Overview
overview
10Static
static
3windows-ma...00.exe
windows10-1703-x64
windows-ma...32.exe
windows10-1703-x64
3windows-ma...fy.exe
windows10-1703-x64
8Bonzify.exe
windows10-1703-x64
windows-ma...or.exe
windows10-1703-x64
windows-ma...XT.vbs
windows10-1703-x64
1windows-ma...ck.bat
windows10-1703-x64
7windows-ma...ck.exe
windows10-1703-x64
7windows-ma....0.exe
windows10-1703-x64
7windows-ma....0.exe
windows10-1703-x64
10windows-ma...ll.exe
windows10-1703-x64
1windows-ma...p).exe
windows10-1703-x64
10Analysis
-
max time kernel
23s -
max time network
27s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
26-04-2024 20:48
Static task
static1
Behavioral task
behavioral1
Sample
windows-malware-master/000/000.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
windows-malware-master/BonziBuddy/BonziBuddy432.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
windows-malware-master/Bonzify/Bonzify.exe
Resource
win10-20240404-en
Behavioral task
behavioral4
Sample
Bonzify.exe
Resource
win10-20240404-en
Behavioral task
behavioral5
Sample
windows-malware-master/BossDaMajor/BossDaMajor.exe
Resource
win10-20240404-en
Behavioral task
behavioral6
Sample
windows-malware-master/ILOVEYOU/LOVE-LETTER-FOR-YOU.TXT.vbs
Resource
win10-20240404-en
Behavioral task
behavioral7
Sample
windows-malware-master/MEMZ/Geometry dash auto speedhack.bat
Resource
win10-20240404-en
Behavioral task
behavioral8
Sample
windows-malware-master/MEMZ/geometry dash auto speedhack.exe
Resource
win10-20240404-en
Behavioral task
behavioral9
Sample
windows-malware-master/MrsMajor 2.0/MrsMajor2.0.exe
Resource
win10-20240404-en
Behavioral task
behavioral10
Sample
windows-malware-master/MrsMajor 3.0/MrsMajor3.0.exe
Resource
win10-20240404-en
Behavioral task
behavioral11
Sample
windows-malware-master/SpySheriff/Install.exe
Resource
win10-20240404-en
Behavioral task
behavioral12
Sample
windows-malware-master/WinXP Horror Edition/WinXP.Horror.Destructive (Created By WobbyChip).exe
Resource
win10-20240404-en
Errors
General
-
Target
windows-malware-master/BossDaMajor/BossDaMajor.exe
-
Size
1.9MB
-
MD5
38ff71c1dee2a9add67f1edb1a30ff8c
-
SHA1
10f0defd98d4e5096fbeb321b28d6559e44d66db
-
SHA256
730a41a7656f606a22e9f0d68782612d6e00ab8cfe1260160b9e0b00bc2e442a
-
SHA512
8347782951f2647fe433482cb13186653afa32ee9f5be83a138c4ed47ff34d8de66a26e74b5a28ea21c1529b2078401922a9a26803772677b70489967c10f3e9
-
SSDEEP
49152:veG3J7FtM9SbJakTiTBMGSARaspyyx979PSxgKFdGlYU:2GZxSoJrTiTBMGtRa8t7EFddU
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
wscript.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\mrsmajor\\Launcher.vbs\"" wscript.exe -
Processes:
wscript.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wscript.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
wscript.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1" wscript.exe -
Disables Task Manager via registry modification
-
Modifies system executable filetype association 2 TTPs 2 IoCs
Processes:
wscript.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" wscript.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
