Overview
overview
10Static
static
3windows-ma...00.exe
windows7-x64
windows-ma...00.exe
windows10-2004-x64
windows-ma...fy.exe
windows7-x64
8windows-ma...fy.exe
windows10-2004-x64
8windows-ma...or.exe
windows7-x64
windows-ma...or.exe
windows10-2004-x64
windows-ma...XT.vbs
windows7-x64
1windows-ma...XT.vbs
windows10-2004-x64
1windows-ma...ck.exe
windows7-x64
6windows-ma...ck.exe
windows10-2004-x64
7windows-ma....0.exe
windows7-x64
windows-ma....0.exe
windows10-2004-x64
windows-ma...p).exe
windows7-x64
10windows-ma...p).exe
windows10-2004-x64
Analysis
-
max time kernel
23s -
max time network
30s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
29-06-2024 05:26
Static task
static1
Behavioral task
behavioral1
Sample
windows-malware-master/000/000.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
windows-malware-master/000/000.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
windows-malware-master/Bonzify/Bonzify.exe
Resource
win7-20240611-en
Behavioral task
behavioral4
Sample
windows-malware-master/Bonzify/Bonzify.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral5
Sample
windows-malware-master/BossDaMajor/BossDaMajor.exe
Resource
win7-20240611-en
Behavioral task
behavioral6
Sample
windows-malware-master/BossDaMajor/BossDaMajor.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
windows-malware-master/ILOVEYOU/LOVE-LETTER-FOR-YOU.TXT.vbs
Resource
win7-20240419-en
Behavioral task
behavioral8
Sample
windows-malware-master/ILOVEYOU/LOVE-LETTER-FOR-YOU.TXT.vbs
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
windows-malware-master/MEMZ/geometry dash auto speedhack.exe
Resource
win7-20240611-en
Behavioral task
behavioral10
Sample
windows-malware-master/MEMZ/geometry dash auto speedhack.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
windows-malware-master/MrsMajor 2.0/MrsMajor2.0.exe
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
windows-malware-master/MrsMajor 2.0/MrsMajor2.0.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
windows-malware-master/WinXP Horror Edition/WinXP.Horror.Destructive (Created By WobbyChip).exe
Resource
win7-20240508-en
Behavioral task
behavioral14
Sample
windows-malware-master/WinXP Horror Edition/WinXP.Horror.Destructive (Created By WobbyChip).exe
Resource
win10v2004-20240508-en
Errors
General
-
Target
windows-malware-master/BossDaMajor/BossDaMajor.exe
-
Size
1.9MB
-
MD5
38ff71c1dee2a9add67f1edb1a30ff8c
-
SHA1
10f0defd98d4e5096fbeb321b28d6559e44d66db
-
SHA256
730a41a7656f606a22e9f0d68782612d6e00ab8cfe1260160b9e0b00bc2e442a
-
SHA512
8347782951f2647fe433482cb13186653afa32ee9f5be83a138c4ed47ff34d8de66a26e74b5a28ea21c1529b2078401922a9a26803772677b70489967c10f3e9
-
SSDEEP
49152:veG3J7FtM9SbJakTiTBMGSARaspyyx979PSxgKFdGlYU:2GZxSoJrTiTBMGtRa8t7EFddU
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
wscript.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\mrsmajor\\Launcher.vbs\"" wscript.exe -
Processes:
wscript.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wscript.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
wscript.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1" wscript.exe -
Disables Task Manager via registry modification
-
Modifies system executable filetype association 2 TTPs 2 IoCs
