eadaf26df948f0fd541f297e2f0bad435aa4bee5c97e4324ad767dacca77e29d

max time kernel
10s
max time network
64s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
09-05-2023 19:14

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

trojan-leaks-main/mrsmajor.exe
Size

361KB
MD5

83c5204bacb49b83afecea31beaf1f63
SHA1

b284a3c19ea6586be416eabdc3e9f6254a45b01c
SHA256

3aed3315e667eddd7fedb3aa2c65af9c56f9b360d4bc1f5381ed2b0fec28ad7b
SHA512

0ab6bc57cfab18d1028ed2bab44ca3b28526360228975b509d616ce9c72db677eaf8ed7af33dc120dc94e52280538b017c74cd4b8f72c6d08c495824f0c0dcb1
SSDEEP

6144:S/fAhvV6B8ErzPZp5wdz753RSvX+tgAUHATUDAvjX7QInd:SfAv6B8azBwdeX+tg3HATYAvb7/nd

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\mrsmajor\\Launcher.vbs\""	WScript.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WScript.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

WScript.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1"	WScript.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

MrsMjrGui.exe

pid process

3600 MrsMjrGui.exe

pid	process
3600	MrsMjrGui.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	WScript.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

unregmp2.exe

description	ioc	process
File opened (read-only)	\??\F:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe

Drops file in Program Files directory 1 IoCs

Processes:

WScript.exe

description ioc process

File created C:\Program Files\mrsmajor\Doll_patch.xml WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Program Files\mrsmajor\Doll_patch.xml	WScript.exe

Kills process with taskkill 12 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4004	taskkill.exe
2136	taskkill.exe
2460	taskkill.exe
2304	taskkill.exe
1196	taskkill.exe
4320	taskkill.exe
3272	taskkill.exe
664	taskkill.exe
4980	taskkill.exe
204	taskkill.exe
2964	taskkill.exe
512	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Control Panel\Cursors	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur"	WScript.exe

Modifies registry class 12 IoCs

Processes:

WScript.exemrsmajor.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings	mrsmajor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	WScript.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

taskkill.exetaskkill.exeunregmp2.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3272	taskkill.exe
Token: SeDebugPrivilege	4004	taskkill.exe
Token: SeShutdownPrivilege	4376	unregmp2.exe
Token: SeCreatePagefilePrivilege	4376	unregmp2.exe
Token: SeDebugPrivilege	664	taskkill.exe
Token: SeDebugPrivilege	2136	taskkill.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	4980	taskkill.exe
Token: SeDebugPrivilege	204	taskkill.exe
Token: SeDebugPrivilege	2304	taskkill.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

mrsmajor.execmd.execmd.exeWScript.exewmplayer.exeunregmp2.exe

description	pid	process	target process
PID 4984 wrote to memory of 1416	4984	mrsmajor.exe	WScript.exe
PID 4984 wrote to memory of 1416	4984	mrsmajor.exe	WScript.exe
PID 4984 wrote to memory of 1416	4984	mrsmajor.exe	WScript.exe
PID 4984 wrote to memory of 2604	4984	mrsmajor.exe	cmd.exe
PID 4984 wrote to memory of 2604	4984	mrsmajor.exe	cmd.exe
PID 4984 wrote to memory of 2604	4984	mrsmajor.exe	cmd.exe
PID 4984 wrote to memory of 1300	4984	mrsmajor.exe	WScript.exe
PID 4984 wrote to memory of 1300	4984	mrsmajor.exe	WScript.exe
PID 4984 wrote to memory of 1300	4984	mrsmajor.exe	WScript.exe
PID 4984 wrote to memory of 4260	4984	mrsmajor.exe	WScript.exe
PID 4984 wrote to memory of 4260	4984	mrsmajor.exe	WScript.exe
PID 4984 wrote to memory of 4260	4984	mrsmajor.exe	WScript.exe
PID 4984 wrote to memory of 3600	4984	mrsmajor.exe	MrsMjrGui.exe
PID 4984 wrote to memory of 3600	4984	mrsmajor.exe	MrsMjrGui.exe
PID 4984 wrote to memory of 3600	4984	mrsmajor.exe	MrsMjrGui.exe
PID 4984 wrote to memory of 3768	4984	mrsmajor.exe	cmd.exe
PID 4984 wrote to memory of 3768	4984	mrsmajor.exe	cmd.exe
PID 4984 wrote to memory of 3768	4984	mrsmajor.exe	cmd.exe
PID 4984 wrote to memory of 3564	4984	mrsmajor.exe	cmd.exe
PID 4984 wrote to memory of 3564	4984	mrsmajor.exe	cmd.exe
PID 4984 wrote to memory of 3564	4984	mrsmajor.exe	cmd.exe
PID 2604 wrote to memory of 3272	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 3272	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 3272	2604	cmd.exe	taskkill.exe
PID 3564 wrote to memory of 3280	3564	cmd.exe	wscript.exe
PID 3564 wrote to memory of 3280	3564	cmd.exe	wscript.exe
PID 3564 wrote to memory of 3280	3564	cmd.exe	wscript.exe
PID 4260 wrote to memory of 5076	4260	WScript.exe	wmplayer.exe
PID 4260 wrote to memory of 5076	4260	WScript.exe	wmplayer.exe
PID 4260 wrote to memory of 5076	4260	WScript.exe	wmplayer.exe
PID 5076 wrote to memory of 5048	5076	wmplayer.exe	setup_wm.exe
PID 5076 wrote to memory of 5048	5076	wmplayer.exe	setup_wm.exe
PID 5076 wrote to memory of 5048	5076	wmplayer.exe	setup_wm.exe
PID 5076 wrote to memory of 5060	5076	wmplayer.exe	unregmp2.exe
PID 5076 wrote to memory of 5060	5076	wmplayer.exe	unregmp2.exe
PID 5076 wrote to memory of 5060	5076	wmplayer.exe	unregmp2.exe
PID 5060 wrote to memory of 4376	5060	unregmp2.exe	unregmp2.exe
PID 5060 wrote to memory of 4376	5060	unregmp2.exe	unregmp2.exe
PID 2604 wrote to memory of 4004	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 4004	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 4004	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 664	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 664	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 664	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 2136	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 2136	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 2136	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 2460	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 2460	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 2460	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 4980	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 4980	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 4980	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 204	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 204	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 204	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 2304	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 2304	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 2304	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 2964	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 2964	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 2964	2604	cmd.exe	taskkill.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WScript.exe

