5b1bcbd8ac2497503833493c6566df7417202975968edd0825ca77aefc9b26fb

Analysis

max time kernel
23s
max time network
30s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 05:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

windows-malware-master/BossDaMajor/BossDaMajor.exe
Size

1.9MB
MD5

38ff71c1dee2a9add67f1edb1a30ff8c
SHA1

10f0defd98d4e5096fbeb321b28d6559e44d66db
SHA256

730a41a7656f606a22e9f0d68782612d6e00ab8cfe1260160b9e0b00bc2e442a
SHA512

8347782951f2647fe433482cb13186653afa32ee9f5be83a138c4ed47ff34d8de66a26e74b5a28ea21c1529b2078401922a9a26803772677b70489967c10f3e9
SSDEEP

49152:veG3J7FtM9SbJakTiTBMGSARaspyyx979PSxgKFdGlYU:2GZxSoJrTiTBMGtRa8t7EFddU

Score

10^/10

defense_evasion evasion persistence privilege_escalation trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\mrsmajor\\Launcher.vbs\""	wscript.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

wscript.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wscript.exe
Disables RegEdit via registry modification 1 IoCs
evasion

Processes:

wscript.exe

description ioc process

Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1" wscript.exe
Disables Task Manager via registry modification
evasion

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1"	wscript.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	wscript.exe

Drops desktop.ini file(s) 7 IoCs

Processes:

wmplayer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wmplayer.exe

description	ioc	process
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe

Drops file in Program Files directory 16 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Program Files\mrsmajor\def_resource\@Tile@@.jpg	wscript.exe
File created	C:\Program Files\mrsmajor\def_resource\creepysound.mp3	wscript.exe
File created	C:\Program Files\mrsmajor\Launcher.vbs	wscript.exe
File created	C:\Program Files\mrsmajor\MrsMjrGui.exe	wscript.exe
File created	C:\Program Files\mrsmajor\MrsMjrGuiLauncher.bat	wscript.exe
File created	C:\Program Files\mrsmajor\reStart.vbs	wscript.exe
File created	C:\Program Files\mrsmajor\CPUUsage.vbs	wscript.exe
File opened for modification	C:\Program Files\mrsmajor\CPUUsage.vbs	wscript.exe
File created	C:\Program Files\mrsmajor\WinLogon.bat	wscript.exe
File created	C:\Program Files\mrsmajor\Doll_patch.xml	wscript.exe
File created	C:\Program Files\mrsmajor\Icon_resource\SkullIco.ico	wscript.exe
File created	C:\Program Files\mrsmajor\mrsmajorlauncher.vbs	wscript.exe
File created	C:\Program Files\mrsmajor\def_resource\f11.mp4	wscript.exe
File created	C:\Program Files\mrsmajor\DreS_X.bat	wscript.exe
File created	C:\Program Files\mrsmajor\default.txt	wscript.exe
File created	C:\Program Files\mrsmajor\def_resource\Skullcur.cur	wscript.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
defense_evasion privilege_escalation

Create Process with Token
T1134.002

Processes:

wscript.exe

pid process

2596 wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2596	wscript.exe

Modifies Control Panel 4 IoCs

evasion

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Control Panel\Cursors	wscript.exe

Modifies registry class 11 IoCs

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	wscript.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

wmplayer.exeshutdown.exe

description pid process

Token: 33 2164 wmplayer.exe
Token: SeIncBasePriorityPrivilege 2164 wmplayer.exe
Token: SeShutdownPrivilege 1104 shutdown.exe
Token: SeRemoteShutdownPrivilege 1104 shutdown.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

wmplayer.exe

pid process

2164 wmplayer.exe

description	pid	process
Token: 33	2164	wmplayer.exe
Token: SeIncBasePriorityPrivilege	2164	wmplayer.exe
Token: SeShutdownPrivilege	1104	shutdown.exe
Token: SeRemoteShutdownPrivilege	1104	shutdown.exe

