| File name: | MrsMajor.7z |
| Full analysis: | https://app.any.run/tasks/7c719586-1878-40b3-87d6-6d7d2e36a609 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | May 23, 2025, 19:16:40 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-7z-compressed |
| File info: | 7-zip archive data, version 0.4 |
| MD5: | C9086FDF5A2414BF1DF8BAACA3B5BD1A |
| SHA1: | 071E6309AF8C0D7AC7AF06E95CDD2895375EFEA4 |
| SHA256: | F17D1FB9568BBF2B068500292E0FF149611DBD238A9C478831F3CFF8AF13F124 |
| SSDEEP: | 196608:inxEWRcHgQcgRcZKuNVMxKU3lX+U0f8ZqJhd/aY0ELXwzdPpIVmGUU:MF+1RcZIxKU3l500cJL/p0AXmdPmVv |
MALICIOUS
Generic archive extractor
- WinRAR.exe (PID: 7440)
Creates a new registry key or changes the value of an existing one (SCRIPT)
- wscript.exe (PID: 7668)
- wscript.exe (PID: 7984)
- wscript.exe (PID: 8164)
Uses sleep, probably for evasion detection (SCRIPT)
- wscript.exe (PID: 7984)
- wscript.exe (PID: 8164)
Copies file to a new location (SCRIPT)
- wscript.exe (PID: 8164)
Disables task manager
- wscript.exe (PID: 8164)
Changes the login/logoff helper path in the registry
- wscript.exe (PID: 8164)
Disables Windows Defender
- wscript.exe (PID: 8164)
SUSPICIOUS
Reads the date of Windows installation
- MrsMajor 3.0.exe (PID: 7612)
Reads security settings of Internet Explorer
- MrsMajor 3.0.exe (PID: 7612)
- BossDaMajor.exe (PID: 7928)
- wmplayer.exe (PID: 7212)
- setup_wm.exe (PID: 6700)
Executable content was dropped or overwritten
- MrsMajor 3.0.exe (PID: 7612)
- BossDaMajor.exe (PID: 7928)
- eulascr.exe (PID: 7720)
- wscript.exe (PID: 7984)
Runs WScript without displaying logo
- wscript.exe (PID: 7668)
The process executes VB scripts
- MrsMajor 3.0.exe (PID: 7612)
- wscript.exe (PID: 7984)
- BossDaMajor.exe (PID: 7928)
Runs shell command (SCRIPT)
- wscript.exe (PID: 7668)
- wscript.exe (PID: 7984)
- wscript.exe (PID: 8164)
Application launched itself
- wscript.exe (PID: 7984)
Creates FileSystem object to access computer's file system (SCRIPT)
- wscript.exe (PID: 7984)
- wscript.exe (PID: 8164)
Changes the desktop background image
- wscript.exe (PID: 8164)
Writes binary data to a Stream object (SCRIPT)
- wscript.exe (PID: 8164)
The system shut down or reboot
- wscript.exe (PID: 8164)
SQL CE related mutex has been found
- unregmp2.exe (PID: 1672)
The process executes via Task Scheduler
- PLUGScheduler.exe (PID: 4144)
INFO
Manual execution by a user
- MrsMajor 3.0.exe (PID: 7564)
- MrsMajor 3.0.exe (PID: 7612)
- BossDaMajor.exe (PID: 7872)
- BossDaMajor.exe (PID: 7928)
- notepad.exe (PID: 8120)
- notepad.exe (PID: 8024)
Create files in a temporary directory
- MrsMajor 3.0.exe (PID: 7612)
- BossDaMajor.exe (PID: 7928)
- eulascr.exe (PID: 7720)
- unregmp2.exe (PID: 6988)
- setup_wm.exe (PID: 6700)
Reads the computer name
- MrsMajor 3.0.exe (PID: 7612)
- BossDaMajor.exe (PID: 7928)
- eulascr.exe (PID: 7720)
- wmplayer.exe (PID: 7212)
- setup_wm.exe (PID: 6700)
Process checks computer location settings
- MrsMajor 3.0.exe (PID: 7612)
- BossDaMajor.exe (PID: 7928)
- wmplayer.exe (PID: 7212)
- setup_wm.exe (PID: 6700)
Checks supported languages
- MrsMajor 3.0.exe (PID: 7612)
- eulascr.exe (PID: 7720)
- BossDaMajor.exe (PID: 7928)
- wmplayer.exe (PID: 7212)
- setup_wm.exe (PID: 6700)
Reads the machine GUID from the registry
- eulascr.exe (PID: 7720)
Reads security settings of Internet Explorer
- notepad.exe (PID: 8120)
- wscript.exe (PID: 7984)
- notepad.exe (PID: 8024)
- unregmp2.exe (PID: 6988)
Creates files in the program directory
- wscript.exe (PID: 7984)
- wscript.exe (PID: 8164)
- unregmp2.exe (PID: 1672)
Creates files or folders in the user directory
- unregmp2.exe (PID: 1672)
Checks proxy server information
- setup_wm.exe (PID: 6700)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .7z | | | 7-Zip compressed archive (v0.4) (57.1) |