C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\mrsmajor.exe
"C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\mrsmajor.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\CPUUsage.vbs"
  2⤵
  PID:1416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\DreS_X.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iexplore.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im opera.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im yandex.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im firefox.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im microsoftedge.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:204
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msedge.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mspaint.exe
    3⤵
    - Kills process with taskkill
    PID:2964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im dllhost.exe
    3⤵
    - Kills process with taskkill
    PID:1196
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im notepad.exe
    3⤵
    - Kills process with taskkill
    PID:512
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im bing.exe
    3⤵
    - Kills process with taskkill
    PID:4320
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\Launcher.vbs"
  2⤵
  PID:1300
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\mrsmajorlauncher.vbs"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Disables RegEdit via registry modification
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4260
- - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"
      4⤵
      PID:5048
  - - C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5060
    - - C:\Windows\System32\unregmp2.exe
        
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        5⤵
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:4376
- - C:\Windows\SysWOW64\shutdown.exe
    "C:\Windows\System32\shutdown.exe" -r -t 03
    3⤵
    PID:1752
- C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\MrsMjrGui.exe
  "C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\MrsMjrGui.exe"
  2⤵
  - Executes dropped EXE
  PID:3600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\WinLogon.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Program Files\mrsmajor\CPUUsage.vbs"
    3⤵
    PID:3280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\MrsMjrGuiLauncher.bat" "
  2⤵
  PID:3768

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3acf855 /state1:0x41c64e6d
1⤵
PID:3640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
384KB

MD5
9574d26ecc89d8ef027e51b9e47f2bc9

SHA1
1d6e6c558321dde60102ba63accf08b0a7d74cc5

SHA256
6dc988b85852834380f897e1b13c9a6e4f3f9bb6ae63ed3974b1005a979d6ebe

SHA512
60d552bcecc6c46d4e4c0c8f514cdcd9afde6256002ecb54342a2118ed496694485f1d2cda7082560f9a94b9ba1fb8da9bdd47f69a761a54873b51ad88e4ba7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp87421.WMC\allservices.xml

Filesize
546B

MD5
df03e65b8e082f24dab09c57bc9c6241

SHA1
6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf

SHA256
155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba

SHA512
ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp89906.WMC\serviceinfo.xml

Filesize
523B

MD5
d58da90d6dc51f97cb84dfbffe2b2300

SHA1
5f86b06b992a3146cb698a99932ead57a5ec4666

SHA256
93acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad

SHA512
7f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\CPUUsage.vbs

Filesize
92B

MD5
0e4c01bf30b13c953f8f76db4a7e857d

SHA1
b8ddbc05adcf890b55d82a9f00922376c1a22696

SHA256
28e69e90466034ce392e84db2bde3ad43ad556d12609e3860f92016641b2a738

SHA512
5e66e2793e7bc88066b8df3dccb554351287dea18207e280b69d7798ecd5cdc99bd4c126c3e394db9f45f54bb561e6688f928de4f638c5eca4f101dc2cea54a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\DreS_X.bat

Filesize
360B

MD5
ba81d7fa0662e8ee3780c5becc355a14

SHA1
0bd3d86116f431a43d02894337af084caf2b4de1

SHA256
2590879a8cd745dbbe7ad66a548f31375ccfb0f8090d56b5e4bd5909573ac816

SHA512
0b768995187f988dc15d055f9689cee3ab3908d10b05a625b40d9757c101e067bbd6067ccbcf1951ebb683f5259eec562802ea6161d59475ce86cf6bc7c957f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\Launcher.vbs

