Malware Analysis Report

2025-06-16 05:39

Sample ID 250520-kffdlaen3x
Target 2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer
SHA256 d2c9c7c9c025566bf2cf270f8b8e3fd6233bba864c623162625313db67fa2c78
Tags
mofksys defense_evasion discovery persistence worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d2c9c7c9c025566bf2cf270f8b8e3fd6233bba864c623162625313db67fa2c78

Threat Level: Known bad

The file 2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer was found to be: Known bad.

Malicious Activity Summary

mofksys defense_evasion discovery persistence worm

Mofksys family

Detects Mofksys worm

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Mofksys

Boot or Logon Autostart Execution: Active Setup

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-20 08:32

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-20 08:32

Reported

2025-05-20 08:34

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe"

Signatures

Detects Mofksys worm

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies WinLogon for persistence

persistence
The Shell value under Winlogon is launched at every interactive logon and accepts a comma-separated list of programs. The worm keeps the legitimate C:\Windows\explorer.exe as the first entry and appends its own copy from c:\windows\system, so the desktop comes up normally while the implant starts alongside it; both dropped binaries write the same value. The write landed in the WOW6432Node view because the sample is a 32-bit process (it launches at.exe from SysWOW64), so confirm on the target build whether the 64-bit Winlogon reads the Shell value from that view before treating this entry as the active persistence path.
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A

Modifies visibility of hidden/system files in Explorer

defense_evasion
ShowSuperHidden = 0 makes Explorer hide files that carry the hidden and system attributes (the "protected operating system files" option). The value is written into the interactive user's hive (S-1-5-21-...-1000) by both dropped binaries.
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Mofksys

worm mofksys

Mofksys family

mofksys

Boot or Logon Autostart Execution: Active Setup

persistence
Active Setup runs a component's StubPath at logon for every user whose HKCU hive lacks a matching Installed Components entry, so each profile that logs on re-executes the hard-coded C:\Users\Admin\AppData\Roaming\mrsys.exe with the argument MR. Neither component name is a well-formed GUID (both contain non-hexadecimal characters), which makes the keys easy to hunt for. The worm deletes and recreates the keys during the run, so registry timelines for this path will show churn rather than a single write.
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
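The two registry techniques above (the comma-separated Winlogon Shell list and the Active Setup StubPath entries) are easy to miss when a detection compares the whole Shell string against "explorer.exe" or trusts anything that looks like a GUID. The following is an added example written for this report, not part of the sandbox's output or of any published tool: it parses "Set value (str)" rows in the flattened table format used above, compares each Shell entry individually with the stock explorer.exe, and flags a StubPath whose component name is not a well-formed GUID or whose program lives in a user-writable directory. The row regex, the GUID pattern, the STOCK_SHELL and USER_WRITABLE lists and the benign control row are this example's assumptions.

```python
"""Registry persistence triage for the Winlogon Shell and Active Setup rows.

Added example for this report, not part of the sandbox's own output or of
any published tool. It parses "Set value (str)" rows in the flattened table
format used above and applies two checks:
  * Winlogon\\Shell is a comma-separated program list, so each entry is
    compared with the stock explorer.exe individually;
  * an Active Setup StubPath is flagged when its component name is not a
    well-formed GUID or when the program sits in a user-writable directory.
ROW_RE, GUID_RE, STOCK_SHELL and USER_WRITABLE are this example's
assumptions about the format, not the sandbox's definitions.
"""
import re

# One report row: Set value (<type>) <key> = "<value>" <process> <target>
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.*?) = "(?P<value>.*)" (?P<proc>\S+) (?P<target>\S+)$'
)
GUID_RE = re.compile(r'^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$', re.I)
# Forms of the default Shell value treated as benign (compared lower-case).
STOCK_SHELL = {'explorer.exe', r'c:\windows\explorer.exe', r'%systemroot%\explorer.exe'}
# Path fragments marking locations an unprivileged user can write to.
USER_WRITABLE = ('\\users\\', '\\appdata\\', '\\programdata\\', '\\temp\\')

# Constructed sample input: one Winlogon row and one StubPath row copied from
# the report above, plus a constructed benign control row (the default Shell
# value written by the 64-bit service host) that must not be flagged.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" C:\Windows\System32\svchost.exe N/A',
]


def parse_row(row):
    """Split a report row into its columns, unescaping the doubled backslashes
    the report uses inside quoted values. Returns None for non-matching rows."""
    m = ROW_RE.match(row)
    if not m:
        return None
    key = m['key'].replace('\\REGISTRY\\MACHINE\\', 'HKLM\\')
    return {
        'key': key.replace('WOW6432Node\\', ''),   # logical key with the view stripped
        'wow64': 'WOW6432Node\\' in key,           # True when written via the 32-bit view
        'value': m['value'].replace('\\\\', '\\'),
        'process': m['proc'],
    }


def program_of(command):
    """Program part of a command string: a quoted path, or the text up to the
    first space (heuristic; an unquoted path containing spaces is truncated)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(' ', 1)[0]


def check_winlogon_shell(value):
    """Entries of the comma-separated Shell list that are not the stock explorer."""
    entries = (e.strip().lower() for e in value.split(','))
    return [e for e in entries if e and e not in STOCK_SHELL]


def check_active_setup(key, value):
    """Reasons an Installed Components\\{id}\\StubPath entry looks planted."""
    component = key.split('\\')[-2]
    reasons = []
    if not GUID_RE.match(component):
        reasons.append(f'component name {component} is not a valid GUID')
    program = program_of(value).lower()
    if any(marker in program for marker in USER_WRITABLE):
        reasons.append(f'StubPath program {program} is in a user-writable directory')
    return reasons


def triage_registry_rows(rows):
    """Return (technique, detail) findings for every row that trips a check."""
    findings = []
    for row in rows:
        rec = parse_row(row)
        if rec is None:
            continue
        lowered = rec['key'].lower()
        where = f"set by {rec['process']}, 32-bit view={rec['wow64']}"
        if lowered.endswith('\\winlogon\\shell'):
            for entry in check_winlogon_shell(rec['value']):
                findings.append(('T1547.004 Winlogon Shell', f'extra shell entry {entry} ({where})'))
        elif lowered.endswith('\\stubpath') and '\\active setup\\installed components\\' in lowered:
            for reason in check_active_setup(rec['key'], rec['value']):
                findings.append(('T1547.014 Active Setup', f'{reason} ({where})'))
    return findings


if __name__ == '__main__':
    for technique, detail in triage_registry_rows(SAMPLE_ROWS):
        print(f'{technique}: {detail}')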

Adds Run key to start application

persistence
Each dropped binary registers both itself and its sibling under HKLM RunOnce (values Svchost and Explorer, argument RO), so the pair of entries is rewritten whenever either copy runs. The values sit in the WOW6432Node view; Run and RunOnce entries in that view are processed at logon on 64-bit Windows, so hunts must read both registry views.
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

The drop directory is c:\windows\system (the legacy directory), not System32: the genuine explorer.exe lives in C:\Windows and the genuine svchost.exe and spoolsv.exe in C:\Windows\System32, so the full image path, not the file name, separates the copies from the originals. Each copy is written by the preceding stage (icsys.icn.exe writes explorer.exe, explorer.exe writes spoolsv.exe, spoolsv.exe writes svchost.exe), and explorer.exe additionally drops udsys.exe.
Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\icsys.icn.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is how a process reads the installed system language. The same key is opened by at.exe and by the original sample, so on its own this is a weak indicator; it is listed for completeness.
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\users\admin\appdata\local\temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\icsys.icn.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\icsys.icn.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\icsys.icn.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

The rows trace the launch chain: the sample (PID 1228) starts a second instance of itself (2136) and icsys.icn.exe (1164); icsys.icn.exe starts c:\windows\system\explorer.exe (3056), which starts spoolsv.exe (6040), which starts svchost.exe (5060); svchost.exe then starts a further spoolsv.exe (1064) and three at.exe jobs (4760, 2632, 1856). The two cmd.exe parents (2856, 4844) correspond to the "cmd.exe /c ... RO" launches in the process list. Every parent/child pair, the benign cmd.exe launches included, shows the same three writes, so this signature records process creation by the parent here and is not by itself evidence of injection into an unrelated process.
Description | Indicator | Process | Target
PID 1228 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe | \??\c:\users\admin\appdata\local\temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe
PID 1228 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe | \??\c:\users\admin\appdata\local\temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe
PID 1228 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe | \??\c:\users\admin\appdata\local\temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe
PID 1228 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe | C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 1228 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe | C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 1228 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe | C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 1164 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\icsys.icn.exe | \??\c:\windows\system\explorer.exe
PID 1164 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\icsys.icn.exe | \??\c:\windows\system\explorer.exe
PID 1164 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\icsys.icn.exe | \??\c:\windows\system\explorer.exe
PID 3056 wrote to memory of 6040 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 3056 wrote to memory of 6040 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 3056 wrote to memory of 6040 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 6040 wrote to memory of 5060 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 6040 wrote to memory of 5060 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 6040 wrote to memory of 5060 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 5060 wrote to memory of 1064 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 5060 wrote to memory of 1064 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 5060 wrote to memory of 1064 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 5060 wrote to memory of 4760 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 5060 wrote to memory of 4760 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 5060 wrote to memory of 4760 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2856 wrote to memory of 4824 | N/A | C:\Windows\system32\cmd.exe | \??\c:\windows\system\explorer.exe
PID 2856 wrote to memory of 4824 | N/A | C:\Windows\system32\cmd.exe | \??\c:\windows\system\explorer.exe
PID 2856 wrote to memory of 4824 | N/A | C:\Windows\system32\cmd.exe | \??\c:\windows\system\explorer.exe
PID 4844 wrote to memory of 4812 | N/A | C:\Windows\system32\cmd.exe | \??\c:\windows\system\svchost.exe
PID 4844 wrote to memory of 4812 | N/A | C:\Windows\system32\cmd.exe | \??\c:\windows\system\svchost.exe
PID 4844 wrote to memory of 4812 | N/A | C:\Windows\system32\cmd.exe | \??\c:\windows\system\svchost.exe
PID 5060 wrote to memory of 2632 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 5060 wrote to memory of 2632 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 5060 wrote to memory of 2632 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 5060 wrote to memory of 1856 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 5060 wrote to memory of 1856 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 5060 wrote to memory of 1856 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe"

\??\c:\users\admin\appdata\local\temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe 

c:\users\admin\appdata\local\temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe 

C:\Users\Admin\AppData\Local\icsys.icn.exe

C:\Users\Admin\AppData\Local\icsys.icn.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO

C:\Windows\SysWOW64\at.exe

at 08:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe RO

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe RO

C:\Windows\SysWOW64\at.exe

at 08:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 08:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
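Two things in the process list above are worth automating: the dropped copies carry the names of genuine Windows binaries but run from c:\windows\system, and the three at.exe jobs schedule the masqueraded svchost.exe to run interactively every day at 08:34, 08:35 and 08:36. The following is an added example for this report, not the sandbox's code: it checks each image path against the directory the genuine binary lives in and parses at.exe command lines of the form "at HH:MM [/interactive] [/every:days] command" into their schedule and target. The LEGIT_DIRS table, the at.exe grammar and the benign control entry are this example's assumptions and should be tuned to the build being hunted.

```python
"""Image-path masquerade and at.exe job parsing for the process list above.

Added example for this report, not part of the sandbox's output. It checks
whether binaries carrying well-known Windows names run from the directory
the genuine binary lives in, and pulls schedule and target out of at.exe
command lines. LEGIT_DIRS and the at.exe grammar in AT_RE
(at <HH:MM> [/interactive] [/every:days] <command>) are this example's
assumptions; tune the directory table to the build you are hunting on.
"""
import re
from pathlib import PureWindowsPath

# Directories where each name legitimately lives on 64-bit Windows 10
# (assumption: compare with a known-good host before relying on it).
LEGIT_DIRS = {
    'explorer.exe': {r'c:\windows'},
    'svchost.exe': {r'c:\windows\system32', r'c:\windows\syswow64'},
    'spoolsv.exe': {r'c:\windows\system32'},
}

AT_RE = re.compile(
    r'^at\s+(?P<time>\d{1,2}:\d{2})\s+(?P<opts>(?:/\S+\s+)*)(?P<command>.+)$', re.I
)

# Constructed sample input: (image, command line) pairs taken from the process
# list above, plus a constructed benign control entry for the genuine 64-bit
# service host, which must not be flagged.
SAMPLE_PROCESSES = [
    (r'\??\c:\windows\system\explorer.exe', r'c:\windows\system\explorer.exe'),
    (r'\??\c:\windows\system\spoolsv.exe', r'c:\windows\system\spoolsv.exe SE'),
    (r'\??\c:\windows\system\svchost.exe', r'c:\windows\system\svchost.exe'),
    (r'C:\Windows\system32\cmd.exe', r'C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO'),
    (r'C:\Windows\SysWOW64\at.exe', r'at 08:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe'),
    (r'C:\Windows\SysWOW64\at.exe', r'at 08:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe'),
    (r'C:\Windows\System32\svchost.exe', r'C:\Windows\System32\svchost.exe -k netsvcs'),
]


def normalize(image):
    """Drop the NT object-manager prefix (\\??\\) the sandbox shows and lower-case."""
    if image.startswith('\\??\\'):
        image = image[4:]
    return image.lower()


def masquerade(image):
    """If the file name is a known system binary running outside its home
    directory, return the expected directories (sorted); otherwise None."""
    path = PureWindowsPath(normalize(image))
    expected = LEGIT_DIRS.get(path.name)
    if expected is None or str(path.parent) in expected:
        return None
    return sorted(expected)


def parse_at(cmdline):
    """Parse an at.exe job line into time, interactive flag, day list and
    command. Returns None for anything that is not an at.exe job line."""
    m = AT_RE.match(cmdline.strip())
    if not m:
        return None
    opts = m['opts'].split()
    every = next((o.split(':', 1)[1] for o in opts if o.lower().startswith('/every:')), '')
    return {
        'time': m['time'],
        'interactive': any(o.lower() == '/interactive' for o in opts),
        'every': every.split(',') if every else [],
        'command': m['command'].strip(),
    }


def triage_processes(processes):
    """Return (kind, detail) findings: 'masquerade' for a system binary name
    in the wrong directory, 'at-job' for each scheduled job, noting when the
    job's target is itself a masqueraded binary."""
    findings = []
    for image, cmdline in processes:
        expected = masquerade(image)
        if expected:
            findings.append(('masquerade', f'{normalize(image)} should live in {expected}'))
        job = parse_at(cmdline)
        if job:
            target = job['command'].split(' ', 1)[0]   # heuristic: program is the first token
            detail = f"{job['time']} every {','.join(job['every']) or 'once'}"
            detail += ' interactive' if job['interactive'] else ''
            detail += f": {job['command']}"
            if masquerade(target):
                detail += ' (target is a masqueraded system binary)'
            findings.append(('at-job', detail))
    return findings


if __name__ == '__main__':
    for kind, detail in triage_processes(SAMPLE_PROCESSES):
        print(f'{kind}: {detail}')
```

On a live host the same checks apply to process-creation telemetry (Sysmon Event ID 1 or EDR equivalents) and to the output of `schtasks /query`, since at.exe jobs appear there as scheduled tasks.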

Network

Only Microsoft Bing and Google PKI endpoints were contacted during the run; no other outbound destination was recorded.

Country | Destination | Domain | Proto
GB | 95.100.153.158:443 | www.bing.com | tcp
GB | 95.100.153.158:443 | www.bing.com | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 216.58.201.99:80 | c.pki.goog | tcp

Files

C:\Users\Admin\AppData\Local\Temp\2025-05-20_c67dd6e6528753aad5cfd228b68d9468_black-basta_cobalt-strike_elex_luca-stealer.exe 

MD5 38f18ebb5b81b4481b732f68d2b9fe90
SHA1 eae6a3ea6b5b8ac5ccafcc6dd0bbdbb07d6ee6c0
SHA256 a27bef270abb8e0649358d89a004573b45156c7a2bb520fb62cfe1f50300145b
SHA512 9c38a92d015f8524b28d5b99c83f6923f2505cd65817e11b8079201148f0299cb38646bdbb8fb5f64c97b178507cf8a851c3edb38fb442f0caebfdc0482c2749

C:\Users\Admin\AppData\Local\icsys.icn.exe

MD5 b03b0c11f7c46b181af61975f0ca255e
SHA1 7caf7c1f48e209aec8ae245d9194a2159d111e45
SHA256 3ab5d937f24e9fd0ed04e87e493111c094ea9bddfb4083d9e0247438b79f26c2
SHA512 02305908293ba9667ba341461c0f4f5842a4e3b2b3ac8444aa18b2fc5bc60d38956e2421d3b398b6a2c8d372c0a85e246f078d3f48913012fe40efdac0809a7d

C:\Windows\System\explorer.exe

MD5 7f9dabcdb38a6acf1a6e139b00e913a0
SHA1 4d33495151eef3cae8865c424d74fe3bda17f5a3
SHA256 8d277133cd022915c33b37ac25ae49491e0b8f408b0224df278c95638d3476fb
SHA512 dcb3ec3f418e7a564dc13b5fadcb027dc0efab108e54ec24a77042dafb3e79adb3700e4ad1c7af19e5345eef1fbf52c0d49c9e5d9112d11ac888dc0c9930d18e

C:\Windows\System\spoolsv.exe

MD5 a8b63025c791af5da82535476f182e3c
SHA1 82b5a2d08fd99f7fd81fb4b3aa3ed1128e9cd5fd
SHA256 6c66e1237ff70512255d1ba4a6399ded88f6bfff5d1e354569838e8570d687a8
SHA512 e2fec57471a8898958660f979aabdb43484f32122dec02d5f473f576e7cc0b95896626be269e8cddcd71239bf7d0f11cc36a5896b4e0ae85d83bff2dee4b42a9

C:\Windows\System\svchost.exe

MD5 cfe65d49cf14d5e745e5ba1b63d142b9
SHA1 e4237d25f5279577f8f9765b2f545400fd9ed0d5
SHA256 2787f7e8672bb6a2dc44b2f238e508b2d58203d96949e4cb1852f0870c633719
SHA512 fe3b20989e2c6d7e2a422cb910bbfbf7a51db179f8f2bc2d677d3c5ecc039bf466ec12f5b2edffa00349d8cf94493eb29e7b3e13a5a112191f8160e463135fcc

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 d1d04b5f68cedac7ea70374cf80aac00
SHA1 c8bd50c3cae4492a5c62e3d6ac5b17637a3b7770
SHA256 929d75ee9aced76ea2d652c713a7208617a14b25483e15b216244a54f244b310
SHA512 c4e4a5fa81a2b53386277ba40581950e6078daed697bf4d8c5a6e91e08d3874926adc6597bc6be8d96d2586270d626921e2694029f7e931f8224187a0c88c50d