unregmp2.exedescription ioc process File opened (read-only) \??\Q: unregmp2.exe File opened (read-only) \??\W: unregmp2.exe File opened (read-only) \??\Z: unregmp2.exe File opened (read-only) \??\E: unregmp2.exe File opened (read-only) \??\H: unregmp2.exe File opened (read-only) \??\P: unregmp2.exe File opened (read-only) \??\T: unregmp2.exe File opened (read-only) \??\X: unregmp2.exe File opened (read-only) \??\Y: unregmp2.exe File opened (read-only) \??\A: unregmp2.exe File opened (read-only) \??\O: unregmp2.exe File opened (read-only) \??\S: unregmp2.exe File opened (read-only) \??\N: unregmp2.exe File opened (read-only) \??\R: unregmp2.exe File opened (read-only) \??\U: unregmp2.exe File opened (read-only) \??\V: unregmp2.exe File opened (read-only) \??\I: unregmp2.exe File opened (read-only) \??\K: unregmp2.exe File opened (read-only) \??\L: unregmp2.exe File opened (read-only) \??\M: unregmp2.exe File opened (read-only) \??\B: unregmp2.exe File opened (read-only) \??\G: unregmp2.exe File opened (read-only) \??\J: unregmp2.exe -
Drops file in Program Files directory 16 IoCs
Processes:
wscript.exewscript.exedescription ioc process File created C:\Program Files\mrsmajor\WinLogon.bat wscript.exe File created C:\Program Files\mrsmajor\Doll_patch.xml wscript.exe File created C:\Program Files\mrsmajor\CPUUsage.vbs wscript.exe File created C:\Program Files\mrsmajor\default.txt wscript.exe File created C:\Program Files\mrsmajor\def_resource\Skullcur.cur wscript.exe File created C:\Program Files\mrsmajor\mrsmajorlauncher.vbs wscript.exe File created C:\Program Files\mrsmajor\MrsMjrGui.exe wscript.exe File opened for modification C:\Program Files\mrsmajor\CPUUsage.vbs wscript.exe File created C:\Program Files\mrsmajor\def_resource\@Tile@@.jpg wscript.exe File created C:\Program Files\mrsmajor\def_resource\f11.mp4 wscript.exe File created C:\Program Files\mrsmajor\MrsMjrGuiLauncher.bat wscript.exe File created C:\Program Files\mrsmajor\Launcher.vbs wscript.exe File created C:\Program Files\mrsmajor\def_resource\creepysound.mp3 wscript.exe File created C:\Program Files\mrsmajor\DreS_X.bat wscript.exe File created C:\Program Files\mrsmajor\Icon_resource\SkullIco.ico wscript.exe File created C:\Program Files\mrsmajor\reStart.vbs wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 4 IoCs
Processes:
wscript.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Cursors wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" wscript.exe -
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe -
Modifies registry class 11 IoCs
Processes:
wscript.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" wscript.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
unregmp2.exeshutdown.exedescription pid process Token: SeShutdownPrivilege 3476 unregmp2.exe Token: SeCreatePagefilePrivilege 3476 unregmp2.exe Token: SeShutdownPrivilege 5064 shutdown.exe Token: SeRemoteShutdownPrivilege 5064 shutdown.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
LogonUI.exepid process 2604 LogonUI.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
