hxxp://Google[.]com

max time kernel
240s
max time network
241s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 02:47

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://Google.com

Score

10^/10

agilenet defense_evasion discovery evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\""	FakeMrsMajor3.0.exe

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	FakeMrsMajor3.0.exe

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	FakeMrsMajor3.0.exe

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	FakeMrsMajor3.0.exe

Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 2 IoCs

flow	pid	Process
136	3132	chrome.exe
182	3132	chrome.exe

Executes dropped EXE 3 IoCs

pid	Process
2508	MrsMajor3.0.exe
2408	eulascr.exe
6092	FakeMrsMajor3.0.exe

Loads dropped DLL 1 IoCs

pid	Process
2408	eulascr.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\windows\\winbase_base_procid_none\\secureloc0x65\\winsxs.ico"	FakeMrsMajor3.0.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x001900000002b59a-875.dat	agile_net
behavioral1/memory/2408-877-0x00000000004E0000-0x000000000050A000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
136	raw.githubusercontent.com
137	drive.google.com
12	raw.githubusercontent.com
14	drive.google.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\w0alp.tmp"	FakeMrsMajor3.0.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\windows\winbase_base_procid_none\secureloc0x65\rcur.cur	FakeMrsMajor3.0.exe
File opened for modification	C:\windows\winbase_base_procid_none\secureloc0x65\ui66.exe	FakeMrsMajor3.0.exe
File opened for modification	C:\windows\winbase_base_procid_none\secureloc0x65\winsxs.ico	FakeMrsMajor3.0.exe
File opened for modification	C:\windows\winbase_base_procid_none\secureloc0x65\tobi0a0c.exe	FakeMrsMajor3.0.exe
File opened for modification	C:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	FakeMrsMajor3.0.exe
File created	C:\windows\winbase_base_procid_none\secureloc0x65\0x000F.WAV	FakeMrsMajor3.0.exe
File opened for modification	C:\windows\winbase_base_procid_none\secureloc0x65\0x000F.WAV	FakeMrsMajor3.0.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\windows\winbase_base_procid_none\secureloc0x65\bsector3.exe	FakeMrsMajor3.0.exe
File opened for modification	C:\windows\winbase_base_procid_none\secureloc0x65\WinRapistI386.vbs	FakeMrsMajor3.0.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\FakeMrsMajor3.0.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Control Panel 3 IoCs

defense_evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	FakeMrsMajor3.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	FakeMrsMajor3.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	FakeMrsMajor3.0.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133873445052179887"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "177"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon	FakeMrsMajor3.0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\windows\\winbase_base_procid_none\\secureloc0x65\\winsxs.ico"	FakeMrsMajor3.0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\windows\\winbase_base_procid_none\\secureloc0x65\\winsxs.ico"	FakeMrsMajor3.0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile	FakeMrsMajor3.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon	FakeMrsMajor3.0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\windows\\winbase_base_procid_none\\secureloc0x65\\winsxs.ico"	FakeMrsMajor3.0.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile	FakeMrsMajor3.0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\windows\\winbase_base_procid_none\\secureloc0x65\\winsxs.ico"	FakeMrsMajor3.0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon	FakeMrsMajor3.0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file	FakeMrsMajor3.0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon	FakeMrsMajor3.0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\windows\\winbase_base_procid_none\\secureloc0x65\\winsxs.ico"	FakeMrsMajor3.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\FakeMrsMajor3.0.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
4672	chrome.exe
4672	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe
Token: SeShutdownPrivilege	2180	chrome.exe
Token: SeCreatePagefilePrivilege	2180	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe
2180	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2508	MrsMajor3.0.exe
4084	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 5508	2180	chrome.exe	78
PID 2180 wrote to memory of 5508	2180	chrome.exe	78
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 4636	2180	chrome.exe	79
PID 2180 wrote to memory of 3132	2180	chrome.exe	80
PID 2180 wrote to memory of 3132	2180	chrome.exe	80
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82
PID 2180 wrote to memory of 4812	2180	chrome.exe	82

