eadaf26df948f0fd541f297e2f0bad435aa4bee5c97e4324ad767dacca77e29d

max time kernel
373s
max time network
467s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09/05/2023, 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trojan-leaks-main/mrsmajor.exe
Size

361KB
MD5

83c5204bacb49b83afecea31beaf1f63
SHA1

b284a3c19ea6586be416eabdc3e9f6254a45b01c
SHA256

3aed3315e667eddd7fedb3aa2c65af9c56f9b360d4bc1f5381ed2b0fec28ad7b
SHA512

0ab6bc57cfab18d1028ed2bab44ca3b28526360228975b509d616ce9c72db677eaf8ed7af33dc120dc94e52280538b017c74cd4b8f72c6d08c495824f0c0dcb1
SSDEEP

6144:S/fAhvV6B8ErzPZp5wdz753RSvX+tgAUHATUDAvjX7QInd:SfAv6B8azBwdeX+tg3HATYAvb7/nd

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\mrsmajor\\Launcher.vbs\""	WScript.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WScript.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1"	WScript.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
1928	MrsMjrGui.exe

Loads dropped DLL 4 IoCs

pid	Process
1340	mrsmajor.exe
1340	mrsmajor.exe
1340	mrsmajor.exe
1340	mrsmajor.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	WScript.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\mrsmajor\Doll_patch.xml	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 12 IoCs

evasion

pid	Process
1864	taskkill.exe
1552	taskkill.exe
764	taskkill.exe
984	taskkill.exe
240	taskkill.exe
2016	taskkill.exe
1972	taskkill.exe
1032	taskkill.exe
1308	taskkill.exe
1828	taskkill.exe
1744	taskkill.exe
1508	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\Cursors	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur"	WScript.exe

Modifies registry class 11 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file	WScript.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1308	taskkill.exe
Token: SeDebugPrivilege	764	taskkill.exe
Token: SeDebugPrivilege	1828	taskkill.exe
Token: SeDebugPrivilege	1744	taskkill.exe
Token: SeDebugPrivilege	984	taskkill.exe
Token: SeDebugPrivilege	240	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	1032	taskkill.exe
Token: SeDebugPrivilege	1864	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeShutdownPrivilege	1680	shutdown.exe
Token: SeRemoteShutdownPrivilege	1680	shutdown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 1520	1340	mrsmajor.exe	27
PID 1340 wrote to memory of 1520	1340	mrsmajor.exe	27
PID 1340 wrote to memory of 1520	1340	mrsmajor.exe	27
PID 1340 wrote to memory of 1520	1340	mrsmajor.exe	27
PID 1340 wrote to memory of 1320	1340	mrsmajor.exe	28
PID 1340 wrote to memory of 1320	1340	mrsmajor.exe	28
PID 1340 wrote to memory of 1320	1340	mrsmajor.exe	28
PID 1340 wrote to memory of 1320	1340	mrsmajor.exe	28
PID 1340 wrote to memory of 1876	1340	mrsmajor.exe	30
PID 1340 wrote to memory of 1876	1340	mrsmajor.exe	30
PID 1340 wrote to memory of 1876	1340	mrsmajor.exe	30
PID 1340 wrote to memory of 1876	1340	mrsmajor.exe	30
PID 1340 wrote to memory of 1824	1340	mrsmajor.exe	31
PID 1340 wrote to memory of 1824	1340	mrsmajor.exe	31
PID 1340 wrote to memory of 1824	1340	mrsmajor.exe	31
PID 1340 wrote to memory of 1824	1340	mrsmajor.exe	31
PID 1320 wrote to memory of 1308	1320	cmd.exe	32
PID 1320 wrote to memory of 1308	1320	cmd.exe	32
PID 1320 wrote to memory of 1308	1320	cmd.exe	32
PID 1320 wrote to memory of 1308	1320	cmd.exe	32
PID 1340 wrote to memory of 1928	1340	mrsmajor.exe	33
PID 1340 wrote to memory of 1928	1340	mrsmajor.exe	33
PID 1340 wrote to memory of 1928	1340	mrsmajor.exe	33
PID 1340 wrote to memory of 1928	1340	mrsmajor.exe	33
PID 1340 wrote to memory of 1296	1340	mrsmajor.exe	37
PID 1340 wrote to memory of 1296	1340	mrsmajor.exe	37
PID 1340 wrote to memory of 1296	1340	mrsmajor.exe	37
PID 1340 wrote to memory of 1296	1340	mrsmajor.exe	37
PID 1340 wrote to memory of 884	1340	mrsmajor.exe	35
PID 1340 wrote to memory of 884	1340	mrsmajor.exe	35
PID 1340 wrote to memory of 884	1340	mrsmajor.exe	35
PID 1340 wrote to memory of 884	1340	mrsmajor.exe	35
PID 884 wrote to memory of 308	884	cmd.exe	38
PID 884 wrote to memory of 308	884	cmd.exe	38
PID 884 wrote to memory of 308	884	cmd.exe	38
PID 884 wrote to memory of 308	884	cmd.exe	38
PID 1320 wrote to memory of 764	1320	cmd.exe	40
PID 1320 wrote to memory of 764	1320	cmd.exe	40
PID 1320 wrote to memory of 764	1320	cmd.exe	40
PID 1320 wrote to memory of 764	1320	cmd.exe	40
PID 1320 wrote to memory of 1828	1320	cmd.exe	41
PID 1320 wrote to memory of 1828	1320	cmd.exe	41
PID 1320 wrote to memory of 1828	1320	cmd.exe	41
PID 1320 wrote to memory of 1828	1320	cmd.exe	41
PID 1320 wrote to memory of 1744	1320	cmd.exe	42
PID 1320 wrote to memory of 1744	1320	cmd.exe	42
PID 1320 wrote to memory of 1744	1320	cmd.exe	42
PID 1320 wrote to memory of 1744	1320	cmd.exe	42
PID 1320 wrote to memory of 984	1320	cmd.exe	43
PID 1320 wrote to memory of 984	1320	cmd.exe	43
PID 1320 wrote to memory of 984	1320	cmd.exe	43
PID 1320 wrote to memory of 984	1320	cmd.exe	43
PID 1320 wrote to memory of 240	1320	cmd.exe	44
PID 1320 wrote to memory of 240	1320	cmd.exe	44
PID 1320 wrote to memory of 240	1320	cmd.exe	44
PID 1320 wrote to memory of 240	1320	cmd.exe	44
PID 1320 wrote to memory of 1508	1320	cmd.exe	45
PID 1320 wrote to memory of 1508	1320	cmd.exe	45
PID 1320 wrote to memory of 1508	1320	cmd.exe	45
PID 1320 wrote to memory of 1508	1320	cmd.exe	45
PID 1824 wrote to memory of 1736	1824	WScript.exe	46
PID 1824 wrote to memory of 1736	1824	WScript.exe	46
PID 1824 wrote to memory of 1736	1824	WScript.exe	46
PID 1824 wrote to memory of 1736	1824	WScript.exe	46