BossDaMajor.exewscript.exewscript.exewmplayer.exeunregmp2.exedescription pid process target process PID 4920 wrote to memory of 3736 4920 BossDaMajor.exe wscript.exe PID 4920 wrote to memory of 3736 4920 BossDaMajor.exe wscript.exe PID 3736 wrote to memory of 4456 3736 wscript.exe notepad.exe PID 3736 wrote to memory of 4456 3736 wscript.exe notepad.exe PID 3736 wrote to memory of 688 3736 wscript.exe wscript.exe PID 3736 wrote to memory of 688 3736 wscript.exe wscript.exe PID 688 wrote to memory of 4492 688 wscript.exe wmplayer.exe PID 688 wrote to memory of 4492 688 wscript.exe wmplayer.exe PID 688 wrote to memory of 4492 688 wscript.exe wmplayer.exe PID 4492 wrote to memory of 5072 4492 wmplayer.exe setup_wm.exe PID 4492 wrote to memory of 5072 4492 wmplayer.exe setup_wm.exe PID 4492 wrote to memory of 5072 4492 wmplayer.exe setup_wm.exe PID 4492 wrote to memory of 2824 4492 wmplayer.exe unregmp2.exe PID 4492 wrote to memory of 2824 4492 wmplayer.exe unregmp2.exe PID 4492 wrote to memory of 2824 4492 wmplayer.exe unregmp2.exe PID 2824 wrote to memory of 3476 2824 unregmp2.exe unregmp2.exe PID 2824 wrote to memory of 3476 2824 unregmp2.exe unregmp2.exe PID 688 wrote to memory of 5064 688 wscript.exe shutdown.exe PID 688 wrote to memory of 5064 688 wscript.exe shutdown.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
wscript.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wscript.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\windows-malware-master\BossDaMajor\BossDaMajor.exe"C:\Users\Admin\AppData\Local\Temp\windows-malware-master\BossDaMajor\BossDaMajor.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\7DFA.tmp\7DFB.vbs2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe"3⤵
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" "C:\Program files\mrsmajor\mrsmajorlauncher.vbs" RunAsAdministrator3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Media Player\setup_wm.exe"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"5⤵
-
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT6⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" -r -t 034⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3aec855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Event Triggered Execution
1Change Default File Association
1Defense Evasion
Modify Registry
4Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdbFilesize
64KB
MD50e807656bd86f2aef7ccf207f963973b
SHA127052af8d103d134369e356b793eb88ba873df55
SHA256c509c498682bec50142782a51785655020bea27652f46e104e07a530c2ff5162
SHA512e6c7d5e001e8322ccb1abd101d47e7f1401597518f45dd8da1d757728147262bcb3b1f96128f291e0e367c5b34026b401468e4219b27cf3c37a8d434180cd8f3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XMLFilesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
C:\Users\Admin\AppData\Local\Temp\7DFA.tmp\7DFB.vbsFilesize
1007B
MD55706bc5d518069a3b2be5e6fac51b12f
SHA1d7361f3623ecf05e63bb97cc9da8d5c50401575c
SHA2568a74eead47657582c84209eb4cdba545404d9c67dd288c605515a86e06de0aad
SHA512fb68727db0365ab10c5b0d5e5e1d44b95aa38806e33b0af3280abcefae83f30eb8252653e158ac941320f3b38507649cce41898c8511223ee8642339cfece047
-
C:\Users\Admin\AppData\Local\Temp\7DFA.tmp\mrsmajor\CPUUsage.vbsFilesize
92B
MD50e4c01bf30b13c953f8f76db4a7e857d
SHA1b8ddbc05adcf890b55d82a9f00922376c1a22696