Processes:
wscript.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" wscript.exe -
Drops desktop.ini file(s) 7 IoCs
Processes:
wmplayer.exedescription ioc process File opened for modification C:\Users\Admin\Videos\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\Videos\desktop.ini wmplayer.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\Pictures\desktop.ini wmplayer.exe File opened for modification C:\Users\Admin\Music\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\Music\desktop.ini wmplayer.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
wmplayer.exedescription ioc process File opened (read-only) \??\V: wmplayer.exe File opened (read-only) \??\H: wmplayer.exe File opened (read-only) \??\J: wmplayer.exe File opened (read-only) \??\L: wmplayer.exe File opened (read-only) \??\O: wmplayer.exe File opened (read-only) \??\S: wmplayer.exe File opened (read-only) \??\W: wmplayer.exe File opened (read-only) \??\Z: wmplayer.exe File opened (read-only) \??\N: wmplayer.exe File opened (read-only) \??\X: wmplayer.exe File opened (read-only) \??\A: wmplayer.exe File opened (read-only) \??\B: wmplayer.exe File opened (read-only) \??\G: wmplayer.exe File opened (read-only) \??\I: wmplayer.exe File opened (read-only) \??\K: wmplayer.exe File opened (read-only) \??\T: wmplayer.exe File opened (read-only) \??\U: wmplayer.exe File opened (read-only) \??\Y: wmplayer.exe File opened (read-only) \??\E: wmplayer.exe File opened (read-only) \??\M: wmplayer.exe File opened (read-only) \??\P: wmplayer.exe File opened (read-only) \??\Q: wmplayer.exe File opened (read-only) \??\R: wmplayer.exe -
Drops file in Program Files directory 16 IoCs
Processes:
wscript.exewscript.exedescription ioc process File created C:\Program Files\mrsmajor\def_resource\@Tile@@.jpg wscript.exe File created C:\Program Files\mrsmajor\def_resource\creepysound.mp3 wscript.exe File created C:\Program Files\mrsmajor\Launcher.vbs wscript.exe File created C:\Program Files\mrsmajor\MrsMjrGui.exe wscript.exe File created C:\Program Files\mrsmajor\MrsMjrGuiLauncher.bat wscript.exe File created C:\Program Files\mrsmajor\reStart.vbs wscript.exe File created C:\Program Files\mrsmajor\CPUUsage.vbs wscript.exe File opened for modification C:\Program Files\mrsmajor\CPUUsage.vbs wscript.exe File created C:\Program Files\mrsmajor\WinLogon.bat wscript.exe File created C:\Program Files\mrsmajor\Doll_patch.xml wscript.exe File created C:\Program Files\mrsmajor\Icon_resource\SkullIco.ico wscript.exe File created C:\Program Files\mrsmajor\mrsmajorlauncher.vbs wscript.exe File created C:\Program Files\mrsmajor\def_resource\f11.mp4 wscript.exe File created C:\Program Files\mrsmajor\DreS_X.bat wscript.exe File created C:\Program Files\mrsmajor\default.txt wscript.exe File created C:\Program Files\mrsmajor\def_resource\Skullcur.cur wscript.exe -
Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 4 IoCs
Processes:
wscript.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" wscript.exe Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Control Panel\Cursors wscript.exe -
Modifies registry class 11 IoCs
Processes:
wscript.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" wscript.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