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	WScript.exe

C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\mrsmajor.exe
"C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\mrsmajor.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\CPUUsage.vbs"
  2⤵
  PID:1520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\DreS_X.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1308
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iexplore.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im opera.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im yandex.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im firefox.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:240
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im microsoftedge.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im msedge.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mspaint.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im dllhost.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1032
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im notepad.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im bing.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1552
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\Launcher.vbs"
  2⤵
  PID:1876
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\mrsmajorlauncher.vbs"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Disables RegEdit via registry modification
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1824
- - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"
    3⤵
    PID:1736
  - - C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"
      4⤵
      PID:1752
- - C:\Windows\SysWOW64\shutdown.exe
    "C:\Windows\System32\shutdown.exe" -r -t 03
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
- C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\MrsMjrGui.exe
  "C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\MrsMjrGui.exe"
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\WinLogon.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Program Files\mrsmajor\CPUUsage.vbs"
    3⤵
    PID:308
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Program Files\mrsmajor\reStart.vbs"
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Program Files\mrsmajor\CPUUsage.vbs"
    3⤵
    PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\MrsMjrGuiLauncher.bat" "
  2⤵
  PID:1296

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1536

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\CPUUsage.vbs

Filesize
92B

MD5
0e4c01bf30b13c953f8f76db4a7e857d

SHA1
b8ddbc05adcf890b55d82a9f00922376c1a22696

SHA256
28e69e90466034ce392e84db2bde3ad43ad556d12609e3860f92016641b2a738

SHA512
5e66e2793e7bc88066b8df3dccb554351287dea18207e280b69d7798ecd5cdc99bd4c126c3e394db9f45f54bb561e6688f928de4f638c5eca4f101dc2cea54a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\DreS_X.bat

Filesize
360B

MD5
ba81d7fa0662e8ee3780c5becc355a14

SHA1
0bd3d86116f431a43d02894337af084caf2b4de1

SHA256
2590879a8cd745dbbe7ad66a548f31375ccfb0f8090d56b5e4bd5909573ac816

SHA512
0b768995187f988dc15d055f9689cee3ab3908d10b05a625b40d9757c101e067bbd6067ccbcf1951ebb683f5259eec562802ea6161d59475ce86cf6bc7c957f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\DreS_X.bat

