hxxps://github[.]com/cryptwareapps/Malware-Database/blob/main/Malware/Trojan/MrsMajors/MrsMajor3[.]0[.]exe

Analysis

max time kernel
173s
max time network
190s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
21/07/2024, 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/cryptwareapps/Malware-Database/blob/main/Malware/Trojan/MrsMajors/MrsMajor3.0.exe

Score

10^/10

agilenet evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3944	MrsMajor3.0.exe
3860	eulascr.exe

Loads dropped DLL 1 IoCs

pid	Process
3860	eulascr.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x000100000002ab85-404.dat	agile_net
behavioral1/memory/3860-406-0x0000000000220000-0x000000000024A000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
13	drive.google.com
33	raw.githubusercontent.com
38	drive.google.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 32948.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4836	msedge.exe
4836	msedge.exe
4304	msedge.exe
4304	msedge.exe
4216	msedge.exe
4216	msedge.exe
4348	identity_helper.exe
4348	identity_helper.exe
3920	msedge.exe
3920	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3860	eulascr.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1812	MiniSearchHost.exe
3944	MrsMajor3.0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 4508	4304	msedge.exe	81
PID 4304 wrote to memory of 4508	4304	msedge.exe	81
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 2748	4304	msedge.exe	83
PID 4304 wrote to memory of 4836	4304	msedge.exe	84
PID 4304 wrote to memory of 4836	4304	msedge.exe	84
PID 4304 wrote to memory of 4884	4304	msedge.exe	85
PID 4304 wrote to memory of 4884	4304	msedge.exe	85
PID 4304 wrote to memory of 4884	4304	msedge.exe	85
PID 4304 wrote to memory of 4884	4304	msedge.exe	85
PID 4304 wrote to memory of 4884	4304	msedge.exe	85
PID 4304 wrote to memory of 4884	4304	msedge.exe	85
PID 4304 wrote to memory of 4884	4304	msedge.exe	85
PID 4304 wrote to memory of 4884	4304	msedge.exe	85
PID 4304 wrote to memory of 4884	4304	msedge.exe	85
PID 4304 wrote to memory of 4884	4304	msedge.exe	85
PID 4304 wrote to memory of 4884	4304	msedge.exe	85
PID 4304 wrote to memory of 4884	4304	msedge.exe	85
PID 4304 wrote to memory of 4884	4304	msedge.exe	85
PID 4304 wrote to memory of 4884	4304	msedge.exe	85
PID 4304 wrote to memory of 4884	4304	msedge.exe	85
PID 4304 wrote to memory of 4884	4304	msedge.exe	85
PID 4304 wrote to memory of 4884	4304	msedge.exe	85
PID 4304 wrote to memory of 4884	4304	msedge.exe	85
PID 4304 wrote to memory of 4884	4304	msedge.exe	85
PID 4304 wrote to memory of 4884	4304	msedge.exe	85

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/cryptwareapps/Malware-Database/blob/main/Malware/Trojan/MrsMajors/MrsMajor3.0.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffbe643cb8,0x7fffbe643cc8,0x7fffbe643cd8
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,10976814808757569008,12490634258648653153,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,10976814808757569008,12490634258648653153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,10976814808757569008,12490634258648653153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10976814808757569008,12490634258648653153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10976814808757569008,12490634258648653153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,10976814808757569008,12490634258648653153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,10976814808757569008,12490634258648653153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10976814808757569008,12490634258648653153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10976814808757569008,12490634258648653153,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10976814808757569008,12490634258648653153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10976814808757569008,12490634258648653153,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10976814808757569008,12490634258648653153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,10976814808757569008,12490634258648653153,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3992 /prefetch:8
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10976814808757569008,12490634258648653153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10976814808757569008,12490634258648653153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,10976814808757569008,12490634258648653153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6352 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3920
- C:\Users\Admin\Downloads\MrsMajor3.0.exe
  "C:\Users\Admin\Downloads\MrsMajor3.0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3944
- - C:\Windows\system32\wscript.exe
    "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\E0A7.tmp\E0A8.tmp\E0A9.vbs //Nologo
    3⤵
    - UAC bypass
    - System policy modification
    PID:4888
  - - C:\Users\Admin\AppData\Local\Temp\E0A7.tmp\eulascr.exe
      "C:\Users\Admin\AppData\Local\Temp\E0A7.tmp\eulascr.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,10976814808757569008,12490634258648653153,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1312 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:8

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:232

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c1ff2a88b65e524450bf7c721960d7db

SHA1
382c798fcd7782c424d93262d79e625fcb5f84aa

SHA256
2d12365f3666f6e398456f0c441317bc8ad3e7b089feacc14756e2ae87379409

SHA512
f19c08edf1416435a7628064d85f89c643c248d0979ece629b882f600956f0d8cd93efbe253fa3ec61ad205233a8804807600f845e53e5ed8949290b80fe42d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
562b59fd3a3527ef4e850775b15d0836