wmplayer.exeshutdown.exedescription pid process Token: 33 2164 wmplayer.exe Token: SeIncBasePriorityPrivilege 2164 wmplayer.exe Token: SeShutdownPrivilege 1104 shutdown.exe Token: SeRemoteShutdownPrivilege 1104 shutdown.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
wmplayer.exepid process 2164 wmplayer.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
BossDaMajor.exewscript.exewscript.exedescription pid process target process PID 2044 wrote to memory of 2768 2044 BossDaMajor.exe wscript.exe PID 2044 wrote to memory of 2768 2044 BossDaMajor.exe wscript.exe PID 2044 wrote to memory of 2768 2044 BossDaMajor.exe wscript.exe PID 2044 wrote to memory of 2768 2044 BossDaMajor.exe wscript.exe PID 2768 wrote to memory of 2580 2768 wscript.exe notepad.exe PID 2768 wrote to memory of 2580 2768 wscript.exe notepad.exe PID 2768 wrote to memory of 2580 2768 wscript.exe notepad.exe PID 2768 wrote to memory of 2596 2768 wscript.exe wscript.exe PID 2768 wrote to memory of 2596 2768 wscript.exe wscript.exe PID 2768 wrote to memory of 2596 2768 wscript.exe wscript.exe PID 2596 wrote to memory of 2164 2596 wscript.exe wmplayer.exe PID 2596 wrote to memory of 2164 2596 wscript.exe wmplayer.exe PID 2596 wrote to memory of 2164 2596 wscript.exe wmplayer.exe PID 2596 wrote to memory of 2164 2596 wscript.exe wmplayer.exe PID 2596 wrote to memory of 1104 2596 wscript.exe shutdown.exe PID 2596 wrote to memory of 1104 2596 wscript.exe shutdown.exe PID 2596 wrote to memory of 1104 2596 wscript.exe shutdown.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
wscript.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wscript.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\windows-malware-master\BossDaMajor\BossDaMajor.exe"C:\Users\Admin\AppData\Local\Temp\windows-malware-master\BossDaMajor\BossDaMajor.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wscript.exe"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\2CBC.vbs2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe"3⤵
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" "C:\Program files\mrsmajor\mrsmajorlauncher.vbs" RunAsAdministrator3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Drops file in Program Files directory
- Access Token Manipulation: Create Process with Token
- Modifies Control Panel
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"4⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" -r -t 034⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Event Triggered Execution
1Change Default File Association
1Access Token Manipulation
1Create Process with Token
1Defense Evasion
Modify Registry
4Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Access Token Manipulation
1Create Process with Token
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\2CBC.vbsFilesize
1007B
MD55706bc5d518069a3b2be5e6fac51b12f
SHA1d7361f3623ecf05e63bb97cc9da8d5c50401575c
SHA2568a74eead47657582c84209eb4cdba545404d9c67dd288c605515a86e06de0aad
SHA512fb68727db0365ab10c5b0d5e5e1d44b95aa38806e33b0af3280abcefae83f30eb8252653e158ac941320f3b38507649cce41898c8511223ee8642339cfece047
-
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\CPUUsage.vbsFilesize
92B
MD50e4c01bf30b13c953f8f76db4a7e857d