Filesize
360B

MD5
ba81d7fa0662e8ee3780c5becc355a14

SHA1
0bd3d86116f431a43d02894337af084caf2b4de1

SHA256
2590879a8cd745dbbe7ad66a548f31375ccfb0f8090d56b5e4bd5909573ac816

SHA512
0b768995187f988dc15d055f9689cee3ab3908d10b05a625b40d9757c101e067bbd6067ccbcf1951ebb683f5259eec562802ea6161d59475ce86cf6bc7c957f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\Launcher.vbs

Filesize
590B

MD5
b5a1c9ae4c2ae863ac3f6a019f556a22

SHA1
9ae506e04b4b7394796d5c5640b8ba9eba71a4a6

SHA256
6f0bb8cc239af15c9215867d6225c8ff344052aaa0deeb3452dbf463b8c46529

SHA512
a644c48562e38190720fb55a6c6e7d5ccfab60f362236fe7d63caebdc01758f17196d123fb37bd11f7e247ce8ab21812165b27496d3bd6ca5e2c5efefab8fb03

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\MrsMjrGui.exe

Filesize
71KB

MD5
450f49426b4519ecaac8cd04814c03a4

SHA1
063ee81f46d56544a5c217ffab69ee949eaa6f45

SHA256
087fca40e079746b9c1dfaf777d3994c0321ea8f69d08238cdfc02fb109add1d

SHA512
0cae15d863120f4edc6b6dabfe2f0f3d2e028057025d7d5ffe615cde8144f29bdaf099850e91e101e95d13f8a83cb1410a06172dda25a5f92967abcbc8453cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\MrsMjrGui.exe

Filesize
71KB

MD5
450f49426b4519ecaac8cd04814c03a4

SHA1
063ee81f46d56544a5c217ffab69ee949eaa6f45

SHA256
087fca40e079746b9c1dfaf777d3994c0321ea8f69d08238cdfc02fb109add1d

SHA512
0cae15d863120f4edc6b6dabfe2f0f3d2e028057025d7d5ffe615cde8144f29bdaf099850e91e101e95d13f8a83cb1410a06172dda25a5f92967abcbc8453cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\MrsMjrGui.exe

Filesize
71KB

MD5
450f49426b4519ecaac8cd04814c03a4

SHA1
063ee81f46d56544a5c217ffab69ee949eaa6f45

SHA256
087fca40e079746b9c1dfaf777d3994c0321ea8f69d08238cdfc02fb109add1d

SHA512
0cae15d863120f4edc6b6dabfe2f0f3d2e028057025d7d5ffe615cde8144f29bdaf099850e91e101e95d13f8a83cb1410a06172dda25a5f92967abcbc8453cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\MrsMjrGuiLauncher.bat

Filesize
98B

MD5
c7146f88f4184c6ee5dcf7a62846aa23

SHA1
215adb85d81cc4130154e73a2ab76c6e0f6f2ff3

SHA256
47e6c9f62ffc41fbc555f8644ad099a96573c8c023797127f78b1a952ca1b963

SHA512
3b30fa1334b88af3e3382813d316104e3698173bb159c20ff3468cf3494ecfbbc32a9ae78b4919ecd47c05d506435af4a7ccee0576c0d0018a81fbd1b2dfcf10

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\MrsMjrGuiLauncher.bat

Filesize
98B

MD5
c7146f88f4184c6ee5dcf7a62846aa23

SHA1
215adb85d81cc4130154e73a2ab76c6e0f6f2ff3

SHA256
47e6c9f62ffc41fbc555f8644ad099a96573c8c023797127f78b1a952ca1b963

SHA512
3b30fa1334b88af3e3382813d316104e3698173bb159c20ff3468cf3494ecfbbc32a9ae78b4919ecd47c05d506435af4a7ccee0576c0d0018a81fbd1b2dfcf10

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\WinLogon.bat

Filesize
117B

MD5
870bce376c1b71365390a9e9aefb9a33

SHA1
176fdbdb8e5795fb5fddc81b2b4e1d9677779786

SHA256
2798dad008f62aace1841edfb43146147a9cade388c419c96da788fcaa2f76bc

SHA512
f17c9898f81387daf42c9b858f507889919474ac2a17f96fc6d4606be94327e0b941b23a3ccc3f4af92b8abc0522e94745616da0564cdef1c3f20ee17ee31f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\WinLogon.bat