pid	process
2164	wmplayer.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

BossDaMajor.exewscript.exewscript.exe

description	pid	process	target process
PID 2044 wrote to memory of 2768	2044	BossDaMajor.exe	wscript.exe
PID 2044 wrote to memory of 2768	2044	BossDaMajor.exe	wscript.exe
PID 2044 wrote to memory of 2768	2044	BossDaMajor.exe	wscript.exe
PID 2044 wrote to memory of 2768	2044	BossDaMajor.exe	wscript.exe
PID 2768 wrote to memory of 2580	2768	wscript.exe	notepad.exe
PID 2768 wrote to memory of 2580	2768	wscript.exe	notepad.exe
PID 2768 wrote to memory of 2580	2768	wscript.exe	notepad.exe
PID 2768 wrote to memory of 2596	2768	wscript.exe	wscript.exe
PID 2768 wrote to memory of 2596	2768	wscript.exe	wscript.exe
PID 2768 wrote to memory of 2596	2768	wscript.exe	wscript.exe
PID 2596 wrote to memory of 2164	2596	wscript.exe	wmplayer.exe
PID 2596 wrote to memory of 2164	2596	wscript.exe	wmplayer.exe
PID 2596 wrote to memory of 2164	2596	wscript.exe	wmplayer.exe
PID 2596 wrote to memory of 2164	2596	wscript.exe	wmplayer.exe
PID 2596 wrote to memory of 1104	2596	wscript.exe	shutdown.exe
PID 2596 wrote to memory of 1104	2596	wscript.exe	shutdown.exe
PID 2596 wrote to memory of 1104	2596	wscript.exe	shutdown.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

C:\Users\Admin\AppData\Local\Temp\windows-malware-master\BossDaMajor\BossDaMajor.exe
"C:\Users\Admin\AppData\Local\Temp\windows-malware-master\BossDaMajor\BossDaMajor.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\2CBC.vbs
2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:2580

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Program files\mrsmajor\mrsmajorlauncher.vbs" RunAsAdministrator
3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Drops file in Program Files directory
- Access Token Manipulation: Create Process with Token
- Modifies Control Panel
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2596

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"
4⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2164

C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" -r -t 03
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:876

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2736

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Defense Evasion

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\2CBC.vbs
Filesize
1007B

MD5
5706bc5d518069a3b2be5e6fac51b12f

SHA1
d7361f3623ecf05e63bb97cc9da8d5c50401575c

SHA256
8a74eead47657582c84209eb4cdba545404d9c67dd288c605515a86e06de0aad

SHA512
fb68727db0365ab10c5b0d5e5e1d44b95aa38806e33b0af3280abcefae83f30eb8252653e158ac941320f3b38507649cce41898c8511223ee8642339cfece047

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\CPUUsage.vbs
Filesize
92B

MD5
0e4c01bf30b13c953f8f76db4a7e857d

SHA1
b8ddbc05adcf890b55d82a9f00922376c1a22696

SHA256
28e69e90466034ce392e84db2bde3ad43ad556d12609e3860f92016641b2a738

SHA512
5e66e2793e7bc88066b8df3dccb554351287dea18207e280b69d7798ecd5cdc99bd4c126c3e394db9f45f54bb561e6688f928de4f638c5eca4f101dc2cea54a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\DreS_X.bat
Filesize
360B

MD5
ba81d7fa0662e8ee3780c5becc355a14

SHA1
0bd3d86116f431a43d02894337af084caf2b4de1

SHA256
2590879a8cd745dbbe7ad66a548f31375ccfb0f8090d56b5e4bd5909573ac816

SHA512
0b768995187f988dc15d055f9689cee3ab3908d10b05a625b40d9757c101e067bbd6067ccbcf1951ebb683f5259eec562802ea6161d59475ce86cf6bc7c957f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\Icon_resource\SkullIco.ico
Filesize
244KB

MD5
c7bf05d7cb3535f7485606cf5b5987fe

SHA1
9d480d6f1e3f17d5018c1d2f4ae257ae983f0bb5

SHA256
4c1cfbe274f993941ac5fa512c376b6d7344800fb8be08cc6344e6c16a418311

SHA512
d30952a75d94dd64b7bd253ed72810690f3550f2262cfaaef45854fc8334f6201a8cbafb9b175c6435f7ce0499567f2fa8667b4b0046bfb651bf61eb4278e6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\Launcher.vbs
Filesize
590B

MD5
b5a1c9ae4c2ae863ac3f6a019f556a22

SHA1
9ae506e04b4b7394796d5c5640b8ba9eba71a4a6

SHA256
6f0bb8cc239af15c9215867d6225c8ff344052aaa0deeb3452dbf463b8c46529

SHA512
a644c48562e38190720fb55a6c6e7d5ccfab60f362236fe7d63caebdc01758f17196d123fb37bd11f7e247ce8ab21812165b27496d3bd6ca5e2c5efefab8fb03

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\MrsMjrGui.exe
Filesize
71KB

MD5
450f49426b4519ecaac8cd04814c03a4

SHA1
063ee81f46d56544a5c217ffab69ee949eaa6f45

SHA256
087fca40e079746b9c1dfaf777d3994c0321ea8f69d08238cdfc02fb109add1d

SHA512
0cae15d863120f4edc6b6dabfe2f0f3d2e028057025d7d5ffe615cde8144f29bdaf099850e91e101e95d13f8a83cb1410a06172dda25a5f92967abcbc8453cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\MrsMjrGuiLauncher.bat
Filesize
98B

MD5
c7146f88f4184c6ee5dcf7a62846aa23

SHA1
215adb85d81cc4130154e73a2ab76c6e0f6f2ff3

SHA256
47e6c9f62ffc41fbc555f8644ad099a96573c8c023797127f78b1a952ca1b963

SHA512
3b30fa1334b88af3e3382813d316104e3698173bb159c20ff3468cf3494ecfbbc32a9ae78b4919ecd47c05d506435af4a7ccee0576c0d0018a81fbd1b2dfcf10

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\WinLogon.bat
Filesize
117B

MD5
870bce376c1b71365390a9e9aefb9a33

SHA1
176fdbdb8e5795fb5fddc81b2b4e1d9677779786

SHA256
2798dad008f62aace1841edfb43146147a9cade388c419c96da788fcaa2f76bc

SHA512
f17c9898f81387daf42c9b858f507889919474ac2a17f96fc6d4606be94327e0b941b23a3ccc3f4af92b8abc0522e94745616da0564cdef1c3f20ee17ee31f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\def_resource\@Tile@@.jpg
Filesize
7KB

MD5
3e21bcf0d1e7f39d8b8ec2c940489ca2

SHA1
fa6879a984d70241557bb0abb849f175ace2fd78

SHA256
064f135fcc026a574552f42901b51052345f4b0f122edd7acd5f2dcc023160a5

SHA512
5577e20f76d6b1cccc513392532a09bdc6dcd3a8a177b8035dc5d7eb082e0093436068f92059e301c5987e6122c4d9aff3e5ae9cc94ccc1ecc9951e2785b0922

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\def_resource\Skullcur.cur
Filesize
3KB

MD5
cea57c3a54a04118f1db9db8b38ea17a

SHA1
112d0f8913ff205776b975f54639c5c34ce43987

SHA256
d2b6db8b28112da51e34972dec513278a56783d24b8b5408f11997e9e67d422b

SHA512
561860907fa2f53c7853094299758232a70c0cd22c6df3534abd094c6970f28792c6c334a33b129d661a46930d90fd8c98f11cb34f3e277cf20a355b792f64f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\def_resource\creepysound.mp3
Filesize
1.2MB

MD5
4a9b1d8a8fe8a75c81ddba3e411ddc5d

SHA1
e40cb1ee4490f6d7520902e12222446a8efbf9a8

SHA256
79e9a3611494b5ffafaa79788ba7e11dd218e3800c40b56684ccc0c33ab64eac

SHA512
e7a28acb04ca33d57efe0474bb67d6d4b8ceff9198198b81574c76c835d5df05d113fc468f4a4434580b1b58189f38184c376976604dc05d1424af1721995601

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\def_resource\f11.mp4
Filesize
227KB

MD5
17042b9e5fc04a571311cd484f17b9eb

SHA1
585d91c69c3f9e3d2e8cb8cf984871d89cc4adbb

SHA256
a9b0f1f849e0b41924f5e80b0c4948e63fc4b4f335bbdf0f997b03a3aff55424

SHA512
709076c6cef8dd61701c93e1fe331d2b1a218498b833db10ee4d2be0816e3444aeebfa092ab1bd10322617cf3385414e8fdb76fd90f25b44ac24d38937b4d47f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\default.txt
Filesize
266B

MD5
30cfd8bb946a7e889090fb148ea6f501

SHA1
c49dbc93f0f17ff65faf3b313562c655ef3f9753

SHA256
e1ebbd3abfcaddf7d6960708f3ccd8eda64c944723f0905ff76551c692b94210

SHA512
8e7d98e6d0c05d199114d2d6ab8da886aed68de690c4d79643868eaf051c229fff94c88d937adb3da5e31fe48116613cf79dd00dda30f296746ce0a8aded9fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\mrsmajorlauncher.vbs
Filesize
3KB

MD5
e3fdf285b14fb588f674ebfc2134200c

SHA1
30fba2298b6e1fade4b5f9c8c80f7f1ea07de811

SHA256
4d3aa3ecd16a6ba46a9d6c0bdacdcd9dce70d93585941a94e544696e3e6f7d92

SHA512
9b0bfbb07c77d9e9979a6c0f88b0a93010133f7dd3cf01e1de5dfbe812a5ed920e916d16d6a32fe21b9ee4b5425e61a616ded1aeeb35a410d4f77c0f9392ed0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CBB.tmp\mrsmajor\reStart.vbs
Filesize
638B

MD5
0851e8d791f618daa5b72d40e0c8e32b

SHA1
80bea0443dc4cc508e846fefdb9de6c44ad8ff91

SHA256
2cbd8bc239c5cfc3ef02f8472d867dff61e5aed9fde8a3823cda28cc37d77722

SHA512
57a9d1d75dbbab842060b29f01958f7e6b27d0175ff9a3f7b97e423c1b4e3fae94547a569c2e5c88224fc5dcc785f5a1d49c61199a8c7b3afeb4fc520600df40

Download Submit
C:\Users\Admin\Desktop\MRS MAJOR WANTS TO MEET YOU 5.txt
Filesize
27B

MD5
e20f623b1d5a781f86b51347260d68a5

SHA1
7e06a43ba81d27b017eb1d5dcc62124a9579f96e

SHA256
afeebe824fc4a955a673d3d8569a0b49dfbc43c6cc1d4e3d66d9855c28a7a179

SHA512
2e74cccdd158ce1ffde84573d43e44ec6e488d00282a661700906ba1966ad90968a16c405a9640b9d33db03b33753733c9b7078844b0f6ac3af3de0c3c044c0b

Download Submit
C:\Users\Public\Music\Sample Music\AlbumArtSmall.jpg
Filesize
5KB

MD5
1c6a4f664e8e18eba1a5b61ac4dde46f

SHA1
f09e10bc312f20ccd61c65c892666677d54d2282

SHA256
ccc20b7b3b29325db0a0b1c2127c12d8a1c019ca159505a96cbcbc89701702f9

SHA512
3ff32e45c7b0c1f38d5296c0a1ed6a87c987d1b5a4fd0efed2aacbce0794a8f804ec985891bf03ed1ec4bf03b18b25b9717a2aa405dc45aadae4b2b30d6012a6

Download Submit
memory/2164-121-0x0000000003970000-0x000000000397A000-memory.dmp

Filesize
40KB

Download
memory/2164-120-0x0000000003970000-0x000000000397A000-memory.dmp

Filesize
40KB

Download
memory/2164-119-0x0000000003970000-0x000000000397A000-memory.dmp

Filesize
40KB

Download
memory/2164-118-0x0000000003970000-0x000000000397A000-memory.dmp

Filesize
40KB

Download
memory/2164-117-0x0000000003970000-0x000000000397A000-memory.dmp

Filesize
40KB

Download
memory/2164-116-0x0000000003970000-0x000000000397A000-memory.dmp

Filesize
40KB

Download
memory/2164-122-0x00000000044A0000-0x00000000044AA000-memory.dmp

Filesize
40KB

Download
memory/2164-161-0x00000000044A0000-0x00000000044A2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads