Malware Analysis Report

2024-11-13 16:14

Sample ID 240412-xk4m7sda76
Target sample
SHA256 8a1ca44c57db2910334734c555645f5e4cce911b0b6a51020eeadbe1f5432b4e
Tags
lokibot agilenet evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8a1ca44c57db2910334734c555645f5e4cce911b0b6a51020eeadbe1f5432b4e

Threat Level: Known bad

The file sample was found to be: Known bad.

Malicious Activity Summary

lokibot agilenet evasion persistence spyware stealer trojan

Modifies WinLogon for persistence

UAC bypass

Lokibot

Disables Task Manager via registry modification

Drops file in Drivers directory

Disables RegEdit via registry modification

Obfuscated with Agile.Net obfuscator

Executes dropped EXE

Modifies system executable filetype association

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Enumerates connected drives

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Modifies data under HKEY_USERS

Modifies Control Panel

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious behavior: LoadsDriver

Modifies registry class

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

NTFS ADS

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-12 18:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-12 18:55

Reported

2024-04-12 19:02

Platform

win11-20240412-en

Max time kernel

363s

Max time network

368s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html

Signatures

Lokibot

trojan spyware stealer lokibot

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\mrsmajor\\Launcher.vbs\"" C:\Windows\System32\wscript.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\system32\wscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\System32\wscript.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-243033537-3771492294-1461557691-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1" C:\Windows\System32\wscript.exe N/A

Disables Task Manager via registry modification

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\mistdrv.sys C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\MistInstaller.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3139.tmp\eulascr.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3139.tmp\eulascr.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" C:\Windows\System32\wscript.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XRF = "C:\\Windows\\system32\\PrTecTor.exe" C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Duksten.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\PrTecTor.exe C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Duksten.exe N/A
File opened for modification C:\Windows\SysWOW64\PrTecTor.exe C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Duksten.exe N/A
File created C:\Windows\SysWOW64\PrTecTor.exe:Zone.Identifier:$DATA C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Duksten.exe N/A
File created C:\Windows\SysWOW64\regedit.exe C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Duksten.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Duksten.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\mrsmajor\MrsMjrGuiLauncher.bat C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\default.txt C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\def_resource\f11.mp4 C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\DreS_X.bat C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\mrsmajorlauncher.vbs C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\MrsMjrGui.exe C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\CPUUsage.vbs C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\def_resource\creepysound.mp3 C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\def_resource\Skullcur.cur C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\Icon_resource\SkullIco.ico C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Program Files\mrsmajor\CPUUsage.vbs C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\def_resource\@Tile@@.jpg C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\Launcher.vbs C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\reStart.vbs C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\WinLogon.bat C:\Windows\system32\wscript.exe N/A
File created C:\Program Files\mrsmajor\Doll_patch.xml C:\Windows\System32\wscript.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\m_regedit.exe C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Duksten.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-243033537-3771492294-1461557691-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-243033537-3771492294-1461557691-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-243033537-3771492294-1461557691-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-243033537-3771492294-1461557691-1000\Control Panel\Cursors C:\Windows\System32\wscript.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "157" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-243033537-3771492294-1461557691-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-243033537-3771492294-1461557691-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-243033537-3771492294-1461557691-1000\{3D5110B4-127E-41DA-94DD-AACD8671D49A} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe N/A
N/A N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe N/A
N/A N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3139.tmp\eulascr.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\shutdown.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1816 wrote to memory of 1172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 1172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 3468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 3468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 3564 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 3564 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 3564 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 3564 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 3564 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 3564 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 3564 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 3564 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 3564 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 3564 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 3564 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 3564 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 3564 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 3564 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 3564 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 3564 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 3564 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 3564 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 3564 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1816 wrote to memory of 3564 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\system32\wscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system C:\Windows\System32\wscript.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\System32\wscript.exe N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ff8bd083cb8,0x7ff8bd083cc8,0x7ff8bd083cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5016 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5004 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004CC

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6212 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4416 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe

"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4424 -ip 4424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 296

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Duksten.exe

"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Duksten.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4976 -ip 4976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 592

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\rogues\SpySheriff.exe

"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\rogues\SpySheriff.exe"

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe

"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe"

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe

"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe"