System policy modification 1 TTPs 3 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	FakeMrsMajor3.0.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://Google.com
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e9c0dcf8,0x7ff9e9c0dd04,0x7ff9e9c0dd10
  2⤵
  PID:5508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1912,i,10898012594663350449,12878632558493950766,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1468,i,10898012594663350449,12878632558493950766,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2236 /prefetch:11
  2⤵
  - Downloads MZ/PE file
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2372,i,10898012594663350449,12878632558493950766,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2392 /prefetch:13
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3056,i,10898012594663350449,12878632558493950766,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3052,i,10898012594663350449,12878632558493950766,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3068 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4168,i,10898012594663350449,12878632558493950766,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4196 /prefetch:9
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4640,i,10898012594663350449,12878632558493950766,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5112,i,10898012594663350449,12878632558493950766,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5048 /prefetch:14
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5152,i,10898012594663350449,12878632558493950766,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:5392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5572,i,10898012594663350449,12878632558493950766,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5544 /prefetch:14
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5624,i,10898012594663350449,12878632558493950766,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5564 /prefetch:14
  2⤵
  PID:72
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5496,i,10898012594663350449,12878632558493950766,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5628 /prefetch:14
  2⤵
  PID:5912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5564,i,10898012594663350449,12878632558493950766,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:6064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5724,i,10898012594663350449,12878632558493950766,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6292,i,10898012594663350449,12878632558493950766,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6280 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4340
- C:\Users\Admin\Downloads\MrsMajor3.0.exe
  "C:\Users\Admin\Downloads\MrsMajor3.0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2508
- - C:\Windows\system32\wscript.exe
    "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\594.tmp\595.tmp\596.vbs //Nologo
    3⤵
    - UAC bypass
    - System policy modification
    PID:5296
  - - C:\Users\Admin\AppData\Local\Temp\594.tmp\eulascr.exe
      "C:\Users\Admin\AppData\Local\Temp\594.tmp\eulascr.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=6320,i,10898012594663350449,12878632558493950766,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6452 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5996,i,10898012594663350449,12878632558493950766,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=6404,i,10898012594663350449,12878632558493950766,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6616 /prefetch:1
  2⤵
  PID:412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5340,i,10898012594663350449,12878632558493950766,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6784 /prefetch:1
  2⤵
  PID:6072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5444,i,10898012594663350449,12878632558493950766,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=7100,i,10898012594663350449,12878632558493950766,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=7164 /prefetch:14
  2⤵
  PID:3268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5732,i,10898012594663350449,12878632558493950766,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5384,i,10898012594663350449,12878632558493950766,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6748 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5260
- C:\Users\Admin\Downloads\FakeMrsMajor3.0.exe
  "C:\Users\Admin\Downloads\FakeMrsMajor3.0.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies Windows Defender DisableAntiSpyware settings
  - UAC bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - System policy modification
  PID:6092
- - C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" /r /t 00
    3⤵
    PID:5256

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4516

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a34855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\65dba378-27cd-403b-953e-e51a4d665f10.tmp

Filesize
80KB

MD5
a42476272ee791e4c68641ab47d580b6

SHA1
6711a5a4778cd2c7db491c6bbaf44c69cea96524

SHA256
81b86bc932e983ee21024a93e6318e7edcb0a5efa673fa724b9c59eac46d55f2

SHA512
86d3e02f1a7b5fc13f78c05c560f4211b309e29e4f21ee5d0dd5a08a31c14f93cc6cf4ee19477d3d5e27e93ee2faf8f3fc0671da90e50700af79756ba9911593

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
5eff61a876983b79d3760e98dc3f3b81

SHA1
b0f5ca74b07120b2f73527bb9fea670a847aa613

SHA256
9344e3877c9be17656ff37a7c731cd661694b99224e218b56d43bd7a52dade16

SHA512
0a27a3da263ac46edf535eb8f3343552d8b4473f0be988056c6853699b7acc19647ff6ae94de863174fa33fd18087ccd518cdb818a2b0d7f883641e3433d0cfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000029

Filesize
215KB

MD5
e8518e1e0da2abd8a5d7f28760858c87

SHA1
d29d89b8a11ed64e67cbf726e2207f58bc87eead

SHA256
8b2c561b597399246b97f4f8d602f0354a979cbe4eea435d9dc65539f49cea64

SHA512
1c15b65bd6b998254cc6f3cbef179c266663f7b1c842229f79ff31ba30043837c398d85296fb20d3a576d9331fee9483ca0cbd06270da2d6db009bc454aee0c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\b345e6f2b32312fe_0