SHA25628e69e90466034ce392e84db2bde3ad43ad556d12609e3860f92016641b2a738
SHA5125e66e2793e7bc88066b8df3dccb554351287dea18207e280b69d7798ecd5cdc99bd4c126c3e394db9f45f54bb561e6688f928de4f638c5eca4f101dc2cea54a1
-
C:\Users\Admin\AppData\Local\Temp\7DFA.tmp\mrsmajor\DreS_X.batFilesize
360B
MD5ba81d7fa0662e8ee3780c5becc355a14
SHA10bd3d86116f431a43d02894337af084caf2b4de1
SHA2562590879a8cd745dbbe7ad66a548f31375ccfb0f8090d56b5e4bd5909573ac816
SHA5120b768995187f988dc15d055f9689cee3ab3908d10b05a625b40d9757c101e067bbd6067ccbcf1951ebb683f5259eec562802ea6161d59475ce86cf6bc7c957f2
-
C:\Users\Admin\AppData\Local\Temp\7DFA.tmp\mrsmajor\Icon_resource\SkullIco.icoFilesize
244KB
MD5c7bf05d7cb3535f7485606cf5b5987fe
SHA19d480d6f1e3f17d5018c1d2f4ae257ae983f0bb5
SHA2564c1cfbe274f993941ac5fa512c376b6d7344800fb8be08cc6344e6c16a418311
SHA512d30952a75d94dd64b7bd253ed72810690f3550f2262cfaaef45854fc8334f6201a8cbafb9b175c6435f7ce0499567f2fa8667b4b0046bfb651bf61eb4278e6c8
-
C:\Users\Admin\AppData\Local\Temp\7DFA.tmp\mrsmajor\Launcher.vbsFilesize
590B
MD5b5a1c9ae4c2ae863ac3f6a019f556a22
SHA19ae506e04b4b7394796d5c5640b8ba9eba71a4a6
SHA2566f0bb8cc239af15c9215867d6225c8ff344052aaa0deeb3452dbf463b8c46529
SHA512a644c48562e38190720fb55a6c6e7d5ccfab60f362236fe7d63caebdc01758f17196d123fb37bd11f7e247ce8ab21812165b27496d3bd6ca5e2c5efefab8fb03
-
C:\Users\Admin\AppData\Local\Temp\7DFA.tmp\mrsmajor\MrsMjrGui.exeFilesize
71KB
MD5450f49426b4519ecaac8cd04814c03a4
SHA1063ee81f46d56544a5c217ffab69ee949eaa6f45
SHA256087fca40e079746b9c1dfaf777d3994c0321ea8f69d08238cdfc02fb109add1d
SHA5120cae15d863120f4edc6b6dabfe2f0f3d2e028057025d7d5ffe615cde8144f29bdaf099850e91e101e95d13f8a83cb1410a06172dda25a5f92967abcbc8453cbc
-
C:\Users\Admin\AppData\Local\Temp\7DFA.tmp\mrsmajor\MrsMjrGuiLauncher.batFilesize
98B
MD5c7146f88f4184c6ee5dcf7a62846aa23
SHA1215adb85d81cc4130154e73a2ab76c6e0f6f2ff3
SHA25647e6c9f62ffc41fbc555f8644ad099a96573c8c023797127f78b1a952ca1b963
SHA5123b30fa1334b88af3e3382813d316104e3698173bb159c20ff3468cf3494ecfbbc32a9ae78b4919ecd47c05d506435af4a7ccee0576c0d0018a81fbd1b2dfcf10
-
C:\Users\Admin\AppData\Local\Temp\7DFA.tmp\mrsmajor\WinLogon.batFilesize
117B
MD5870bce376c1b71365390a9e9aefb9a33
SHA1176fdbdb8e5795fb5fddc81b2b4e1d9677779786
SHA2562798dad008f62aace1841edfb43146147a9cade388c419c96da788fcaa2f76bc
SHA512f17c9898f81387daf42c9b858f507889919474ac2a17f96fc6d4606be94327e0b941b23a3ccc3f4af92b8abc0522e94745616da0564cdef1c3f20ee17ee31f53
-
C:\Users\Admin\AppData\Local\Temp\7DFA.tmp\mrsmajor\def_resource\@Tile@@.jpgFilesize
7KB
MD53e21bcf0d1e7f39d8b8ec2c940489ca2
SHA1fa6879a984d70241557bb0abb849f175ace2fd78
SHA256064f135fcc026a574552f42901b51052345f4b0f122edd7acd5f2dcc023160a5
SHA5125577e20f76d6b1cccc513392532a09bdc6dcd3a8a177b8035dc5d7eb082e0093436068f92059e301c5987e6122c4d9aff3e5ae9cc94ccc1ecc9951e2785b0922
-
C:\Users\Admin\AppData\Local\Temp\7DFA.tmp\mrsmajor\def_resource\Skullcur.curFilesize
3KB
MD5cea57c3a54a04118f1db9db8b38ea17a
SHA1112d0f8913ff205776b975f54639c5c34ce43987
SHA256d2b6db8b28112da51e34972dec513278a56783d24b8b5408f11997e9e67d422b
SHA512561860907fa2f53c7853094299758232a70c0cd22c6df3534abd094c6970f28792c6c334a33b129d661a46930d90fd8c98f11cb34f3e277cf20a355b792f64f0