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\MistInstaller.exe

"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\MistInstaller.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\MrsMajor3.0.exe

"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\MrsMajor3.0.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\3139.tmp\313A.tmp\313B.vbs //Nologo

C:\Users\Admin\AppData\Local\Temp\3139.tmp\eulascr.exe

"C:\Users\Admin\AppData\Local\Temp\3139.tmp\eulascr.exe"

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\BossDaMajor.exe

"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\BossDaMajor.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\8AD4.vbs

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Program files\mrsmajor\mrsmajorlauncher.vbs" RunAsAdministrator

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

C:\Windows\System32\shutdown.exe

"C:\Windows\System32\shutdown.exe" -r -t 03

C:\Windows\System32\PickerHost.exe

C:\Windows\System32\PickerHost.exe -Embedding

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3a3f855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
GB 172.217.16.238:443 drive.google.com tcp
GB 172.217.16.238:443 drive.google.com tcp
GB 172.217.16.238:443 drive.google.com tcp
GB 172.217.16.238:443 drive.google.com tcp
GB 142.250.178.10:445 fonts.googleapis.com tcp
GB 172.217.16.238:443 drive.google.com udp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
GB 172.217.169.22:443 i.ytimg.com tcp
GB 142.250.178.10:139 fonts.googleapis.com tcp
NL 23.62.61.115:443 www.bing.com tcp
N/A 224.0.0.251:5353 udp
NL 23.62.61.115:443 www.bing.com tcp
NL 23.62.61.75:443 th.bing.com tcp
NL 23.62.61.75:443 th.bing.com tcp
NL 23.62.61.104:443 th.bing.com tcp
NL 23.62.61.104:443 th.bing.com tcp
NL 2.18.121.196:443 aefd.nelreports.net tcp
NL 2.18.121.196:443 aefd.nelreports.net udp
IE 40.126.31.73:443 login.microsoftonline.com tcp
US 13.107.5.80:443 services.bingapis.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 207.241.224.2:443 archive.org tcp
US 207.241.224.2:443 archive.org tcp
US 207.241.239.241:443 polyfill.archive.org tcp
US 207.241.225.195:443 analytics.archive.org tcp
US 184.105.214.247:443 dn720003.ca.archive.org tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 user-images.githubusercontent.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 140.82.113.22:443 collector.github.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
GB 20.26.156.210:443 api.github.com tcp
GB 20.26.156.216:443 codeload.github.com tcp
CA 69.50.175.178:80 tcp
GB 172.217.16.238:443 drive.google.com tcp
GB 142.250.187.193:443 drive.usercontent.google.com tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b0d0271cd8394035d3f04a57c4376225
SHA1 6ef25cb6b29467e6a659b8dbc28b52006778dabb
SHA256 1c8016ee1208109e59206f98b68b821b61f1cff2ab3852042379b3287674c42d
SHA512 b856d97096d0288fe0547b484abddce5fd100c080a7992709b0158b7e2d498c9820ba54f99b6b71056bdff7f0d6ceeac87793ab074f126e506aee2c83d2523ec

\??\pipe\LOCAL\crashpad_1816_IJRFYBMJLGOULBUD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e51956799fa67379ea02ed281264a0e4
SHA1 e8f9403225aedfc94b27d902b72ca6591858d643
SHA256 6f3fd42d136b90c98ace40fb6b1522f1b9a1076b431e5290f89cabb4948c3a57
SHA512 c5e017b2b06bf486daa64612f8bbe5dd9f28633d6dfc434f1605c2f36cc08ae6ae40c187316fe1ff998ed7346deef35a66cbc445f2adbb273ac928175e735391

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 38c85007f322d3a3445e680c7d2685c6
SHA1 0e6d92fba475fbc6c6f3e5bd45057fdf22d4420c
SHA256 592ba16ae112da8b5ed3a6dcb57291eff6b81e05674c2595fc8dc39f155246f5
SHA512 0db5345ef9cd73336ab32a9fc4deb3c510239198ef4b1ff6aa5fe93e6c9f6a5c2c9cf068e5b7625eb3e9b2372e827e23732c85ff52102cc29bf1b7237a500240