Filesize
289B

MD5
b655ca76cf8cf7493f57232af303b5f2

SHA1
b0f7f22f62963a8d5fbac867ad13aedfc293b158

SHA256
5da053fa153fe9e0e46f5acd9b158fb2866ce2cf25632f3e20fa91e843a378b7

SHA512
d8a1bc98ecd26213fbb4e47c77aa97811d91caa8118252cb6d6e539460c8c1af377685cdac4b0807ce6cb03530cfd84a0bb5dbf62414313baa2822a532653d93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
819995a926d63e67475e3b00d5957959

SHA1
ea36a52f8591820a071322b7dc3f2748d2cba734

SHA256
2f65902597079b096418217ae362b29ca5cef0f8c782a5c5154485b62ded4cfc

SHA512
97f9aab9b42336289988faf2459c1eb7715624364f130e3b8f1bd3b824f8aff8b447749210ae896358182a848cdfa99b16985981344eea7f28dbb62c04a8921a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
2b7d30bf57f58c96b17cd0fb2031b96b

SHA1
17c7d720486d0a57f50b7483a696d5d360531a38

SHA256
476e506d97c7a2d64a7d5795221ec8cb2a20ebe74264e157c8e1d2754ce85ef2

SHA512
7656b8f8bc0352c95b7862a82b7e474e4e531cdc680183b99cb950a1700622fae3c50456763e7496a3d34ce80a21f856faf6c33b660174bd12217aa7d9e3d505

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
87c2356609e6af799234f34383e98c64

SHA1
e303c9dc8cab99860c2401a48e96ed1e61c87930

SHA256
97466aecd28c116de4b6cf472020123a146dc584f4c02f5dfab3c138eee37801

SHA512
e0fc0221964d361d9cb8c52c13dbb014db05218ee8dad53ff0247249a688caa48fe0f1e88a31de1aaa235e5bf2907f55a030614ee8443397443a4a42ba401838

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.reddit.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.reddit.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\7fb9c5d2-0273-4a5b-bee6-da0992ef6de1.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
14KB

MD5
1c5b0922de28b75a3f7796d478d52e70

SHA1
94b0746bf0418af867dfab4fe503ebd954617924

SHA256
c4d4a41a12861616e2810abd47c2bf6d1db4f462ae422f286d983032b4d94c37

SHA512
8f51e66897d505da401132ab4392eee4a657555d084c0bd965a61b8d49a522468ac620e3b88f680d7332f9d313689348ee60bd5bdeab70e46903f33a5b27d321

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
11KB

MD5
8197311c25c0fd138f3294a93128120a

SHA1
0de292c0e261a10e87ac0047a33167cc2e2f3392

SHA256
4169bd626675070a8bb37c16a5be6030d0bc360a90d6f48062af53daf02635b0

SHA512
1df71831213a9c7ea76fa27117d61385f61a467b4f3847749093c7082722542fcf43b2a8a28b3aa5baebf579b1f9f2be7765bf1d6cd484aa378247ddbbff3b5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
14KB

MD5
8141e629e8356a904c14dc5e0a3f71cc

SHA1
26b40d91aefc06f3c9a7d51faf5b0d7d291c6719

SHA256
4f10be452a9de5e2499d8f0d04b57bcdd3ff8c77f1bf6b23fadece385b841468

SHA512
ded9ff55e6a12cec93a8a159e1fdb53bbbce5f6f8a10f2c6b9aef160161129c414528a340464cce9d442d38cf8c8379fff20e6818467432b4904bf7eb1bbe8d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
14KB

MD5
7b777189e45ae2d80277db76c60204cc

SHA1
91682847f270bc625546e8e99158221b5bc9d9c7

SHA256
657f984e8fc80b6ef29398b69baad0b6184558b382e933ffc3479e68580b3897

SHA512
066cc1b5cd99e5d2bdf3ea5ff2cd29774785caf6200239c02c36f1b9435573c5eb10105f4579f1723607c6cd07c237b5192d7702191a1ff77d626f47adee9c3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
3c1384e73fba41bed978d2906543b634

SHA1
3e979dbe2edc1121312f6c12328c7e56f68f778c

SHA256
0b4347baac6b2b24d077f3fb2a724a9030b65257716d5d3b309ddf65f8258ef3

SHA512
c83c95245ce9d9cf14599d81e62b55a5fc10578f4157e8de14f556454db79ad98b5905abaf4f21b07cad30789fd0e9bf34d04616c2f7c5eeaf09bdfbdcac9736

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
0287c63c897cd0dcc94d63417171d59e

SHA1
5c54d62edfe2ce76672b38b4617abbe14b216605

SHA256
c9d98783aa770a21cb6d275ac2df9f1d545c22017b986e676743a5b452b65489

SHA512
8bc32ddfbcc7abbf8a02a0d839ac996c6a01c32ec09ca2a4d977c791ba0c25471d44133353cdb15a0043ffb63cad16881c167a8c5eaf01440c40b9697bfecbfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
1ba69d641239ff098e07d3df3fcfaf2c

SHA1
72882b337d82f2a42cdac0628ce9d3b823c443dd

SHA256
d5ebc401cfc43a4a37d04567737cead465ce9848f83a043012fc0f167655c265

SHA512
a95136a41a253ede40f87dcedab86b1ef524b65014c9a21708b9dbc68485851200ef837cb73ce35c43e1877f013d6c024d1293e09744400ff396386cd661b439

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
beb60a5c172cfaf81c722df8b7276ded

SHA1
e1acc3f95a568ac085c19dd5a4022abb4817233f

SHA256
695af6f69688f947e7fd54789f7036a1c96b91e9ce6ff25b570b774ad02f5266

SHA512
77e46e682ecc92b170960f2904940b0c6ced612d28cc12d2e13fee13b2a2b4cb25d05651492c465af9d1ecf02c84bef8e4915877552c8259765197dbd5f5d2c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
d6d339edb5b05f80d42f48c2d950b7cb

SHA1
863c12a0f21657bc1cb70709eb43f38ecbe23cbe

SHA256
c1c7bf58e2549fa5a11d1c973b56e60be111676d62d6924ab5ed12f25e5cf93f

SHA512
7a39d2cde117bb4aa029660629a4f53732cec498689827791f0be356560c1a78624244b843f3a821a0542109c8f174189c70da6a821becbae0a927668dbab6d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
30793018086c47da4ce16e2f856cb882

SHA1
6b0ce3c586877a9f7e2209f9caf98e74d011bc7b

SHA256
248f41236a3e1ef940b8801ab08dfc2a0023db5b06728ceaa3f455764e307e1e

SHA512
681bd956a50f1b1643d49cbc12b6b3d241f1c6426ef0542379e34263881b19075260024fbf2bfd98c72fe31cb1b6e0da7e9ac4a1fa975e07cbfb65252278efa2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
38638ad0c2b3bb2100021ab1d8bd80b1

SHA1
7867aa8b7dfe94cd48579a3dd7b30338a7d04eff

SHA256
9b49715d55edf2c0dcb55832c59d2d0c0e8bade229a11640be5684e5762d2e52

SHA512
c5b0b2d1f0befaed3885b2b88b592f3848ac90cb6627d4cb7cfb5ec1637bd11f3567bee4ce227326bad0ccb566212b9927e5f8d9fe778df84708d72391fdb6f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ef30eb190855032b1845ea308c6f8a70

SHA1
555cecd044d1aedc47cb3698d2e676420be7acb8

SHA256
7a1a6ff2c97ca67c243fe62905d007885058bb5f17f6e377a03d67406b2f1f3e

SHA512
620c1206d8f26327a09a48930e7737ca8a98c718b025a601e91b11ee7cb917470fe978fb969ff274ebc5ba4f43cd8dd393f8f346405d5f3dde65c8b0cccfa9f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
c6592ea8cd8c4399163eee66e015445f

SHA1
57d331bcaaae09db7fae31af87de084cd5d9b099

SHA256
1c464330ba0c0af76e0706f3ed7443ccea948f3e8465f9398e7172b3f04c7414

SHA512
34787c99da0db93039f7eff3869523b14d0c027689e08f306218d846decf878bdf962e4fc121afcbb52bc5275b8ac49e1cc76938d45898af89b2e2a914c203bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
fc10a58fdc55e93762fdc0df11274973

SHA1
5f012542e85ef1e861ddbb6f715711b2a273be17

SHA256
650d066b544ac0ed0f8b2524176f1298c7d2f9201da62aa3cea9fd07a4f355b0

SHA512
c5a33f232418da94d85d4c544f574a9df0ec57343bcc4a5c96ea7206e4fad0b8b8ff018e7582e0d47431d20202b8f929a67855ee4260a711b07e9852ea15a101

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
778c30948146c6ffa043301c163171c2