|---|---|---|
| .7z | | | 7-Zip compressed archive (gen) (42.8) |
EXIF
ZIP
| FileVersion: | 7z v0.04 |
|---|---|
| ModifyDate: | 2025:01:20 03:06:52+00:00 |
| ArchivedFileName: | V1 |
Total processes
428
Monitored processes
20
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1672 | "C:\WINDOWS\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT | C:\Windows\System32\unregmp2.exe | — | unregmp2.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Windows Media Player Setup Utility Exit code: 0 Version: 12.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4144 | "C:\Program Files\RUXIM\PLUGscheduler.exe" | C:\Program Files\RUXIM\PLUGScheduler.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Update LifeCycle Component Scheduler Exit code: 0 Version: 10.0.19041.3623 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5040 | "C:\Program Files\mrsmajor\mrsmjrgui.exe" | C:\Program Files\mrsmajor\MrsMjrGui.exe | — | cmd.exe | |||||||||||
User: admin Integrity Level: MEDIUM Version: 1.0.0.0 Modules
| |||||||||||||||
| 5072 | "C:\Windows\System32\shutdown.exe" -r -t 03 | C:\Windows\System32\shutdown.exe | — | wscript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Shutdown and Annotation Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6700 | "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4" | C:\Program Files (x86)\Windows Media Player\setup_wm.exe | — | wmplayer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Windows Media Configuration Utility Exit code: 0 Version: 12.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6988 | "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon | C:\Windows\SysWOW64\unregmp2.exe | — | wmplayer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Windows Media Player Setup Utility Exit code: 0 Version: 12.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7212 | "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4" | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | — | wscript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Media Player Exit code: 0 Version: 12.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7228 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | shutdown.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7440 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\MrsMajor.7z | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 7564 | "C:\Users\admin\Desktop\MrsMajor 3.0.exe" | C:\Users\admin\Desktop\MrsMajor 3.0.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
Total events
7 939
Read events
7 825
Write events
107
Delete events
7
Modification events
| (PID) Process: | (7668) wscript.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System |
| Operation: | write | Name: | ConsentPromptBehaviorAdmin |
Value: 0 | |||
| (PID) Process: | (7440) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (7440) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (7440) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (7440) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\MrsMajor.7z | |||
| (PID) Process: | (7440) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (7440) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (7440) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (7440) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (8164) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system |
| Operation: | write | Name: | wallpaper |
Value: C:\Users\admin\AppData\Local\Temp\@tile@@.jpg | |||
Executable files
5
Suspicious files
52
Text files
77
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7612 | MrsMajor 3.0.exe | C:\Users\admin\AppData\Local\Temp\E2A1.tmp\AgileDotNet.VMRuntime.dll | executable | |
MD5:266373FADD81120BAEAE3504E1654A5A | SHA256:0798779DC944BA73C5A9CE4B8781D79F5DD7B5F49E4E8EF75020DE665BAD8CCB | |||
