Malware Analysis Report

2025-06-16 05:39

Sample ID 250520-klygcsen9v
Target 2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer
SHA256 e0f699e631ec4779cb4a05d320c477753adfad1bafad1f55ce9820220edd10df
Tags
mofksys defense_evasion discovery persistence worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e0f699e631ec4779cb4a05d320c477753adfad1bafad1f55ce9820220edd10df

Threat Level: Known bad

The file 2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer was found to be: Known bad.

Malicious Activity Summary

mofksys defense_evasion discovery persistence worm

Mofksys family

Mofksys

Modifies WinLogon for persistence

Modifies visiblity of hidden/system files in Explorer

Detects Mofksys worm

Boot or Logon Autostart Execution: Active Setup

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-20 08:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-20 08:41

Reported

2025-05-20 08:44

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe"

Signatures

Detects Mofksys worm

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visiblity of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Mofksys

worm mofksys

Mofksys family

mofksys

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\at.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe  N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\at.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\at.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3252 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe \??\c:\users\admin\appdata\local\temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe 
PID 3252 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe \??\c:\users\admin\appdata\local\temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe 
PID 3252 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe \??\c:\users\admin\appdata\local\temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe 
PID 3252 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 3252 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 3252 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 1120 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 1120 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 1120 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 3876 wrote to memory of 3644 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3876 wrote to memory of 3644 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3876 wrote to memory of 3644 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3644 wrote to memory of 1080 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3644 wrote to memory of 1080 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3644 wrote to memory of 1080 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1080 wrote to memory of 2356 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1080 wrote to memory of 2356 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1080 wrote to memory of 2356 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1080 wrote to memory of 436 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1080 wrote to memory of 436 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1080 wrote to memory of 436 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4972 wrote to memory of 3484 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\explorer.exe
PID 4972 wrote to memory of 3484 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\explorer.exe
PID 4972 wrote to memory of 3484 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\explorer.exe
PID 592 wrote to memory of 2100 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\svchost.exe
PID 592 wrote to memory of 2100 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\svchost.exe
PID 592 wrote to memory of 2100 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\svchost.exe
PID 1080 wrote to memory of 516 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1080 wrote to memory of 516 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1080 wrote to memory of 516 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1080 wrote to memory of 2996 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1080 wrote to memory of 2996 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1080 wrote to memory of 2996 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe"

\??\c:\users\admin\appdata\local\temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe 

c:\users\admin\appdata\local\temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe 

C:\Users\Admin\AppData\Local\icsys.icn.exe

C:\Users\Admin\AppData\Local\icsys.icn.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO

C:\Windows\SysWOW64\at.exe

at 08:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe RO

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe RO

C:\Windows\SysWOW64\at.exe

at 08:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 08:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 95.100.153.159:443 www.bing.com tcp
GB 95.100.153.159:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\Temp\2025-05-20_fa1ed73ab92df03d34b6282b0a40c12c_black-basta_cobalt-strike_elex_luca-stealer.exe 

MD5 f8d95eb8c84c6de968a90496256180b1
SHA1 52ec2c2d0dfb4e0ee4cacf58c06308673caf7535
SHA256 d0fbb98b3de71b571276016743d1a2b56fc71b8708455a533a7489fdb64e63de
SHA512 0b2a33093ecab5307c496283bec5d8fcd40a53921b7f73ea643c2b43c712c6264337fc16f340c9021fa17f45a02e888c19b4d2a244f970376720416bbbfb883e

C:\Users\Admin\AppData\Local\Temp\log.txt

MD5 5ff7037e775f4a584d7480ef1b71c6e6
SHA1 c9e8377b8e23d17af3285f0c4ecd731c1ccc7427
SHA256 546c6bdbb0b72f756dcf519c6eded5d1ca76010d7543b50af83fa2911dffc01c
SHA512 3e97c3fa5501d14075b60efb1e3e0e842137b8513406a8a8501a65b55131fab59201bcf90543a6152fa9c4acb231304a7d60c56017c8530ceb5f78becdb6766d

C:\Users\Admin\AppData\Local\icsys.icn.exe

MD5 c51e8794fdca57d2edafddf0b73641cd
SHA1 bba5fe452e0191442f5a6be0fe13ac45f3fb7ee1
SHA256 3ebe39bb9b9d3cee71a05e109e8b89927293fdae0191a442413a7097f65fa7ea
SHA512 cc2e0c917bca355b1ed3f0abe4bc87107a3687024784dd6a39ea80405d1963977fd309907fc29483d2e39fae50d82ae0be2d14f3916b678f4995873cb176071d

C:\Windows\System\explorer.exe

MD5 e4ff0034434b8881f5ba37b7742dbf27
SHA1 f30d1e80726458220da6166be9522cdd217a5f7b
SHA256 aa3f054b290b529c36b5957b79feb17d77db54905140bc6d05bb948ec7103164
SHA512 f0d84e803d805d1af7513055d43f1481832d6f0cfbada74837b5be52a42110f0694e5d303e281edee1ce6c7f4acc142dd11f9980704786a6eec2c61b7652d448

C:\Windows\System\spoolsv.exe

MD5 dcef40148c62610cd2172a6b8ebb2a4f
SHA1 37cc72a2e98c430f14592a2a3c97d57ead437208
SHA256 a3cb662390da0139fb4f9517db75745a7c1d391e0a7f62ff19289840cdb290ba
SHA512 797e88e6717712cf953d7ae3726c8a915121d27dd103ccb55db22a644897d3682af13ddb4b1de9268e3da0ff294f09dae9d40348773cf138033797fcf50def96

C:\Windows\System\svchost.exe

MD5 4f447da3967c607c93134a51d8d9c359
SHA1 0cd62a641d719c7eadb901e467903631ad73c8a7
SHA256 9e83f3731b71068336400ff16bab70fed76cf1802a1cf8aba2c624e825f3e26c
SHA512 4280820ae0a9f4df57d43181cef57f43262440ec6627397fc5453a14c6d5d539c670b4cdc22eaee95c2dcbe57ef5f037f334e54523e65d8436b81d555e9c9914

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 718c750d69934dea79fe17ffb5443448
SHA1 db6dd8d8d4235f9ba81111726867b2fde2fae3c1
SHA256 9afc1c4c1c57521480bf433a5aaa6038cd75b23f2d126d4a1c680cd983205f35
SHA512 779ebfd52e0067a1f0a227a430021e225ed2b08128c5c7d020dfe0572b94e64b190f1d13cd5808e8d581c233c9b0e9f81cf5ce0b0d962b00ec32cf33cd6342fe