SHA1
0f85467cd424ab556024df1f6fc6902e52e6e3a7

SHA256
f0be13a8860742482645d497748525c7450a522ecffe3545848bc0f7e362c9f7

SHA512
977753d7614125bbca14922881068182c29e0ef4f53efeb5c72f72ee02d3bca2a601feaaeb4ba43da44621f540f62856c847f455ccc9d5377a222a8e536af677

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
28c8db2fb849a03843edb241202281e3

SHA1
4d36bc21a5301f76ec04bdae712892bbe1aea1f2

SHA256
b451a233f6c082d8b7fdd0c83c5ec69810c507c57d84b1b342f2f8b9926a0bf8

SHA512
6c5a7a4d7a7f24c80b9b38f698e9891b1b5d318b96b8bbb6d9af0ab5e8018ec9771587d9eb54586460e4da7b146015776f7771418519bdfd3fc73aabe0306097

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0c4ee74392bcb9c2651fb89da5d6ea38

SHA1
3b0c059f0763113bc1f02ff5dcbc7ab421b9bb30

SHA256
271186f51c93e49b8e397d63570f77ed64355ad873c825457f56c4be696da869

SHA512
0c69717b1882b08f112a904faf5b582497a6ba83dceeb00e15c8522c1557dc55e25ee27713984c27e49a24c9d84606c6cb4edd41168ee16587e07a3402257080

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
ecac85fbbfd3c62be4755e644f6b8917

SHA1
1c94d764d02067b320e205b83728839ca7319122

SHA256
6de14666ebe536a2eb28ec0846a6c643d8886d6acd7791311743d919c8b0134d

SHA512
1d05e06d002f7f549c3cd81150f6db3461957b2605d134d995b379914a622512a24829739535753e6d84efd63679aa5fa93f4b4dfdd268e01585b896a2ac016c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
2f6aa3fb795752bef1b634f08ba209ff

SHA1
4530778b0826f1a3d94f7973661eacbbd0409e59

SHA256
a8453010e13d13b0ff7fd70e9b5e45f16a40db6d06f37962bd7d802d8e3697d6

SHA512
52ca29221a558fd5153afc795e91f2a99caab5912ceaa6decde68546fc10cb92afefe5639d8a05c46f5cbb6d9882ccf5db0671ed42a08b10e00cc63e66ca173f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe579ec0.TMP

Filesize
48B

MD5
be64c7b2e9c2630a2baadd7391abf07f

SHA1
2fdb4b8706df36810a01267a254f769fdca928da

SHA256
fd2d0c376745efc40d73d341f78b7b767b942d7f0bfde4fe783cded709736e2a

SHA512
7d01483685d74bd7121407cb3c1f792ff958131a796aa3612f88080d732656a961c01d7f00ef3a85b5f7575ab1ca5ff8288ce050ab6e1013b6d974b6ab100d2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
76B

MD5
a7a2f6dbe4e14a9267f786d0d5e06097

SHA1
5513aebb0bda58551acacbfc338d903316851a7b

SHA256
dd9045ea2f3beaf0282320db70fdf395854071bf212ad747e8765837ec390cbc

SHA512
aa5d81e7ee3a646afec55aee5435dc84fe06d84d3e7e1c45c934f258292c0c4dc2f2853a13d2f2b37a98fe2f1dcc7639eacf51b09e7dcccb2e29c2cbd3ba1835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
140B

MD5
8b0a9ab37b504875845cc1c07afa9160

SHA1
d92a10126086a7ef152326c4940a3b539298153f

SHA256
37c0909fd8bc0e9e9d8e89c19159a46ae4cec70e8a73ad418ae7257a4b012d14

SHA512
b68f6a5c6094d535e36578feafbc0b9a4e178488e63f132fa3bf5e3511975d4ae95d9bf801ec00f555fbc8188f548484e2a92ab02956de3d28943b4baaeb54ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe57a4ac.TMP

Filesize
140B

MD5
5c85ff0c506e5733b3379aba1888548f

SHA1
a29adca61f96d3b7b12062090ff61e2d46137893

SHA256
887d81bbccb89db4979c7840d07b2a624c7541945cdda0e9c460b069804514ac

SHA512
69a36c9c4227d2d2fd761af9e77590af01f5266ecd85ff34a21688b0145b351215e75fa6be36ad5b875f7149e72d19bfc3fc68a64799a0ba3d57731250dd333d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
a6c69bc968afae67b1447d5038d7023c