| 7928 | BossDaMajor.exe | C:\Users\admin\AppData\Local\Temp\E939.tmp\mrsmajor\default.txt | text | |
MD5:30CFD8BB946A7E889090FB148EA6F501 | SHA256:E1EBBD3ABFCADDF7D6960708F3CCD8EDA64C944723F0905FF76551C692B94210 | |||
| 7928 | BossDaMajor.exe | C:\Users\admin\AppData\Local\Temp\E939.tmp\mrsmajor\def_resource\Skullcur.cur | binary | |
MD5:CEA57C3A54A04118F1DB9DB8B38EA17A | SHA256:D2B6DB8B28112DA51E34972DEC513278A56783D24B8B5408F11997E9E67D422B | |||
| 7928 | BossDaMajor.exe | C:\Users\admin\AppData\Local\Temp\E939.tmp\mrsmajor\DreS_X.bat | text | |
MD5:BA81D7FA0662E8EE3780C5BECC355A14 | SHA256:2590879A8CD745DBBE7AD66A548F31375CCFB0F8090D56B5E4BD5909573AC816 | |||
| 7928 | BossDaMajor.exe | C:\Users\admin\AppData\Local\Temp\E939.tmp\mrsmajor\def_resource\creepysound.mp3 | binary | |
MD5:4A9B1D8A8FE8A75C81DDBA3E411DDC5D | SHA256:79E9A3611494B5FFAFAA79788BA7E11DD218E3800C40B56684CCC0C33AB64EAC | |||
| 7928 | BossDaMajor.exe | C:\Users\admin\AppData\Local\Temp\E939.tmp\mrsmajor\def_resource\@Tile@@.jpg | image | |
MD5:3E21BCF0D1E7F39D8B8EC2C940489CA2 | SHA256:064F135FCC026A574552F42901B51052345F4B0F122EDD7ACD5F2DCC023160A5 | |||
| 7612 | MrsMajor 3.0.exe | C:\Users\admin\AppData\Local\Temp\E2A1.tmp\eulascr.exe | executable | |
MD5:8B1C352450E480D9320FCE5E6F2C8713 | SHA256:2C343174231B55E463CA044D19D47BD5842793C15954583EB340BFD95628516E | |||
| 7720 | eulascr.exe | C:\Users\admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll | executable | |
MD5:42B2C266E49A3ACD346B91E3B0E638C0 | SHA256:ADEED015F06EFA363D504A18ACB671B1DB4B20B23664A55C9BC28AEF3283CA29 | |||
| 7928 | BossDaMajor.exe | C:\Users\admin\AppData\Local\Temp\E939.tmp\mrsmajor\CPUUsage.vbs | text | |
MD5:0E4C01BF30B13C953F8F76DB4A7E857D | SHA256:28E69E90466034CE392E84DB2BDE3AD43AD556D12609E3860F92016641B2A738 | |||
| 7928 | BossDaMajor.exe | C:\Users\admin\AppData\Local\Temp\E939.tmp\E93A.vbs | text | |
MD5:5706BC5D518069A3B2BE5E6FAC51B12F | SHA256:8A74EEAD47657582C84209EB4CDBA545404D9C67DD288C605515A86E06DE0AAD | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
85
TCP/UDP connections
56
DNS requests
25
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | POST | 200 | 20.190.160.128:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted |
— | — | POST | 400 | 20.190.160.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
— | — | POST | 400 | 40.126.32.76:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
— | — | POST | 400 | 40.126.32.136:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
— | — | POST | 400 | 20.190.160.64:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
— | — | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
— | — | GET | 200 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | compressed | 23.9 Kb | whitelisted |
— | — | GET | 200 | 20.242.39.171:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | — | — | — |
4896 | SIHClient.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4896 | SIHClient.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 20.190.160.20:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6544 | svchost.exe | 20.190.160.20:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4896 | SIHClient.exe | 52.149.20.212:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4896 | SIHClient.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4896 | SIHClient.exe | 69.192.161.161:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4896 | SIHClient.exe | 13.95.31.18:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 52.149.20.212:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
login.live.com |
| whitelisted |
wmploc.dll |
| unknown |
slscr.update.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
officeclient.microsoft.com |
| whitelisted |