Malware Analysis Report

2025-06-16 05:39

Sample ID 250520-khmwfsen6y
Target 2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer
SHA256 e0f699e631ec4779cb4a05d320c477753adfad1bafad1f55ce9820220edd10df
Tags
mofksys defense_evasion discovery persistence worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e0f699e631ec4779cb4a05d320c477753adfad1bafad1f55ce9820220edd10df

Threat Level: Known bad

The file 2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer was found to be: Known bad.

Malicious Activity Summary

mofksys defense_evasion discovery persistence worm

Detects Mofksys worm

Modifies WinLogon for persistence

Mofksys

Modifies visibility of hidden/system files in Explorer

Mofksys family

Boot or Logon Autostart Execution: Active Setup

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-20 08:36

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-20 08:36

Reported

2025-05-20 08:38

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe"

Signatures

Detects Mofksys worm

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A

Modifies visibility of hidden/system files in Explorer

defense_evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Mofksys

worm mofksys

Mofksys family

mofksys

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\icsys.icn.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\icsys.icn.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\users\admin\appdata\local\temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\icsys.icn.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\icsys.icn.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5688 wrote to memory of 5396 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe | \??\c:\users\admin\appdata\local\temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
PID 5688 wrote to memory of 5396 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe | \??\c:\users\admin\appdata\local\temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
PID 5688 wrote to memory of 5396 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe | \??\c:\users\admin\appdata\local\temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe
PID 5688 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe | C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 5688 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe | C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 5688 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe | C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 2232 wrote to memory of 772 | N/A | C:\Users\Admin\AppData\Local\icsys.icn.exe | \??\c:\windows\system\explorer.exe
PID 2232 wrote to memory of 772 | N/A | C:\Users\Admin\AppData\Local\icsys.icn.exe | \??\c:\windows\system\explorer.exe
PID 2232 wrote to memory of 772 | N/A | C:\Users\Admin\AppData\Local\icsys.icn.exe | \??\c:\windows\system\explorer.exe
PID 772 wrote to memory of 4516 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 772 wrote to memory of 4516 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 772 wrote to memory of 4516 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 4516 wrote to memory of 5988 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 4516 wrote to memory of 5988 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 4516 wrote to memory of 5988 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 5988 wrote to memory of 2404 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 5988 wrote to memory of 2404 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 5988 wrote to memory of 2404 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 5988 wrote to memory of 3476 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 5988 wrote to memory of 3476 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 5988 wrote to memory of 3476 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 4500 wrote to memory of 384 | N/A | C:\Windows\system32\cmd.exe | \??\c:\windows\system\explorer.exe
PID 4500 wrote to memory of 384 | N/A | C:\Windows\system32\cmd.exe | \??\c:\windows\system\explorer.exe
PID 4500 wrote to memory of 384 | N/A | C:\Windows\system32\cmd.exe | \??\c:\windows\system\explorer.exe
PID 4784 wrote to memory of 1852 | N/A | C:\Windows\system32\cmd.exe | \??\c:\windows\system\svchost.exe
PID 4784 wrote to memory of 1852 | N/A | C:\Windows\system32\cmd.exe | \??\c:\windows\system\svchost.exe
PID 4784 wrote to memory of 1852 | N/A | C:\Windows\system32\cmd.exe | \??\c:\windows\system\svchost.exe
PID 5988 wrote to memory of 6036 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 5988 wrote to memory of 6036 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 5988 wrote to memory of 6036 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 5988 wrote to memory of 628 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 5988 wrote to memory of 628 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 5988 wrote to memory of 628 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe"

\??\c:\users\admin\appdata\local\temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe

c:\users\admin\appdata\local\temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe

C:\Users\Admin\AppData\Local\icsys.icn.exe

C:\Users\Admin\AppData\Local\icsys.icn.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO

C:\Windows\SysWOW64\at.exe

at 08:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe RO

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe RO

C:\Windows\SysWOW64\at.exe

at 08:39 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 08:40 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
GB | 95.100.153.164:443 | www.bing.com | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 216.58.201.99:80 | c.pki.goog | tcp

Files

C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe

MD5 f8d95eb8c84c6de968a90496256180b1
SHA1 52ec2c2d0dfb4e0ee4cacf58c06308673caf7535
SHA256 d0fbb98b3de71b571276016743d1a2b56fc71b8708455a533a7489fdb64e63de
SHA512 0b2a33093ecab5307c496283bec5d8fcd40a53921b7f73ea643c2b43c712c6264337fc16f340c9021fa17f45a02e888c19b4d2a244f970376720416bbbfb883e

C:\Users\Admin\AppData\Local\Temp\log.txt

MD5 76c291ca73ead8003d50ec0c6bc64c68
SHA1 9a2bec8d53f7578559dbf312ff5ad972157c3b37
SHA256 4b52db3421aa2dd9d82ae0e2954a15f84695461b7a34d898606afbceb284da7b
SHA512 2bedd21cc83850807b8a9a237fb31ef20f6ea6931ce4a7b53157e42b6a3d5f75c8698a84ca089b0c4bfe67ecbf48edbd878792477cca2cf7b8bf7210393c52dc

C:\Users\Admin\AppData\Local\icsys.icn.exe

MD5 c51e8794fdca57d2edafddf0b73641cd
SHA1 bba5fe452e0191442f5a6be0fe13ac45f3fb7ee1
SHA256 3ebe39bb9b9d3cee71a05e109e8b89927293fdae0191a442413a7097f65fa7ea
SHA512 cc2e0c917bca355b1ed3f0abe4bc87107a3687024784dd6a39ea80405d1963977fd309907fc29483d2e39fae50d82ae0be2d14f3916b678f4995873cb176071d

C:\Windows\System\explorer.exe

MD5 f6fe7787aa988593b76ad83627aea5ac
SHA1 590844a0efcf7994e3bf83f84380d8df82f05307
SHA256 5dcc2a9945302607bf83039993e1809d31e0c14bdb0ed01bfaea4ee8f9795870
SHA512 cf3c3c6a30ce8cba7ab3c43d162cd950e2d0cadd1eaaacad676c86d0997c1baa98db3b14f419b8e048d2f8e626acabc1ff38b91bd29eb5a66eed3513f0e7ad03

C:\Windows\System\spoolsv.exe

MD5 d0da6bff6beea67bfde6e2e7b2c899f0
SHA1 bda28206173b4d42e01f6d5a6e3d7853d0ab7150
SHA256 3c3678b5c738e05647a3569a2a302834d11ed91ecc74340260b5b7f2fe9b6566
SHA512 80b379e976b48f903193469d2063314e6f99b311295ad2afdac4ef1530fb7354977b2a0fc7e6771e657b7b8da0f04361c383d89c3dba5d989a12b56a3ee77576

C:\Windows\System\svchost.exe

MD5 1258e393d1a4a00d3d4a12db2cc59b52
SHA1 df1a326c10292c1ce0c801902fea3df3f83316d4
SHA256 637a4c94b50ab456b7b97608c9e698bb590651439a9ef6f2930da4f560dde9e2
SHA512 0820a543fa426adb09da2dde0dd718983ab7e3e44d7d8af058801fc2bc70940afe84d356c3c4b15532bcde7faa8406ec1591ddfe4ce1e95a578b8da2f0aba875

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 52669d51f668c98b328cf3083c79fd25
SHA1 a735f61d43ff9ec0e058615566d4e7008a3c1ff5
SHA256 345d98e49a315383ebcd4c42035aa1da3ab0cfef101668ae6afb5357dde6ffbf
SHA512 51da21ccd09877954ce8d119eeba860100cbf9311c423e68df7047130787cc77309d6b5c5f95b523b5053388648135ff6732ff8b00852658b12ff35d8d7a8270