SHA1b8ddbc05adcf890b55d82a9f00922376c1a22696
SHA25628e69e90466034ce392e84db2bde3ad43ad556d12609e3860f92016641b2a738
SHA5125e66e2793e7bc88066b8df3dccb554351287dea18207e280b69d7798ecd5cdc99bd4c126c3e394db9f45f54bb561e6688f928de4f638c5eca4f101dc2cea54a1
-
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\DreS_X.batFilesize
360B
MD5ba81d7fa0662e8ee3780c5becc355a14
SHA10bd3d86116f431a43d02894337af084caf2b4de1
SHA2562590879a8cd745dbbe7ad66a548f31375ccfb0f8090d56b5e4bd5909573ac816
SHA5120b768995187f988dc15d055f9689cee3ab3908d10b05a625b40d9757c101e067bbd6067ccbcf1951ebb683f5259eec562802ea6161d59475ce86cf6bc7c957f2
-
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\Icon_resource\SkullIco.icoFilesize
244KB
MD5c7bf05d7cb3535f7485606cf5b5987fe
SHA19d480d6f1e3f17d5018c1d2f4ae257ae983f0bb5
SHA2564c1cfbe274f993941ac5fa512c376b6d7344800fb8be08cc6344e6c16a418311
SHA512d30952a75d94dd64b7bd253ed72810690f3550f2262cfaaef45854fc8334f6201a8cbafb9b175c6435f7ce0499567f2fa8667b4b0046bfb651bf61eb4278e6c8
-
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\Launcher.vbsFilesize
590B
MD5b5a1c9ae4c2ae863ac3f6a019f556a22
SHA19ae506e04b4b7394796d5c5640b8ba9eba71a4a6
SHA2566f0bb8cc239af15c9215867d6225c8ff344052aaa0deeb3452dbf463b8c46529
SHA512a644c48562e38190720fb55a6c6e7d5ccfab60f362236fe7d63caebdc01758f17196d123fb37bd11f7e247ce8ab21812165b27496d3bd6ca5e2c5efefab8fb03
-
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\MrsMjrGui.exeFilesize
71KB
MD5450f49426b4519ecaac8cd04814c03a4
SHA1063ee81f46d56544a5c217ffab69ee949eaa6f45
SHA256087fca40e079746b9c1dfaf777d3994c0321ea8f69d08238cdfc02fb109add1d
SHA5120cae15d863120f4edc6b6dabfe2f0f3d2e028057025d7d5ffe615cde8144f29bdaf099850e91e101e95d13f8a83cb1410a06172dda25a5f92967abcbc8453cbc
-
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\MrsMjrGuiLauncher.batFilesize
98B
MD5c7146f88f4184c6ee5dcf7a62846aa23
SHA1215adb85d81cc4130154e73a2ab76c6e0f6f2ff3
SHA25647e6c9f62ffc41fbc555f8644ad099a96573c8c023797127f78b1a952ca1b963
SHA5123b30fa1334b88af3e3382813d316104e3698173bb159c20ff3468cf3494ecfbbc32a9ae78b4919ecd47c05d506435af4a7ccee0576c0d0018a81fbd1b2dfcf10
-
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\WinLogon.batFilesize
117B
MD5870bce376c1b71365390a9e9aefb9a33
SHA1176fdbdb8e5795fb5fddc81b2b4e1d9677779786
SHA2562798dad008f62aace1841edfb43146147a9cade388c419c96da788fcaa2f76bc
SHA512f17c9898f81387daf42c9b858f507889919474ac2a17f96fc6d4606be94327e0b941b23a3ccc3f4af92b8abc0522e94745616da0564cdef1c3f20ee17ee31f53
-
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\def_resource\@Tile@@.jpgFilesize
7KB
MD53e21bcf0d1e7f39d8b8ec2c940489ca2
SHA1fa6879a984d70241557bb0abb849f175ace2fd78
SHA256064f135fcc026a574552f42901b51052345f4b0f122edd7acd5f2dcc023160a5
SHA5125577e20f76d6b1cccc513392532a09bdc6dcd3a8a177b8035dc5d7eb082e0093436068f92059e301c5987e6122c4d9aff3e5ae9cc94ccc1ecc9951e2785b0922
-
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\def_resource\Skullcur.curFilesize
3KB
MD5cea57c3a54a04118f1db9db8b38ea17a
SHA1112d0f8913ff205776b975f54639c5c34ce43987
SHA256d2b6db8b28112da51e34972dec513278a56783d24b8b5408f11997e9e67d422b
SHA512561860907fa2f53c7853094299758232a70c0cd22c6df3534abd094c6970f28792c6c334a33b129d661a46930d90fd8c98f11cb34f3e277cf20a355b792f64f0
-
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\def_resource\creepysound.mp3Filesize
1.2MB
MD54a9b1d8a8fe8a75c81ddba3e411ddc5d
SHA1e40cb1ee4490f6d7520902e12222446a8efbf9a8
SHA25679e9a3611494b5ffafaa79788ba7e11dd218e3800c40b56684ccc0c33ab64eac
SHA512e7a28acb04ca33d57efe0474bb67d6d4b8ceff9198198b81574c76c835d5df05d113fc468f4a4434580b1b58189f38184c376976604dc05d1424af1721995601
-
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\def_resource\f11.mp4Filesize
227KB
MD517042b9e5fc04a571311cd484f17b9eb
SHA1585d91c69c3f9e3d2e8cb8cf984871d89cc4adbb
SHA256a9b0f1f849e0b41924f5e80b0c4948e63fc4b4f335bbdf0f997b03a3aff55424
SHA512709076c6cef8dd61701c93e1fe331d2b1a218498b833db10ee4d2be0816e3444aeebfa092ab1bd10322617cf3385414e8fdb76fd90f25b44ac24d38937b4d47f
-
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\default.txtFilesize
266B
MD530cfd8bb946a7e889090fb148ea6f501
SHA1c49dbc93f0f17ff65faf3b313562c655ef3f9753
SHA256e1ebbd3abfcaddf7d6960708f3ccd8eda64c944723f0905ff76551c692b94210
SHA5128e7d98e6d0c05d199114d2d6ab8da886aed68de690c4d79643868eaf051c229fff94c88d937adb3da5e31fe48116613cf79dd00dda30f296746ce0a8aded9fe2
-
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\mrsmajorlauncher.vbsFilesize
3KB
MD5e3fdf285b14fb588f674ebfc2134200c
SHA130fba2298b6e1fade4b5f9c8c80f7f1ea07de811
SHA2564d3aa3ecd16a6ba46a9d6c0bdacdcd9dce70d93585941a94e544696e3e6f7d92
SHA5129b0bfbb07c77d9e9979a6c0f88b0a93010133f7dd3cf01e1de5dfbe812a5ed920e916d16d6a32fe21b9ee4b5425e61a616ded1aeeb35a410d4f77c0f9392ed0a
-
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\reStart.vbsFilesize
638B
MD50851e8d791f618daa5b72d40e0c8e32b
SHA180bea0443dc4cc508e846fefdb9de6c44ad8ff91
SHA2562cbd8bc239c5cfc3ef02f8472d867dff61e5aed9fde8a3823cda28cc37d77722
SHA51257a9d1d75dbbab842060b29f01958f7e6b27d0175ff9a3f7b97e423c1b4e3fae94547a569c2e5c88224fc5dcc785f5a1d49c61199a8c7b3afeb4fc520600df40
-
C:\Users\Admin\Desktop\MRS MAJOR WANTS TO MEET YOU 5.txtFilesize
27B
MD5e20f623b1d5a781f86b51347260d68a5
SHA17e06a43ba81d27b017eb1d5dcc62124a9579f96e
SHA256afeebe824fc4a955a673d3d8569a0b49dfbc43c6cc1d4e3d66d9855c28a7a179
SHA5122e74cccdd158ce1ffde84573d43e44ec6e488d00282a661700906ba1966ad90968a16c405a9640b9d33db03b33753733c9b7078844b0f6ac3af3de0c3c044c0b
-
C:\Users\Public\Music\Sample Music\AlbumArtSmall.jpgFilesize
5KB
MD51c6a4f664e8e18eba1a5b61ac4dde46f
SHA1f09e10bc312f20ccd61c65c892666677d54d2282
SHA256ccc20b7b3b29325db0a0b1c2127c12d8a1c019ca159505a96cbcbc89701702f9
SHA5123ff32e45c7b0c1f38d5296c0a1ed6a87c987d1b5a4fd0efed2aacbce0794a8f804ec985891bf03ed1ec4bf03b18b25b9717a2aa405dc45aadae4b2b30d6012a6
-
memory/2164-121-0x0000000003970000-0x000000000397A000-memory.dmpFilesize
40KB
-
memory/2164-120-0x0000000003970000-0x000000000397A000-memory.dmpFilesize
40KB
-
memory/2164-119-0x0000000003970000-0x000000000397A000-memory.dmpFilesize
40KB
-
memory/2164-118-0x0000000003970000-0x000000000397A000-memory.dmpFilesize
40KB
-
memory/2164-117-0x0000000003970000-0x000000000397A000-memory.dmpFilesize
40KB
-
memory/2164-116-0x0000000003970000-0x000000000397A000-memory.dmpFilesize
40KB
-
memory/2164-122-0x00000000044A0000-0x00000000044AA000-memory.dmpFilesize
40KB
-
memory/2164-161-0x00000000044A0000-0x00000000044A2000-memory.dmpFilesize
8KB