-
C:\Users\Admin\AppData\Local\Temp\7DFA.tmp\mrsmajor\def_resource\creepysound.mp3Filesize
1.2MB
MD54a9b1d8a8fe8a75c81ddba3e411ddc5d
SHA1e40cb1ee4490f6d7520902e12222446a8efbf9a8
SHA25679e9a3611494b5ffafaa79788ba7e11dd218e3800c40b56684ccc0c33ab64eac
SHA512e7a28acb04ca33d57efe0474bb67d6d4b8ceff9198198b81574c76c835d5df05d113fc468f4a4434580b1b58189f38184c376976604dc05d1424af1721995601
-
C:\Users\Admin\AppData\Local\Temp\7DFA.tmp\mrsmajor\def_resource\f11.mp4Filesize
227KB
MD517042b9e5fc04a571311cd484f17b9eb
SHA1585d91c69c3f9e3d2e8cb8cf984871d89cc4adbb
SHA256a9b0f1f849e0b41924f5e80b0c4948e63fc4b4f335bbdf0f997b03a3aff55424
SHA512709076c6cef8dd61701c93e1fe331d2b1a218498b833db10ee4d2be0816e3444aeebfa092ab1bd10322617cf3385414e8fdb76fd90f25b44ac24d38937b4d47f
-
C:\Users\Admin\AppData\Local\Temp\7DFA.tmp\mrsmajor\default.txtFilesize
266B
MD530cfd8bb946a7e889090fb148ea6f501
SHA1c49dbc93f0f17ff65faf3b313562c655ef3f9753
SHA256e1ebbd3abfcaddf7d6960708f3ccd8eda64c944723f0905ff76551c692b94210
SHA5128e7d98e6d0c05d199114d2d6ab8da886aed68de690c4d79643868eaf051c229fff94c88d937adb3da5e31fe48116613cf79dd00dda30f296746ce0a8aded9fe2
-
C:\Users\Admin\AppData\Local\Temp\7DFA.tmp\mrsmajor\mrsmajorlauncher.vbsFilesize
3KB
MD5e3fdf285b14fb588f674ebfc2134200c
SHA130fba2298b6e1fade4b5f9c8c80f7f1ea07de811
SHA2564d3aa3ecd16a6ba46a9d6c0bdacdcd9dce70d93585941a94e544696e3e6f7d92
SHA5129b0bfbb07c77d9e9979a6c0f88b0a93010133f7dd3cf01e1de5dfbe812a5ed920e916d16d6a32fe21b9ee4b5425e61a616ded1aeeb35a410d4f77c0f9392ed0a
-
C:\Users\Admin\AppData\Local\Temp\7DFA.tmp\mrsmajor\reStart.vbsFilesize
638B
MD50851e8d791f618daa5b72d40e0c8e32b
SHA180bea0443dc4cc508e846fefdb9de6c44ad8ff91
SHA2562cbd8bc239c5cfc3ef02f8472d867dff61e5aed9fde8a3823cda28cc37d77722
SHA51257a9d1d75dbbab842060b29f01958f7e6b27d0175ff9a3f7b97e423c1b4e3fae94547a569c2e5c88224fc5dcc785f5a1d49c61199a8c7b3afeb4fc520600df40
-
C:\Users\Admin\AppData\Local\Temp\tmp19937.WMC\allservices.xmlFilesize
546B
MD5df03e65b8e082f24dab09c57bc9c6241
SHA16b0dacbf38744c9a381830e6a5dc4c71bd7cedbf
SHA256155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba
SHA512ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99
-
C:\Users\Admin\AppData\Local\Temp\tmp21203.WMC\serviceinfo.xmlFilesize
523B
MD5d58da90d6dc51f97cb84dfbffe2b2300
SHA15f86b06b992a3146cb698a99932ead57a5ec4666
SHA25693acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad
SHA5127f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636
-
C:\Users\Admin\AppData\Local\Temp\wmsetup.logFilesize
1KB
MD54dce4559ebb5dc12aa58ab9b79d8de2a
SHA1e6df0d53be2a72ee92196b8b896c3444fc5ee4f0
SHA256407d9d79ce18121eb45b4eb1b225d16d3e95d0bec27e8bfc9d69dcf0c726871c
SHA512ae2c52aa4a2b39155755500777d61965d73f7037dd582983853857a03fbf375dee46e3117a79ddba5b23b551fd21a2f18c4a0fae89f6f5a7b78978ff07ea4365
-
C:\Users\Admin\Desktop\MRS MAJOR WANTS TO MEET YOU 5.txtFilesize
27B
MD5e20f623b1d5a781f86b51347260d68a5
SHA17e06a43ba81d27b017eb1d5dcc62124a9579f96e
SHA256afeebe824fc4a955a673d3d8569a0b49dfbc43c6cc1d4e3d66d9855c28a7a179
SHA5122e74cccdd158ce1ffde84573d43e44ec6e488d00282a661700906ba1966ad90968a16c405a9640b9d33db03b33753733c9b7078844b0f6ac3af3de0c3c044c0b