Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241211-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 28/12/2024, 21:59
Static task: static1
URLScan task: urlscan1
Signatures
UAC bypass 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Downloads MZ/PE file

Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\International\Geo\Nation | MrsMajor3.0.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\International\Geo\Nation | MrsMajor3.0.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\International\Geo\Nation | wscript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\International\Geo\Nation | wscript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\International\Geo\Nation | MrsMajor3.0.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\International\Geo\Nation | wscript.exe

Executes dropped EXE 6 IoCs
pid | Process
5248 | MrsMajor3.0.exe
5396 | MrsMajor3.0.exe
5584 | eulascr.exe
5612 | eulascr.exe
5504 | MrsMajor3.0.exe
5468 | eulascr.exe

Loads dropped DLL 3 IoCs
pid | Process
5612 | eulascr.exe
5584 | eulascr.exe
5468 | eulascr.exe

Obfuscated with Agile.Net obfuscator 3 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral1/files/0x00280000000462d2-327.dat | agile_net
behavioral1/memory/5584-330-0x0000000000B20000-0x0000000000B4A000-memory.dmp | agile_net
behavioral1/files/0x00280000000462e6-393.dat | agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
52 | raw.githubusercontent.com
53 | raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3eba2e32-aa05-4024-8942-b870f8099e34.tmp | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241228215942.pma | setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
4664 | msedge.exe (2 entries)
4108 | msedge.exe (2 entries)
4036 | identity_helper.exe (2 entries)
4072 | msedge.exe (2 entries)
4944 | msedge.exe (4 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
pid | Process
4108 | msedge.exe (8 entries)

Suspicious use of FindShellTrayWindow 36 IoCs
pid | Process
4108 | msedge.exe (35 entries)
5468 | eulascr.exe (1 entry)

Suspicious use of SendNotifyMessage 24 IoCs
pid | Process
4108 | msedge.exe (24 entries)

Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
5248 | MrsMajor3.0.exe
5396 | MrsMajor3.0.exe
5504 | MrsMajor3.0.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4108 wrote to memory of 3904 | 4108 | msedge.exe | 81 (2 entries)
PID 4108 wrote to memory of 1956 | 4108 | msedge.exe | 82 (repeated entries)
PID 4108 wrote to memory of 4664 | 4108 | msedge.exe | 83 (2 entries)
PID 4108 wrote to memory of 1932 | 4108 | msedge.exe | 84 (repeated entries)
(64 entries in total; only the distinct rows are listed, most of the table is repeats of the writes to 1956 and 1932)
System policy modification 1 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(process tree; depth is the nesting level in the tree, PID is the sandbox process id)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Trojan/MrsMajors/MrsMajor3.0.exe
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4108

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc5f9946f8,0x7ffc5f994708,0x7ffc5f994718
    PID: 3904

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,13563956135103980989,16186567038429533071,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
    PID: 1956

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,13563956135103980989,16186567038429533071,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 4664

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,13563956135103980989,16186567038429533071,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
    PID: 1932

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13563956135103980989,16186567038429533071,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
    PID: 228

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13563956135103980989,16186567038429533071,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
    PID: 1224

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,13563956135103980989,16186567038429533071,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
    PID: 1644

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    - Drops file in Program Files directory
    PID: 3236

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x24c,0x250,0x254,0x224,0x258,0x7ff7d1c25460,0x7ff7d1c25470,0x7ff7d1c25480
      PID: 3756

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,13563956135103980989,16186567038429533071,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 4036

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,13563956135103980989,16186567038429533071,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5924 /prefetch:8
    PID: 4024

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13563956135103980989,16186567038429533071,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
    PID: 4080

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,13563956135103980989,16186567038429533071,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6248 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 4072

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2172,13563956135103980989,16186567038429533071,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6524 /prefetch:8
    PID: 2668
  C:\Users\Admin\Downloads\MrsMajor3.0.exe (depth 2)
    Command line: "C:\Users\Admin\Downloads\MrsMajor3.0.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 5248

    C:\Windows\system32\wscript.exe (depth 3)
      Command line: "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\99DE.tmp\99DF.tmp\99E0.vbs //Nologo
      - UAC bypass
      - Checks computer location settings
      - System policy modification
      PID: 5432

      C:\Users\Admin\AppData\Local\Temp\99DE.tmp\eulascr.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\99DE.tmp\eulascr.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        PID: 5584

  C:\Users\Admin\Downloads\MrsMajor3.0.exe (depth 2)
    Command line: "C:\Users\Admin\Downloads\MrsMajor3.0.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 5396

    C:\Windows\system32\wscript.exe (depth 3)
      Command line: "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\9A3C.tmp\9A3D.tmp\9A3E.vbs //Nologo
      - UAC bypass
      - Checks computer location settings
      - System policy modification
      PID: 5492

      C:\Users\Admin\AppData\Local\Temp\9A3C.tmp\eulascr.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\9A3C.tmp\eulascr.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        PID: 5612

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13563956135103980989,16186567038429533071,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
    PID: 5776

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13563956135103980989,16186567038429533071,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6768 /prefetch:1
    PID: 5784

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13563956135103980989,16186567038429533071,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:1
    PID: 5960

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13563956135103980989,16186567038429533071,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
    PID: 5968

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13563956135103980989,16186567038429533071,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
    PID: 5360

  C:\Users\Admin\Downloads\MrsMajor3.0.exe (depth 2)
    Command line: "C:\Users\Admin\Downloads\MrsMajor3.0.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 5504

    C:\Windows\system32\wscript.exe (depth 3)
      Command line: "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\248A.tmp\248B.tmp\248C.vbs //Nologo
      - UAC bypass
      - Checks computer location settings
      - System policy modification
      PID: 5496

      C:\Users\Admin\AppData\Local\Temp\248A.tmp\eulascr.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\248A.tmp\eulascr.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of FindShellTrayWindow
        PID: 5468

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,13563956135103980989,16186567038429533071,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3240 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID: 4944

C:\Windows\System32\CompPkgSrv.exe (depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2160

C:\Windows\System32\CompPkgSrv.exe (depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4412
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (2)
Downloads