SHA1
ffd14d901f78138fc2eece97c5e258b251bc6752

SHA256
0a64863cb40f9d3b13a7b768b62e8b4707dfee1d3e86a07e999acb87bd7d3430

SHA512
ef9fd3d83ab85b18cf0e0d17e2c7d71936f783e3ae38005e5c78742560332f88be7c4c936d4dc4179e93fde0240d2882d71ef7038289c8cbddbfc4790c0603c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
fef64c8503514c36332fc0d214ea7229

SHA1
b6e15495780ef74d6262122760dd309b5f17a20b

SHA256
4f33d6639c886e2db9e0a06d8c68b7488f67e5307055564ec9ae533d8aed7b7b

SHA512
fa6049245fc6166b87f3e6147f157dbdccd7d32a2e868da9a784c78d17401a79d4f189296810a718a29e6dc25cd169d76f91180e1fae963864d4e72e2e6bb162

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
365a4e3a119a7c6804f89aed8d512b63

SHA1
0458a3c03ae5bf67e6a2c65d0e724e2846870269

SHA256
b30129526bb12b3718b845e1e2003dc2063cd8b74fd958103bfec4cc82dbb8b9

SHA512
74c6617ec3a534197375499850c639d4472e46757254f23b2927f2779e33eafd9fcdb824643bb471ede5325a003fd0136b70e43560ad2aa39e0123a7d9d8eb8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
0a8a7c3dafeb4ad3d8cb846fc95b8f1c

SHA1
69e2b994e6882e1e783410dae53181984050fa13

SHA256
a88495f2c1c26c6c1d5690a29289467c8bb8a94bf6f4801d2c14da1456773f90

SHA512
2e59b4cd4cf6f86537aae4ae88e56e21abcff5070c5c1d1d2105a8e863523c80740438cc36b2b57672bc7bb7fb9387896135afcce534edfd4697fecf61031a5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c9c5ce797214b8939afe58b77585c746

SHA1
ad3204cddc1a2ee5a756e90ce62475190e752355

SHA256
7a44311b565ab04768c1ba38d80fbf0a224db1d2f32c2501ea176ba96aa8d398

SHA512
73c5854e7f57816676fd84b87def22e325081cb75f4ef0dd974411a15c926e73b622018652d59608ff1baec3d0f963f190c6f82912646da545adc7a140cc5fac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
87cd80275c9c5df45f5459a679389b51

SHA1
63498aadfd0070ad938d1aa69df2c6d47d492b2e

SHA256
668a5eacc6f38613bcf757fa61a8ecda8ebd34290853e57740cc4959c05d1f59

SHA512
5fdf069bdf8ecd7369d83b3413843ecfa7802afa50f1888803edff08fb4804b91285cda1af75580ef7f0d9dafddf3a0cfd7c4b6c0081789eedd4dd49295de334

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8c57954636dcfb77b17d0df3865e2c97

SHA1
26e660024cff41945b8cf327d3394d314a6e031b

SHA256
3b3df03e68b0f02bbcbe06a929b827fb831ab9cf39dac8a3c73b83d95165b6ee

SHA512
edcc6bbf5101322560faae951b2d25ac70611c1492de68b86de5ccbde2f3151e9aff32a3ab3011b22770f58122bfaa42ef01fb50d605bed8d61b63b8405096bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0c91a7da479ca845d64d7d654af00f06

SHA1
256c36fc371642080c5b79d705f5504c540eaf73

SHA256
5543230d6892a6634baca46142c8693540e7cc7772656874a1b41e24c7bf5a57

SHA512
1b9e9a5450f089c75306de7ae1e29f5f924ce292158fb4e6ad196f32e9ea20dc789b310c22784f6e4fb74d61eecbfd62bf3d47f6cd9ca6aa927b162da041ed57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
c1bbe23d622704bbf5a235ff18a1a2bb

SHA1
23198c7d466ca5bfb2c439465e81ef427ae2949c

SHA256
b353e8ceb556a910c323b723a79c8f16a14e790c1a7875515ed8560efdf9991a

SHA512
dbb343ad1331ff65ea21a5322dd604ea0e75d8b8c436f9d279fbf75521aa32513ad7719a7f134aaf823737963b27a46a4f82fc947b0b49577c7c9674000c213b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cd4b21569a279ce3b745259e8cd17a1c

SHA1
935e8916f91bc0315fa2692d79446beed1b38396

SHA256
546dc42124e48b83123e340023a6317b9fd89cb85ec25151a88e98650baa373b

SHA512
dc25b777d9133429dd645326154c4204ed91c73108a7b1f20b43507db7503c97af64a89c3532e1513947d88a661004c3e4c61f92d1d2ceecb6fc4b4c2e0accb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6eb891951ac49b338b5ccc4684ccf897