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0ef321ed5e2cc26ab81d9a092a8baf47
SHA1 bc85fb78dddd53c9e01910fa4ac218c2e9c7a648
SHA256 63ae26b9f972c8d46e4dedb7de5ce38d9ecaae1910c610f088dd6de169038dd5
SHA512 7f9795a76fc419cb6ab54cd3a30299bd3b0bc4dc35d765af5ffa6c6acaffbc609b4aa67a3907877c77e8f1666b85f7948bc1fdcf819ea3b749dfa8ebf26efd74

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 cd48cfebf9a014113f774a9615a5ac72
SHA1 d439c42a515be3688378926b79994f0ea2bc3b6f
SHA256 5feb88d0028ed02586a54c6722d86528ffaf5976f7b18ac6123c77c33b0e35a5
SHA512 3b9fde350a0f93a66bfa8372c70fab77bdf6abb62ca8ab0211f515bb746cec72b7598a8e9e66e491f553c302b7c98944fe0dc6487200142813780722eebfdcb8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d3426ae0cc61ab447ed77de9e18f437f
SHA1 0840bee36fe20e908269c30090763b6e26432887
SHA256 ef04a1a7be583bb5de24497f20e122af950cd12a1bd2e175b55af3cbef10140e
SHA512 d4d51c3dfa429d31fe4c38e5e9ffb53cdf0c2bc3c7b58e185d734057182d3bb77d0d94e7d89ce09e54027e841d67b195b2b4b6d8f144c3634ba168bd26fabc4d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 cd57a41c25cba16517b4a778d901125d
SHA1 84e05c4aa2e30d3840fd87490d54cd79fbe113a6
SHA256 4c874e57c9e739e637fbb65b630f6b05672470056380b8603b693e3a0653740d
SHA512 546ef6d9de8cf558d4b87a10514557bf21b40788a7ce78b0cd8c2eb7aad1047ea12dd7d2cdaf2dc6780dc7d8bfbd5587209fa23ccb0f0d26c4dff443bb69a11a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0cdcbd7a6f60943ef22eec8377d24051
SHA1 237ca106117bdf2022cd7898c4db5282807e3fa3
SHA256 69af35435891f3ecbdfcc1b23b6f2a68aa1afc08f60117c61152f0583e1f9de0
SHA512 c071ded76223b92ae4aacefb5abc86f650bebe581959dabc25eface73b81760828dfa178a8e42ecc1cc9e8d488c7b6663ff82259f94a116984d91b57dabf1c17

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8dc32368bbd7e3838c10c22d7991b808
SHA1 902109924e517d993d807e7512f03aa281e9a171
SHA256 a2adf4870cf4dd3ce72210817d4303370557a5188663070a3fdab6e7f6056c4b
SHA512 40098f1380516c70b437043c4011cbba20d2ab52ef65490d595a80e5764199532c69b1d2eafc534c3e0f5cf689523695790864113b8b3e457c381b6eb5c62ee1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58364d.TMP

MD5 8f6d7a577c8c24902d75c481552b2932
SHA1 f8456f674413b137e91e644ce1c1b6ca371747ee
SHA256 6daf23e52c95c9dd7681356336eee91127da5300facc7a3b63f03d475c11ad5d
SHA512 cd0303707edc6ea2d24461a116444eed3f1eba57f33e9e114cdc1204db9982d45ee0e5132960539556682030b10f59bd9195df1e79fc4d513bf14dbd1701b7a0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 9d6cabf167e35a2cc40d7d64e7902f60
SHA1 c7e4cec181f8a117d1462497f414ec57c70747f3
SHA256 16df80b6d6f5455e284111618ff8dbd30d44872f99e089fdfcc80001cf314103
SHA512 fa6c42b44eb6becf8ba3a0f56c1283653fb6562906e27001fb11733cd9a9336ed501499398e70cfc9d1e7ca730fd1b0c1568beaafdfd70e2a98c892072358d63