Filesize
117B

MD5
870bce376c1b71365390a9e9aefb9a33

SHA1
176fdbdb8e5795fb5fddc81b2b4e1d9677779786

SHA256
2798dad008f62aace1841edfb43146147a9cade388c419c96da788fcaa2f76bc

SHA512
f17c9898f81387daf42c9b858f507889919474ac2a17f96fc6d4606be94327e0b941b23a3ccc3f4af92b8abc0522e94745616da0564cdef1c3f20ee17ee31f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\mrsmajorlauncher.vbs

Filesize
3KB

MD5
e3fdf285b14fb588f674ebfc2134200c

SHA1
30fba2298b6e1fade4b5f9c8c80f7f1ea07de811

SHA256
4d3aa3ecd16a6ba46a9d6c0bdacdcd9dce70d93585941a94e544696e3e6f7d92

SHA512
9b0bfbb07c77d9e9979a6c0f88b0a93010133f7dd3cf01e1de5dfbe812a5ed920e916d16d6a32fe21b9ee4b5425e61a616ded1aeeb35a410d4f77c0f9392ed0a

Download Submit
C:\Users\Admin\Desktop\MRS MAJOR WANTS TO MEET YOU 5.txt

Filesize
27B

MD5
e20f623b1d5a781f86b51347260d68a5

SHA1
7e06a43ba81d27b017eb1d5dcc62124a9579f96e

SHA256
afeebe824fc4a955a673d3d8569a0b49dfbc43c6cc1d4e3d66d9855c28a7a179

SHA512
2e74cccdd158ce1ffde84573d43e44ec6e488d00282a661700906ba1966ad90968a16c405a9640b9d33db03b33753733c9b7078844b0f6ac3af3de0c3c044c0b

Download Submit
\Users\Admin\AppData\Local\Temp\trojan-leaks-main\MrsMjrGui.exe

Filesize
71KB

MD5
450f49426b4519ecaac8cd04814c03a4

SHA1
063ee81f46d56544a5c217ffab69ee949eaa6f45

SHA256
087fca40e079746b9c1dfaf777d3994c0321ea8f69d08238cdfc02fb109add1d

SHA512
0cae15d863120f4edc6b6dabfe2f0f3d2e028057025d7d5ffe615cde8144f29bdaf099850e91e101e95d13f8a83cb1410a06172dda25a5f92967abcbc8453cbc

Download Submit
\Users\Admin\AppData\Local\Temp\trojan-leaks-main\MrsMjrGui.exe

Filesize
71KB

MD5
450f49426b4519ecaac8cd04814c03a4

SHA1
063ee81f46d56544a5c217ffab69ee949eaa6f45

SHA256
087fca40e079746b9c1dfaf777d3994c0321ea8f69d08238cdfc02fb109add1d

SHA512
0cae15d863120f4edc6b6dabfe2f0f3d2e028057025d7d5ffe615cde8144f29bdaf099850e91e101e95d13f8a83cb1410a06172dda25a5f92967abcbc8453cbc

Download Submit
\Users\Admin\AppData\Local\Temp\trojan-leaks-main\MrsMjrGui.exe

Filesize
71KB

MD5
450f49426b4519ecaac8cd04814c03a4

SHA1
063ee81f46d56544a5c217ffab69ee949eaa6f45

SHA256
087fca40e079746b9c1dfaf777d3994c0321ea8f69d08238cdfc02fb109add1d

SHA512
0cae15d863120f4edc6b6dabfe2f0f3d2e028057025d7d5ffe615cde8144f29bdaf099850e91e101e95d13f8a83cb1410a06172dda25a5f92967abcbc8453cbc

Download Submit
\Users\Admin\AppData\Local\Temp\trojan-leaks-main\MrsMjrGui.exe

Filesize
71KB

MD5
450f49426b4519ecaac8cd04814c03a4

SHA1
063ee81f46d56544a5c217ffab69ee949eaa6f45

SHA256
087fca40e079746b9c1dfaf777d3994c0321ea8f69d08238cdfc02fb109add1d

SHA512
0cae15d863120f4edc6b6dabfe2f0f3d2e028057025d7d5ffe615cde8144f29bdaf099850e91e101e95d13f8a83cb1410a06172dda25a5f92967abcbc8453cbc

Download Submit
memory/1524-195-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1536-194-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/1928-140-0x0000000000CD0000-0x0000000000CE8000-memory.dmp

Filesize
96KB

Download
memory/1928-188-0x0000000004F10000-0x0000000004F50000-memory.dmp

Filesize
256KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads