| File name: | MrsMajor.7z |
| Full analysis: | https://app.any.run/tasks/7c719586-1878-40b3-87d6-6d7d2e36a609 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | May 23, 2025, 19:16:40 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-7z-compressed |
| File info: | 7-zip archive data, version 0.4 |
| MD5: | C9086FDF5A2414BF1DF8BAACA3B5BD1A |
| SHA1: | 071E6309AF8C0D7AC7AF06E95CDD2895375EFEA4 |
| SHA256: | F17D1FB9568BBF2B068500292E0FF149611DBD238A9C478831F3CFF8AF13F124 |
| SSDEEP: | 196608:inxEWRcHgQcgRcZKuNVMxKU3lX+U0f8ZqJhd/aY0ELXwzdPpIVmGUU:MF+1RcZIxKU3l500cJL/p0AXmdPmVv |
MALICIOUS
Generic archive extractor
- WinRAR.exe (PID: 7440)
Creates a new registry key or changes the value of an existing one (SCRIPT)
- wscript.exe (PID: 7668)
- wscript.exe (PID: 7984)
- wscript.exe (PID: 8164)
Uses sleep, probably for evasion detection (SCRIPT)
- wscript.exe (PID: 7984)
- wscript.exe (PID: 8164)
Copies file to a new location (SCRIPT)
- wscript.exe (PID: 8164)
Disables Windows Defender
- wscript.exe (PID: 8164)
Changes the login/logoff helper path in the registry
- wscript.exe (PID: 8164)
Disables task manager
- wscript.exe (PID: 8164)
SUSPICIOUS
Reads security settings of Internet Explorer
- MrsMajor 3.0.exe (PID: 7612)
- BossDaMajor.exe (PID: 7928)
- wmplayer.exe (PID: 7212)
- setup_wm.exe (PID: 6700)
Runs WScript without displaying logo
- wscript.exe (PID: 7668)
The process executes VB scripts
- MrsMajor 3.0.exe (PID: 7612)
- BossDaMajor.exe (PID: 7928)
- wscript.exe (PID: 7984)
Runs shell command (SCRIPT)
- wscript.exe (PID: 7668)
- wscript.exe (PID: 7984)
- wscript.exe (PID: 8164)
Executable content was dropped or overwritten
- BossDaMajor.exe (PID: 7928)
- eulascr.exe (PID: 7720)
- wscript.exe (PID: 7984)
- MrsMajor 3.0.exe (PID: 7612)
Creates FileSystem object to access computer's file system (SCRIPT)
- wscript.exe (PID: 7984)
- wscript.exe (PID: 8164)
Application launched itself
- wscript.exe (PID: 7984)
Writes binary data to a Stream object (SCRIPT)
- wscript.exe (PID: 8164)
Changes the desktop background image
- wscript.exe (PID: 8164)
SQL CE related mutex has been found
- unregmp2.exe (PID: 1672)
The system shut down or reboot
- wscript.exe (PID: 8164)
The process executes via Task Scheduler
- PLUGScheduler.exe (PID: 4144)
Reads the date of Windows installation
- MrsMajor 3.0.exe (PID: 7612)
INFO
Reads the computer name
- MrsMajor 3.0.exe (PID: 7612)
- BossDaMajor.exe (PID: 7928)
- eulascr.exe (PID: 7720)
- wmplayer.exe (PID: 7212)
- setup_wm.exe (PID: 6700)
Checks supported languages
- eulascr.exe (PID: 7720)
- BossDaMajor.exe (PID: 7928)
- setup_wm.exe (PID: 6700)
- wmplayer.exe (PID: 7212)
- MrsMajor 3.0.exe (PID: 7612)
Create files in a temporary directory
- eulascr.exe (PID: 7720)
- BossDaMajor.exe (PID: 7928)
- unregmp2.exe (PID: 6988)
- setup_wm.exe (PID: 6700)
- MrsMajor 3.0.exe (PID: 7612)
Reads the machine GUID from the registry
- eulascr.exe (PID: 7720)
Manual execution by a user
- BossDaMajor.exe (PID: 7928)
- notepad.exe (PID: 8024)
- notepad.exe (PID: 8120)
- MrsMajor 3.0.exe (PID: 7564)
- MrsMajor 3.0.exe (PID: 7612)
- BossDaMajor.exe (PID: 7872)
Process checks computer location settings
- BossDaMajor.exe (PID: 7928)
- MrsMajor 3.0.exe (PID: 7612)
- wmplayer.exe (PID: 7212)
- setup_wm.exe (PID: 6700)
Reads security settings of Internet Explorer
- wscript.exe (PID: 7984)
- notepad.exe (PID: 8024)
- unregmp2.exe (PID: 6988)
- notepad.exe (PID: 8120)
Creates files in the program directory
- wscript.exe (PID: 7984)
- wscript.exe (PID: 8164)
- unregmp2.exe (PID: 1672)
Checks proxy server information
- setup_wm.exe (PID: 6700)
Creates files or folders in the user directory
- unregmp2.exe (PID: 1672)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .7z | | | 7-Zip compressed archive (v0.4) (57.1) |
|---|---|---|
| .7z | | | 7-Zip compressed archive (gen) (42.8) |
EXIF
ZIP
| FileVersion: | 7z v0.04 |
|---|---|
| ModifyDate: | 2025:01:20 03:06:52+00:00 |
| ArchivedFileName: | V1 |
Total processes
428
Monitored processes
20
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1672 | "C:\WINDOWS\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT | C:\Windows\System32\unregmp2.exe | — | unregmp2.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Windows Media Player Setup Utility Exit code: 0 Version: 12.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4144 | "C:\Program Files\RUXIM\PLUGscheduler.exe" | C:\Program Files\RUXIM\PLUGScheduler.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Update LifeCycle Component Scheduler Exit code: 0 Version: 10.0.19041.3623 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5040 | "C:\Program Files\mrsmajor\mrsmjrgui.exe" | C:\Program Files\mrsmajor\MrsMjrGui.exe | — | cmd.exe | |||||||||||
User: admin Integrity Level: MEDIUM Version: 1.0.0.0 Modules
| |||||||||||||||
| 5072 | "C:\Windows\System32\shutdown.exe" -r -t 03 | C:\Windows\System32\shutdown.exe | — | wscript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Shutdown and Annotation Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6700 | "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4" | C:\Program Files (x86)\Windows Media Player\setup_wm.exe | — | wmplayer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Windows Media Configuration Utility Exit code: 0 Version: 12.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6988 | "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon | C:\Windows\SysWOW64\unregmp2.exe | — | wmplayer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Windows Media Player Setup Utility Exit code: 0 Version: 12.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7212 | "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4" | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | — | wscript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Media Player Exit code: 0 Version: 12.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7228 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | shutdown.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7440 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\MrsMajor.7z | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 7564 | "C:\Users\admin\Desktop\MrsMajor 3.0.exe" | C:\Users\admin\Desktop\MrsMajor 3.0.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
Total events
7 939
Read events
7 825
Write events
107
Delete events
7
Modification events
| (PID) Process: | (7668) wscript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System |
| Operation: | write | Name: | ConsentPromptBehaviorAdmin |
Value: 0 | |||
| (PID) Process: | (7440) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (7440) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (7440) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (7440) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\MrsMajor.7z | |||
| (PID) Process: | (7440) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (7440) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (7440) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (7440) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (8164) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system |
| Operation: | write | Name: | wallpaper |
Value: C:\Users\admin\AppData\Local\Temp\@tile@@.jpg | |||
Executable files
5
Suspicious files
52
Text files
77
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7612 | MrsMajor 3.0.exe | C:\Users\admin\AppData\Local\Temp\E2A1.tmp\eulascr.exe | executable | |
MD5:8B1C352450E480D9320FCE5E6F2C8713 | SHA256:2C343174231B55E463CA044D19D47BD5842793C15954583EB340BFD95628516E | |||
| 7928 | BossDaMajor.exe | C:\Users\admin\AppData\Local\Temp\E939.tmp\mrsmajor\def_resource\@Tile@@.jpg | image | |
MD5:3E21BCF0D1E7F39D8B8EC2C940489CA2 | SHA256:064F135FCC026A574552F42901B51052345F4B0F122EDD7ACD5F2DCC023160A5 | |||
| 7612 | MrsMajor 3.0.exe | C:\Users\admin\AppData\Local\Temp\E2A1.tmp\AgileDotNet.VMRuntime.dll | executable | |
MD5:266373FADD81120BAEAE3504E1654A5A | SHA256:0798779DC944BA73C5A9CE4B8781D79F5DD7B5F49E4E8EF75020DE665BAD8CCB | |||
| 7612 | MrsMajor 3.0.exe | C:\Users\admin\AppData\Local\Temp\E2A1.tmp\E2A2.tmp\E2A3.vbs | binary | |
MD5:3B8696ECBB737AAD2A763C4EAF62C247 | SHA256:CE95F7EEA8B303BC23CFD6E41748AD4E7B5E0F0F1D3BDF390EADB1E354915569 | |||
| 7928 | BossDaMajor.exe | C:\Users\admin\AppData\Local\Temp\E939.tmp\E93A.vbs | text | |
MD5:5706BC5D518069A3B2BE5E6FAC51B12F | SHA256:8A74EEAD47657582C84209EB4CDBA545404D9C67DD288C605515A86E06DE0AAD | |||
| 7928 | BossDaMajor.exe | C:\Users\admin\AppData\Local\Temp\E939.tmp\mrsmajor\CPUUsage.vbs | text | |
MD5:0E4C01BF30B13C953F8F76DB4A7E857D | SHA256:28E69E90466034CE392E84DB2BDE3AD43AD556D12609E3860F92016641B2A738 | |||
| 7928 | BossDaMajor.exe | C:\Users\admin\AppData\Local\Temp\E939.tmp\mrsmajor\def_resource\Skullcur.cur | binary | |
MD5:CEA57C3A54A04118F1DB9DB8B38EA17A | SHA256:D2B6DB8B28112DA51E34972DEC513278A56783D24B8B5408F11997E9E67D422B | |||
| 7928 | BossDaMajor.exe | C:\Users\admin\AppData\Local\Temp\E939.tmp\mrsmajor\default.txt | text | |
MD5:30CFD8BB946A7E889090FB148EA6F501 | SHA256:E1EBBD3ABFCADDF7D6960708F3CCD8EDA64C944723F0905FF76551C692B94210 | |||
| 7928 | BossDaMajor.exe | C:\Users\admin\AppData\Local\Temp\E939.tmp\mrsmajor\Launcher.vbs | text | |
MD5:B5A1C9AE4C2AE863AC3F6A019F556A22 | SHA256:6F0BB8CC239AF15C9215867D6225C8FF344052AAA0DEEB3452DBF463B8C46529 | |||
| 7928 | BossDaMajor.exe | C:\Users\admin\AppData\Local\Temp\E939.tmp\mrsmajor\def_resource\f11.mp4 | binary | |
MD5:17042B9E5FC04A571311CD484F17B9EB | SHA256:A9B0F1F849E0B41924F5E80B0C4948E63FC4B4F335BBDF0F997B03A3AFF55424 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
85
TCP/UDP connections
56
DNS requests
25
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | POST | 200 | 20.190.160.128:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted |
— | — | POST | 400 | 20.190.160.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
— | — | POST | 400 | 40.126.32.76:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
— | — | POST | 400 | 40.126.32.136:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
— | — | POST | 400 | 20.190.160.64:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
— | — | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | unknown |
— | — | GET | 200 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | compressed | 23.9 Kb | whitelisted |
4896 | SIHClient.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 20.242.39.171:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | — | — | unknown |
4896 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 20.190.160.20:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6544 | svchost.exe | 20.190.160.20:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4896 | SIHClient.exe | 52.149.20.212:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4896 | SIHClient.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4896 | SIHClient.exe | 69.192.161.161:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4896 | SIHClient.exe | 13.95.31.18:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 52.149.20.212:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
login.live.com |
| whitelisted |
wmploc.dll |
| unknown |
slscr.update.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
officeclient.microsoft.com |
| whitelisted |