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 40f7dd1df414759610e9d403737261c2
SHA1 b20240b948dda30e3d982978de2cdeb80eb9bfb8
SHA256 e66bcec6ae38e34e7b455072f55e8de149d28ce7c7d7b7c7cb6350ffcfb95f0c
SHA512 18ccb785b168511757ada5c8ead87ec198b710d572231920ec72984f520982382002c94aaf187ce334294a0a29deda53ca3eb826fffb232025ccbaa6fb547bcd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 acd129f1bfe95986dee0d2f4951bb1e6
SHA1 876bccb284d3396a0a45de5d4855fa94e62c872a
SHA256 83c14589cd3dd6e085d8495a852a22593bebcac83b1342707f2fcd76116fdf44
SHA512 5d94ae460c780e2a98eed3c77b13cc09a9911cf4b55a573c82ab58ec9ce930de7e2555f907b40b92b47456921d7ba7839cc925ec33e0afdf6e55bc04a33fab48

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 75ac9ff932c16d93ebd8e068374195da
SHA1 1bb37ed611c17bb154cdaa6c418ea3cad70b74d7
SHA256 a3f2efe68415eaef1856dcec3ed0b0b19e0fa5cee76e2411a3f2a22c0c2a9cf8
SHA512 26c83fa080310971df3f8c27d6a9d4d3a4366561464d1e4777d07579276a527c3c308ea421badd00bc2b00f57246d5b78c88e53530af080b0b1462e25bb2522b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c3535560-cc91-4f9a-8328-cc953dd7c693.tmp

MD5 b3c9c6f6765481c2956aeaad0d37a8f1
SHA1 64ce1d3a4e0900552a0594c08a0dc1ebfa51ac3a
SHA256 35c237b9c6a5e586aebb7b0dae34933d30c75c5b6d74f40df1357ea1dbb57571
SHA512 230169d8495788516cc7899813d6856fd6a013e8a2a6bafcb6dce5e90bf8c857e95e62d01662a0e1ecf5e4a558fbe956ae9102f0d6bf9e74c5e4db8bced11ad3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 051b2efbdb7ce1eb57129effd76c205d
SHA1 cc97d12a38a48956ba9b2f707782b80d4d8fda10
SHA256 11f9df507cf8471daa720b2bc85d60fd85a2aaf6114d55ab77c7dc9945fb5d40
SHA512 93abc8ce4d1c4f8add257f7b2ac69b39af35d515866375f1e7afdd1d92155c259ff11def614ea952fee295fcfe2fe1dd7d4992b9487d0c040201200cb7bcadcf

C:\Users\Admin\Downloads\Unconfirmed 436058.crdownload

MD5 7208e5f9e495b7aae9401089cb96924f
SHA1 454d0fbf093e4cf0d0341ee02fa541b17b330f02
SHA256 e2c2d9966385189bfb7e85c42eb1a706f745f7ac9d85ac27b979b0c35155654a
SHA512 764a7ff53a1ce6acd1c4a210bfe0e3738014ce9bbe7241c18aaaf0ea1e7f9907cb8fea16f650658709b42a1484ae2477a77ba9a95ebf6f4ad260ea1dc0cce216

C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier

MD5 fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1 d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256 eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512 aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 79d66f7e53a5078f4838652e81bed824
SHA1 8c129edae9b6af1796eaeb43c4bb7edd5292bedc
SHA256 930050a1a1089466620f25e1d4a55479555104a54c1dfdda230b242f97acf9c4
SHA512 479bf7c80fec0ae6d8b63fb086adbaf8f4226319d4411e04da312886bbbaccc87a6ff42b0e58205bdcce932b89639c44b76f6337fe4992ff0fd55bda678ae031

C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip

MD5 af60ad5b6cafd14d7ebce530813e68a0
SHA1 ad81b87e7e9bbc21eb93aca7638d827498e78076
SHA256 b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1
SHA512 81314363d5d461264ed5fdf8a7976f97bceb5081c374b4ee6bbea5d8ce3386822d089d031234ddd67c5077a1cc1ed3f6b16139253fbb1b3d34d3985f9b97aba3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 14febf3288a65f26b42bc2e4ef340099
SHA1 372a684e3f16f9776ae1c76da81e7424005a5d4b
SHA256 5cd916f1ff6b8b7062966b62f4fc2e4eb33c769fd7d9b42727e38727babb887e
SHA512 f4d7fbc2e6462d11f0530c67bfa0b35581dff98808c2772f4546e1c1b2c621d7dea1feda0009f7b1f1e97941abcdafe2253520f9868516bb2e7f53d6a0ae71db

memory/4424-556-0x0000000002940000-0x0000000002BBF000-memory.dmp

memory/4424-557-0x0000000002BC0000-0x0000000002E4D000-memory.dmp

memory/4976-558-0x0000000000400000-0x0000000000406000-memory.dmp

memory/4976-562-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2884-563-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2884-564-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2884-565-0x0000000000400000-0x000000000040E000-memory.dmp

memory/3896-567-0x0000000074CC0000-0x0000000075471000-memory.dmp

memory/3896-566-0x0000000000640000-0x0000000000692000-memory.dmp

memory/3896-568-0x0000000002BD0000-0x0000000002BE4000-memory.dmp

memory/3896-569-0x0000000005740000-0x0000000005CE6000-memory.dmp

memory/3896-570-0x0000000005250000-0x0000000005260000-memory.dmp

memory/3896-571-0x0000000005220000-0x0000000005228000-memory.dmp

memory/3896-572-0x0000000005ED0000-0x0000000005F62000-memory.dmp

memory/3896-573-0x0000000005250000-0x0000000005260000-memory.dmp

memory/3896-574-0x0000000005FB0000-0x0000000005FB8000-memory.dmp

memory/3896-575-0x0000000006150000-0x0000000006194000-memory.dmp

memory/3896-576-0x0000000074CC0000-0x0000000075471000-memory.dmp

memory/3896-577-0x0000000006000000-0x0000000006022000-memory.dmp

memory/3896-579-0x0000000005250000-0x0000000005260000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3139.tmp\313A.tmp\313B.vbs

MD5 3b8696ecbb737aad2a763c4eaf62c247
SHA1 4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5
SHA256 ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569
SHA512 713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb

C:\Users\Admin\AppData\Local\Temp\3139.tmp\eulascr.exe

MD5 8b1c352450e480d9320fce5e6f2c8713
SHA1 d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a
SHA256 2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e
SHA512 2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc

memory/4252-588-0x00000000004E0000-0x000000000050A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll

MD5 42b2c266e49a3acd346b91e3b0e638c0
SHA1 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
SHA256 adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
SHA512 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

memory/4252-596-0x00007FF8A7C40000-0x00007FF8A8702000-memory.dmp

memory/4252-595-0x00007FF8A6430000-0x00007FF8A657F000-memory.dmp

memory/4252-597-0x0000000000D40000-0x0000000000D50000-memory.dmp

memory/4252-598-0x0000000000D40000-0x0000000000D50000-memory.dmp

memory/4252-599-0x000000001CEA0000-0x000000001D062000-memory.dmp

memory/4252-600-0x000000001D5A0000-0x000000001DAC8000-memory.dmp

memory/4252-601-0x0000000000D40000-0x0000000000D50000-memory.dmp

memory/1028-603-0x0000000000530000-0x00000000005D2000-memory.dmp

memory/3896-606-0x0000000074CC0000-0x0000000075471000-memory.dmp

memory/4252-608-0x00007FF8A7C40000-0x00007FF8A8702000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\8AD4.vbs

MD5 5706bc5d518069a3b2be5e6fac51b12f
SHA1 d7361f3623ecf05e63bb97cc9da8d5c50401575c
SHA256 8a74eead47657582c84209eb4cdba545404d9c67dd288c605515a86e06de0aad
SHA512 fb68727db0365ab10c5b0d5e5e1d44b95aa38806e33b0af3280abcefae83f30eb8252653e158ac941320f3b38507649cce41898c8511223ee8642339cfece047

C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\mrsmajor\DreS_X.bat

MD5 ba81d7fa0662e8ee3780c5becc355a14
SHA1 0bd3d86116f431a43d02894337af084caf2b4de1
SHA256 2590879a8cd745dbbe7ad66a548f31375ccfb0f8090d56b5e4bd5909573ac816
SHA512 0b768995187f988dc15d055f9689cee3ab3908d10b05a625b40d9757c101e067bbd6067ccbcf1951ebb683f5259eec562802ea6161d59475ce86cf6bc7c957f2

C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\mrsmajor\WinLogon.bat

MD5 870bce376c1b71365390a9e9aefb9a33
SHA1 176fdbdb8e5795fb5fddc81b2b4e1d9677779786
SHA256 2798dad008f62aace1841edfb43146147a9cade388c419c96da788fcaa2f76bc
SHA512 f17c9898f81387daf42c9b858f507889919474ac2a17f96fc6d4606be94327e0b941b23a3ccc3f4af92b8abc0522e94745616da0564cdef1c3f20ee17ee31f53

C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\mrsmajor\reStart.vbs

MD5 0851e8d791f618daa5b72d40e0c8e32b
SHA1 80bea0443dc4cc508e846fefdb9de6c44ad8ff91
SHA256 2cbd8bc239c5cfc3ef02f8472d867dff61e5aed9fde8a3823cda28cc37d77722
SHA512 57a9d1d75dbbab842060b29f01958f7e6b27d0175ff9a3f7b97e423c1b4e3fae94547a569c2e5c88224fc5dcc785f5a1d49c61199a8c7b3afeb4fc520600df40

C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\mrsmajor\MrsMjrGuiLauncher.bat

MD5 c7146f88f4184c6ee5dcf7a62846aa23
SHA1 215adb85d81cc4130154e73a2ab76c6e0f6f2ff3
SHA256 47e6c9f62ffc41fbc555f8644ad099a96573c8c023797127f78b1a952ca1b963
SHA512 3b30fa1334b88af3e3382813d316104e3698173bb159c20ff3468cf3494ecfbbc32a9ae78b4919ecd47c05d506435af4a7ccee0576c0d0018a81fbd1b2dfcf10

C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\mrsmajor\MrsMjrGui.exe

MD5 450f49426b4519ecaac8cd04814c03a4
SHA1 063ee81f46d56544a5c217ffab69ee949eaa6f45
SHA256 087fca40e079746b9c1dfaf777d3994c0321ea8f69d08238cdfc02fb109add1d
SHA512 0cae15d863120f4edc6b6dabfe2f0f3d2e028057025d7d5ffe615cde8144f29bdaf099850e91e101e95d13f8a83cb1410a06172dda25a5f92967abcbc8453cbc

C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\mrsmajor\mrsmajorlauncher.vbs

MD5 e3fdf285b14fb588f674ebfc2134200c
SHA1 30fba2298b6e1fade4b5f9c8c80f7f1ea07de811
SHA256 4d3aa3ecd16a6ba46a9d6c0bdacdcd9dce70d93585941a94e544696e3e6f7d92
SHA512 9b0bfbb07c77d9e9979a6c0f88b0a93010133f7dd3cf01e1de5dfbe812a5ed920e916d16d6a32fe21b9ee4b5425e61a616ded1aeeb35a410d4f77c0f9392ed0a

C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\mrsmajor\Launcher.vbs

MD5 b5a1c9ae4c2ae863ac3f6a019f556a22
SHA1 9ae506e04b4b7394796d5c5640b8ba9eba71a4a6
SHA256 6f0bb8cc239af15c9215867d6225c8ff344052aaa0deeb3452dbf463b8c46529
SHA512 a644c48562e38190720fb55a6c6e7d5ccfab60f362236fe7d63caebdc01758f17196d123fb37bd11f7e247ce8ab21812165b27496d3bd6ca5e2c5efefab8fb03

C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\mrsmajor\Icon_resource\SkullIco.ico

MD5 c7bf05d7cb3535f7485606cf5b5987fe
SHA1 9d480d6f1e3f17d5018c1d2f4ae257ae983f0bb5
SHA256 4c1cfbe274f993941ac5fa512c376b6d7344800fb8be08cc6344e6c16a418311
SHA512 d30952a75d94dd64b7bd253ed72810690f3550f2262cfaaef45854fc8334f6201a8cbafb9b175c6435f7ce0499567f2fa8667b4b0046bfb651bf61eb4278e6c8

C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\mrsmajor\def_resource\Skullcur.cur

MD5 cea57c3a54a04118f1db9db8b38ea17a
SHA1 112d0f8913ff205776b975f54639c5c34ce43987
SHA256 d2b6db8b28112da51e34972dec513278a56783d24b8b5408f11997e9e67d422b
SHA512 561860907fa2f53c7853094299758232a70c0cd22c6df3534abd094c6970f28792c6c334a33b129d661a46930d90fd8c98f11cb34f3e277cf20a355b792f64f0

C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\mrsmajor\def_resource\f11.mp4