Filesize
590B

MD5
b5a1c9ae4c2ae863ac3f6a019f556a22

SHA1
9ae506e04b4b7394796d5c5640b8ba9eba71a4a6

SHA256
6f0bb8cc239af15c9215867d6225c8ff344052aaa0deeb3452dbf463b8c46529

SHA512
a644c48562e38190720fb55a6c6e7d5ccfab60f362236fe7d63caebdc01758f17196d123fb37bd11f7e247ce8ab21812165b27496d3bd6ca5e2c5efefab8fb03

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\MrsMjrGui.exe

Filesize
71KB

MD5
450f49426b4519ecaac8cd04814c03a4

SHA1
063ee81f46d56544a5c217ffab69ee949eaa6f45

SHA256
087fca40e079746b9c1dfaf777d3994c0321ea8f69d08238cdfc02fb109add1d

SHA512
0cae15d863120f4edc6b6dabfe2f0f3d2e028057025d7d5ffe615cde8144f29bdaf099850e91e101e95d13f8a83cb1410a06172dda25a5f92967abcbc8453cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\MrsMjrGui.exe

Filesize
71KB

MD5
450f49426b4519ecaac8cd04814c03a4

SHA1
063ee81f46d56544a5c217ffab69ee949eaa6f45

SHA256
087fca40e079746b9c1dfaf777d3994c0321ea8f69d08238cdfc02fb109add1d

SHA512
0cae15d863120f4edc6b6dabfe2f0f3d2e028057025d7d5ffe615cde8144f29bdaf099850e91e101e95d13f8a83cb1410a06172dda25a5f92967abcbc8453cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\MrsMjrGuiLauncher.bat

Filesize
98B

MD5
c7146f88f4184c6ee5dcf7a62846aa23

SHA1
215adb85d81cc4130154e73a2ab76c6e0f6f2ff3

SHA256
47e6c9f62ffc41fbc555f8644ad099a96573c8c023797127f78b1a952ca1b963

SHA512
3b30fa1334b88af3e3382813d316104e3698173bb159c20ff3468cf3494ecfbbc32a9ae78b4919ecd47c05d506435af4a7ccee0576c0d0018a81fbd1b2dfcf10

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\WinLogon.bat

Filesize
117B

MD5
870bce376c1b71365390a9e9aefb9a33

SHA1
176fdbdb8e5795fb5fddc81b2b4e1d9677779786

SHA256
2798dad008f62aace1841edfb43146147a9cade388c419c96da788fcaa2f76bc

SHA512
f17c9898f81387daf42c9b858f507889919474ac2a17f96fc6d4606be94327e0b941b23a3ccc3f4af92b8abc0522e94745616da0564cdef1c3f20ee17ee31f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\mrsmajorlauncher.vbs

Filesize
3KB

MD5
e3fdf285b14fb588f674ebfc2134200c

SHA1
30fba2298b6e1fade4b5f9c8c80f7f1ea07de811

SHA256
4d3aa3ecd16a6ba46a9d6c0bdacdcd9dce70d93585941a94e544696e3e6f7d92

SHA512
9b0bfbb07c77d9e9979a6c0f88b0a93010133f7dd3cf01e1de5dfbe812a5ed920e916d16d6a32fe21b9ee4b5425e61a616ded1aeeb35a410d4f77c0f9392ed0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
a4797127e26ef75bba5e57797b6e564c

SHA1
030d722e78ba73df4fd87c7cc22af7cef5d80dc3

SHA256
ae53d562b7c29cab36bc66c9211f261e89f8c45452cf4fb8e0bc51ba22937c49

SHA512
ad0579646081be8c02384a72696b2bd56c88e4e96a36a5dc6740aee83379aa29a5880116e3f901a1652888cc7dac0f5de3d7e992bee4213ee68c3300aa417d7e

Download Submit
C:\Users\Admin\Desktop\MRS MAJOR WANTS TO MEET YOU 5.txt

Filesize
27B

MD5
e20f623b1d5a781f86b51347260d68a5

SHA1
7e06a43ba81d27b017eb1d5dcc62124a9579f96e

SHA256
afeebe824fc4a955a673d3d8569a0b49dfbc43c6cc1d4e3d66d9855c28a7a179

SHA512
2e74cccdd158ce1ffde84573d43e44ec6e488d00282a661700906ba1966ad90968a16c405a9640b9d33db03b33753733c9b7078844b0f6ac3af3de0c3c044c0b

Download Submit
memory/3600-215-0x0000000005780000-0x0000000005812000-memory.dmp

Filesize
584KB

Download
memory/3600-211-0x0000000005C80000-0x000000000617E000-memory.dmp

Filesize
5.0MB

Download
memory/3600-239-0x0000000005650000-0x000000000565A000-memory.dmp

Filesize
40KB

Download
memory/3600-240-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/3600-243-0x0000000005940000-0x0000000005996000-memory.dmp

Filesize
344KB

Download
memory/3600-207-0x00000000056E0000-0x000000000577C000-memory.dmp

Filesize
624KB

Download
memory/3600-206-0x0000000000E00000-0x0000000000E18000-memory.dmp

Filesize
96KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads