beb37aca8ad731bfa5590177d933d9d4eae016019242a
SHA512 d981670f9d492d97931ab260a7d7d27d4f97621a1ef3e20246d4be2a9b4cfc01e01174a1d46432b4a3d937ad135c97eec9ef7bbc7da46034388843887df4637e

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\weird\cmd.vbs

MD5 b181d5a4055b4a620dd7c44c5065bbe7
SHA1 36320f257026b923b923ad2c0e7fa93a257806e0
SHA256 4d2639e890d6d5988eb9cb6f8cb50647048bbfeeb83fc604c52567e7381c876c
SHA512 0bec0cf2e5b93065701c5458c1d7e047312971d7bbed3ce5444db710654fa0d84eabb7d7c243130e3cb2dae38eb05874929b5b08547174a6065f8accd4e0433d

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\weird\bsod.bat

MD5 c94bb8d71863b05b95891389bed6365e
SHA1 07bb402d67f8b1fc601687f1df2622369413db3b
SHA256 3900e3b60b4691311e050c4cf8fac82ff178a06e3d04d5d6b2d7ea12cf5d53d1
SHA512 00e7ab3a91862faaf5ac5ca3de6dbf2cbb8aac4aba277e1e14b2ecf4650eea2e68134e0df549dca35ab715ed46e36fa9cfee1ba7bb3520511723bf567566682d

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\weird\breakrule.vbs

MD5 2609fde7a9604c73be5083e4bcfa0e20
SHA1 068c89f703fb11663143b9927f2a0c9f9f59c0e3
SHA256 17d014cb4abbaced3acce9b6d7a1b595cd6e2dd814e41f06ceddcdc08e93eebe
SHA512 439fee7cc198cb3fef4ef14693141e52c305579a4ff2da0842323f57dcffade03f3b01ac288080fed423511937a4c1e2080f5a79f967a963fe34253f541824cb

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\weird\Major.vbs

MD5 9192fd494155eab424110765c751559e
SHA1 b54fcc1e29617b3eee1c7bb215c048498881b641
SHA256 cbd3b0f294e8f11592a3ad80d1070d81746f806a48183b93c345251422ccbf0d
SHA512 b8c48916535f3721e7f47be6af671765c3befefcd407c6ea5fabcf9ada119747408d662f61fb436f98a7c33050b6674da54dddf25e683429204a96555ec6e801

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\weird\majorsod.vbs

MD5 fecb9e50c1f01d9d6101f273cb860260
SHA1 18c413f577c289004db6156bd133e5db70258044
SHA256 8863b595563e92d73b29090ff83191b2fa1297507be588aa7e1cf910e77c7feb
SHA512 2c30641b099d5b6c3af40cb41e70160c1f4294bb30dc3162b018e9552b48fc899d1a63d3e366bfb71fcf6803bcc518cf8d504ce60684ce221028a9bf2bc07f9d

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\weird\majorlist.bat

MD5 4cc606c63f423fda5324c962db709562
SHA1 091250ffc64db9bea451885350abed2b7748014c
SHA256 839301ef07178c100e7f4d47874faf995ae5d11dfd527dda096a284c8114671b
SHA512 f29ef2bc694f497499545d1fa4e14ca93c06049fff582af3a6caf3885153491a1cd9e96ab5a6746051aa972421f876c008e5d5b671bd34c3922b61c84151097f

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\xRun.vbs

MD5 26ec8d73e3f6c1e196cc6e3713b9a89f
SHA1 cb2266f3ecfef4d59bd12d7f117c2327eb9c55fa
SHA256 ed588fa361979f7f9c6dbb4e6a1ae6e075f2db8d79ea6ca2007ba8e3423671b0
SHA512 2b3ad279f1cdc2a5b05073116c71d79e190bfa407da09d8268d56ac2a0c4cc0c31161a251686ac67468d0ba329c302a301c542c22744d9e3a3f5e7ffd2b51195

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\xRunReg.vbs

MD5 8267192f547f8914ff36eff80ca3f402
SHA1 23bdeb19fb37059e1293dd80d8be69480c957c73
SHA256 cdd4f356ca256c707960bc42b97649111a830e6f951ca6a3cf80853e3c342947
SHA512 cd684cb73496ca925fd8604fbbf286b842e2b02ce18b19d63618e8355dcec02bce700fb09b25da932545845b01a7f8d9986fa486db504b92a42d7c0ace21e9e2

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\WinScrew.exe

MD5 1aaafedd9f259acca75708f4af10b5be
SHA1 f6b4ea28d304e1f9205c1c0b970d60ee989402f2
SHA256 429e01b0e06b02a55bafb1527629f8d4c5f64d9b21ac9f81484a3928fdce6dc9
SHA512 a995ebf4d142452aabb419f0cacfa5412d03532840cb08c37dd7c00001dee521bf9d0da66ac4346b07dffd91fe01fa3115fa05811acbd43d380320dca1be4aa8

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\weird\WinScrew.bat

MD5 04067ca733ee8b2ab2f068edc8b75a0f
SHA1 973cb577f6ab2463040918c3661333553a3132c8
SHA256 3aef33c03777abe62feef0a840ac6a087caafc05adfe801464fd1c52eac656a0
SHA512 5423a1e668211f269a3d787548e11d18de7365d6c2525c2de61014854f1ab5a51b5de9eda70fb21d6ebe356cb52e93b3f406c71ed7fbcaedd2b023b6fa9c13f8

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\weird\RuntimeChecker.vbs

MD5 fe44b78a465853c0ac0744c6ab05ea40
SHA1 f32dacd91b9547fce9a8a2846a4e17c33295aab3
SHA256 989d947c51c878bcefecb53d867a3c182c2d67129a87a5f6773eb6ef2bbf9b2e
SHA512 6b945e16786833c2e2e9867315b8859c413687fc72d4c8576b9c0a1aed2dc65249468317dd49f2ecf777e27c9969b7a7abc72b4d9b7c182dc7999051377515db

C:\Users\Admin\AppData\Local\Temp\9675.tmp\MicrosoftWindowsServicesEtc\weird\runner32s.vbs

MD5 5f427dc44f33906509423d24fa0590c0
SHA1 b896f7667381a594d3751e05f258925b81c231c0
SHA256 9aae0707b1d5d3b7ed3bf5cc8fbb530aebd195e3e2f18312f3f7f1aa43e031b4
SHA512 bd28c386772062ef945f24c8ad7a25f158856af36e31d2c9b14674cedfd34b4f48ed531cd40a7eb291384d83665ffe154f0786c1a7ee1616256cf30125120961

C:\Users\Admin\Downloads\MrsMajor2.0.exe

MD5 55f6e95d7ece49d1d1abadc3322034a1
SHA1 22428ce06d1e79518911f11b9012c7ab35769010
SHA256 410c9a4549f215ea4bec4ce4120041d66d522e6179caed2ed8d2f104b7f31f76
SHA512 86b2f57b5bdce99363b898ea0c0cc03408e22bfbd3756bafcd2c445fb6ee273fd5c0f8a8d34014d592dcf9f39afd414c5a18155dbf0869816d99d7346565e8d0

C:\Users\Admin\AppData\Local\Temp\ACBC.tmp\MicrosoftWindowsServicesEtc\clingclang.wav

MD5 4bc923f234812b1698ad053db7e8caa3
SHA1 4960a28863f2b09ead2b243a83f47dce99ddf20f
SHA256 ef463cb99aeec687997696512a00775f8224dfa92859314a27e1f74963fea514
SHA512 d6ce29d6ac3b2905478ce83bfb8c7fbdab4416b57ff70e82d53e3c53119953caa0f8d82c280e63f58d211a7ba38c9653dbe8c523b877aadcb2bcc634b0c5956e

C:\Users\Admin\AppData\Local\Temp\ACBC.tmp\MicrosoftWindowsServicesEtc\data\eula32.exe

MD5 cbc127fb8db087485068044b966c76e8
SHA1 d02451bd20b77664ce27d39313e218ab9a9fdbf9
SHA256 c5704419b3eec34fb133cf2509d12492febdcb8831efa1ab014edeac83f538d9
SHA512 200ee39287f056b504cc23beb1b301a88b183a3806b023d936a2d44a31bbfd08854f6776082d4f7e2232c3d2f606cd5d8229591ecdc86a2bbcfd970a1ee33d41

C:\Users\Admin\AppData\Local\Temp\ACBC.tmp\MicrosoftWindowsServicesEtc\data\thetruth.jpg

MD5 7907845316bdbd32200b82944d752d9c
SHA1 1e5c37db25964c5dd05f4dce392533a838a722a9
SHA256 4e3baea3d98c479951f9ea02e588a3b98b1975055c1dfdf67af4de6e7b41e476
SHA512 72a64fab025928d60174d067990c35caa3bb6dadacf9c66e5629ee466016bc8495e71bed218e502f6bde61623e0819485459f25f3f82836e632a52727335c0a0

C:\Users\Admin\AppData\Local\Temp\ACBC.tmp\MicrosoftWindowsServicesEtc\majordared.exe

MD5 ecb9c58142a622d6ac3b5ea6d9080720
SHA1 65751cc7f69632c6194b97526d0667d05376297d
SHA256 e7cbc125c4c83300ed8b1f521951a8932886a8269bc98dd232da837674a7182e
SHA512 9ccb04825f1fabd04650eec97f40c2020f1253f4157a0e437978c77e2d40f0807a0523f1653bb5c51f25894f8d10b7beae8970554d080a2293bb500f5f0721cd

C:\Users\Admin\AppData\Local\Temp\eula32.exe

MD5 0fc9edbea8f90c4fb3a3d73c79197b42
SHA1 0b2258c3baced66dd3155c61eda697b61a482474
SHA256 4b9a8d9d3de8c021bc9e6b41e1ea7fc34e72393d39709ab6d814b4281b8187d0
SHA512 ea3e03aeef7c83cc5a078369e4c871c80fbf5f340a2ef80c13361a77357a3b9d96ed0ef2311abe83dd0061a6fd8ec9223aadcc9926bdc0445b202626eb6cd325

memory/4476-614-0x00000000006A0000-0x00000000007DC000-memory.dmp

memory/4476-613-0x00000000737E0000-0x0000000073F90000-memory.dmp

memory/4476-615-0x0000000005750000-0x0000000005CF4000-memory.dmp

memory/4476-616-0x0000000005240000-0x00000000052D2000-memory.dmp

memory/4476-617-0x0000000005470000-0x0000000005480000-memory.dmp

memory/4476-618-0x00000000051E0000-0x00000000051EA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c33459928b7253d47f4384d4916dffa8
SHA1 554c43a6b4c789dfe586124bdb9a29415138006c
SHA256 d3f25357e362cc16775bf4be57c64fe20801266e9d0e7310d7de5c6e110968be
SHA512 fde8223f9c6bf151147ec23ef83ece60c69faf4fbfc667affc49cd756c273d18dbc7c3bceef56dbec575f530b7d6f017836e333e564cba10358815bc3e9f4d6d

memory/4476-628-0x0000000005470000-0x0000000005480000-memory.dmp

memory/4476-630-0x00000000737E0000-0x0000000073F90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1\CD73.bat

MD5 fe81c1282a808b7a1d0a27d7cccaa624
SHA1 f6afc7b26ead8cdb51b11d59c6e68e5aab265bfa
SHA256 3e18de7065154144b54a2f7c179c27b3f27c3cda5871f472f452a8cfc3dc6791
SHA512 873e226360edc463dd753aedfec7ec60e0d8efac08652245709862b8bd9e6ae85eb6ea6f05d8d2c0ec1c8e7fc1bddeebc5037efcac1ceb5b1f099b49c0a93045

memory/3496-653-0x00000000737E0000-0x0000000073F90000-memory.dmp

memory/3496-652-0x00000000007F0000-0x0000000000814000-memory.dmp

memory/3496-654-0x0000000005310000-0x0000000005320000-memory.dmp

memory/3496-655-0x0000000005310000-0x0000000005320000-memory.dmp

memory/3496-665-0x0000000005310000-0x0000000005320000-memory.dmp

memory/3496-684-0x00000000737E0000-0x0000000073F90000-memory.dmp