Malware Analysis Report

2025-03-14 22:27

Sample ID 240407-29h51shf47
Target 8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b
SHA256 8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b

Threat Level: Known bad

The file 8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:16

Reported

2024-04-07 23:19

Platform

win7-20240221-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1224 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe \??\c:\windows\system\explorer.exe
PID 1224 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe \??\c:\windows\system\explorer.exe
PID 1224 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe \??\c:\windows\system\explorer.exe
PID 1224 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe \??\c:\windows\system\explorer.exe
PID 2956 wrote to memory of 2492 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2956 wrote to memory of 2492 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2956 wrote to memory of 2492 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2956 wrote to memory of 2492 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2492 wrote to memory of 2488 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2492 wrote to memory of 2488 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2492 wrote to memory of 2488 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2492 wrote to memory of 2488 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2488 wrote to memory of 3068 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2488 wrote to memory of 3068 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2488 wrote to memory of 3068 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2488 wrote to memory of 3068 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2488 wrote to memory of 1488 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2488 wrote to memory of 1488 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2488 wrote to memory of 1488 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2488 wrote to memory of 1488 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2488 wrote to memory of 636 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2488 wrote to memory of 636 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2488 wrote to memory of 636 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2488 wrote to memory of 636 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2488 wrote to memory of 1788 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2488 wrote to memory of 1788 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2488 wrote to memory of 1788 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2488 wrote to memory of 1788 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe

"C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 23:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 23:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 23:21 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
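The Processes list above, read together with the WriteProcessMemory rows, gives the spawn chain: the sample starts its copy c:\windows\system\explorer.exe, which starts spoolsv.exe SE, which starts svchost.exe, which in turn starts spoolsv.exe PR and three at.exe jobs. The jobs are scheduled one minute apart beginning at the minute the run was reported (23:19), each /interactive and /every on all seven days, so the copy relaunches daily (ATT&CK Scheduled Task/Job: At). Note that the at service only exists on the win7 image: Windows 8 and later refuse at.exe with a deprecation message, so on current hosts the equivalent to hunt for is a Task Scheduler entry. As an added example that is not part of the sandbox report, the Python below collapses the repeated WriteProcessMemory rows into parent/child edges, renders the tree, and parses the at command lines into schedule records; the same parser applies to the behavioral2 rows (PID 380, 1992, 2280). Pairing command lines with PIDs by order of first appearance is an assumption about the report's ordering.

```python
import re
from collections import OrderedDict

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe")

# Rows copied from the "Suspicious use of WriteProcessMemory" table above. The sandbox
# records every parent->child write four times; the parser collapses the repeats.
WPM_ROWS = (
    ["PID 1224 wrote to memory of 2956 N/A " + SAMPLE_EXE + r" \??\c:\windows\system\explorer.exe"] * 4
    + [r"PID 2956 wrote to memory of 2492 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe"] * 4
    + [r"PID 2492 wrote to memory of 2488 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe"] * 4
    + [r"PID 2488 wrote to memory of 3068 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe"] * 4
    + [r"PID 2488 wrote to memory of 1488 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe"] * 4
    + [r"PID 2488 wrote to memory of 636 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe"] * 4
    + [r"PID 2488 wrote to memory of 1788 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe"] * 4
)

# Command lines from the Processes section, in the order the report lists them.
# Assumption: that order is spawn order, so they pair with child PIDs by first appearance.
PROCESS_CMDLINES = [
    '"' + SAMPLE_EXE + '"',
    r"c:\windows\system\explorer.exe",
    r"c:\windows\system\spoolsv.exe SE",
    r"c:\windows\system\svchost.exe",
    r"c:\windows\system\spoolsv.exe PR",
    r"at 23:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
    r"at 23:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
    r"at 23:21 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
AT_RE = re.compile(r"^at (\d{1,2}:\d{2})((?: /\S+)*) (.+)$")
ALL_DAYS = {"M", "T", "W", "Th", "F", "S", "Su"}


def parse_wpm(rows):
    """Unique (ppid, pid, parent_image, child_image) edges in first-seen order."""
    edges = OrderedDict()
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            raise ValueError("unrecognised row: " + row)
        ppid, pid, parent, child = m.groups()
        edges.setdefault((int(ppid), int(pid)), (parent, child))
    return [(pp, p, par, ch) for (pp, p), (par, ch) in edges.items()]


def root_pid(edges):
    roots = {e[0] for e in edges} - {e[1] for e in edges}
    if len(roots) != 1:
        raise ValueError("expected one root process, found %r" % sorted(roots))
    return roots.pop()


def children_of(edges, ppid):
    return [e[1] for e in edges if e[0] == ppid]


def render_tree(edges, cmdlines):
    """Indented PID/command-line tree; see the ordering assumption on PROCESS_CMDLINES."""
    order = [root_pid(edges)] + [e[1] for e in edges]
    cmd_by_pid = dict(zip(order, cmdlines))
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + "%d  %s" % (pid, cmd_by_pid.get(pid, "?")))
        for child in children_of(edges, pid):
            walk(child, depth + 1)

    walk(order[0], 0)
    return lines


def parse_at(cmdline):
    """Split an at.exe invocation into time, flags, repeat days and the scheduled command."""
    m = AT_RE.match(cmdline)
    if not m:
        return None
    flags = m.group(2).split()
    job = {"time": m.group(1), "interactive": "/interactive" in flags, "days": [], "command": m.group(3)}
    for f in flags:
        if f.lower().startswith("/every:"):
            job["days"] = f.split(":", 1)[1].split(",")
    return job


def runs_every_day(job):
    return set(job["days"]) == ALL_DAYS


def scheduled_jobs(cmdlines):
    return [j for j in map(parse_at, cmdlines) if j]


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    print("\n".join(render_tree(edges, PROCESS_CMDLINES)))
    for job in scheduled_jobs(PROCESS_CMDLINES):
        print(job["time"], "daily" if runs_every_day(job) else job["days"], job["command"])
```

Running the block prints the eight-process tree with svchost.exe (PID 2488) as the parent of the second spoolsv.exe and of all three at.exe invocations, then one line per job marked "daily". On a live Windows 7 host the same schedule shows up as .job files under C:\Windows\Tasks and in the output of `at` with no arguments.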

Network

N/A

Files

memory/1224-0-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1224-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

\Windows\system\explorer.exe

MD5 96cd97d1fad8287b2eda99e0e415a590
SHA1 d53dc9b372bb2fafdfe2c9de009e7fa7308c4694
SHA256 2a51748432b47607ed9f5c981af42299b1dc50ee86ba9550a3a2684ccd75d512
SHA512 aae27c1e4f1f38f65bb9299ec6440f07a2974d65edb6423690b00e5ae43125ea5a3e3b92d804576312aa172027fbbb1320a02c0c60d480fb3a6c5186200eaee8

memory/1224-14-0x0000000005360000-0x00000000060B6000-memory.dmp

memory/2956-15-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1224-17-0x0000000005360000-0x00000000060B6000-memory.dmp

memory/2956-18-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

\Windows\system\spoolsv.exe

MD5 df2cf1dbb6eb5b70c9e7f2a6069197b7
SHA1 445e2faf692e0ea7e5f92144ed3e83bde8809a44
SHA256 5f0329dcd30623ddc085fc22268e192d7799f4f3a814a8392283fd0caf5ef111
SHA512 ec461a6bcc31d4438455e69b96f1d87bbeef5f0fa684340657d3cabfeb6f7dfbad0c86b7ddfa258c6585e8e66e1dc0775d468e9004d67964e68275a176fa6bb5

memory/2956-32-0x0000000005260000-0x0000000005FB6000-memory.dmp

memory/2492-38-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2492-39-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

\Windows\system\svchost.exe

MD5 eec21fd191c9b3e64098eb75cec30423
SHA1 abf611929b9793592e11f530c59422dddd12a0f3
SHA256 02c04ed6b78f099d2f10bf75fdab612198e68dd10f5cd0e5f3d28cb6cfdce5fa
SHA512 5c052a9567c8ec55abb480836060b512378a0856a1ef1084ae273dd9c00815a1264807719b3c63662993e481c0881c313399087c985d34caa0f4e81bdb7e32bc

memory/2492-48-0x0000000005160000-0x0000000005EB6000-memory.dmp

memory/2488-49-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2488-50-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/1224-57-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2488-61-0x0000000004FB0000-0x0000000005D06000-memory.dmp

memory/3068-63-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/3068-62-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2488-68-0x0000000004FB0000-0x0000000005D06000-memory.dmp

memory/1224-67-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1224-69-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/2492-66-0x0000000000400000-0x0000000001156000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 3b8e23123dc1c04b3d67acf1a250e372
SHA1 1008823610ab7ab5a4c5222d6e6ca17522921cc2
SHA256 36013f5647499e668f2d59bbbba5923b66b08b5bb300482998f12bddf7a76252
SHA512 7fb0f619ddfb4896769221689bf1362f16ff820f59a6b4ba12a67e0b90023bc613d540dabb64b97d14dd1cbf0662016d0cdba6db8926f84fc7e5572a58e2db00

memory/2956-71-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2488-72-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2956-73-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2488-74-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2488-75-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2956-76-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2488-77-0x0000000004FB0000-0x0000000005D06000-memory.dmp

memory/3068-78-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2956-80-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2488-81-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2956-82-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2488-83-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2956-84-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2488-85-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2956-86-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2488-87-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2956-88-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2488-89-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2956-90-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2488-91-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2956-92-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2488-93-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2956-94-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2488-95-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2956-96-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2488-97-0x0000000000400000-0x0000000001156000-memory.dmp

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2956-99-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2488-100-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2956-101-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2488-102-0x0000000000400000-0x0000000001156000-memory.dmp
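The Files list above mixes three kinds of entry: memory dumps named memory/<pid>-<n>-<start>-<end>-memory.dmp, dropped PE files with their digests, and the named pipe \??\PIPE\atsvc, whose four digests are exactly those of zero-length input (the sandbox hashed the handle, not any content) and must not be shipped as a file indicator. Note also that every dropped copy, explorer.exe, spoolsv.exe, svchost.exe and mrsys.exe, carries a different SHA256 from the submitted sample and from each other, so the bytes change on every copy and hash indicators from one detonation are weak; the paths and registry values are the durable indicators. The dump names add one more observation: each process has the 0x400000-0x1156000 image region plus a second region of exactly the same size at a varying base, consistent with each process holding an in-memory copy of its own image. As an added example that is not part of the report, the Python below parses the section, drops empty-digest entries, collects dropped-file IOCs and extracts those regions. FILES_SECTION is an excerpt copied from the list above, trimmed to MD5/SHA256 and to the dumps of PIDs 1224 and 2956.

```python
import hashlib
import re

SAMPLE_SHA256 = "8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b"

# Excerpt copied from the Files list above (MD5/SHA256 only, two PIDs' dumps).
FILES_SECTION = r"""
memory/1224-0-0x0000000000400000-0x0000000001156000-memory.dmp
memory/1224-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp
memory/1224-14-0x0000000005360000-0x00000000060B6000-memory.dmp
\Windows\system\explorer.exe
MD5 96cd97d1fad8287b2eda99e0e415a590
SHA256 2a51748432b47607ed9f5c981af42299b1dc50ee86ba9550a3a2684ccd75d512
memory/2956-15-0x0000000000400000-0x0000000001156000-memory.dmp
memory/2956-18-0x000000007EBD0000-0x000000007EFA1000-memory.dmp
memory/2956-32-0x0000000005260000-0x0000000005FB6000-memory.dmp
\Windows\system\spoolsv.exe
MD5 df2cf1dbb6eb5b70c9e7f2a6069197b7
SHA256 5f0329dcd30623ddc085fc22268e192d7799f4f3a814a8392283fd0caf5ef111
\Windows\system\svchost.exe
MD5 eec21fd191c9b3e64098eb75cec30423
SHA256 02c04ed6b78f099d2f10bf75fdab612198e68dd10f5cd0e5f3d28cb6cfdce5fa
C:\Users\Admin\AppData\Roaming\mrsys.exe
MD5 3b8e23123dc1c04b3d67acf1a250e372
SHA256 36013f5647499e668f2d59bbbba5923b66b08b5bb300482998f12bddf7a76252
\??\PIPE\atsvc
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Digests of zero bytes: an entry carrying these was never read, only opened.
EMPTY_DIGESTS = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
    "SHA512": hashlib.sha512(b"").hexdigest(),
}
IMAGE_BASE = 0x400000  # default 32-bit PE image base; every process here is dumped there


def parse_files_section(text):
    """Group the flattened listing into ({path: {algo: digest}}, [dump names])."""
    files, dumps, current = {}, [], None
    for line in text.strip().splitlines():
        line = line.strip()
        m = HASH_RE.match(line)
        if not line:
            continue
        if m:
            if current is None:
                raise ValueError("digest before any path: " + line)
            files[current][m.group(1)] = m.group(2)
        elif DUMP_RE.match(line):
            dumps.append(line)
            current = None
        else:
            current = line
            files[current] = {}
    return files, dumps


def is_empty_content(digests):
    return bool(digests) and all(EMPTY_DIGESTS[a] == d for a, d in digests.items())


def dropped_file_iocs(files):
    """Real dropped files as IOC records; handle-only entries (empty digests) are skipped."""
    iocs, skipped = [], []
    for path, digests in files.items():
        if is_empty_content(digests):
            skipped.append(path)
        else:
            iocs.append({"path": path, **digests})
    return iocs, skipped


def distinct_sha256(iocs):
    return {i["SHA256"] for i in iocs if "SHA256" in i}


def dump_regions(dumps):
    """(pid, base, size) for each memory dump name."""
    out = []
    for d in dumps:
        m = DUMP_RE.match(d)
        pid, base, end = int(m.group(1)), int(m.group(3), 16), int(m.group(4), 16)
        out.append((pid, base, end - base))
    return out


def image_sized_copies(regions):
    """Per PID, the bases of regions whose size equals that PID's image region at IMAGE_BASE."""
    by_pid = {}
    for pid, base, size in regions:
        by_pid.setdefault(pid, []).append((base, size))
    result = {}
    for pid, regs in by_pid.items():
        image = [s for b, s in regs if b == IMAGE_BASE]
        if image:
            result[pid] = sorted(b for b, s in regs if s == image[0])
    return result


if __name__ == "__main__":
    files, dumps = parse_files_section(FILES_SECTION)
    iocs, skipped = dropped_file_iocs(files)
    for i in iocs:
        print(i["path"], i.get("SHA256"))
    print("skipped (no content hashed):", skipped)
    print("image-sized regions per PID:", {p: [hex(b) for b in bs] for p, bs in image_sized_copies(dump_regions(dumps)).items()})
```

The four dropped files come out with four distinct SHA256 values, none equal to the submitted sample, and the pipe entry lands in the skipped list; the final line shows PIDs 1224 and 2956 each holding a 0xD56000-byte region at 0x400000 and at a second base.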

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:16

Reported

2024-04-07 23:19

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
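The four registry tables in this section and their behavioral1 counterparts describe the same three persistence hooks, Winlogon Shell (ATT&CK Winlogon Helper), Active Setup StubPath and RunOnce, plus the ShowSuperHidden change that hides the dropped files in the legacy c:\windows\system directory from Explorer; the only differences between the two runs are the casing of Wow6432Node and the user SID. As an added example, not part of the sandbox report, the Python below parses rows in the report's own "Set value (...) <key> = "<value>" <process> <target>" layout into records and applies the checks an analyst would run on them, or on a live host's registry: whether Winlogon\Shell still names only explorer.exe (Winlogon launches every comma-separated entry), whether an Active Setup component ID is even a syntactically valid GUID (both IDs in this report contain letters outside 0-9A-F, which no genuine component has), and whether a Run/RunOnce command lives outside an allow-list of install locations. SAMPLE_ROWS are copied from the behavioral1 and behavioral2 tables; the allow-list of prefixes is an assumption.

```python
import re
from dataclasses import dataclass

# Rows copied from the "Modifies WinLogon", "Modifies visibility", "Modifies Installed
# Components" and "Adds Run key" tables of behavioral1 and behavioral2 above. The sandbox
# escapes backslashes inside the quoted value; the parser undoes that.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A',
]

ROW_RE = re.compile(
    r'^Set value \((?P<type>str|int)\) (?P<key>\\REGISTRY\\.*?) = "(?P<value>.*?)" (?P<process>\S+) (?P<target>\S+)$'
)
# Genuine Active Setup component IDs are hex GUIDs; {F146C9B1-VMVQ-...} cannot be one.
GUID_RE = re.compile(r'^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.I)
# Assumption: where legitimate autostart commands are allowed to live on this estate.
DEFAULT_ALLOWED = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
DEFAULT_SHELLS = ("explorer.exe", "c:\\windows\\explorer.exe")


@dataclass
class Finding:
    rule: str
    key: str
    value: str
    process: str


def parse_row(row):
    m = ROW_RE.match(row)
    if not m:
        raise ValueError("unrecognised row: " + row)
    rec = m.groupdict()
    rec["value"] = rec["value"].replace("\\\\", "\\")
    return rec


def check_winlogon_shell(rec):
    """Winlogon\\Shell is a comma-separated list and Winlogon launches every entry;
    return the entries that are not the stock shell."""
    progs = [p.strip().lower() for p in rec["value"].split(",")]
    return [p for p in progs if p not in DEFAULT_SHELLS]


def triage(rows, allowed_prefixes=DEFAULT_ALLOWED):
    findings = []
    for row in rows:
        rec = parse_row(row)
        key = rec["key"].lower()  # registry paths are case-insensitive (Wow6432Node vs WOW6432Node)
        if key.endswith("\\winlogon\\shell"):
            for extra in check_winlogon_shell(rec):
                findings.append(Finding("winlogon-shell-extra-program", rec["key"], extra, rec["process"]))
        elif key.endswith("\\explorer\\advanced\\showsuperhidden") and rec["value"] == "0":
            findings.append(Finding("explorer-hides-system-files", rec["key"], rec["value"], rec["process"]))
        elif "\\active setup\\installed components\\{" in key and key.endswith("\\stubpath"):
            guid = rec["key"].split("\\")[-2]
            if not GUID_RE.match(guid):
                findings.append(Finding("active-setup-malformed-guid", rec["key"], guid, rec["process"]))
            findings.append(Finding("active-setup-stubpath", rec["key"], rec["value"], rec["process"]))
        elif "\\currentversion\\run\\" in key or "\\currentversion\\runonce\\" in key:
            if not rec["value"].lower().startswith(allowed_prefixes):
                findings.append(Finding("run-key-outside-allowlist", rec["key"], rec["value"], rec["process"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f.rule:32} {f.value!r:60} by {f.process}")
```

The five rows yield six findings: the appended c:\windows\system\explorer.exe in the Shell value (once per writing process), the ShowSuperHidden change, the malformed component ID together with its StubPath command under AppData\Roaming, and the RunOnce command in c:\windows\system, which is not system32 and so falls outside the allow-list. The Active Setup hook is worth a dedicated check on hosts because StubPath runs at the next logon of any user whose HKCU copy of the component key is missing, so it survives a cleanup that only touches Run keys.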

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 380 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe \??\c:\windows\system\explorer.exe
PID 380 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe \??\c:\windows\system\explorer.exe
PID 380 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe \??\c:\windows\system\explorer.exe
PID 1992 wrote to memory of 2280 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 2280 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 2280 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2280 wrote to memory of 1416 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2280 wrote to memory of 1416 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2280 wrote to memory of 1416 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1416 wrote to memory of 3996 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1416 wrote to memory of 3996 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1416 wrote to memory of 3996 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1416 wrote to memory of 2524 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1416 wrote to memory of 2524 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1416 wrote to memory of 2524 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1416 wrote to memory of 628 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1416 wrote to memory of 628 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1416 wrote to memory of 628 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1416 wrote to memory of 4780 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1416 wrote to memory of 4780 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1416 wrote to memory of 4780 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe

"C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 23:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 23:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 23:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 130.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/380-0-0x0000000000400000-0x0000000001156000-memory.dmp

memory/380-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

\??\c:\windows\system\explorer.exe

MD5 a80205e66ddb43f5d0b1c127920f97a6
SHA1 92a85095a53e9cfa1787eaee6e5ee02ba3988507
SHA256 48cf84258432d7306eb31fe65e207cd83c204cb5c3bac02addd2159a19879cee
SHA512 d3aeea2c7591597437fcf764e32677bb907b241c863ba04bef86b2bf4b8e90d0f570d35c3f5a931d0b69987ed5472382bf23c7c61864d3aff7eba121c37ab9d7

memory/1992-10-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1992-11-0x000000007FA70000-0x000000007FE41000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 3f467bfda5c756bccb8da68b8b1b2488
SHA1 9c2b20b3ade5b9a089d670583670eb972ef6e35f
SHA256 ef68a2633b83136fc79ce5e8aa9d0e3f3a08ec42633bbc7c6ba55ebe1e69ae3c
SHA512 556cfb176ff5b55011fd0ce9273a8fdca1db14888bec350dab63d97f9b3fe8085e6b6c314508152353306a6b3a73e3bf7efa847d1d2faeb7315204366bcf60fc

memory/2280-20-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2280-21-0x000000007FA70000-0x000000007FE41000-memory.dmp

\??\c:\windows\system\svchost.exe

MD5 01b8978899b4994fa349603a59e0e6b3
SHA1 27d4280b3d2707aae53c09369bd0635282deed66
SHA256 358fbd7abb7ea32b6cbc2fe53a41b97e4d26bda458bd5687082c63c3046fe7bc
SHA512 6a4174bbfe14419fe5ba266b7dc2f0fd5f1cceeea2beb296dc6210fc8f3ec5946676b9d7ca232d2d23dddeb5219d72b66fb9aba7ff6b7d5a76c9b7bd79a20440

memory/1416-30-0x000000007FA70000-0x000000007FE41000-memory.dmp

memory/3996-35-0x0000000000400000-0x0000000001156000-memory.dmp

memory/3996-36-0x000000007FA70000-0x000000007FE41000-memory.dmp

memory/3996-40-0x0000000000400000-0x0000000001156000-memory.dmp

memory/2280-44-0x0000000000400000-0x0000000001156000-memory.dmp

memory/380-43-0x0000000000400000-0x0000000001156000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 47cecd846121bd2570e0989b1b4dc941
SHA1 c140e3cc7193025d04282c802893b2a279894338
SHA256 d731c2a7b1e606f46972be3582f4b082b14a10216564a881a0e74aeaa0b23e69
SHA512 1bd2ce7ba56c313c8e3483203242395b7eacdd0eef4d8324672a265d6abbeae2cfe0029d2160c79109703cb3f65513bef0b04386f257c746c3e680830a14dd56

memory/380-45-0x000000007FA70000-0x000000007FE41000-memory.dmp

memory/1992-47-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1992-48-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1416-49-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1992-50-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1416-51-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1416-52-0x000000007FA70000-0x000000007FE41000-memory.dmp

memory/1992-53-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1416-54-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1992-55-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1416-56-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1992-57-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1416-58-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1992-59-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1416-60-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1992-61-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1416-62-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1992-63-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1416-64-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1992-65-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1416-66-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1992-67-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1416-68-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1992-69-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1416-70-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1992-71-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1416-72-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1992-73-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1416-74-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1992-75-0x0000000000400000-0x0000000001156000-memory.dmp

memory/1416-76-0x0000000000400000-0x0000000001156000-memory.dmp