SHA1
5f4698eafbc5f339cd2561bc04dbaba7a2f5daeb

SHA256
144bc3383b951afae561a0304433241d7b3ec435f335af83d06bc19f2f5c553e

SHA512
93109207b52e36f1492eab13a6a381d429e40cf8601605eb4e8affd9cac85723fadfdf494be160815fc84e87d4b2d797af4e21d48e1c531836abef0638c8d3ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
2bc6353692f57d042ae494cd92a59a70

SHA1
81e245e6975219c465303ec9b7b6a80349a51daf

SHA256
80aa1607469afe1d55d8bef2268ebbc6dbf393bc1e713967d62d4b4fc59b403a

SHA512
cdc55a4a8eaef308ea548ceb8c8e6c62f0a3e9a6f47bd1755df6a9b892cecc1bf1221eeb5057c6bde0fa43c6375158e78a37f2d9c55d1ffb0b9cff153faa8558

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
d97eb6ab82d6890b83a1f97ceff6d29d

SHA1
f67447ed9bfb8bb8c04de98107a5da3e34bd0445

SHA256
71f37cd347ec68fceb9e39a52caee50b50a040ead82b5a1b880b4377013373f1

SHA512
6d41bb8de3618723cf28ac28473fa6dfb92dfc8c6e5d6812bcea49a871e040ac33c6218340684529d619e479e5938db4a4b2ff17a42aeeba8df03528366a817e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
a23a1128704de133836eeca9d48957f3

SHA1
65fabf3c757f438892e7d9aadaa02cebc5dce7fd

SHA256
ff6f4c7087a7d0a952849b52ab79e5cc20dcd8c5e259521d0fccf03264215105

SHA512
550359ae01a30ce64c6f61b51695be243270d5895a2981ee4d7a21588546945e642f8bd795f5df86d81f22b1e04cf87684d052d11c47aae30bb720a6bda00c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\594.tmp\595.tmp\596.vbs

Filesize
352B

MD5
3b8696ecbb737aad2a763c4eaf62c247

SHA1
4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5

SHA256
ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569

SHA512
713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\594.tmp\eulascr.exe

Filesize
143KB

MD5
8b1c352450e480d9320fce5e6f2c8713

SHA1
d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a

SHA256
2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e

SHA512
2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll

Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
C:\Users\Admin\Downloads\FakeMrsMajor3.0.exe

Filesize
11.0MB

MD5
5ebb0732d02ca96039d4d3afbe28ea62

SHA1
a196cb3873a1e5d407b04495a29c41a6d0107c39

SHA256
d41b9d6d891d35c3c31ffbfb693ba59efa11b159b4f9e1704b73abe1c0dcabc1

SHA512
27286714261cf4a56855cec838f19a10ca102569b0d7ee729a7c42a4cc42587583cd14a638e75f0eb4b3253c3b9bda4ef691cf42a52d29ca0f2b485db1d997e6

Download Submit
C:\Users\Admin\Downloads\FakeMrsMajor3.0.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\MrsMajor3.0.exe

Filesize
381KB

MD5
35a27d088cd5be278629fae37d464182

SHA1
d5a291fadead1f2a0cf35082012fe6f4bf22a3ab

SHA256
4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69

SHA512
eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5

Download Submit
C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav

Filesize
2.4MB

MD5
fe3ff5c960ffe350ceef5e7ddb47a90c

SHA1
4df64c51d1412ba8607d8f361f09808f9a9a58a9

SHA256
612124638e466d5fee56aec02345d8af0908abc4482a22de96a5ad4acc2a4f01

SHA512
b9f9ebc52d54a8e4eda6c190edf6be753c340ebd765ac7b15d7d0778aac82bddf1b3c0f25e7c866f826ef39248074c9cce90c448054d531c414037d6b3afa84e

Download Submit
memory/2408-894-0x000000001CE70000-0x000000001D032000-memory.dmp

Filesize
1.8MB

Download
memory/2408-877-0x00000000004E0000-0x000000000050A000-memory.dmp

Filesize
168KB

Download
memory/2408-884-0x00007FF9C4600000-0x00007FF9C474F000-memory.dmp

Filesize
1.3MB

Download
memory/2408-895-0x000000001D570000-0x000000001DA98000-memory.dmp

Filesize
5.2MB

Download
memory/6092-1729-0x0000000000380000-0x0000000000E86000-memory.dmp

Filesize
11.0MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads