File name: mrsys.exe
Full analysis: https://app.any.run/tasks/6ff7ac7a-2eff-47f9-acfa-4ec4b066fcca
Verdict: Malicious activity
Threats:

loader: A loader is malware whose job is to get other malware onto a machine. It profiles the host and then fetches and installs further payloads such as trojans or stealers. Loaders usually arrive through phishing e-mails and links that rely on social engineering to get the user to download and run the executable, and they lean on evasion and persistence techniques to stay resident once they have run.

Analysis date: January 22, 2025, 13:05:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: mofksys, bazaloader, loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: 138FADD6E851703E82E9DC5408DB91EE
SHA1: AE5453F552F5B2047BDE4672F04D11BF04B47955
SHA256: 8695DB07FA766D7FF90B380D1A824678BBA59569B71E506C1A68B12276B13811
SSDEEP: 6144:b6XnW2Kg+zWnv2UAO3iaM25DZgCaYi73U2rRCpfAbq8bi:+3BDZfGrRCpfAbq8e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • explorer.exe (PID: 2800)
      • svchost.exe (PID: 5588)
    • MOFKSYS has been detected (YARA)

      • explorer.exe (PID: 2800)
      • svchost.exe (PID: 5588)
    • BAZALOADER has been detected (YARA)

      • svchost.exe (PID: 5588)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • mrsys.exe (PID: 5316)
      • explorer.exe (PID: 2800)
      • spoolsv.exe (PID: 4308)
    • The process creates files with name similar to system file names

      • mrsys.exe (PID: 5316)
      • spoolsv.exe (PID: 4308)
    • Starts itself from another location

      • explorer.exe (PID: 2800)
      • mrsys.exe (PID: 5316)
      • spoolsv.exe (PID: 4308)
      • svchost.exe (PID: 5588)
    • There is functionality for taking screenshot (YARA)

      • explorer.exe (PID: 2800)
      • svchost.exe (PID: 5588)
  • INFO

    • Creates files in a temporary directory

      • mrsys.exe (PID: 540)
      • mrsys.exe (PID: 5316)
      • spoolsv.exe (PID: 4308)
      • explorer.exe (PID: 2800)
      • svchost.exe (PID: 5588)
      • spoolsv.exe (PID: 440)
    • Checks supported languages

      • mrsys.exe (PID: 540)
      • mrsys.exe (PID: 5316)
      • explorer.exe (PID: 2800)
      • spoolsv.exe (PID: 4308)
      • svchost.exe (PID: 5588)
      • spoolsv.exe (PID: 440)
    • Failed to create an executable file in Windows directory

      • mrsys.exe (PID: 540)
    • The sample was compiled with English language support

      • mrsys.exe (PID: 540)
    • Manual execution by a user

      • mrsys.exe (PID: 5316)
    • Reads the computer name

      • explorer.exe (PID: 2800)
      • mrsys.exe (PID: 540)
      • svchost.exe (PID: 5588)
    • Creates files or folders in the user directory

      • explorer.exe (PID: 2800)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:06:14 19:01:16+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 176128
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x3670
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft
ProductName: Win
FileVersion: 1
ProductVersion: 1
InternalName: Win
OriginalFileName: Win.exe
All screenshots are available in the full report
Total processes: 126
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process tree, reconstructed from the graph labels and the Parent process column of the table below. Parents are recorded by image name only, so the mrsys.exe parent of PID 2800 is shown under PID 5316, the instance that dropped C:\Windows\System\explorer.exe; "no specs" is the graph's label for processes that triggered no signature, and the #MOFKSYS / #BAZALOADER tags are placed per the YARA indicators above.

explorer.exe (Windows shell that launched the sample; not monitored)
  mrsys.exe (PID 540)   C:\Users\admin\Desktop\mrsys.exe   MEDIUM integrity, no specs
  mrsys.exe (PID 5316)  C:\Users\admin\Desktop\mrsys.exe   HIGH integrity
    explorer.exe (PID 2800)   C:\Windows\System\explorer.exe   #MOFKSYS
      spoolsv.exe (PID 4308)   C:\Windows\System\spoolsv.exe SE
        svchost.exe (PID 5588)   C:\Windows\System\svchost.exe   #MOFKSYS #BAZALOADER
          spoolsv.exe (PID 440)   C:\Windows\System\spoolsv.exe PR   no specs
          at.exe (PID 1512)   at 13:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe   no specs
            conhost.exe (PID 1752)   no specs

Process information

The original table names each parent by image only. Six of the eight monitored processes are Visual Basic 6 executables (PIDs 440, 540, 2800, 4308, 5316 and 5588) and load an identical module set: their own image, c:\windows\system32\ntdll.dll, the WOW64 layer (c:\windows\system32\wow64.dll, wow64win.dll, wow64cpu.dll) and the 32-bit c:\windows\syswow64\ copies of ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll and msvbvm60.dll (the VB6 runtime). That list is referred to below as the "VB6 module set".

PID 440   spoolsv.exe (no specs)
  CMD:             c:\windows\system\spoolsv.exe PR
  Path:            C:\Windows\System\spoolsv.exe
  Parent process:  svchost.exe
  User: admin   Company: Microsoft   Integrity level: HIGH   Exit code: 0   Version: 1.00
  Modules:         VB6 module set

PID 540   mrsys.exe (no specs)
  CMD:             "C:\Users\admin\Desktop\mrsys.exe"
  Path:            C:\Users\admin\Desktop\mrsys.exe
  Parent process:  explorer.exe
  User: admin   Company: Microsoft   Integrity level: MEDIUM   Exit code: 0   Version: 1.00
  Modules:         VB6 module set

PID 1512  at.exe (no specs)
  CMD:             at 13:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
  Path:            C:\Windows\SysWOW64\at.exe
  Parent process:  svchost.exe
  User: admin   Company: Microsoft Corporation   Description: Schedule service command line interface
  Integrity level: HIGH   Exit code: 1   Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules:         as the VB6 module set, but with c:\windows\syswow64\msvcrt.dll in place of msvbvm60.dll
  Note: the non-zero exit code means no job was created. at.exe is deprecated on Windows 8 and later and refuses new jobs ("The AT command has been deprecated. Please use schtasks.exe instead."), so this daily-task persistence attempt fails on the Windows 10 guest; the RunOnce and Active Setup entries in the modification events are what actually survive a reboot.

PID 1752  conhost.exe (no specs)
  CMD:             \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path:            C:\Windows\System32\conhost.exe
  Parent process:  at.exe
  User: admin   Company: Microsoft Corporation   Description: Console Window Host
  Integrity level: HIGH   Exit code: 0   Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules:         c:\windows\system32\conhost.exe, ntdll.dll, kernel32.dll, kernelbase.dll, msvcp_win.dll, ucrtbase.dll, shcore.dll, msvcrt.dll, combase.dll, rpcrt4.dll (all from c:\windows\system32; a native 64-bit process)

PID 2800  explorer.exe (#MOFKSYS)
  CMD:             c:\windows\system\explorer.exe
  Path:            C:\Windows\System\explorer.exe
  Parent process:  mrsys.exe
  User: admin   Company: Microsoft   Integrity level: HIGH   Version: 1.00
  Modules:         VB6 module set

PID 4308  spoolsv.exe
  CMD:             c:\windows\system\spoolsv.exe SE
  Path:            C:\Windows\System\spoolsv.exe
  Parent process:  explorer.exe
  User: admin   Company: Microsoft   Integrity level: HIGH   Exit code: 0   Version: 1.00
  Modules:         VB6 module set

PID 5316  mrsys.exe
  CMD:             "C:\Users\admin\Desktop\mrsys.exe"
  Path:            C:\Users\admin\Desktop\mrsys.exe
  Parent process:  explorer.exe
  User: admin   Company: Microsoft   Integrity level: HIGH   Exit code: 0   Version: 1.00
  Modules:         VB6 module set

PID 5588  svchost.exe (#MOFKSYS, #BAZALOADER)
  CMD:             c:\windows\system\svchost.exe
  Path:            C:\Windows\System\svchost.exe
  Parent process:  spoolsv.exe
  User: admin   Company: Microsoft   Integrity level: HIGH   Version: 1.00
  Modules:         VB6 module set

Two things in this table are worth the analyst's attention. First, every copy lives in C:\Windows\System\, the legacy 16-bit directory, not C:\Windows\System32\ or C:\Windows\, where explorer.exe, spoolsv.exe and svchost.exe legitimately reside; a full-path check catches every one of them regardless of name. Second, the MEDIUM-integrity instance (PID 540) is the one with "Failed to create an executable file in Windows directory", while the HIGH-integrity instance (PID 5316) succeeded: writing under C:\Windows\ needs administrative rights, so the chain only installs when the sample runs elevated.
Total events: 736
Read events: 721
Write events: 10
Delete events: 5

Modification events

PID 540   mrsys.exe     HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
          write         LO = 1
PID 5316  mrsys.exe     HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
          write         LO = 1
PID 5588  svchost.exe   HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
          write         Explorer = c:\windows\system\explorer.exe RO
PID 5588  svchost.exe   HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
          write         Svchost = c:\windows\system\svchost.exe RO
PID 5588  svchost.exe   HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
          write         StubPath = C:\Users\admin\AppData\Roaming\mrsys.exe MR
PID 5588  svchost.exe   HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
          delete key
PID 5588  svchost.exe   HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
          delete value  Explorer
PID 5588  svchost.exe   HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
          delete value  Svchost
PID 2800  explorer.exe  HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
          write         Explorer = c:\windows\system\explorer.exe RO
PID 2800  explorer.exe  HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
          write         Svchost = c:\windows\system\svchost.exe RO

Reading these as an analyst: the HKCU\SOFTWARE\VB and VBA Program Settings\ key is where the VB6 SaveSetting call writes, so LO = 1 is a value the sample keeps for itself, not a Windows setting. The HKLM writes land under WOW6432Node because the sample is 32-bit and the 64-bit guest redirects HKLM\SOFTWARE for WOW64 processes; Run, RunOnce and Active Setup entries under WOW6432Node are still processed at logon. RunOnce values are deleted by Windows after they execute, which is why both PID 5588 and PID 2800 re-write them, and PID 5588 additionally moves the entries from Run to RunOnce and swaps one Active Setup component for another. Neither Active Setup component name is a valid GUID (VMVQ, A9RC, NUFL, Y479, OTRW, U5GH and S1EE are not hexadecimal); a real Installed Components subkey is always a GUID, so that alone is a usable hunt predicate on hosts where this family is suspected.
Executable files: 4
Suspicious files: 4
Text files: 0
Unknown types: 0

Dropped files

PID 440   spoolsv.exe    C:\Users\admin\AppData\Local\Temp\~DFACEC228095CF7588.TMP   binary
          MD5: C37DCF77DF46C8AC1952055C0AEEEF03
          SHA256: B4D2F3185A726E52DC750E1245798AEF8E9BC77C94178F4304C05D6983FC30F5
PID 2800  explorer.exe   C:\Windows\System\spoolsv.exe   executable
          MD5: 6E1A7DAB19A46AD4DF2408381B28AF7B
          SHA256: 6B1AB65E9FF19D9611D16108AA471998434DDF69849519FD2FFBFEF5C86DD979
PID 5316  mrsys.exe      C:\Users\admin\AppData\Local\Temp\~DF20F7DFBF5E26A1D7.TMP   binary
          MD5: 087E81EF7A90A0D93E4FCEF721D583D7
          SHA256: 292D0F55A24ECF2E7750510EDAC74FD7155145EFAE297CAAF529E6081F39D282
PID 2800  explorer.exe   C:\Users\admin\AppData\Roaming\mrsys.exe   executable
          MD5: 653DB7F635FC7F0F2D005D669ACEC164
          SHA256: EA7187B259B1B36925FD6539CD6022DB00D2C37CA49C6A6230AB5B57AA195177
PID 5316  mrsys.exe      C:\Windows\System\explorer.exe   executable
          MD5: C9864771FE12166C314A2E423AFCE95F
          SHA256: 1CA8AEDEAF154DFBD5FF42C1AEF6BFF76E440AD5DBF319262FB26DE8AC1F1809
PID 4308  spoolsv.exe    C:\Windows\System\svchost.exe   executable
          MD5: 3266073C8454F3E7EC61415A9BBC3644
          SHA256: 36C188C6840330F027ED7BB96B6F4C6C06E25D73552E1F6CA1833EBC6D50D7AD
PID 4308  spoolsv.exe    C:\Users\admin\AppData\Local\Temp\~DF511C567807F19944.TMP   binary
          MD5: 2A826D396276723FCB05C225DACC2226
          SHA256: 6BEE436297BFA1339B4DE25E20436BA7223A5284EC27ABBD9D770FB1C1ED9D1C
PID 540   mrsys.exe      C:\Users\admin\AppData\Local\Temp\~DFC37E6857104368D8.TMP   binary
          MD5: 64DF9E4799C62A5FF31B410A3BAC6881
          SHA256: 50424ADC5C81D1D32290424710383F9B716BC72A7F85D2F8DF402C3FB33D71EC

The four dropped executables all carry different hashes, and none matches the submitted sample (SHA256 8695DB07FA766D7FF90B380D1A824678BBA59569B71E506C1A68B12276B13811), so blocking on the submitted hash alone will not remove the installed copies; use the paths (C:\Windows\System\explorer.exe, spoolsv.exe, svchost.exe and %APPDATA%\mrsys.exe) and the registry values above as the remediation list. The ~DF*.TMP files in %TEMP% are the temporary files VB6 runtime programs create while running, not a payload stage.
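The registry writes and the dropped-file table above are the durable host artifacts of this chain: system-process names written under C:\Windows\System\ and %APPDATA%, Run/RunOnce and Active Setup values pointing at them, and an at.exe job launched from one of the copies. The script below is an added example written for this page, not part of the ANY.RUN report or of the sample, that turns those observations into checks over Sysmon-style event records. The event dictionaries are constructed to mirror the report's process tree, registry writes and dropped files, with two benign controls added; the event schema, the rule names and the hypothetical PID 9001 installer are assumptions of the example.

```python
"""
Hunt for the masquerading / persistence pattern recorded in the report above,
evaluated over constructed Sysmon-style event dicts (not real telemetry).
"""
import ntpath
import re
from dataclasses import dataclass

# Names the sample reuses for its copies, and the only directories in which
# binaries with those names legitimately live on a default Windows install.
SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "spoolsv.exe"}
LEGIT_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

# Run / RunOnce (native or WOW6432Node) and Active Setup Installed Components.
RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?$", re.I)
ACTIVE_SETUP = re.compile(r"\\microsoft\\active setup\\installed components\\(\{[^\\]+\})$", re.I)
GUID = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
USER_PROFILE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def is_masquerade(path: str) -> bool:
    """True when a system-process name sits outside the directories it belongs in."""
    norm = path.lower().strip('"')
    return ntpath.basename(norm) in SYSTEM_NAMES and ntpath.dirname(norm) not in LEGIT_DIRS


def first_token(cmdline: str) -> str:
    """Return the executable part of a command line, honouring a quoted path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(maxsplit=1)[0] if cmdline else ""


def check_file_create(ev: dict) -> list[Finding]:
    # Sysmon Event ID 11 equivalent: a system name dropped outside its home directory.
    if is_masquerade(ev["target"]):
        return [Finding("masquerade_drop", ev["pid"], ev["target"])]
    return []


def check_reg_set(ev: dict) -> list[Finding]:
    # Sysmon Event ID 13 equivalent: autorun value pointing at a masqueraded or
    # user-profile binary, or an Active Setup component whose name is not a GUID.
    out: list[Finding] = []
    key, exe = ev["key"], first_token(ev["value"])
    setup = ACTIVE_SETUP.search(key)
    if not (RUN_KEY.search(key) or setup):
        return out
    if is_masquerade(exe):
        out.append(Finding("autorun_masquerade", ev["pid"], f"{ev['name']} -> {exe}"))
    if USER_PROFILE.match(exe):
        out.append(Finding("autorun_user_profile", ev["pid"], f"{ev['name']} -> {exe}"))
    if setup and not GUID.match(setup.group(1)):
        out.append(Finding("active_setup_bad_guid", ev["pid"], setup.group(1)))
    return out


def check_proc_create(ev: dict) -> list[Finding]:
    # Sysmon Event ID 1 equivalent: legacy at.exe scheduling, or a masqueraded
    # image anywhere in the immediate parent/child pair.
    out: list[Finding] = []
    image = ntpath.basename(ev["image"].lower())
    cmd = ev["cmdline"].lower()
    if image == "at.exe" and ("/every:" in cmd or "/interactive" in cmd):
        out.append(Finding("at_exe_schedule", ev["pid"], ev["cmdline"]))
    if is_masquerade(ev["image"]) or is_masquerade(ev.get("parent_image", "")):
        out.append(Finding("masquerade_exec", ev["pid"], ev["image"]))
    return out


HANDLERS = {"file_create": check_file_create, "reg_set": check_reg_set, "proc_create": check_proc_create}


def hunt(events: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        findings.extend(HANDLERS[ev["type"]](ev))
    return findings


# Constructed events modelled on the report's process tree, dropped files and registry writes.
SAMPLE_EVENTS = [
    {"type": "file_create", "pid": 5316, "target": r"C:\Windows\System\explorer.exe"},
    {"type": "file_create", "pid": 4308, "target": r"C:\Windows\System\svchost.exe"},
    {"type": "proc_create", "pid": 2800, "image": r"C:\Windows\System\explorer.exe",
     "parent_image": r"C:\Users\admin\Desktop\mrsys.exe", "cmdline": r"c:\windows\system\explorer.exe"},
    {"type": "reg_set", "pid": 5588,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
     "name": "Explorer", "value": r"c:\windows\system\explorer.exe RO"},
    {"type": "reg_set", "pid": 5588,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}",
     "name": "StubPath", "value": r"C:\Users\admin\AppData\Roaming\mrsys.exe MR"},
    {"type": "proc_create", "pid": 1512, "image": r"C:\Windows\SysWOW64\at.exe",
     "parent_image": r"C:\Windows\System\svchost.exe",
     "cmdline": r"at 13:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"},
    # Benign controls (constructed): a real service host and a hypothetical vendor installer's RunOnce entry.
    {"type": "proc_create", "pid": 716, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"type": "reg_set", "pid": 9001,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
     "name": "VendorSetup", "value": r'"C:\Program Files\Vendor\setup.exe" /finish'},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:24} pid={f.pid:<5} {f.detail}")
```

Run as-is it reports eight findings against the six malicious events and nothing against the two controls. On real telemetry, feed it parsed Event ID 1, 11 and 13 records in the same shape. The masquerade and at.exe checks are general; the Active Setup check keys on the component name failing the GUID format, which is what this sample's keys happen to do, and a better-formed variant would need the StubPath target checked instead.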
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 28
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process              IP                    Domain                           ASN                          CN  Reputation
-     -                    40.127.240.158:443    -                                MICROSOFT-CORP-MSN-AS-BLOCK  IE  unknown
-     -                    104.126.37.155:443    -                                Akamai International B.V.    DE  unknown
-     -                    104.126.37.161:443    -                                Akamai International B.V.    DE  unknown
4     System               192.168.100.255:138   -                                -                            -   whitelisted
4712  MoUsoCoreWorker.exe  4.231.128.59:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
716   svchost.exe          4.231.128.59:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
3976  svchost.exe          4.231.128.59:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
4     System               192.168.100.255:137   -                                -                            -   whitelisted

None of the eight monitored processes (PIDs 540, 5316, 2800, 4308, 5588, 440, 1512, 1752) appears in this table. PID 4 (System) is the guest's NetBIOS broadcast traffic, PIDs 716, 3976 and 4712 are Windows services talking to settings-win.data.microsoft.com, and the first three rows have no process attribution at all. The report therefore shows no command-and-control traffic from the sample during this run, but a quiet sandbox window is not evidence that the loader has no network stage; the PCAP in the full report is where to confirm that.

DNS requests

Domain                           IP               Reputation
google.com                       142.250.185.206  whitelisted
settings-win.data.microsoft.com  4.231.128.59     whitelisted

Threats

No threats detected
No debug info