MD5 17042b9e5fc04a571311cd484f17b9eb
SHA1 585d91c69c3f9e3d2e8cb8cf984871d89cc4adbb
SHA256 a9b0f1f849e0b41924f5e80b0c4948e63fc4b4f335bbdf0f997b03a3aff55424
SHA512 709076c6cef8dd61701c93e1fe331d2b1a218498b833db10ee4d2be0816e3444aeebfa092ab1bd10322617cf3385414e8fdb76fd90f25b44ac24d38937b4d47f

C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\mrsmajor\def_resource\creepysound.mp3

MD5 4a9b1d8a8fe8a75c81ddba3e411ddc5d
SHA1 e40cb1ee4490f6d7520902e12222446a8efbf9a8
SHA256 79e9a3611494b5ffafaa79788ba7e11dd218e3800c40b56684ccc0c33ab64eac
SHA512 e7a28acb04ca33d57efe0474bb67d6d4b8ceff9198198b81574c76c835d5df05d113fc468f4a4434580b1b58189f38184c376976604dc05d1424af1721995601

C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\mrsmajor\def_resource\@Tile@@.jpg

MD5 3e21bcf0d1e7f39d8b8ec2c940489ca2
SHA1 fa6879a984d70241557bb0abb849f175ace2fd78
SHA256 064f135fcc026a574552f42901b51052345f4b0f122edd7acd5f2dcc023160a5
SHA512 5577e20f76d6b1cccc513392532a09bdc6dcd3a8a177b8035dc5d7eb082e0093436068f92059e301c5987e6122c4d9aff3e5ae9cc94ccc1ecc9951e2785b0922

C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\mrsmajor\default.txt

MD5 30cfd8bb946a7e889090fb148ea6f501
SHA1 c49dbc93f0f17ff65faf3b313562c655ef3f9753
SHA256 e1ebbd3abfcaddf7d6960708f3ccd8eda64c944723f0905ff76551c692b94210
SHA512 8e7d98e6d0c05d199114d2d6ab8da886aed68de690c4d79643868eaf051c229fff94c88d937adb3da5e31fe48116613cf79dd00dda30f296746ce0a8aded9fe2

C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\mrsmajor\CPUUsage.vbs

MD5 0e4c01bf30b13c953f8f76db4a7e857d
SHA1 b8ddbc05adcf890b55d82a9f00922376c1a22696
SHA256 28e69e90466034ce392e84db2bde3ad43ad556d12609e3860f92016641b2a738
SHA512 5e66e2793e7bc88066b8df3dccb554351287dea18207e280b69d7798ecd5cdc99bd4c126c3e394db9f45f54bb561e6688f928de4f638c5eca4f101dc2cea54a1

C:\Users\Admin\Desktop\MRS MAJOR WANTS TO MEET YOU 5.txt

MD5 e20f623b1d5a781f86b51347260d68a5
SHA1 7e06a43ba81d27b017eb1d5dcc62124a9579f96e
SHA256 afeebe824fc4a955a673d3d8569a0b49dfbc43c6cc1d4e3d66d9855c28a7a179
SHA512 2e74cccdd158ce1ffde84573d43e44ec6e488d00282a661700906ba1966ad90968a16c405a9640b9d33db03b33753733c9b7078844b0f6ac3af3de0c3c044c0b

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 41a7be9ceada14ffd112f53f7ca8c6cc
SHA1 56f3943d20112e63e3fae540f3f231c1aae2f7c0
SHA256 7f39dcefa5bad753d49d89ba15e107cf5ff12f9979eb854952e68681cac6e9ec
SHA512 939239fa6adec71e6b2ba9bcb771b4b1a9269887bd119e2743a65c20954995f6a0df2060558a3c62e61ed02c4653d9cffe647d2268d43cdf61c970c0808143bb

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 a9be73b2b9966467455d78e84a13c7c2
SHA1 04a3799395b0121d8b2fc6bfb4ebddda935c012d
SHA256 65726b1172f3f7678811fc60cf1d6a5980ca778c43c1e4db4aa1f75e9f1ae0ef
SHA512 2d6f99a66a0195e1dfda1321e1f41c1ce6ace1f65467960bc988fb498ea46b21f8b299bca6a9226a86231778069bee502b5aeb69d75d4be84b880edea78f0b8f