Malware Analysis Report

2025-08-05 19:15

Sample ID 240526-fnlhcsgf33
Target f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd
SHA256 f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd

Threat Level: Known bad

The file f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 05:01

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 05:01

Reported

2024-05-26 05:03

Platform

win7-20240508-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

(64 identical rows collapsed; Hits = number of rows reported for that process)
Description | Indicator | Process | Target | Hits
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe | N/A | 1
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A | 33
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A | 30

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

(28 rows collapsed; Hits = number of identical rows reported for that source/target pair)
Description | Indicator | Process | Target | Hits
PID 2348 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe | \??\c:\windows\system\explorer.exe | 4
PID 2804 wrote to memory of 2748 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe | 4
PID 2748 wrote to memory of 2708 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe | 4
PID 2708 wrote to memory of 2764 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | 4
PID 2708 wrote to memory of 2976 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 4
PID 2708 wrote to memory of 1636 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 4
PID 2708 wrote to memory of 1804 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 4

Processes

C:\Users\Admin\AppData\Local\Temp\f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe

"C:\Users\Admin\AppData\Local\Temp\f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 05:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 05:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 05:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/2348-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2348-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2348-2-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2348-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2348-3-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\explorer.exe

MD5 e2fc5fe7308dddf832f20c30d3f247df
SHA1 12890a6414f4ea3da1635c9c160cf363b44db86d
SHA256 7e3f0652435906635920a4e122dc9ab209d21cc19732b34426026de01ba5f812
SHA512 be99df12be330784121ff063d33c3b5d7fcb8122462192df4360b08e3ff33b85cc5d00e9e4a644951ed5e7b7760bca884d853fe6d505de20e0f3451d624b97a5

memory/2348-17-0x00000000025C0000-0x00000000025F1000-memory.dmp

memory/2804-21-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2804-20-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2804-18-0x0000000072940000-0x0000000072A93000-memory.dmp

\Windows\system\spoolsv.exe

MD5 060cd3198957053f85574fa1223bb9af
SHA1 6c8e9fa47fe0f74a06eee2927873b7062bbc11b4
SHA256 02ee1759c905f190da1638f759c4a686d78bbd6fe3128072dc851bdb7a2ef7c9
SHA512 237f9785578c4c86caeea24e0a0034c7e8d6ea423960d590d4d5fd14badce7d5fdcfaf20a62f54d8191017de9eae689778715e304de1d6f9882925fa61f71ee5

memory/2804-35-0x0000000002560000-0x0000000002591000-memory.dmp

memory/2748-36-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2748-40-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\svchost.exe

MD5 8fdfe5f247033887969657cb3caae9c5
SHA1 ed5fe1a2e2b8b59e6de72cae29e5b502c40c3f11
SHA256 cdd12e878a328f4378f30862e6d76558932f7f831a67fc9a95aa6edae93cab17
SHA512 71fe9a9d9c4b336ffb9f1837c29bd3bc47718a10d491da95a68ba71e7f315f1a0d5f97bb90ed8d7941abb1667fb3d3177123a0888b6be01d948fc8a7094198f9

memory/2748-56-0x0000000001CD0000-0x0000000001D01000-memory.dmp

memory/2708-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2708-52-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2708-62-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2764-65-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2348-64-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2764-66-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2764-71-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2748-75-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2348-78-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2348-77-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 cfbaed00aedd9bd8f959b55f78f893f0
SHA1 ffe7818592a9c4f2f12b4f845c22429a11d49546
SHA256 5f251c8f9d95bb7a772c3a48305718a511c2a027afc8bb5054d9ab684637bfea
SHA512 45b4ff77f60847e527369337756aebb63c85897a73f1c1b65e66fdbf0072c13adf087d99858e450e000607a945ce6d501bf357fe3140dd7936f9043432eccecd

memory/2804-80-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2708-82-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2804-91-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 05:01

Reported

2024-05-26 05:03

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

(64 identical rows collapsed; Hits = number of rows reported for that process)
Description | Indicator | Process | Target | Hits
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe | N/A | 2
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A | 33
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A | 29

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

(21 rows collapsed; Hits = number of identical rows reported for that source/target pair)
Description | Indicator | Process | Target | Hits
PID 4352 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Local\Temp\f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe | \??\c:\windows\system\explorer.exe | 3
PID 4468 wrote to memory of 4932 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe | 3
PID 4932 wrote to memory of 4900 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe | 3
PID 4900 wrote to memory of 740 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | 3
PID 4900 wrote to memory of 4276 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 3
PID 4900 wrote to memory of 788 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 3
PID 4900 wrote to memory of 3412 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 3

Processes

C:\Users\Admin\AppData\Local\Temp\f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe

"C:\Users\Admin\AppData\Local\Temp\f8e6c30e2251d270b63046794d67a9aa8a801b04315590b18b34450cfe17f0bd.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 05:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 05:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 05:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

memory/4352-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/4352-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4352-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4352-2-0x0000000075430000-0x000000007558D000-memory.dmp

memory/4352-4-0x0000000000401000-0x000000000042E000-memory.dmp

\??\c:\windows\system\explorer.exe

MD5 8b2f5b0cf349fb62581f2ca78f8f5e29
SHA1 8f8fdc8e4ebaa05d0ca87bf05129e378c8a6e8e5
SHA256 c77487d144e75d4a1bdf24456f79c91cd968e7519c9535e1a569271dcb3dfbb7
SHA512 16a928cf75263711634cbd8ec0f7ef51cc5083ba7a22b6ad78afe858494b4df3e46d26c1392f88c6c7a3a0fbb93f2214b29158514d315cc31c88592d85344d58

memory/4468-13-0x0000000075430000-0x000000007558D000-memory.dmp

memory/4468-16-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4468-15-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 568215ced9d00583e162420c8e5eb6c1
SHA1 341c4ec5565e50318bfd3d95f38abeada71de8c0
SHA256 f26d8a57a96cac840f7870439908808d334d41620fbbeaed0f789cd631dafbfd
SHA512 f46fb3b056a9a64506e69bc1cf13b489be8e7c25e653a1c3190ebcd20156fe325fe311fb2d7177ca3f8e749b2f89e49c0c6d837166fbf69d3680ce11fb47cc5f

memory/4932-24-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4932-26-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4932-27-0x0000000075430000-0x000000007558D000-memory.dmp

memory/4932-32-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\svchost.exe

MD5 f03cee8302b52d2d0ee3d527ba81d2e0
SHA1 47a8ecc6a07eeef65f4b51117ad6988aa3fdd38d
SHA256 f9ed1e3065653ec0c9d766ab7daf1639d44308147905dc058bf6d977f36ed281
SHA512 2b4b7a395ae25e2c93a9aa57b348d58c9d595b0874a4105e79c0fe98ed8424311954d51c3af768039f9021e114e035feaf0e7fe1f6e3500d7be6d9d41741f297

memory/4900-38-0x0000000075430000-0x000000007558D000-memory.dmp

memory/4900-42-0x0000000000400000-0x0000000000431000-memory.dmp

memory/740-46-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4352-45-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/740-47-0x0000000075430000-0x000000007558D000-memory.dmp

memory/4932-56-0x0000000000400000-0x0000000000431000-memory.dmp

memory/740-54-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4352-57-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4352-58-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 4e7d2cf43358b76f6bbe8c4ab5de8f0a
SHA1 43256f66588b2682bd3c4264c3da64d3d4ccabd0
SHA256 68180bd2f828a9cf9c78cbb96f2d10ef931e524c586f1f79671ebd549130aa17
SHA512 e91bf3e815ead4e235ce19bb1d100ed7f06d22cb466eb43983b0dcd057b023b41d0292d43080e98f1793eeed69594308aa1036c0b07af6474618b23c7893b626

memory/4468-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4900-62-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4468-71-0x0000000000400000-0x0000000000431000-memory.dmp

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e