SHA1
e079e799b2baa909b0c6d1c2b07720e3f422f784

SHA256
c323355c25decee27b52e9a0c9679691ab4589abc672333ac99613712248d758

SHA512
695957033139f7cec217701403a6d0e6059a83dce319f6ff541f91cf379c66411ee3dc785c1e3e24c1a672a5095c07586ee7c44eaaad9af7142e6e1cbe59b68f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583a83.TMP

Filesize
706B

MD5
a75b3868e22cd8d9733d48674b11feb4

SHA1
774727a1528f778726438c794601ecd799011640

SHA256
55aa8d12439d396b94da5da0a08e1426ee813a92a06bb83145b14f492c18fee1

SHA512
980e3b62b50d99fddb40b32ae2a9c794f52bbb88507b7ad614bfe670418fe228455947a2ca3025a3ac3c0d6c335ab499521de79c9910da08072b2ecd1c04eef6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9ade91e8f7ccb18ad28b7235abe79c12

SHA1
6edb277e3a4d406e18e3a1ec0d9da2ad31ae8607

SHA256
d0d199a9e2c925ebdef248f7d985dfa32ad62af4f1f09f697a10f398d729514e

SHA512
f37ec15f5cec1b500e60bd615d31fc6c35e1c7d09b4d9ef14ac6c71927fee013474b6605c2284c230c457f816aaddd7ce52790bd5a776f50e091b64ba64ecc79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1d5238a90eb4d63813ed20f3ff1d892d

SHA1
7dd25480306c9c0430387ace70aca56449bb8d95

SHA256
cc8123b9402fe2238d70af0753a75a845a44326da35db3a3d071e43522fe5b87

SHA512
66786cbe0f39c0f56dc6e4bcf6b058b7625711001cf19efa2ccb481d282b12c60e2b132d8b118bda72f5cb5c362ad7f29750826601aff7bf21079f03c1a52a68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f4d773bc8b175381eba33193bdf54359

SHA1
eb73d31a155431bb6743b6e900bd7d747f9bca70

SHA256
a86882b6f56e8401ff7e6fd611de3b1ee8df75afac1a7ce58215b1242ef31830

SHA512
5dda4897857b0057068b8f4b47f66601bebfb519c44e7b00233c0b70dd53b1572cb47e5d26fbaff97a2c85475ce064ec3e1efacaac79f3b2a25f82f547e62008

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
2b38ebcf2148207d5409435c37baa91f

SHA1
87fe72e51fb68082049a3233e6184f15ae69a81a

SHA256
07bb1c37aa8388d6f7b9e5a4f1a88e453d633d40f3cdb7fc2bb2a9b6b3f200c4

SHA512
37b2c8ca0ffd135e99d5248b4159cab2dcc5e41bf46cf7f40e0da2c57c66f7f4ee0ca863df5f545ad9ddee5dabe7fb63d699168236212a03f2551f1c629ebcf6

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
bb113d69bea68c5a9046bfda75f49014

SHA1
2fde2908ad5b87d30e328db6cd5093d9b5bf7bfd

SHA256
2ef8d715453a9ef0899735a31e90dd03f19995712345987eab124ff7b7b251ac

SHA512
19773fc35aed35898fa66e67de1e179867bad7620653fccc67c9f7dc76ff728f812c21558d3c8292e3bc4a65541264d3375d0e663c016aa69128204c60908408

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll

Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\E0A7.tmp\E0A8.tmp\E0A9.vbs

Filesize
352B

MD5
3b8696ecbb737aad2a763c4eaf62c247

SHA1
4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5

SHA256
ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569

SHA512
713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E0A7.tmp\eulascr.exe

Filesize
143KB

MD5
8b1c352450e480d9320fce5e6f2c8713

SHA1
d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a

SHA256
2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e

SHA512
2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\E0A7.tmp\winfool.exe

Filesize
1KB

MD5
46b42d2de6b40ad10a3659c6dd69218e

SHA1
cabb382259e2664b51b69fa2b60ca1b6368c439a

SHA256
592e91800a3fe33aa8ac29aea26d6b3888dc8e926aea41ffe36a744b9bab2d34

SHA512
794236c2908ffb1b64963f0afde3d824a7bdb8ff64ca322e9aed7c061505380fb16e3bc6aaf2752dc4fe7225f0330c3fd9a0e3dfdb9a8e95b5fcd1e99f2613d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 32948.crdownload

Filesize
381KB

MD5
35a27d088cd5be278629fae37d464182

SHA1
d5a291fadead1f2a0cf35082012fe6f4bf22a3ab

SHA256
4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69

SHA512
eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5

Download Submit
memory/3860-415-0x000000001D0F0000-0x000000001D618000-memory.dmp

Filesize
5.2MB

Download
memory/3860-414-0x000000001C9F0000-0x000000001CBB2000-memory.dmp

Filesize
1.8MB

Download
memory/3860-413-0x00007FFFA9130000-0x00007FFFA927F000-memory.dmp

Filesize
1.3MB

Download
memory/3860-406-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download